Tag Archives | Security

Microsoft Bows to Critics, Will Change Windows 7 UAC

Windows 7Yesterday I wrote about the Windows 7 dust-up that involved a couple of security bloggers’ concern that malware could silently turn User Account Control off, and Microsoft’s seeming unwillingness to talk much about the issue other than to say it wasn’t really a problem. Today, Microsoft’s Jon DeVaan addressed the controversy on the Engineering Windows 7 blog. The gist of his 2100-word post: Microsoft appreciated the input, but UAC’s behavior wasn’t an issue, because malware could only fiddle with UAC settings after it had gotten on a PC, and Windows 7 is really good at warding off malware. And to change UAC’s default behavior to alert users when UAC settings changed would be inconsistent with the approach which Microsoft’s testing had shown that real people liked.

I make no claim to being a security expert (or even the intended audience for DeVaan’s post, which was aimed at developers). But like the rest of Microsoft’s response to this mini-firestorm to date, it was profoundly unsatisfying. No matter how strong Windows 7’s anti-malware protections are, some bad stuff is going to get on some PCs. Why not make it tough for it to perform one task which would unlock the ability for it to do further damage? Screwy but possibly appropriate metaphor: It’s like an apartment manager telling tenants that a presence of a burly doorman in the lobby meant that anyone found in the building changing the lock on a particular conso must be doing so with the owner’s permission.

That post went up at midnight. At 3pm, another one appeared–cosigned by DeVaan and Windows 7 honcho Steve Sinofsky. With reasonably good humor, it ate crow and said that Microsoft will change Windows 7’s behavior:

With this feedback and a lot more we are going to deliver two changes to the Release Candidate that we’ll all see. First, the UAC control panel will run in a high integrity process, which requires elevation. That was already in the works before this discussion and doing this prevents all the mechanics around SendKeys and the like from working. Second, changing the level of the UAC will also prompt for confirmation.

It’s startling that it took Microsoft so many false starts before they got this right: Even if Microsoft was right on some theoretical, technical level, the issue had snowballed into an argument the company simply couldn’t win, period. Nerds will be nerds, and nerds are often stubbon, prickly, and prone to falling victim to the hobgoblin of little minds. But good for Microsoft for (eventually) engaging in healthy, bloggy debate, and being willing to concede its mistakes and move on. Knowing when you’ve screwed up and being unafraid to admit it in public is very 2009.

More at Dwight Silverman’s TechBlog, Mary-Jo Foley’s All About Microsoft, and I Started Something by Long Zheng (one of the guys who raised the issue in the first place).


5Words for February 5th, 2009

5wordsWhat’s transpiring this fine morning?

Hey, Woz is gainfully employed!

Fake parking tickets install malware.

Lenovo struggles, dumps American CEO.

GoDaddy’s cheesy ads work, alas.

HP unveils a Netbook Linux.

Bill Gates bugs conference attendees.

The new Macbook’s running late.

Hankering for a 240GB iPod?

Microsoft joins celebrity gossip race.

Facebookers compile “25 Things” lists.

Will Snow Leopard track you?

Boy, Windows Mobile is behind.

Xbox 360 owners love NetFlix.

One comment

Microsoft: Windows 7 UAC is Fine, Don’t Worry, We Don’t Want to Talk About It, OK?

Windows 7When it comes to Windows’ User Account Control security feature, Microsoft just can’t catch a break. The version of UAC that debuted in Windows Vista is famously paranoid and pushy. And now there’s controversy brewing that the default settings of Windows 7’s less in-your-face UAC are too lax. Malware can turn off UAC without Windows 7 notifying the user; it can also take advantage of a security hole to give itself auto-elevate permission, thereby hiding its actions. Over at ZDNet, Mary Jo Foley has a good report on this.

I’m most concerned about the fact that Microsoft refused to let Mary Jo interview anyone on the subject–instead, the company provided her with a terse and not very satisfying prepared statement. There may be a rational argument for why Windows 7’s approach to UAC makes sense, but so far, Microsoft doesn’t even seem to be trying to make it…


My.BarackObama.com’s Porn-and-Malware Problem

An online community burgeoned out of Barack Obama’s use of Web 2.0 technologies during his campaign for the U.S. presidency. Supporters flocked to My.BarackObama.com to share blogs, videos and organized events. In the wake of that success, malicious hackers are leveraging the site in a socially engineered scheme to infect PCs with a trojan.

The hackers are embedding their My.BarackObama.com Web pages (content on the site is user generated) with links to Web sites that masquerade as YouTube, according to a report by Websense Security Labs ThreatSeeker Network. The fraudulent YouTube sites are filled with pornography, and prompt visitors to install a codec for video playback, which is really the trojan.

The good news is that today’s Web browsers don’t just automatically install software: end user interaction is required. While some people may be fooled into installing the trojan because the domain is legitimate, many will not simply because they did not recognize the My.BarackObama.com user’s Web page that directed them to it.

My.BarackObama.com is a community where people have reputations and interact with one another. I participated in the “blog wars” during the Democratic primary, and know whose URLs I would trust to click on. The trojan’s creators are plastering links to the malicious pages around the Web without regard for that community dynamic. My bet: Virus definitions will be updated to foil these scams, and they won’t spread far.

Be the first to comment

Microsoft Security Vulnerabilities Pose Worm Threat

Vulnerabilities in Microsoft’s Server Message Block (SMB) file-sharing protocol could pose a serious threat to enterprise networks if companies fail to promptly patch their systems, according to reports. Microsoft has released fixes for the holes.

For Microsoft, the days when worms like Blaster and Sasser regularly blackened its eye have passed; the number of major operating system vulnerabilities fell dramatically after it weaved security into its development life cycle. However, two out of the three SMB vulnerabilities that the company disclosed today are critical enough that virus writers could exploit them in a similar fashion.

I don’t expect anything on the scale of Blaster or Sasser to happen even though un-patched enterprise systems will be easy targets. Microsoft has better security procedures in place, and will get the word out to network administrators. Most home users will be using firewall and have anti virus protection; the average user should be well protected.

These defects do not mean that Microsoft is returning to the bad old days of Windows security. It has made a big investment in its security development life cycle, and has top down approval from upper management. In fact, Microsoft invests more into security than most software makers, has a comprehensive patch process, and has firm plans for how future operating systems should handle security.

Microsoft’s problem is all of the legacy code and protocols that it must continue to support – they weigh like an anchor around its neck. While Microsoft introduced the affected protocol SMB 2.0 in 2006, SMB itself dates back circa the early 1990s. It would not at all surprise me if these vulnerabilities have something to do with legacy support (it’s too late in the evening to expect a response from Microsoft).

We attempted to reach several security experts for analysis, but did not receive a response before press time. I will update this story should any contribute their ideas this evening.

Be the first to comment

Sorry, Mr. President Elect: Twitter Gets Hacked

Twitter logoMalicious users gained access to Twitter’s account support tools by exploiting an undisclosed security vulnerability and hacked into 33 high profile accounts, including those belonging to Fox News personality Bill O’Reilly, U.S. President Elect Barack Obama, and CNN anchor Rick Sanchez. The intrusions caused no real harm, but Twitter’s status as a soapbox for public figures obligates it to be more responsible going forward.

Twitter acknowledged the exploits on its blog, which it considered to have been a “very serious breach of security.” It took the tools offline and froze the affect accounts when it was alerted to the problem. The Twitter team speculated that the breach may have been prevented had it been using the open authentication protocol (OAuth), a protocol to allow secure API authorization from Web applications.

The hacker (or hackers) used the President Elect’s account (which had been inactive since election day) to plug a gas card offer, made O’Reilly a more interesting individual, and changed Sanchez’s status to, “high on crack and might not be coming into work today.” Screen grabs of the exploits have been posted by TechCrunch.

No real harm was done, but the hackers’ puerile statements could have caused a real kerfuffle. Had Barack Obama already been swore in as President, an inappropriate statement could have inflamed political tinderboxes around the world. Indeed, Officials of other governments have been using Twitter for official statements.

The Israeli Consulate has been using Twitter to explain its justification for its recent military action; the wrong statement could have made an already acute political and humanitarian situation worse. It may be time for public officials and governments to reconsider their participation in social media unless there has been some form of a security audit. Twitter should take the responsibilities that come with being an impactful channel for disseminating information seriously.

The TV station across the street from me has a security guard and uses access cards at the door for a reason. The same standard should apply to new media.

In an indication that Twitter has become hackers’ target de jour, the intrusions come on the heels of a major phishing campaign that took place over the weekend. An untold number of Twitter users were lured into giving up their passwords for the promise of an iPhone.


Researchers Demo E-Commerce Insecurity

When you see the little padlock icon in your browser, it’s supposed to indicate that the Web page you are visiting is legitimate and that your connection is secure. Today, at the Chaos Computer Club’s annual conference in Berlin, a group of researchers undermined that assumption by exposing flaws in the underlying authentication mechanism that e-commerce relies upon.

A group of researchers represented by David Molnar, a doctoral student in computer science at the University of California at Berkeley, demonstrated a proof of concept of an exploit that bypasses Secure Sockets Layer (SSL) security safeguards. Every Web browser that implement SSL can be spoofed into displaying the padlock.

In short, the researchers successfully exploited a vulnerability in the MD5 algorithm that is used to verify whether or not SSL certificates are legitimate, enabling them to forge certificates that would be accepted by Web browsers. The certificates are used to authenticate the ownership of domains.

But don’t get too worked up just yet–there is a lot of work involved. Creating a forged certificate took the team over two weeks and required the muscle of a cluster of 200 PlayStation 3 consoles. Further, a malicious user would have to trick a victim into visiting a fake version of the legitimate site that he or she meant to visit. The gory details of the exploit will not be publicly disclosed until the problem has been addressed, according to a report by News.com.

Techniques as complex as DNS poisoning to simple social engineering have proven that traffic can be rerouted to rouge Web sites. There is a potential for real mischief, but today’s browsers have facilities that go beyond SSL to detect phishing attempts. Microsoft’s phishing filter compares domains against black lists (As an aside, the Phishing Filter Web site has an expired SSL certificate).

End users are more secure than they were a few years ago, but I never underestimate the ingenuity of criminals – especially when the incentive is valuable identity and financial information. It would not be inconceivable for a group to develop a grid-enabled application to churn out false SSL certificates.

That said, the research is important work toward securing the Web, and this type of research should remain unrestricted. There is no real security in obscurity, but research should prompt action.

The MD5 algorithm is critically important for e-commerce, yet it is an early 90’s era technology that was not designed for today’s Web, just as DNS was not designed with security in mind. The experts knew the risks.

It is alarming that little was done to harden SSL even while MD5’s weaknesses were understood; papers were published and reported on in the press four years ago. OpenID authentication also relies upon MD5: This vulnerability affects more than just e-commerce.

There must be more coordination to secure the Internet going forward. The industry needs to learn from past mistakes and bake security into the design life cycle of all future Web standards.


Symantec’s New Mac Security Suite: A Different Side of Norton

nortonformacLast week, I published the results of a little survey about Mac security that showed that the respondents, at least, are a pretty blasé bunch compared to their Windows-using friends. With the exception of firewall software–which comes built into OS X–the vast majority of survey respondents said they’re not running security software on their Macs, and don’t spend much time fretting about threats.

Symantec hopes that there’s a critical mass of Mac users who are security-minded enough to make its new Norton Internet Security 4 for Mac successful. The suite, which was announced today, is a Mac edition of a prominent Windows package. But Symantec has intelligently shifted the product’s emphasis when bringing it to OS X.

Continue Reading →


Serious IE Flaw Gets Special Patch Treatment

Well, that was quick. The serious flaw in Internet Explorer that we posted about Tuesday has been fixed through an out of cycle security patch. Typically, Microsoft holds its “Patch Tuesday” event on the 1st Tuesday of the month. However, this time it was too serious to wait — and the company probably realized it would be a perfect time for its competitors to pounce.

It’s pretty bad when security experts are telling your customers to switch. These are unbiased (for the most part) folks, and the typical computer user is going to take their advice seriously.

Patch MS08-078 has been rated “critical” by Microsoft. The company is obviously recommending that users apply this patch immediately. Without it, they are obviously keeping themselves open to code execution attacks.

Be the first to comment

An IE Security Flaw So Serious, Experts Suggest Switching

Microsoft has admitted that a serious flaw exists in all supported versions of Internet Explorer from IE5 right through the current betas, which could allow hackers to peer into user’s computers. Worse yet it is said some 10,000 websites have already been compromised to take advantage of the flaw, heightening the danger.

Right now hackers only appear to be stealing online gaming information. This could change — SANS Internet Storm Center expects the hackers to begin modifying the code to steal other (more personal) information.

Redmond’s suggestions to protect users include enabling “data execution prevention” (Tools > Internet Options > Advanced), and setting security settings to “high.” This may be a problem for some, as that setting disables active scripting.

Security experts are recommending users go one step further: switch browsers. Neither Opera, Safari, nor Firefox are vulnerable to the issue.

Mozilla’s Asa Dotzler puts in it blunt terms (perhaps with some motive):

“Stop using IE now. You are in serious danger. Even if you don’t like the other browsers, you just cannot afford to be using IE right now with this massive vulnerability being exploited as we speak.”

My suggestion would be the same. Using Microsoft’s suggestions will cripple your online experience. So even if you are an IE fanboy, suck it up, download Firefox, and go back when Microsoft is ready. Don’t be stupid — it’s just a browser.