Pavlov Scope

• MS06-011 – KB914798: Fixes a problem in Windows XP Service Pack 1 (that is, WIndows XP without the newer Service Pack 2 applied). This problem, albeit difficult to exploit, could allow a malicious program to “elevate” its permissions to obtain higher access on your system allowing the program to do more nefarious activities. However, most standard home users already run with elevated permissions (i.e. as Administrators) so this flaw is effectively already a problem for most users anyway (no matter what version of Windows) through the way that they use their computer (I too am guilty of this).
  For any server-types out there (like me), this update also applies Windows 2003 Server without SP1.
  For more information: Microsoft Security Bulletin MS06-011 

  To update Windows on your personal machine (i.e. not your work computer), I recommend using the Microsoft Windows Update  site. If you company/organization does not automatically update your PC at work, update that one too.

• KB913571: Updates the multilingual versions of Visio 2003, Project 2003, and Office 2003 to improve how those products find and correct errors in Dutch language documents. More information: KB913471 - Dutch Language Update for Office 

• MS06-012: “Critical” error fixed in multiple versions of Office, Outlook, and related programs (e.g. Excel 2003 VIEWER). This fix plugs a hole preventing “arbitrary code execution” by potentially dangerous programs. Products affected are:
  1. Office XP
  1. Office 2000
  1. newer versions of Outlook
  1. Office (Excel) 2003 or the Excel Viewer
  1. Microsoft Works (versions 2000-2006)
  1. and Office X & 2004 for Mac

  Please update it to prevent any as-yet-unknown viruses or spyware from exploiting this flaw on your machine. If you know which versions of each that you have, please visit Microsoft Bulletin MS06-012  for direct download links.

  But, I recommend simply going to the Microsoft Office Update  site for best results (this site will interrogate your computer for which software you have and which needs to be updated).

Mac Updates: In addition to the Microsoft Office X / 2004 update for Mac’s (see above), there are additional Apple (Mac OS X) fixes that address the same and similar problems as the updates released a couple weeks ago.

• Security Update 2006-002: Corrects a problem caused by the previous patch a few weeks ago. However, there was another problem (discovered earlier this week) with this “002” patch that caused Safari to have a blank icon and/or the browser would not start. Additionally, some Mac users reported networking-related problems after the -002 update was applied Monday the 13th.

• However, Apple released “2006-002 v1.1” for Mac OS X 10.45 (both PowerPC and Intel) yesterday, Thursday 2006-March-16. Please visit the Apple Support Downloads page  for the latest updates and downloads (if your Mac didn’t already download and prompt for install of the latest updates already).

Flash Updates: Macromedia Flash Player

• If you have Flash installed, you might have already seen the “update Flash” tray icon which looks like this: . If you click on that icon, the following dialog box should be displayed:
  
  which will walk you through the update.
  Otherwise, find out more about the issue here – Apple Support Downloads page  and then go here – Apple Support Downloads page  to get the recommended download and instructions for the Flash update.
  Flash is used to display movie files and rich navigation front-ends for many websites, so it is important to keep this browser add-on up-to-date. The flaw allows a hacker to create a malicious Flash file that will compromise browser security (and potentially your email client) allowing all kinds of ugly stuff (spyware, data loss, data compromise/disclosure, etc.).

McAfee Update alert: McAfee AntiVirus software released an update last Friday (March 10) that mistakenly identified Excel and some additional components as viruses (what is called a “false positive”).
If you run McAfee on your system for your antivirus, make sure your definitions are configured to automatically update and that the current definition file you have is equal to or higher than 4716.

Norton/Symantec AntiVirus and Internet Security problem: Very similar to the McAfee issue above, Norton Security products (A/V, Firewall, etc.) received an update on Mar. 15 (Thurs.) that caused some AOL customers to be bumped from their broadband and/or dialup connections. More information available here: Symantec AOL issue page 

Now, I have to go recupperate from a hellish week where I accomplished 10% of what I had planned due to increased security demands on my tasklist – ugh.

Heise online has a nice article on some of the technical details of the flaw if you are a concerned Mac user. But, to summarize, the problem is that Safari automatically executes certain file types designated as “safe” by default. Examples of these include ZIP files, documents, images, video, etc. However, Lehn has found that shell scripts (a kind high-level operating system programming function) will automatically execute if a specific qualifying line is omitted from the file. This is bad, because shell scripts are very powerful and can do things like delete or manipulate files, call other programs, etc. and a clever hacker could easily find a way to infiltrate a Mac OS X computer using these scripts.

Additionally, if the script file is disguised as an image file (etc.), it could be used on a web page and automatically rendered by the Safari browser to run. This remote execution is the crux of the severity assigned to this flaw and is very similar to the flaw found in December 2005 in Windows Metafiles (WMF) during the New Year’s time frame.

Mac users have yet to hear from Apple on this flaw and a fix has yet to be published. The vulnerability has been confirmed on fully patched systems running Safari 2.0.3 (417.8), Mail 2.0.5 (746/746.2), and Mac OS X 10.4.5.

How to protect yourself in the meantime

• Temporarily disable the “Open safe files after downloading” option in Safari until a fix is released from Apple and applied to your system.

• Do not open files or mail attachments from unknown or untrusted senders.

I will update this entry once Apple has posted a fix or if new information is forthcoming.

The fixes recently released from Microsoft include important updates to Windows Media Player (many versions). It is very important to update your computer(s) accordingly. The best route (if you haven’t already configured it) is to setup Automatic Updates in Windows. Or, you can manually go to the Windows update site every month or so. The Automatic method is the best, however, because it is a “set it and forget it” option that elminiates the manual step of visiting the website.

I have tested and installed these fixes in both my test environment and my workplace divisions without troubles.

It is important to install these latest updates because just a couple days after the patches were released (as is the case for nearly all patches), malicious hackers have reverse-engineered the patches to determine what “holes” were plugged. Accordingly, they have written exploit code that takes advantages of those flaws on unpatched machines – don’t let your computer be an unpatched (read:vulnerable) computer. Most XP Service Pack 2 machines have auto-updates already configured, but for users of older versions of Windows (XP original, Windows 2000, etc.) need to manually configure these updates.

Also – I CANNOT OVERSTRESS the need to keep your anti-virus software up-to-date. Most such programs have automatic update features, so please take advantage of them.

Many stastical studies have shown that most Windows users do not keep their computers up-to-date; be the exception and you will be a harder target (that is, most exploits will attack the easiest – soft – targets).

Winamp has more vulnerabilities. Upgrade to version 5.2 to resolve those issues.

If it doesn’t automatically prompt you to update, please visit WinAmp’s site for the latest version (at the time of this writing, 5.2) which will resolve all known exploited issues.

Exploit code has been released to take advantage of the recent flaws, mostly by spyware writers to install popups and adverts onto your machine, so prevent that by upgrading ;-)

I am in a conundrum: From a technology perspective, how do we prevent confidential company data from being disclosed over the web?

Information leakage, in this sense, is a very difficult problem to solve with certainty. Almost everything is merely a mitigation and nothing is seems to be foolproof or without a way around it. If an organization has decided to provide fairly liberal access to the Web by company employees using company computers, either internal or remote, then preventing the use of “certain” kinds of sites (such as webmail, webstorage, etc.) becomes very difficult.

For example: How to lock down the use of webmail and those free (or cheap) webstorage sites like FreeWebSpace.com, BigVault.com, xdrive.com, ibackup.com, filelodge.com, etc. etc. etc. (I’ve counted more than 20 and that is with a simple, quick Google search)?

Add to the problem, remote users. Other than installing software firewalls with according policy configurations (which is daunting in itself), how does one prevent remote PC users (i.e. users outside of the company network) from utilizing webmail and webstorage services? And, even with software firewalls, if the remote users have Admin rights on their computers, they can delete, disable, or cripple the firewall software (and arguably, need to for interop with the heterogeny of networks and configurations in hotels, hotspots, etc.).

Additionally, dropping access to each and every Internet proxy (used for anonymizing, etc.) which might be used to circumvent company site restrictions is like trying to stop lava flows with a garden hose – akin to putting each spam domain name one encounters in a blocklist individually! Hell, anyone can setup a private proxy and use that to browse the web and it would go undetected for a while before the log pattern of a single site being accessed would emerge.

Another REMOTE user problem:

If one mandates that all users, including remote VPN-attached clients, use the proxy server for Web access. This is to prevent access to webmail, webstorage, anonymizers, etc. type sites to prevent information leakage or outright unlawful and intentional disclosure.

However, this introduces a bit of a problem: Users will be required to connect to the VPN to get access to the proxy server in their web browsers. However, to connect to the VPN from most hotels/hotspots/etc., one must authenticate with the provider’s infrastructure (either to accept charges and/or to accept terms and conditions) via the same web browser. This writes out a session cookie from the provider, which then allows the PC out to the Internet (which then allows VPN, etc.).

The problem is that browsers configured to use a proxy server will not “trigger” the mechanisms generally used by hotels/hotspots/airports/etc. So, we are stuck with a chicken-and-egg problem.

I see two primary ways around this:

1) Determine the URLs / addresses used by a majority of providers, and place those into the “exceptions” list in each of these remote clients to bypass the proxy for those sites (allowing authentication with the local provider’s infrastructure to get a VPN connection, thereby allowing the rest of the Internet sites to route properly through the proxy server).

2) Put the proxy server into a publicly available (non-NAT) DMZ, so that the Proxy server’s IP address is available to both internal and Internet-based clients (this seems less secure).

I ask these questions to determine what technology can be used to construct a policy enforcement system to contain intentional attempts to utilize non-company mechanisms to transfer, share, or store company information assets.

Am I missing something or is this just hard? To me, without spending gobs of money on technology and implementation, this is a question of the classic security vs. usability problem. Is there an enterprise solution for preventing PCs from sending data (preferably policy-based) either via blocking HTTP PUT commands or other methods? Please only consider IP network methods specifically – USB, CDRom, etc. should be excluded from the discussion.