Pavlov Scope

Several watchdog groups have reported that a flaw has been found in Microsoft Word (XP and 2003) and it is being actively exploited "in the wild." This doesn’t appear to affect the Mac versions of Office. Microsoft’s bulletin on the flaw is here . The flaw is intended to be fixed on the upcoming June 13th release of monthly fixes, but it might be issued sooner if larger-scale (more widespread) exploits arise. This is a nasty flaw since it is related to email attachments and people generally trust Word docs. Don’t open any Word attachments until you have applied the forthcoming fix (unless you are expecting it from a known sender)! If a bad guy decides to couple this attack with collected, related address book email addresses, one could easily receive a message from a known sender but it could contain an exploited Word doc attachment, so be careful in all cases. The trouble with patching this flaw is that Office XP users will probably need to have their installation media available to install the patch. This isn’t such a big deal in a home environment, but in an enterprise it presents the challenge of deploying patches to users that do not have Administrative rights to their PCs. Office 2003 does not seem to have this trouble. Microsoft has issued a workaround procedure to assist users in protecting themselves from this flaw in the interim. Good news is that they have instructions for both home users and enterprise-focused administrators. Expand the "Workarounds…" section in the above listed link (there are several levels to expand using the plus "+" signs). In there you will find the workaround directions that best suit your situation. Domain administrators have been given a method for Group Policy deployment (GPO) for implementing the "safe mode" portion of the workaround. This is nice, but to disable Outlook feature of using Word as an email editor is still a manual workaround according to Microsoft. However, you should be able to enforce the Microsoft Word editor option using the Office Resource Kit’s Group Policy object to modify the Mail Editor settings accordingly (based on your environment). All you Admins out there: I haven’t experimented with this option myself, but it should do the trick… if concerned, try it out on a limited OU of test machines/users and let me know if you feel altruistic. Here is where the setting should be:

But I digress – If you choose not to open any Word attachments, you can safely "wait it out" for the patch to be released 2nd week of June.

Greetings all; Just a quick one…

New flaws have been fixed by Nullsoft (list of fixes here ) to resolve some apparently nasty issues in WinAmp. Additionally, many other fixes that resolve some operational issues with the software have been implemented which should help the overall user experience (few crashes, odd behavior, etc.).

If you use Winamp, please update it to v5.22 .

Hiya; My Firefox just prompted me to download and install the 1.5.0.3 update. Last week I reported that the Mozilla team had developed a fix, so it was soon to be released. Now, that fix is out in the patch 1.5.0.3. So, please install it when prompted by Firefox – or if you are not prompted, go download it here: Firefox Download 

Additionally – More bad news about IE: Just today (2006-May-02), security researchers have found YET ANOTHER  new flaw.

Ugh. Microsoft is burning up my OT.

_____________________________________________________________KevFrey
kevfrey@gmail.com.     .    .   .  . .. .  .   .    .     .

First off, the patches to fix the flaw from two weeks ago was flawed itself in that some machines had problems either during shutdown immediately after patch installation or afterward due to a compatibility problem with certain third party software.

The former I experienced on Windows 2000-based workstations – After the patch was installed and the machine was restarted, the restart process hung during shutdown (“Shutting down Windows….”). A hard power cycle was required to get through it, but then everything seemed fine on the machines after that.

The latter I have not encountered myself, but appears to be related to certain HP-based software  (for things like CD burners, certain printers/scanners, etc.) and certain Nvidia video drivers .

A “patch for the patch” was released last Tuesday (2006-Apr-25) and I have deployed it in my test environment successfully. I have not seen any reports of issues related to the new version of the software (that doesn’t mean there aren’t any, but they are not widespread if there are some). If you run Automatic Updates on your computer, you should have already been prompted to install these updated updates. I know this gets confusing, but please bear with me (it gets worse, read on).

So, after you are all patched up – know now that there are ADDITIONAL zero-day flaws released this week that affect “fully patched” versions of Windows. There are two:

1. One flaw is a bug in the way that IE handles image links, but it is tricky for a would-be attacker to take advantage of.
2. The second flaw is like other critical flaws in IE, which does not require user interaction and can be exploited by simply browsing to a website that has been compromised with attack code – allowing the installation of the usual suspects (spyware, adware, viruses, rootkits, etc.). This flaw is more serious, and has been confirmed by security researchers and “proof-of-concept” code has been released publicly. This means, as you have probably read in previous blog entries of mine, that not-so-well-meaning attackers now have a template they can use to quickly develop ways to take advantage of this new, unpatched flaw. Aggravating this issue is that there is no workaround that I can advise you to put into place that will protect you; earlier flaws like this one are often mitigated by disabling ActiveScripting (JavaScript) in IE, but this flaw does not appear to need scripting to be exploited. There are no reported known sites using this flaw yet, but use Firefox or Opera for now – and I recommend making one of those two your “default browser” in windows – Here is a nice, clean freeware program  which will allow you to easily set your default browser.

Firefox is not untouchable, however – So please keep that in mind (nothing beats “safe” web browsing practices). I highly recommend the use of the NoScript extension  for Firefox. This allows you to execute JavaScript for only certain websites, disallowing all others by default. This can result in some odd behavior for disabled JavaScript sites, so just enable it for sites that you trust only.

But, I digress – Firefox has had its share of knocks recently as well. You must upgrade to 1.5.0.2  if you haven’t already. However, PC Magazine has reported the following:

1.5.0.2 – current patched-up version, allows remote code execution, but only through some user cooperation. The Firefox development team is working on a patch.
The problem happens when non-image content is presented in an IMG tag. It will appear to the user as a broken image link. If the user right-clicks and chooses the View Image option, the file will be downloaded and, if the type is in the Firefox bypass list, executed.

In other words, one must interact with a “dead image link” directly by right clicking and executing it (if it is in the list of automatic programs to execute like a movie file or an acrobat file, etc.). This isn’t a terribly serious bug, but it could be a what we in the security community call a “vector of attack” into your computer. The good news is that the mozilla developers have already alleviated the bug, but it has not yet been incorporated into a public release yet (that will surely be soon to come).

Mac OSX continues to be a larger target, perhaps because more people are using Macs now or perhaps because the underlying operating programming code changed from older Macs to a Unix-based system. Whatever the reason, a new set of flaws has been found in OSX by a security researcher named Tom Ferris . These flaws are also unpatched, but expect to see them soon via the auto update feature of OSX if you run it. Stay vigil.

A bit of interesting Microsoft news is that not only are they seemingly gearing up to get into the anti-malware business (after years of promises to business partners in those sectors that they would not), a new version of their “Desktop Search” program was released this week a little bit under-the-radar. Like Google Desktop (extremely popular and useful), Windows Desktop Search v2.6.5 ” helps you find virtually anything on your PC or your networked drives including e-mail messages, calendar appointments, documents, and more. Searching your computer is now as fast and easy as searching the Web. After you install this item, you may have to restart your computer.” – Those are Microsoft’s words via the corporate Upate tool that we use to deploy new patches (WSUS – see my recommendation  for those interested). This isn’t groundbreaking stuff, but just another battle in the war between Google and Microsoft.

My upcoming travel fyi: I am headed out to SoCal on May 14 – 18. I am in D.C. for the Gartner IT Security  conference, and then in Frankfurt, Deutschland consulting with a sister division later in June (Hi Mr. Bhatti!). Let me know if any of you will be be “in town” on those dates/places and we can try to get together.

Subscribe to my blog via Email (easiest for most people) or RSS (for advanced users).
See above right for subscription field: Looks like this——————

Update, reboot, lock down, be safe.

Hi all;

Sorry I’ve been away recently – Lots of confidential security breach discoveries going on at work which have been keeping me swamped.

Along with other patches in this “Patch Tuesday” deployment, Microsoft has deployed the fix for the recently disclosed flaw that was allowing spyware and other malware authors to bypass system security, install devious software, eavesdrop on passwords/account numbers/etc. and in general cause trouble.

As usual, I will test them out in the test base and confirm here once installation is confirmed OK and operational.

ComputerWorld article here. 

Also, about a week ago, Apple released additional fixes for OSX that Mac users will want to download and install (if the system didn’t already prompt you to update automatically).
More info here. 

Administrative Note: As a side note, take a look at the “Subscribe” link at the top right of this page. It allows you to subscribe to this blog and receive an email everytime I update this page. If interested, simply type in your email address and press the Subscribe button.

Here we are again – another unpatched IE bug has just been announced. This one is similar to the issue last Dec. 2005 (described here ) in that disabling Active Scripting – Internet Explorer’s JavaScript engine – prevents the flaw from being exploited.

The official “word” from Microsoft is here , but the gist for non-technical users out there is that this is a remotely exploitable (meaning, your computer can be compromised without having local access to your physical computer) and critical flaw that can allow an attacker, virus, or spyware (etc.) to run programming code on or infiltrate your computer or network.

There is a exploit code now publicly available that utilizes this flaw, so it is only a matter of time (short amount of time) before spyware, adware , phishers , virus writers, and hackers adapt the code for more nefarious purposes.

Microsoft has not issued a patch yet, but is working on one now, so stay tuned for an “out of cycle” patch to be released. I will let you know here as soon as I am notified.

In the meantime, always know that there are other browsers to use when IE has flaws like this – I recommend either Firefox  (with the Adblock, NoScript, and Fasterfox extensions ) and Opera  (now version 8.53).

Avoid using Internet Explorer for the next few days if at all possible. Once I’ve installed and tested the forthcoming patch, I’ll post on this blog.

Happy St. Pat’s day!

Microsoft Updates: This past Tuesday (March 14), Microsoft released additional patches to address a few problems and changes for Office and Windows.

• KB912475: Modifies Windows so that an Australian timezone change is properly implemented by the Operating System. Official description: “Australia has changed the regularly scheduled end of Daylight Saving Time in five Australian states from March 2006 to the first Sunday of April 2006 due to the 2006 Commonwealth Games. Install this update to enable your computer to automatically adjust the computer clock on the correct date. After you install this item, you may have to restart your computer.”

Technical Article

Recently, my organization had the need to provide web proxy service to internal users, while not clobbering hotel, home, remote office, coffee shoppe, etc. type access while users were roaming outside of our divisions’ walls. The purpose is to apply content filtering rules to outbound Web traffic based on our organization’s security policy (i.e. no external webmail, personal web storage sites, etc.). I did some research and testing on this side and have come up with a solution that seems to work well across the board for our clients.

Using Internet Explorer’s capability to Automatically detect proxy server settings, IE uses the proxy when the proxy server is reachable, and connects directly when it is not. I have tested this with success (after a lot of initial troubles and debugging ;-)

The components involved in the proposed and tested solution:

• Proxy Auto-configuration file (PAC)

• Web Proxy Automatic Discovery (WPAD)

• Related DHCP and DNS settings

• Internal Web server

• Group Policies in Active Directory (GPO)

PAC file:

The first step is to configure the Proxy Auto-configuration file (or PAC for short). This is a JavaScript-like file that has a set of predetermined variables and functions for use in making decisions defining the browser’s behavior at runtime. See below for references.

This file can be hard coded in the browser, or preferably delivered using WPAD (see next).

I have built the following sample file using the PAC spec standards which tests for exception sites first (should be accessed directly by the browser) – things like internal sites, private addresses, etc.

Then, the file will test against the client’s IP address (to determine network location). If the IP address is within our internal subnet ranges , it sets the proxy server(s) to use.

The file ends with an else statement that catches all other conditions and sets the browser to use direct access (for when the computer is located outside corporate-controlled facilities).

I have successfully tested this file format with both IE and Firefox. It is provided below as an example for you to utilize, but I make no warranties or claims of fitness-to-purpose. There are many additional testing conditions that might be more relevant to another environment or set of business policies (e.g. Time-of-day, day-of-week, DNS information, etc.).

Sample file:

WPAD

Second came the challenge of getting the clients to use that file without hard-setting it (hardcoding almost always an undesirable option if it can be avoided). The mechanism used for this is WPAD, which allows the browser to "discover" where the above configuration file is stored, allowing it to then dynamically pull it down and apply the function code therein during operation. There are several mechanisms available to WPAD, but they center on DHCP and DNS. I have opted to implement both the required elements of the standard (DHCP option and DNS "well known alias" methods), and have left alone the optional requirements as they are redundant for my purposes and remain unused if the required elements exist – if the required elements are unavailable (in my environment), it would be equivalent to a network outage at which point we have bigger problems to solve than WPAD not functioning.

The first step to configure WPAD is to put the PAC file onto a web server for all users to access. Depending on the web server platform and version chosen to host the file, this might require defining additional MIME types to allow the server to properly serve the file (see standard). As a reference point, Win2K’s IIS server generally hosts whatever files you make available, whereas Win2K3 (2003 Server) IIS requires the additional MIME definitions – otherwise you will receive 403 errors, and the browser will transparently fail to pickup the PAC file without displaying an error message (by design).

The recommendation is to place the PAC file on the same server that hosts the proxy. The rationale is that if it is unavailable, implicitly so is the proxy and as such, should not be utilized. However, one might opt to locate the PAC file on a neutral / different server (independent of the proxy) to allow for more robust proxy fail-over (since the PAC standard allows for multiple proxies to be defined for fail-over).

DHCP: The second step is to configure a custom vendor option on the DHCP server. The reserved vendor option for WPAD is 252, and must be created on the DHCP Server config first. Then you can configure scopes (either via a server-wide setting or per-scope setting, relevant to your environment, with the proper URL string which tells the browser where to get the PAC file. However, the DHCP piece is not fully functional for PAC file location until the AutoDetect option is enabled in the web browser. In Firefox, this is the "auto-detect proxy" setting under Tools-Options-Connections – In IE, one can deploy the setting via GPO (see below). The value of the 252 WPAD option is the full URL to the PAC file, including FQDN of the web server (e.g. http://websrv.us.company.local/wpad.dat). This is the first component tried by WPAD for PAC file location, and is a required component of the standard.

DNS: The third configuration change I made was to place a DNS entry (can be an A or CNAME record) which includes a "well-known alias" for the service discovery – in my case – "wpad" without the quotes, which points to the proxy server. I opted for a CNAME record to alias the proxy itself since that is where my PAC file was located and maintaining multiple autonomous A records for the same host is problematic in this case.

The DNS option appears to be the one favored by Firefox, although secondary by IE based on my test results, so I implemented both to cover both browsers more effectively. (Note: In my corporate environment, the Proxy server in use uses proprietary auth mechanisms that Opera does not support, thereby preventing Opera from functioning with my organization’s proxy. This is why no mention of the Opera browser in this Windows-centric platform discussion).

GPO

The setting to have IE use Auto Detection for its Proxy settings is configured in the same place in Group Policy as if one was hard-coding the proxy (Internet Explorer Maintenance) – it is just a different option. This affects only IE at this time, since Firefox is not natively GPO-aware (author note: Efforts are underway to allow Firefox GPO administration, but not covered here – will cover in an upcoming entry) .

In the Internet Explorer Maintenance area:

Additionally, in the Computer Configuration area, the following settings should be changed to maintain consistency and compliance of the browser’s settings:

Firefox

The methods described in the above sections, when implemented together, support both IE and Firefox. The main hurdle is centrally deploying the Auto-Detect setting to both browser platforms consistently. Additionally, unrelated, anyone using Firefox should upgrade to 1.5.0.1 if they have not already, for security reasons.

Although many organizations do not officially advocate the use of Firefox (since there are still some management/administration hurdles for corporate deployment), I felt that it was important to find a workable solution that fit for both browsers since use of Firefox has become much more prevalent in the past year. Some organizations might choose to limit the use of Firefox altogether for other reasons (such as application standards, etc.), but I wanted to make the solution as browser-agnostic (cross platform) as possible.

I found that Firefox had some unexpected (by me) behavior in the way that it searched for the PAC file. Specifically, the Auto-Discover mechanism seems to always query the configured web server for the filename wpad.dat (instead of proxy.pac as I originally had the 252 DHCP WPAD option configured). IE obeyed my configuration, but Firefox insisted otherwise. Workaround, and the standard generally used by Windows shops anyway, was to make the name the file wpad.dat, update the 252 option accordingly, and then both browsers could automatically discover the file appropriately.

Also, on an unrelated note, I have had some odd, almost random, occurrences of Firefox interoperability problems with the Computer Associates (CA) SCM (Secure Content Manager) Proxy service. In some cases, the user is prompted for an ID, when – in fact – this authentication should be transparent (based on internal domain ID). The same behavior is not exhibited in IE thusfar.

Further research and "development watching" I am taking from this include the emerging capability for Firefox to be administered via GPO as well as an initiative inside the Firefox open-source development community to support MSI installers for corporate deployment and easy updates (that is, from the Mozilla side). There are third parties that have made great gains in both GPO and MSI for Firefox, but as I stated – that is something I’ll get into in an upcoming post.

Conclusion

From the testing I have done so far, both browsers appear to behave as expected once AutoDetection is setup as above. If the PAC file is not reachable using the "AutoDetect" WPAD mechanism, both browsers automatically default to direct, which gets around the issue of hard-coded proxy settings in hotels, WiFi hotspots, etc. Additionally, once the user connects to the VPN, they receive an internal IP address which matches on the PAC rules, and WPAD finds the PAC file to utilize (via the DNS mechanism of WPAD) and begins using the proxy for connections to the Web – thereby applying our corporate policies.

This system of configurations represents a "best effort" to provide technical compliance with our corporate policies with regard to web content filtering. There still exist some unavoidable loopholes, but those should be addressed through policy education to the user community (i.e. they are not allowed to browse the web in remote locations – home, hotel, airport, coffeeshoppes, etc. – without first connecting to the VPN). Adherence to that policy can be assured with monitoring, logging, and other tools.

References

For more technical information about the PAC and WPAD components of this proposed solution, please reference the following links:

PAC – This file’s format (along with some samples) is described here: http://wp.netscape.com/eng/mozilla/2.0/relnotes/demo/proxy-live.html

WPAD – IETF spec for Web Proxy Automatic Discovery – http://www.wrec.org/Drafts/draft-cooper-webi-wpad-00.txt

I hope this was helpful or informative to some of you out there! Good luck and if you have any questions or comments, please use the comment area or email me directly.

Update (2006/Mar/2) – Apple has released updates to several versions of OS X (OS “ten”) to fix the previously reported flaw in Safari and file handling below, as well as a handful of other bugs (security-related and otherwise).

The versions covered in this update include v10.3.9 and 10.4.5 – Mac users should upgrade either manually @ Apple’s” Downloads site” or you can configure and utiize the Mac’s Automatic Update feature if you haven’t already configured it in your System Preferences. I recommend using automated tools like the Auto Update function as much as possible to make you life a bit easier (and to receive the updates in a more timely manner in the future).

============================================
Original Advisory: 2006-Feb-26
A new vulnerability has been discovered affecting users of Mac OS X by a Ph.D. student named Michael Lehn. This flaw is very serious and can be exploited remotely. Like many IE flaws in Windows, this flaw allows the automatic execution of code by Safari (default Mac web browser). Other browsers (Firefox, Opera, Camino, etc.) do not automatically execute the problematic files, but could still be used as a way of delivering the nefarious programs onto your computer.