[ad]
Seen as though we’ve been having a good bash on Microsoft recently, here’s some more relevant news. The December update from Microsoft has delivered patches for 11 series flaws spanning both IE6 & IE7 and all their currently supported operating systems (Windows 2000, Windows XP and Windows Vista).
So if you are running Windows, make sure you get your updates downloaded and installed before you’re away from your PC during this festive season.
Microsoft today released software updates to plug at least 11 security holes in PCs powered by its Windows operating systems and other software. Windows users can download the fixes either directly through the Microsoft Update Web site or via Automatic Updates.
December’s seven update bundles includes fixes for four separate security holes in Internet Explorer 6 and IE7, vulnerabilities that are considered critical for Windows 2000, Windows XP and Windows Vista users. Microsoft rates a flaw “critical” if it can be exploited to break into vulnerable systems with little or no help from the user, save perhaps for browsing a Web site or by clicking on a malicious link in an e-mail or instant message.
Seems like even though Internet Exploder Explorer is such a ‘stable’ and ‘mature’ product – it’s not immune to serious problems. I’m sorry but it’s a web-browser..how complicated can it be!
Microsoft also issued critical updates to fix at least two different problems with the way Windows handles the processing and display of various video and audio files. The first of those is a serious vulnerability in the “Windows media file format” — chiefly, files that end in “.asf” and “.wmv” — used principally by the Windows Media Player software bundled with the operating system. Another patch addresses a critical flaw in most versions of “DirectX,” a Windows component that handles the display of a variety of video file formats (files that end in “.wav” and “.avi” for example). Again, these are especially dangerous flaws because they can be exploited merely by getting users to view maliciously crafted video files via a Web browser or e-mail.
Of the seven patch bundles released today, only two did not affect Windows Vista systems, suggesting that the vulnerable components were carried over into Vista from older versions of the OS despite the multi-year secure coding review conducted for Vista. That said, two of the bundles were released to plug security holes that were found exclusively in Vista.
This news directly related to what we have been discussing recently, how previous Windows flaws carry over into the supposidly ‘all-new’ Windows Vista.
Only TWO of the problems did not effect Vista, which shows that the problems that effect an OLD (8 years old now) OS like Windows 2000 are still effecting Vista.
Source: Security Fix
mandy says
never thought that internet explorer is so faulty. could you recommend to me other web browser to use?
Pantagruel says
@ mandy
No webbrowser is perfect, the heralded alternate ones (FireFox, Opera, etc) suffer the occasional bug or vulnerability just as IE does. Eventhough all browsers concerned advertise themselves as being ‘the safest browsing experience’ they can still be vulnerable through any plugin used (plugins concerning media content [pictures/film/sound].
I am no advocate of either 3, but I recently switched to Opera, added some plugins and applied restrictive settings to further secure things. It’s seems to work nicely.
Nobody_Holme says
I personally have never had problems using firefox, as long as i’m careful where i browse to.
Also… why am i not suprised that MicroSuck didnt actually change very much before selling something as “new and improved”? oh, thats right, they never do anything else.
net2004eng says
@Darknet
LMAO, you mentioned “Seen as though we
net2004eng says
@mandy
If I can make any recommendations for you concerning a browser…You may want to look in to the Lynx text based browser, haven’t heard of too many vulnerabilities associated with it! :-)
But realistically, like Pantagruel mentioned, there really are no perfect browsers. I know I personally like to run a hardened Firefox, or Opera browser. Firefox has tons of cool add-ons, and depending on what function you would like your browser to perform, you can use many of these for auditing web apps and such:
“Tools
Before we get started, let’s talk about some tools. In order to perform your audit, you need appropriate tools to attack the application under test. You already have the most important tool for auditing Web applications: a browser. If you use Firefox, you will be able to use a number of free toolbars that will make it much easier to launch the attacks outlined below. We recommend the following plugins:
* Web Developer toolbar (https://addons.mozilla.org/firefox/60/) A Swiss Army knife-like extension every Web developer should have installed. For our purposes, the important feature is the ability to modify forms on the fly to remove some of the restrictions imposed by forms. For example, you are able to enter strings beyond the designed length, or you are able to edit locked fields.
* Hackbar (https://addons.mozilla.org/firefox/3899/) Nice tool to decode Base64 and URL Encoding. It is also helpful in obfuscating SQL injection attacks.
* SwitchProxy Tool (https://addons.mozilla.org/firefox/125/) If you decide to use a proxy server like WebScarab, Switch Proxy allows you to quickly switch proxies.
* Add N Edit Cookies (https://addons.mozilla.org/firefox/573/) The Add N Edit Cookies cookie editor will allow you to edit cookies on the fly. This tool gives you one less reason to require a full proxy server to intercept requests.
* Tamper Data (https://addons.mozilla.org/firefox/966/) This extension, much like a proxy server, will allow you to intercept requests and responses. Either may be manipulated at will.
These toolbars allow you to do most of what is required to quickly test a Web application. However, for some of the more advanced techniques, a proxy server can be helpful. Probably the most full-featured free proxy server for auditing purposes is WebScarab (http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project). The Open Web Application Security Project (OWASP) Web site is also a good resource to learn more about Web application security.”
The full article “Web Application Auditing over Lunch” by Dr. Johannes B. Ullrich can be found at:
http://www.sans.edu/resources/securitylab/audit_web_apps.php
Pantagruel says
@ net2004eng
Every OS (and thus it’s manufacturer/distributor) will get the occasional bashing, mainly because it cannot fulfill the expectations it has created itself.
The sad thing for MS it, that due to it’s omnipresence and the market share they aim for, get’s more of a bashing than the others (OS X;Linux;BSD;OS/2;AIX;etc…).
The attention MS draws onto itself works as a red flag to a bull, more people will be eager to prove them wrong. Since MS seems to be aiming for a holistic approach regarding their OS allowing many spots to serve for entry or abuse (IE/Office suite products/Outlook/WMP/Etc…
mumble says
In many ways, the problem with IE/Office/Windows whatever is that Microsoft tends to closely tie the browser -> OS -> Office Suite. The biggest part of this (though by no means the only one) is ActiveX. Because ActiveX==Browser plugins==Office Extensions==COM Components (yes, I oversimplify slightly) leveraging a failure in one component to subvert another part of the stack is trivial. Add to that x million boxes, many run without any real IT support, and you get trouble.
Once you have code running on the box at all, the structure of Windows gives malware too many places to hide. Too many users have all privs on the machine. It’s these decisions, which MS made years ago, and really wishes it could change today, which get them bashed.
If they fix the underlying problems, they break compatibility,and lose. If they don’t, they have security trouble and lose. Either way they’re messed up.
I try not to bash MS too much these days – I kind of feel sorry for them.
Elizabeth says
Okay grammer police – Learn the differenc eand correct usage of “effect” and “affect!
net2004eng says
@Pantagruel
Kind of sounds similar to the words I uttered a few days ago when we were discussing MS in the other discussion topic – under SANS Top 20…as long as their products are popular and mainsteam, they will receive bashing… until something else comes and takes their marktshare, I think we will continue to see people targeting MS.
Just like the ever popular IE and its vulnerabilities, there have been many people targeting it for a while, and why wouldn’t they? If I was developing client side exploits for a browser, I would target IE, and why…because everyone and their mother use it! Unless a person is a techie, or has a computer configured by a techie (or of course if your using *nix, or MAC), more than likley your using IE for your default browser in Windows. I would want to focus on what type of exploit I could create that would have far reaching impact, and by looking at IE, Firefox, Opera, Safari, etc… I would go with IE…
Not to say that other platforms and apps aren’t targeted- because surely they are, but just like you mentioned, and I agree with…MS seems to be the breadwinner here!
net2004eng says
Here are the other links I was looking for concerning Firefox Tools – FireCat…as mentioned in a previous entry by Darknet:
https://www.darknet.org.uk/2007/03/firecat-firefox-catalog-of-auditing-tools/
http://www.security-database.com/toolswatch/FireCAT-Firefox-Catalog-of,232.html
Sir Henry says
This is why I am so happy that I no longer have Windows on any of my systems. I feel much more secure with linux and Mac OS X.
tek se7en says
Linux FTW! Fuck Winblows!
Darknet says
Elizabeth if you learn to spell grammar correctly I’ll use affect instead of effect.
Pantagruel says
@ net2004eng
Thanks for the listing of FF plugins and extension, I will surely a few of them.
You are absolutely right, I’d surely go for the bread and butter OS which is bug ridden if I am after data or something to exploit instead of something less well spread. If you want to target the bulk of the browser with sploit try a cross site scripting bug. You will get all IE browser and the added bonus of FF (and perhaps Opera).
Ahh Lynx, makes me think of ASCII art and a lot of message screaming: ” This site is optimized for IE @1024×768″ ;)
@Sir Henry, even Safari has suffered some bad bugs, but it has indeed been a while ago Safari really came down with a bad bug (jan 2007)
@tek se7en
Nothing like a pure and simple bash
Sir Henry says
@Pantagruel:
I use not Safari, for I remain fastened to my roots in Firefox.
Nobody_Holme says
@Darknet
*applauds* nicely done there, sir.
(also, come on… add 5 and 10 and when i say 15 its wrong?)
@Sir Henry
I know how you feel… My firefox is customised to hell, and getting a new browser would mean getting a whole new load of stuff to make it do what the addons make FF do, and then manually transferring my HUGE blocklist (stuff like googlesyndication and so on) accross.
Pantagruel says
@ Sir Henry
Using FF in OS X will give you all the nice plugins,etc, but also the same bugs and vuln’s the FF linux and Windows version are prone to.
I hope you are not using MS Office on the Apple ;)
Security isn’t just the OS, but also the applications one uses.
Sir Henry says
@Nobody_Holme:
Yeah, I just do not feel comfortable using another browser. Given, FF is a complete memory hog on Ubuntu 7.10, but I feel that there is no other viable alternative browser out there. Opera, sure, but there are so many things that do not inherently work with it that I find there truly is no other viable alternative to FF at the given time. Then again, apart from the memory issues, I do not see why I should try to find an alternative.
Sir Henry says
@Nobody_Holme:
Didn’t see your last comment for some reason, but, I agree, the OS is only as secure as that which you use on it from an application perspective. I once had MS Office on there, but dropped it from lack of need. I was on Leopard, but just went back to Tiger after getting the nefarious Airport kernel panic oft experienced in the wild, thus back to a limited number of applications and taking a particularly close look at which I install.
cpj says
Opera does not open some pages, yes, but for those few times when I cannot open a page and I absolutely must do so, I can use a different browser. Two browsers is not that crazy. Use one for most things and something like IE for one or two websites that you deem to be safe but necessary.
Sir Henry says
Yes, I have done that in the past, but my never ending pursuit is in finding a browser that will handle all pages. What I find deplorable is that there are still sites out there that require you to user IE. My current place of employment is one such place and it sickens me.
fak3r says
No tool is ever going to be good enough to protect dumb users, IE, FF, Opera, who cares, they’re all taking in info from outside, an overzealous click can bring a user all sorts of pain. Best bet for these folks is Linux – again, it’s too not perfect, but far better for people that dnld first, virus scan later…
Sir Henry says
@fak3r:
I could not agree more. Let’s linuxize the world!
isaacisback says
quote: I could not agree more. Let
Nobody_Holme says
@fak3r
hey, I dl first then scan… i’m just not too stupid in what i dl. *never had a virus* (bar the trojan that didnt execute for over a year in the no-cd exe i had for rome:total war, and that was the ONE time i trusted someone else to get one of those for me… and it walked straight into AVG when it tried to run)
eM3rC says
I say mozilla firefox is the most secure and easy to use browsers out there. It is both secure and very easy to use (plus it has very few flaws).
@ issacisback and Sir Henry
Linux needs to get to an out of the box stage like mac or windows, then it will really catch on.
Mark RAtliff says
This update single handedly corrupted my Vista OS.
In no particular order, I can no longer:
Use IE7 – It will not load
Install IE8 – it fails religously
Do a system restore more than 1 day back
Print from any Microsoft Office suite product
Uninstall the updates from December
Repair without re-format.
Use any Apps that require internet access even if I change the default to firefox.
I have spent 2 days on the phone with 5 different people at Microsoft….even supervisors. They actually admitted that they are responsible. My Vista CD is the OEM CD provided by Toshiba. It cannot repair without reformatting. MS told me I can borrow a Vista CD from a friend and use that for repair but most of my friends were too smart to have XP in the first place….and the ones that do have Vista warned me to ignore this “critical” update.
MS makes no effort to help with this issue any further telling me that only purchasing a new Vista will be my only recourse short of Formatting.
I love living in a world where someone like MS can mess up a $2000 machine and then tell you to give them $140 to fix it. I like to think that all the old AV companies that would serve you junk and then tried to charge you to remove it were gone. Shows what I know. They just went mainstream with it.
Way to get the world behind you MS. No wonder Apple people are so loyal. Contact me if you would like for details but do not download these updates. You will be sorry…like I am now.