September 2006 - Posts

Set KillBit on Arbitrary ActiveX Controls with GPO or an EMS

In a parallel universe, where our normal rules of logic do not apply, security is enhanced by publishing exploits for unpatched vulnerabilities. Straight from that universe, we received a gift from H.D. Moore today - a brand new MetaSploit toolkit for an unpatched vulnerability in an ActiveX control that ships with the Windows Shell. The control is called the WebViewFolderIcon and is among other things used for rendering the Web View in Windows Explorer. It can also be called from inside Internet Explorer, and can therefore be exploited if a user allows ActiveX controls to run from a hostile site. Sandi says IE 7 is also vulnerable.

While I have yet to hear of exploits in the wild, and the actual vulnerability has been public for a couple of months already, the presence of a toolkit lowers the bar for large-scale exploitation to next to nothing. Microsoft released an advisory today, and most of the other outlets have too. The advisory contains several work-arounds, the most easily implemented of which is the advice to set the kill bit on the control.

As with the other recent web-based security issues, setting the killbit on a large number of systems is not simple though. Microsoft does mention in the advisory that it can be done with Group Policy, but leaves it up to the community to determine how exactly to do that. After discussing the risk a bit with my good friend Alun, we decided it was time to do something.

To solve this problem more generically I went ahead and wrote a script that can be used either on the command line, as a startup script, or be called from an Enterprise Management System (EMS), such as Microsoft's Systems Management Server (SMS). The script takes three arguments:

SlayOCX.vbs -k|-r GUID [-l]
          where:
                  -k - Turn on the killbit of the control
                  -r - Turn off (revive) the killbit of the control
                  GUID - The GUID of the control, complete with the opening and closing {}
                  -l - Log the action to %systemdrive%\SlayOCX.log

The -l parameter is optional, the others are required. The reason the script requires the GUID is that it makes it more generic, allowing it to be applied to any ActiveX control you wish to killbit, or enable again. The script is attached to this post.

To set the kill bit on the first of the WebViewFolderIcon control, you would run the following command:

SlayOCX.vbs -k e5df9d10-3b52-11d1-83e8-00a0c90dc849 -l

To turn the control back on again, run this command:

SlayOCX.vbs -r e5df9d10-3b52-11d1-83e8-00a0c90dc849 -l

There are two controls that implement the vulnerable function. To kill/revive the second one, substitute 844F4806-E8A8-11d2-9652-00C04FC30871 for the GUID above and run the script again. You can only kill/revive one control each time the script executes.

You can configure this script to run as a logon script in Group Policy using the following steps, copied and pasted from the post about the DAXCTL and VML vulnerabilities:

Copy the script above (everything between the begin and end tags) and paste it into a new text document. Save the document as "ProtectIE.cmd". Alternatively, just download and expand the SlayOCX_vx.zip file attached to this post.
Copy the ProtectIE.cmd file to \\<your domain>\sysvol\<your domain>\scripts. where you replace "<your domain>" with the full DNS name of your domain.
Open the GPMC (if you do not have the Group Policy Management Console, you need to get it. Strictly speaking you can manage GPOs without it, but you really don't want to)
1. Right-click the domain or OU where you want to link the GPO - you may as well do it at the domain level - and select "Create and Link a GPO Here..." Name your new GPO "SlayOCX"
2. Right-click the GPO ProtectIE and select "Edit..."
3. Expand "Computer Configuration:Windows Settings" and click on "Scripts (Startup/Shutdown).
4. Double-click "Startup" in the right-hand pane
5. Click "Add..."
6. Browse to \\<your domain>\sysvol\<your domain>\scripts and select "SlayOCX". Click "Open"
7. In the "Script Parameters:" box type "-k e5df9d10-3b52-11d1-83e8-00a0c90dc849 -l" without the quotes. Click "OK."
8. Repeat steps 8-10, but this time, type "-k 844F4806-E8A8-11d2-9652-00C04FC30871 -l" in the parameters box.
9. Click "OK" again.
10. Close the GPO editor and go back to the GPMC
11. In the "Security Filtering" pane remove "Authenticated Users" and click Add...
12. In the text box called "Enter the object name..." type "Domain Computers" or some other relevant group that you want to apply the policy to. Click OK.

The script should be run as a startup script, not as a logon script. Unregistering an ActiveX control is an administrative action, and as users should not be administrators, the script will not work properly as a logon script. Needless to say, this also means you have to restart the computer for the script to take effect if you run it from a GPO.

 If you also want to use this script to block the, still unpatched, DAXCTL vulnerability, repeat steps 8 through 10 above, but type the following parameters in step 10:

-k D7A7D7C3-D47F-11D0-89D3-00A0C90833E6 -l

 I should also mention that, while I am blissfully unaware of any adverse effects associated with killbitting this control at this time, that does not mean there are none.

 Update Sept. 29

• There are two controls containing the WebViewFolderIcon issue. Added the GUID for the second one.

Attachment: SlayOCX_v1.zip

Posted Fri, Sep 29 2006 by jesper | 12 comment(s)

Filed under: Windows Security

New Article: SBS At Home

I've had this love-hate relationship with Microsoft Small Business Server (SBS) for years. On the one hand, I agree to a large extent with Tom Shinder and Tim Mullen that SBS makes security compromises that in many, if not most, businesses are imprudent. It combines all services onto a single system, including (horror!) the firewall that is designed to protect them all. It also exposes a lot of things that you may not want to expose, but that the user base may not know enough to disable.

At the same time, SBS is a wonderful product, for the target market that it is designed to serve. A small business, which does not handle information that requires advanced protection, and which cannot justify the expense of designing a secure "Big-IT" network will find SBS an adequate risk management tradeoff. It is probably far more secure than anything they could build by putting the pieces together themselves. They simply cannot, or will not, for whatever reasons, pull the resources together to build equivalent but more secure functionality. If they were to try, the outcome in many cases would likely be significantly less secure than what SBS makes them.

Then it turns out there is a secondary market for SBS: geeks. If you are interested in building a home network where you want to play with all the different services, but you can't justify the budget to acquire several servers, OS licenses, application licenses, and the time to build it all SBS may represent an attractive option. The usual security caveats about co-locating everything on a single server still apply, but if adequate steps are taken to protect the SBS server from the Internet then it gives you a lot of functionality in a single, relatively inexpensive package. To discuss that further, my friend Matt Clapham and I wrote an article for TechNet Magazine on the topic.

Oh, and Thor, the mere fact that you have an "infrastructure" to flay means you are already out of the target market for SBS.

Posted Thu, Sep 28 2006 by jesper | 3 comment(s)

Filed under: Windows Security, Running Windows

So, you want to BitLocker an existing computer?

The other day I decided, probably against better judgement, to turn on BitLocker on my laptop running Windows Vista RC1+. There were several concerns about doing that though:

1. What if you do not have a TPM chip of any kind. In that case, your only option is to use a USB key for BitLocker.
2. When I installed my machine I let the Windows Vista installer partition the drive for me. That means I had one large partition covering the whole drive
3. You mean you are turning on whole hard disk encryption on a beta OS? What are you thinking?

Let’s ignore number three for a moment. Number 1 is simple to solve:

1. Go to Start:Run, and type gpedit.msc to open the Group Policy Editor.
2. Select “Computer Configuration:Windows Components:BitLocker Drive Encryption”.
3. Double-click the “Control Panel Setup: Enable advanced startup options” entry in the right-hand pane.
4. Check the “Enable” radio button and then check the box for “Allow BitLocker without a compatible TPM.”

Next we need to solve the partition problem. BitLocker requires a 1.5 GB partition as the system partition (the one you boot from) so that it can boot in the clear and decrypt the boot partition (the one that has the operating system files). If you do not have two partitions already, you need to create another one. There is a great walk-through on how to use BitLocker on the Microsoft site, but it presumes you are starting from scratch, which I was not. To do that, take the following steps:

1. Open an elevated command prompt (right-click the command prompt shortcut and select "Run as administrator")
2. Run the diskpart command
3. Select your disk. Normally it is disk 0, but you may have a couple of disks, although if you do, you should consider using one of the other disks for your system partition. If you want to see the disks, type “list disk”. To select your disk, type “select disk 0”, where 0 is the number of your disk (from now on, all the directions will assume you have a single-disk, single-partition setup).
4. Select your partition. Normally it would be partition 1, assuming there is only one partition on the disk. If you are not sure, type “list partition” to see what you have. Then select it using the command “select partition 1”
5. Use the shrink command to shrink it. DO NOT JUST TYPE SHRINK! That would shrink the partition so that all the available free space is made available for a new partition. If you need help on the command type “help shrink”. In this case we need to shrink it by 1.5 GB. To do that type “shrink desired=1500”. Note that this may not give you exactly 1.5 GB. In my test it gave me 1.496. I have run into problems with that such as upgrading one Vista install to another. The installer looks for more than 1.5 GB on the system partition and if that space is not there it fails. You may want to overshoot a little to make sure you get at least 1.5 GB.
6. Open Computer Management and select “Disk Management”
7. Format the new empty space on your disk using NTFS. If you label it something like “boot” it will be easier to find it later.

Now you need to set this partition up to be bootable. First go into Computer Management to format it with NTFS. Next you need the boot files. To copy the boot files over you actually have to boot into a neutral installation. The operating system holds the files open while the machine is running so you cannot copy them. The easiest way to resolve this is to boot into the Windows Vista Recovery Console:

1. Put the Windows Vista DVD into the drive and reboot the computer. Select to start from the DVD. On many computers you have to hit F12 to get the boot menu
2. When the Windows Vista locale selection screen comes up pick your locale
3. When the Windows Vista installation screen comes up, select “Repair your computer”. It may not be broken yet, but we are working on that.
4. Select your Windows Vista partition and click “Next >”
5. Select “Command Prompt”
6. In the resulting command prompt, figure out which drives are which. Most likely your boot partition (the one with the OS) is C: and the new one you just created is D:. You can use diskpart to figure it out. Launch diskpart and type “list volume”
7. Copy the boot directory. Use this command
   xcopy c:\boot d:\boot /h /e
   This will copy the whole directory structure and all the hidden files, which they are all hidden. You will probably get a prompt asking whether boot is a directory or a file on the target. It is a directory
8. Copy the boot manager using this command:
   xcopy c:\bootmgr d:\bootmgr /h
   In the prompt whether bootmgr is a directory or a file on the target, select file
9. Finally, we need to set the new partition active. To do so launch diskpart again. Select your disk. It is probably disk 0, but you can always list the disk to be sure
10. List your partitions to determine which partition is the new boot partition. Then type select it using “select partition 2”, where 2 is the number of your partition
11. Make it active by typing “active”
12. Exit diskpart and reboot the system. To do so, type exit twice

At this point you have a system that can run BitLocker. You can now boot it and go into the BitLocker control panel and turn it on, and of course, submit any bugs you find to Microsoft so they can fix them before they release this to the rest of the world.

Posted Wed, Sep 27 2006 by jesper | 6 comment(s)

Filed under: Windows Security, Windows Vista

VML Patch Is Out - Unapply The Mitigations

The VML patch is out. Microsoft just released MS06-055 out of band.

If you have applied the work-arounds you need to know a few things first though:

This update does not fix the DirectAnimation Path issue. It only fixes the VML vulnerability.

If you have applied the Access Control List (ACL) change mitigation you need to unapply it before you can install the patch. To do that you need to either use the GUI to remove the deny ACL Entry (ACE) for Everyone, or implement a command line way to remove that ACE. The enableVML.inf security template I posted with the first post I wrote on this topic will do it. You can use that in a GPO, or you can use it on the command line with this command
secedit /configure /db foo.sdb /cfg enableVML.inf /log foo.log

Please note that the command given in the security bulletin to remove the ACE does not currently work. It is not structured correctly. To remove the mitigation with a cacls command you can use
cacls %CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll /e /r Everyone

This is what I do in the startup script I posted. However, this command will remove all permissions for Everyone. Ordinarily this would not be a problem, but if you have a system with non-standard ACLs it could cause a problem. This is documented in my other post today.

Finally, if you use the unregistration work-around, as I did in the startup script, you must re-register the DLL to restore functionality. This can be done using the startup script by using the "enable" switch instead of the "disable" switch. Note that unless you modify the script though it will leave you vulnerable to the DirectAnimation Path issue, which is mitigated using the same script.

Posted Tue, Sep 26 2006 by jesper | no comments

Filed under: Windows Security

Negative Impacts of VML Vulnerability Workaround

There have been few reports of negative impacts of the two VML workaround scripts I have posted. However, two issues have come up that may be worth pointing out:

1. Some OEMs apparently ship hard drives with non-standard permissions (ACLs) in various places. I have reports of an unspecified image where the %CommonProgramFiles%\Microsoft Shared\VGX directory has an ACL that has only Everyone:Full Control in it. In the script in the most recent post (http://msinfluentials.com/blogs/jesper/archive/2006/09/22/More-options-on-protecting-against-the-VML-vulnerability-on-a-domain.aspx) I undo the Everyone Deny ACE by removing all permissions from Everyone. On these OEM systems, that means the vgx.dll file now has no permissions at all, and everyone is denied access to the file. To fix that problem, you need to replace the permissions on the directory with the proper permissions. Those are, in SDDL form:
   O:BAG:SYD:ARAI(A;;0x1200a9;;;BU)(A;OICIIO;GXGR;;;BU)(A;;0x1301bf;;;PU)(A;OICIIO;SDGXGWGR;;;PU)(A;;FA;;;BA)(A;OICIIO;GA;;;BA)(A;;FA;;;SY)(A;OICIIO;GA;;;SY)(A;OICIIO;GA;;;CO).
   
   These permissions are normally inherited from %ProgramFiles%. The only command line way I can find to propagate inherited permissions is to create a security template that specifies and ACL that has only "D:AI" in it and then apply that with secedit. The enableVML.inf template posted in the first post I wrote (http://msinfluentials.com/blogs/jesper/archive/2006/09/19/Block-VML-Zero_2D00_Day-Vuln-on-a-domain.aspx) does exactly that. To apply it with a script, call:
   secedit /configure /db foo.sdb /cfg enableVML.inf /log foo.log /quiet
   This will configure the system silently with that template, which restores the original inherited permissions on the vgx.dll file.
   
2. If you put a deny Access Control List Entry (ACE) for Everyone on vgx.dll you will have odd formatting problems with SharePoint. The site simply will not look right. It is unclear why this happens, but the problem only happens if the DLL is registered and it has a deny ACE on it. If the DLL is unregistered, as the startup script does, the problem goes away. In other words, if you use the startup script, this problem goes away.

If you have seen any more problems with any of the work-arounds, I'm sure everyone would love to hear about them and how you solve them.

Posted Tue, Sep 26 2006 by jesper | 2 comment(s)

Filed under: Windows Security

More options on protecting against recent IE vulnerabilities on a domain

The VML vulnerability continues to haunt us. According to SANS the exploit is "spreading," although SANS is not giving any details on what the relative spread is, or what intelligence it is basing that claim on. There is also now an unofficial patch from a group calling themselves the "Zeroday Emergency Response Team". The patch is truly just that: it creates a copy of the vulnerable DLL and performs a binary patch on it. It then unregisters the vulnerable original, and registers the patched version. Not having verified the actual machine code that constitutes the patched code I cannot say how exactly that works. Suffice to say that I would be extremely wary about deploying an unofficial patch. In the end, it is a risk-management decision though. The same considerations I discussed in regards to the WMF vulnerability in January applies here too. If you have an absolute need to view VML pages between now and October 10, when the official security update is currently scheduled to come out, and you feel that you cannot live with the risk of getting attacked, then the unofficial patch may be your only option. Personally, I worry about putting unverified and untrusted binaries on my system, and about the likelihood that they are going to be any higher quality than the ones Microsoft released. Consequently, I will not use the unofficial patch, nor can I think of anyone I would recommend it to.

This leads us to look for another option for protecting against the attack. On Tuesday I showed one method. That method works by setting an access control list (ACL) on the associated DLL to prevent read-access to it. This works, but can cause problems with Windows 2000. On Windows 2000 the Automatic Updates mechanism will attempt to open the DLL and get an access denied error. This error will cause it to try to replace the file with the most recent version, which is the one announced in Microsoft Security Bulletin MS04-028. However, that replacement will fail as well, causing the cycle to repeat all over again.

There are several other techniques to resolve the problem though, and perhaps the most robust is to unregister the vulnerable DLL entirely. This is done using the regsvr32.exe tool, but requires us to run commands on all the systems we want to protect. If we have an Enterprise Management System (EMS) this should be a snap, but if we do not, we need to develop a way to achieve the same result. A natural method to run commands are either logon scripts or startup scripts. Logon scripts are batch files that run when a user logs on to the system. A startup script is essentially like a logon script, but rather than runnig in the user's security context when the user logs on it runs in the context of the LocalSystem account when the machine boots. This makes it a much better option than a logon script for what we are trying to achieve because all the work-arounds for the problem represent administrative actions that users running with least privilege, as all users should, cannot take.

If we are going to use a startup script to protect against the VML vulnerability (CVE-2006-4868) we may as well make it block the DirectAnimation Path issue (I will refer to it as the "DAXCTL vulnerability" from now on; officially it is CVE-2006-4777) that came out last week while we are at it. This vulnerability is similar in scope to the VML vulnerability, but has a different mitigation strategy. The DAXCTL vulnerability is mitigated using a kill bit instead of by unregistering the DLL. The kill bit is a flag on an ActiveX control that causes IE to refuse to invoke the control. That requires modifying the registry on the system, which you can do several ways, including with a custom group policy template. However, if you are using a startup script already it is easy to add this functionality to the script.

The VML mitigation is simple. All we do is run the command Microsoft gives in the advisory:

regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"

We will modify this just slightly. by replacing "%ProgramFiles%\Common Files" with "%CommonProgramFiles%" we can make the script work on non-English systems as well. We are also going to add the -s switch to run the command silently.

To mitigate the DAXCTL vulnerability we need a registry script that sets the kill bit. We can then call that script using the regedit.exe command to import it into the registry. However, that means we need to put it somewhere where the clients can read it while starting up. This does turn out to be a bit tricky. The current working directory while processing startup scripts is %systemroot%, and the assumption is that we cannot deploy files to every host, which means we cannot rely on the registry script being in the current working directory.

The natural place to put the registry script is in the sysvol folder on the domain controllers, but that means we need an absolute path to that folder. The first thing we need for that is the name of the domain. While there is an environment variable called %USERDNSDOMAIN% that we could use to obtain this value, the environment block where it is specified is not available when startup scripts run. In addition, if we put the script in the Group Policy Object (GPO) directory we would also have to modify the script to include the GPO GUID, which is unique for each script. One way to resolve all this is to use the %PATH% variable is available to us and contains this value:

\\<dns domain name>\sysvol\<dns domain name>\policies\<GPO GUID>\machine

I am a bit distrustful of relative paths though specified in environment variables though, especially as I do not get instant feedback on whether they worked or not, so I do not like this idea. Alternatively, we can specify the full path to the registry script in our startup script. but that means that we have to modify the script each time we move it to another domain or each time we specify it in a different GPO.

The approach I like best is to just write the script on the fly. Since it is such a simple script this is easy. That way our startup script is totally portable regardless of the name of the domain we put it on. 

Putting it all together we end up with a script that looks like this:

=======START OF SCRIPT=========

@echo off

REM Print some debugging info
date /t >> %systemdrive%\ProtectIE.out
time /t >> %systemdrive%\ProtectIE.out

REM Start writing the header to our registry script
echo Windows Registry Editor Version 5.00 > DAXCTL.reg
echo. >> DAXCTL.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D7A7D7C3-D47F-11D0-89D3-00A0C90833E6}] >> DAXCTL.reg

if "%1" == "" (
 echo ERROR: You must specify either "enable" or "disable" on the command line for this script to have any effect >> %systemdrive%\ProtectIE.out
 goto cleanup
)

if /i disable == %1 (
 echo Disabling VML and DAX  >> %systemdrive%\ProtectIE.out
 
 REM In case the ACL-workaround has been applied, remove the Everyone ACE
 cacls "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll" /e /r Everyone >> %systemdrive%\ProtectIE.out
 
 REM This unregisters the vgx control that enables VML
 regsvr32.exe /s /u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll" >> %systemdrive%\ProtectIE.out

 REM Finish creating our reg file. This one sets the kill bit
 echo "Compatibility Flags"=dword:00000400 >> DAXCTL.reg

 REM Call the reg file
 regedit /s DAXCTL.reg >> %systemdrive%\ProtectIE.out

 goto cleanup

) else (
 if /i enable == %1 (
  echo Enabling VML and DAX  >> %systemdrive%\ProtectIE.out
 
  REM In case the ACL-workaround has been applied, remove the Everyone ACE
  cacls "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll" /e /r Everyone >> %systemdrive%\ProtectIE.out
  
  REM This registers the vgx control that enables VML
  regsvr32.exe /s "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll" >> %systemdrive%\ProtectIE.out
 
  REM Finish creating our reg file. This one sets the kill bit
  echo "Compatibility Flags"=dword:00000000 >> DAXCTL.reg

  REM Call the reg file
  regedit /s DAXCTL.reg >> %systemdrive%\ProtectIE.out

  goto cleanup
 ) else (
  echo ERROR: You must specify either "enable" or "disable" on the command line for this script to have any effect >> %systemdrive%\ProtectIE.out
  goto cleanup
   )

  )

:cleanup
REM Delete the registry script
DEL DAXCTL.reg

echo Finished processing >> %systemdrive%\ProtectIE.out
echo. >> %systemdrive%\ProtectIE.out
echo ======================================= >> %systemdrive%\ProtectIE.out

=======END OF SCRIPT=========

The script itself should be pretty self-explanatory at this point. I added some debugging information to it that seemed interesting. You can remove that (most of the "echo" and >> commands) if you do not want it.

One thing that is worth explaining though is that this same script can be used both to mitigate the problems by disabling the related functionality and to turn the functionality back on again once you have deployed the security updates. The script takes a command line argument of either "enable" or "disable" that tells it which of the actions to take. "Disable" disables the vulnerable functionality and turns on the protection, and "enable" enables the functionality and therefore turns off the protection. Note also that you can test the script by running it interactively, although you get no output other than the debugging file if you do so. Of course, you can also call the script from an EMS if you have one of those.

To create a GPO that runs this script, take the following steps:

Copy the script above (everything between the begin and end tags) and paste it into a new text document. Save the document as "ProtectIE.cmd". Alternatively, just download and expand the ProtectIE_vX.zip file attached to this post.
Copy the ProtectIE.cmd file to \\<your domain>\sysvol\<your domain>\scripts. where you replace "<your domain>" with the full DNS name of your domain.
Open the GPMC (if you do not have the Group Policy Management Console, you need to get it. Strictly speaking you can manage GPOs without it, but you really don't want to)
1. Right-click the domain or OU where you want to link the GPO - you may as well do it at the domain level - and select "Create and Link a GPO Here..." Name your new GPO "ProtectIE"
2. Right-click the GPO ProtectIE and select "Edit..."
3. Expand "Computer Configuration:Windows Settings" and click on "Scripts (Startup/Shutdown).
4. Double-click "Startup" in the right-hand pane
5. Click "Add..."
6. Browse to \\<your domain>\sysvol\<your domain>\scripts and select "ProtectIE.cmd". Click "Open"
7. In the "Script Parameters:" box type "Disable" without the quotes. Click "OK."
8. Click "OK" again.
9. Close the GPO editor and go back to the GPMC
10. In the "Security Filtering" pane remove "Authenticated Users" and click Add...
11. In the text box called "Enter the object name..." type "Domain Computers" or some other relevant group that you want to apply the policy to. Click OK.

Now you need to reboot all the computers before they get the policy applied to them. One of the great comments I got on Tuesday's post was a pointer from Joe to http://www.specopssoft.com/products/specopsgpupdate/default.asp. Special Operations Software has a tool that enables you to propagate group policy to all the systems on your domain, as well as remotely trigger a restart if you want. That presents its own challenges though. First, if you restart the whole domain at the same time it is likely that your domain controllers (DC) are not ready to serve group policy when your clients are ready to receive it, not to mention how loudly the DCs will complain about every client trying to authenticate at the same time. Used judiciously this could be a valuable tool though. I also would not be overly concerned with servers. These vulnerabilities are primarily a problem when people surf untrusted web sites. If people are using your servers (not including Terminal Servers, naturally) to surf untrusted web sites you have a lot of other problems.

The security updates to fix these issues are currently scheduled for October 10. Once you have those applied you can go back to these instructions and change the parameter "Disable" in step 10 to "Enable" to turn all the functionality back on again.

Attachment: ProtectIE_v1.0.zip

Posted Fri, Sep 22 2006 by jesper | 12 comment(s)

Filed under: Windows Security

Block VML Zero-Day Vuln on a domain

By now hopefully you have heard about the latest Internet Explorer Zero-Day attack. This one is allegedly being exploited in the wild making it important to protect against it. As an indication of how urgent this is Microsoft, traditionally loath to block functionality in a work-around, even posted details on how to disable VML in their security advisory. Of course, using cacls to block the attack on a few thousand systems could get cumbersome. Microsoft is planning a fix in the October time-frame apparently, earlier if the rate of attacks picks up.

If you have a Windows Domain you can use Group Policy to block this attack much more easily than having to touch every system manually. With the help of my good friend Alun Jones I was able to produce two security templates that disable and enable, respectively, the dll that renders VML. Here is the one that disables it:

[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[File Security]
"%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll",0,"D:AR(D;OICI;CCSWWPLORC;;;WD)"

And here is the template that re-enables it by removing the ACL on vgx.dll:

[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[File Security]
1="c:\program files\common files\microsoft shared\vgx\vgx.dll", 0, "D:AI"

Save each of these templates to inf files called, respectively, DisableVML.inf and EnableVML.inf. Alternatively, just use the ones in the zip file attached to this post. Save the files in somewhere so you can access them from the system you use to edit your Group Policy objects (GPO). Then create new GPOs to disable and enable VML. You are going to need two different GPOs, one to apply the settings and another to remove them again. Obviously you will want only one active at a time. To create the GPO, take the following steps.

1. Open the GPMC (if you do not have the Group Policy Management Console, you need to get it. Strictly speaking you can manage GPOs without it, but you really don't want to)
2. Right-click the domain or OU where you want to link the GPO - you may as well do it at the domain level - and select "Create and Link a GPO Here..." Name your new GPO "DisableVML"
3. Right-click the GPO DisableVML and select "Edit..."
4. Expand "Computer Configuration:Windows Settings" and right-click on Security Settings. Select "Import Policy".
5. Find and select the "DisableVML.inf" file. If you used an existing GPO instead of creating a new one, also check the "Clear this database before importing" checkbox.
6. Close the GPO editor and go back to the GPMC
7. In the "Security Filtering" pane remove "Authenticated Users" and click Add...
8. Select the group "Domain Computers" or some other group that represents the computers to which you want to apply the policy. If you are not using the GPMC you also need to check the "Allow" box under "Apply Group Policy"

That's all there really is to it. When the systems refresh their group policy next time they will automatically apply this GPO and block the attack. By default this happens each time they reboot or every 90 minutes, whichever comes first. You can also force this refresh using "gpupdate /target:computer /force" if you have a way to do that.

If you create both of the GPOs now you save yourself a little bit of work later. You can create one to disable VML and one to enable it, and then disable the link for the one you do not want by right-clicking it in GPMC and selecting "Link enabled" as appropriate.

 Good luck!

 Update Sept. 20, 2006

• Uploaded a new archive that uses an environment variable in both templates to specify the file location.
• Fixed the refresh interval
• Clarified one of the steps

Update Sept. 21, 2006

• Uploaded a new version of the archive that uses %CommonProgramFiles% instead of %ProgramFiles%\Common Files to specify the file location. This helps make it work on non-English systems that have translated the name of the Common Files directory.
• Put a version number on the archive to make it easier to track which one you have.

Update Sept. 22, 2006

• Further clarified step 8
• Wrote a new post at http://msinfluentials.com/blogs/jesper/archive/2006/09/22/More-options-on-protecting-against-the-VML-vulnerability-on-a-domain.aspx giving further options for protecting against this attack, as well as the DirectAnimation Path ActiveX Control problem that came out last week. The new method has been tested on both Windows XP and Windows 2000.

Attachment: BlockAllowVML_v1.2.zip

Posted Tue, Sep 19 2006 by jesper | 35 comment(s)

Filed under: Windows Security

So you want to play with writing code for Windows?

Maybe I've been living in a hole for the past six months, but I just found an announcement on the Microsoft Developer Network site: the Visual Studio Express Editions are free - forever!

 That's great news if you are looking for a low-cost development environment for Windows. For many of us, the Express Editions are probably all we need. The only major drawback is the lack of a full MSDN Library. Had I known this before I probably would have gotten these instead of a Visual Studio Standard Edition license.

Posted Tue, Sep 19 2006 by jesper | 5 comment(s)

Filed under: Software Development

Underwater housing for sale cheap. Only leaked once...

Sigh. Today was the last dive for my Olympus C7070 Wide Zoom camera. As I got in the water I noticed that there were bubbles coming off the housing. By the time I got it pulled out the housing was about 2/3 full of saltwater. As digital cameras and salt water do not mix particularly well, this was an unsalvagable problem. As if to add insult to injury, we had a really nice dive, and saw a very gorgeous Decorated Warbonnet that I will have to take pictures of with another camera later.

One of the last shots this camera ever took was a pretty one of three Coonstripe Shrimp.

 BTW, for those of you here looking for security info, I'm working out the details on how and what I can write at the moment. I'll be back.

Posted Sun, Sep 17 2006 by jesper | 1 comment(s)

Filed under: Diving

Excellent Underwater Photo Book

OK, so I know that most likely not very many of you are going to be looking for underwater photo books on my blog, but I recently was so impressed by a book on the topic that I thought it merited a few minutes attention. I really enjoy underwater photo. If you are interested in looking at some of my shots see my gallery at the Bubbles Below web site.

Martin Edge's The Underwater Photographer is the best underwater photo book I have seen yet. It goes through every possible technique and gives great examples that really help you figure out what they mean. There are great tips throughout and good advice for every type of photography using most any type of camera. It is even up to date enough to tell you some things about new cameras, like the Nikon D200. If you are just getting into SLR photography, there is advice on what lenses to use; if you are using a compact digital, there is advice on how to configure those - there is something for everyone in here. I probably could have saved some money on things that I don't need had I had this book a several years ago.

As an example, I finally managed to understand something I have never understood: magnification levels. I knew that 2:1 is twice life-size, but never what that really means technically. To explain it, Edge put in an exercise - there are several of these scattered throughout the book - where you zoom in on a metric ruler. When the camera is set to its maximum magnification and zoom level, you see how much of the ruler you can see when it is in focus. If you see 35 mm with a film camera, or 23.6 with a 23.6 mm digital CCD, you are at 1:1 magnification. If you see more, you are at less than that, and if you see less, say, 12 mm with a digital, you are at 2:1 magnification. Finally, an explanation that makes sense.

There are some editing mistakes, some of which are just a little annoying, and some of which cause the explanation to be wrong, but on the balance, the book more than makes up for it.

Posted Thu, Sep 14 2006 by jesper | 2 comment(s)

Filed under: Diving

Place offline web pages in the correct zone with MOTW

For several years I have used a homepage in Internet Explorer (IE) that is a list of links I often visit. I find it a lot more convenient than using Favorites to track this, and it is easier to save, move to a new system when you flatten this one, and even send to someone else if you want. For example, I have nicely formatted lists of links I get asked for a lot in there. When someone sends me an e-mail asking where something is I just open IE, copy the list, paste it into an e-mail, and hit send. It makes for a great way to maintain my links.

That is, it worked great until Windows Vista RC1. The homepage is stored in c:\users\<my user name>\documents\homepage.html. When IE7 opens that page it is in the Computer Zone. Virtually all of the links in it are in the Internet Zone. IE 7 has a new security feature, for good reason, which prevents pages in one zone from opening new pages in a different zone in the same window. In other words, if you are on the Internet and click a link in a page that takes you to a location on your Intranet, the Intranet site opens in a new browser window. This is done to prevent certain cross-site scripting attacks. However, it also makes my custom home page much less useful as I actually want all the links on it to navigate in a new window.

To resolve this I used a feature added to IE years ago called the mark of the web. I first ran across this a few years ago when I used to hang out with a guy that originally implemented it. Basically, it is a way to tag a page with a URL that the page purportedly came from. Instead of rendering the page in zone that it is actually in, it gets rendered in the zone indicated by the mark. The original purpose was to mark all saved pages with the mark of the web so that when the user opens them locally they would not be rendered in the local machine zone. It turns out to be the perfect tool to fix the issue I am running into with Vista though. Open up the HTML page that represents the page you want to mark and put a comment like this one right after the end of the <HTML> tag:

<!-- saved from url=(0041)http://www.protectyourwindowsnetwork.com/ --> 

The 0041 part is simply a counter that indicates how much of the URL following it to parse (yes, I tried what will happen if you use a very long value: IE will ignore the mark). The other parts are the “saved from url=” and the actual URL. You can put any URL you want, as long as it is in the zone you want.

Posted Thu, Sep 14 2006 by jesper | 5 comment(s)

Filed under: Running Windows

Unable to install Vista because of "Roxio Backup MyPC?"

Today I tried installing the latest build of Vista and ran into an interesting problem. The compatibility check during installation failed because I had "Roxio Backup MyPC."

The only Roxio app I have is Roxio Easy Media Creator Suite 8, so I went and checked that and the backup portion was deselected in setup. I then started searching around for why I was getting this error. Pulling the log files from setup turned out to be difficult because they got wiped after I closed setup for Vista, so I had to redo the install and grab them before closing. Those revealed that the problem was Sonic Backup MyPC, not Roxio Backup MyPC. Looking in Add/Remove Programs, however, I don't have any Sonic software installed.

The problem turns out to be relatively insidious. Sonic is actually a Roxio subsidiary now, and Sonic's Backup MyPC comes with Easy Media Creator. In fact, it turns out that regardless of whether you select to install the backup component of Roxio's suite or not, they will always install the Sonic Backup MyPC bits. I'm not sure whether that is a bug or not, but they do. Only by manually removing the directory %program files%\Sonic and then finding and removing all references to it in the registry was I able to proceed with the installation.

I thought this might be useful to others who, like me, want Vista on a machine with Roxio's Suite.

Posted Fri, Sep 1 2006 by jesper | 4 comment(s)

Filed under: Running Windows

Search

This Blog

• Home

Tags

Community

Archives

Links

• My Microsoft Blog
• Steve's Blog
• Susan's SBS blog
• Alun Jones is a great guy, with great insight
• Aaron Margosis' blog

Syndication

• RSS for Posts
• Atom
• RSS for Comments
• Email Notifications
  Go

News

• 
  
  The Windows Server 2008 Security Resource Kit is available!
  . You can also order it as part of the whole Windows Server 2008 Resource Kit and save some money.
  Or, if you need to know about Vista instead, there is:
   
  
  If you need a more general approach to help you Protect Your Windows Network, there is a book for that too
  

  There is now a mobile version of the blog.