July 2007 - Posts

The Protocol Handler Saga Continues: Say What Secunia?

Sometimes you just have to wonder how far people will go to lend undeserved credibility to opinions. The Protocol Handler Saga is rapidly becoming a religious war. The latest entry is related to a very cool exploit that Billy Rios and Nate McFeters published on Tuesday. Unfortunately, he failed to give Mozilla a chance to fix the problem before publishing it. Firefox users would have been far safer had he done that.

The exploit is quite simple: by embedding a null in a link to a protocol handler Firefox can be tricked into executing arbitrary commands on the users computer. Mozilla is working on a fix which will parse the URL looking for null characters and reject the request if it finds the. (This might be a good time to enter into a longer discussion on the ill advised strategy of looking for known bad stuff, but I have a different point to make).

My point however, is not in Billy's exploit, but rather related to Secunia's listing for this vulnerability. Secunia maintains a vulnerability database, which has not always been known to be entirely impartial. Nevertheless, Secunia's CTO, Thomas Kristensen, agreed with me last week that the responsibility for protection against malicious protocol handlers rests with the protocol handler.

That makes Secunia's advisory on the exploit that Billy Rios published even more astonishing. They claim it is an Internet Explorer 7 flaw and lists all versions of Windows Server 2003 and Windows XP as vulnerable! Let's see:

  1. If a user browses the web using IE is he subject to this flaw? Answer: No
  2. If a user browses the web using Firefox 2.0.0.5 and below, is he subject to this flaw? Answer: Yes
  3. When a user clicks the malicious link in Firefox is IE launched? Answer: No

How exactly then does Secunia figure this is an Internet Explorer flaw? It's hard to tell really. Apparently, it is because the flaw only affects users that have Internet Explorer 7 installed. It turns out that Mozilla loads several components that ship with Internet Explorer, including ieframe.dll and urlmon.dll. Apparently, there is some interaction with those that causes this exploit to fire through Firefox, but not through IE. Maybe Mozilla expected those DLLs to do their input validation for them? A bit of threat modeling seems like it may be in order. This expectation that others are do input validation for you, without actually validating that they do, is seriously harming Mozilla's users.

On a slightly related note, several years ago when I was researching protocol handlers I wrote a little program that enumerated both protocol handlers and asynchronous protocol handlers. I thought it might be of interest to people to see just how many they have, so I have made that program available for download: listProtocols.zip.

In the meantime, what do we do? Well, several years ago, when there were some vulnerabilities in Internet Explorer's handling of protocols, the US-CERT had this advice: "It is possible to reduce exposure to these vulnerabilities by using a different web browser." Mozilla even echoed that sentiment two weeks ago, when they were trying to pin their protocol handling problems on IE.

If only the same advice worked now. If only there were a browser that was not subject to all these Mozilla flaws! Wait! I know:
We recommend people use Internet Explorer in Protected Mode on Windows Vista and practice safe browsing habits to protect themselves against these vulnerabilities in Mozilla Firefox.

I wonder why the US-CERT did not include that little piece of advice in its advisory?

Update Later That Evening

I wanted to answer Harry Johnston's comment about my seeming inconsistency in blaming Firefox for this instance of a protocol handler problem where Firefox only passes on the command; while I also claimed Firefox was to blame for the previous issue where it was the actual protocol handler. It does seem inconsistent, but so is Firefox' protocol handling. The best way, therefore, to answer turns out to be by amending the post.

The problem here is quite convoluted, but from what I can tell, it lies squarely with Firefox. I say that because Firefox never actually invokes the protocol handler in certain cases. Those cases happen to include the ones that Billy mentioned. You can actually test this using the test protocol handler that I included in a prior post. If you simply register that and then modify Billy's exploit like this:

<a target="_blank" href='testURL:%00%00..\..\..\..\..\..\windows/system32/cmd".exe ..\..\..\..\..\..\..\..\windows/system32/calc.exe " - " blah.bat'>testURL 0-day</a>

You will get the expected dialog:

Firefox calls the handler and the handler gets the nulls as you would expect. If this now caused code to be executed, then it most certainly would be the handler's fault, not Firefox'. However, that is not actually what happens.

It is actually Firefox that executes the malicious code. To test that you need to intercept the calls the one of the handlers that Billy exploited: mailto, nntp, news, snews, or telnet. The easiest way is to simply change the executable they point to. For instance, I changed the mailto protocol to point to this:

"c:\test.exe" /mailurl:%1

Then I clicked Billy's exploit. Calc.exe and a command prompt showed up just like it did when msimn.exe (Outlook Express) was the handler. The test.exe application was never invoked. Had it been, we would have seen it. In fact, you can confirm that Firefox is what launces the exploit (cmd.exe and calc.exe in this case) by using Process Explorer:

Notice the executable tree there. It is Firefox that launched cmd.exe. It launches that instead of the actual executable for some reason.

I do not fully understand why only some protocols are affected by this. It seems that Firefox does some kind of additional parsing of those protocols but not others, but it is not clear from a cursory look at the sources why that is.

Update 28 July, 2007

There will likely be plenty of blame to apportion once the investigations for this issue are concluded. For the moment, to allow vendor investigations to continue without giving much more away to the bad guys than what is already out there, I am not going to comment any further on the scope and source of the problem. First and foremost, we need to stop the bleeding. Then we can discuss what happened.

Posted 26 July 2007 04:19 PM by jesper | 11 comment(s)
Filed under: ,
Hey, Mozilla: Quotes Are Not Legal in a URL

When I was a child, I learned a saying that I still find important to keep in mind:

Those who are sitting in a glass house shall not throw stones

The good folks at Mozilla may want to look up what that really means. Two days ago, Mozilla published Firefox version 2.0.0.5 to fix a security vulnerability resulting from an interaction between Firefox and Internet Explorer (IE). Put briefly, if a user that has Firefox installed uses Internet Explorer to browse to a malicious site that malicious site can cause IE to spawn Firefox on the user's computer. Firefox, in turn, fails to validate the input it receives from IE, and will run arbitrary code of the bad guy's choosing on the user's computer. This is especially valuable to criminals on Windows Vista since IE runs in protected mode on Vista by default, providing a layer of protection from malicious web code. Firefox does not have any such protection and executes with the full privileges of the locally logged on user.

In conjunction with the fix, Mozilla's Chief Security Something-or-Other, Window Snyder, wrote a blog post where she states that "This patch for Firefox prevents Firefox from accepting bad data from Internet Explorer. It does not fix the critical vulnerability in Internet Explorer. Microsoft needs to patch Internet Explorer..." [emphasis in the original]. The IE team, meanwhile, has stated that they do not intend to fix what they see as Mozilla's problem.

Well Window, those who sit in a glass house should not be throwing stones. Let's take a look at the issue, shall we?

Window's claim that this is a critical vulnerability rests on RFC 3986, which defines the standard Uniform Resource Identifier (URI) syntax. Section 2 of that RFC states that a URI consists of a limited set of characters; basically numbers, letters, and a few non-alphanumerics. It goes on to state that other characters are encoded using percent encoding. Specifically: "the only time when octets within a URI are percent-encoded is during the process of producing the URI from its component parts" (RFC 3986, section 2.4). The people who argue that Microsoft is at fault in passing the URI on to Firefox apparently take that statement to mean that IE should be encode the URI before passing it on to the protocol handler. Personally, I fail to see how taking a link on a page and passing it on to the handler that deals with that link constitutes "producing the URI from its component parts" but I could be missing something. I think the statement about percent encoding applies to the bad guy that constructed the URI in the first place, and the application that ultimately executes it. Therein lies the rationale behind my claim that the flaw is in the protocol handler, i.e. Firefox in this case.

However, let's assume that we take Mozilla's claims at face value; that IE really is at fault here. Window goes on to claim that this is a serious issue also affecting other applications. In fact, she points to a different article that demonstrates how to execute arbitrary code in Trillian using this "IE flaw". Thor Larholm adds a list of other protocol handlers, which can be passed arbitrary command line arguments, although this is merely a list of some protocol handlers, not a list of vulnerable ones. Window finishes her post with the usual line: "Mozilla recommends using Firefox to browse the web to prevent attackers from taking advantage of this vulnerability in Internet Explorer."

That would be sage advice, if:

  1. This were actually a vulnerability in IE, and not a failure of Firefox and Trillian to validate input, and
  2. If Mozilla were any safer

Just for fun, I decided to conduct a little test of that second hypothesis. I used the very simple protocol handler I wrote for the previous blog post:

#include <stdio.h> 
int main(int argc, char* argv[])
{
    // The URL is in argv  
    printf("\nThere are %d arguments in the URL\n", argc);
    for(int i=0;i<argc;i++)  
    {      
        printf("\nArgument %d:\t%s",i,argv[ i ]);
    }   
    printf("\n");  
    char c;  
    c = getc(stdin);
}

This program lets us inspect what the browser that calls the protocol handler actually passes on to that protocol handler. In other words, it lets us see exactly what Firefox and Trillian see when they are invoked using their respective protocols from a browser. The URL that is passed by the browser to the handler is passed as a command line argument (this is the argv parameter, in case your C is a bit rusty). The program simply enumerates all the command line arguments and prints them. To do that it needs to be registered, which we do with a reg script, like this:

Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\TestURL]
@=URL:Test Protocol
"URL Protocol"=""
[HKEY_CLASSES_ROOT\TestURL\DefaultIcon]
@="cmd.exe"
[HKEY_CLASSES_ROOT\TestURL\shell]
[HKEY_CLASSES_ROOT\TestURL\shell\open]
[HKEY_CLASSES_ROOT\TestURL\shell\open\command]
@="\"c:\\test.exe\" \"%1\""

We now have a program that handles the TestURL protocol, invoked by calling testurl://<location>. To test it, I downloaded Thor Larholm's sample exploit, and changed it to call the TestURL protocol instead. The original script said:

<iframe src='firefoxurl://larholm.com"...

And my modified version said:

<iframe src='testurl://larholm.com"...

To test it, I opened the sample exploit using IE on a fully patched Windows Vista computer. IE, on Vista, will prompt you whether you want to open the external program or not, as shown in this picture:

 

If you click allow, you get this output:

It all seems to work. I get four command line arguments (three of which are part of the URL), which is what we would expect if the calling application, IE, or more specifically, urlmon.dll, does not escape the quotes in the URL. This is the crux of Mozilla's and Thor's claims. They want IE to escape the quotes so the URL is passed as a single command line argument.

Now, what do you suppose happens when you run the sample exploit using Firefox? First, you will get a big scary warning:

Cool. Firefox shows the user the entire URL. I wonder if that helps people in general make security decisions? Note also that the quotes are not escaped. Clearly, that must come later. To see, click "Launch Application" and you will get this output:

Can you spot the glass house too? To paraphrase Window: "This patch for Firefox ... does not fix the critical vulnerability in Firefox."

That's correct. Following Mozilla's, and Thor Larholm's logic, Firefox is subject to the exact same flaw that they blame on IE! Firefox also does not escape quotes in URLs before it passes them on to protocol handlers. I won't speculate here on why they failed to fix that "flaw" in the new version of Firefox that was just released.

Now, ordinarily I would not release details of an exploit without notifying the vendor first and giving them a reasonable chance to fix it. However, as I have claimed all along that the flaw is that the protocol handler fails to validate its inputs, I do not consider this particular issue to be a flaw in Firefox at all. Therefore, I do not believe I am engaging in irresponsible disclosure by letting people know that Firefox also does not protect users of Trillian from flaws in Trillian. I would never do such a thing, and I am sure Window will agree with me.

Update July 23, 2007
Replaced text output with screenshots because the exploit script did not render properly as some of it was blocked by the security filters on the blog. Also added a picture of the IE warning upon launching an external protocol handler outside of protected mode.

Posted 20 July 2007 10:25 PM by jesper | 35 comment(s)
Filed under: , , ,
At Least This Snake Oil Is Free

Snake oil, for those that are not familiar with the U.S. English vernacular, is a derogatory term for some product that makes unverifiable or exaggerated claims.

True to the tradition, we now find "Vista Firewall Control," complete with a PC World article that includes not only incorrect descriptions of the Windows Vista Firewall, but exaggerated and bogus claims of value, including "All in all, VistaFirewallControl is a great way to make sure your PC isn't making unwanted outbound connections."

No. It is not. There is only one great way to make sure your PC isn't making unwanted outbound connections.

There are several serious flaws in the reasoning that outbound, host-based firewalls will actually stop attacks. The one that seems to elude everyone that claims a piece of software can stop arbitrary other pieces of softare from making outbound connections is that all software running within the same user context can control any other software within the same user context. Put more simply, if you permit any application to communicate out, over any port, then any other piece of software you execute as the same user can communicate out over that same port.

Let's say you run application A, a web browser. The browser runs as you, user Bob, who is a standard user. The browser tries to connect to some server, and the outbound host-based firewall detects that and asks if you wish to permit it. If the administrator has enabled it, you can permit that yourself, otherwise you may need an administrative account to do it. For the sake of argument, let's say you can enable it yourself. More than likely, you would enable it to connect to all web servers, since a web browser is far more useful that way.

Now some distant friend of yours, Paul, e-mails you this cool app he found, and you run it. The application gathers up all your stored passwords, your Microsoft Money file, all your recent e-mail messages, and any documents you have access to. It then needs to send this stuff to the criminals, but, the outbound host-based firewall would stop it, right? No. The malicious application could do a couple of things. First, if you have the ability to open outbound ports the application, running as you, could just open the ports it needs, transfer the data, and close them again.

Let's say, however, that you would have to ask your administrator to open ports (notwithstanding the fact that no administrator, and no user, would ever put up with that in the long run). That would stop the malicious application, right? No. That won't work either. The application would simply look for some other application that can communicate outbound. It would find that the web browser can do so. Cool. The malicious application would launch the web browser, which opens the hole in the firewall, attach to it using standard debugging techniques, and then ask the web browser to take the neatly packaged information it stole and send it to whereever it wants. This would be done by simply injecting code into the running web browser. The web browser, essentially unaware that this was even happening, would go ahead and do it. The host-based outbound firewall would only know that the web browser sent some data out, which it is permitted to do, and would not take any action to stop it.

Since there is no application isolation between applications running within the same user context there is no real way to prevent this from happening. Only by completely re-architecting Windows could this be prevented, and even then, it would only truly work if everything we know about computers, from the hardware on up, changed fundamentally. The Trusted Computing Platform and Microsoft's Next Generation Secure Computing Base (NGSCB) initiatives of several years ago were originally designed to achieve that, but the aims have since been scaled down significantly, at least in the tactical term.

This is only one reason why presenting host-based outbound firewalls as a protective measure against malware is pure snake-oil. There are several others as well, but rather than repeat them again here, you can just read some things I have written in the past, such as a post in my old blog, an article in TechNet Magazine, and of course, a rather lengthy discussion in the Windows Vista Security book.

Does that mean that all outbound host-based firewall filtering is meaningless? No, it does not. Host-based outbound filters can make it more difficult to communicate out for applications which cannot (easily) get other applications to do their evil bidding for them. Windows Vista already does that by default with services. It can also be used to prevent accidental disclosure. For example, you can block outbound SMB connections on public networks. SMB, or Windows file sharing, should not be used outside a confined network environment anyway. Blocking it on public networks can prevent a user from accidentally connecting to a file server on the Internet and performing a challenge-response authentication, thereby volunteering an authentication sequence that can be cracked. Of course, with Windows Vista, the challenge-response protocols used are far stronger by default than in previous versions of Windows, but nevertheless, putting such a filter in place provides a measure of defense in depth against accidents and should have no adverse application compatibility impact. I covered both of these benefits in greater depth in the Windows Vista Security book.

However, the existence of some benefit from outbound host-based firewall controls does not in any way make such controls "a great way to make sure your PC isn't making unwanted outbound connections."

Posted 19 July 2007 09:33 PM by jesper | 2 comment(s)
Filed under: , ,
New Firefox Available

Mozilla has published a new Firefox. Version 2.0.0.5 fixes the FirefoxURL protocol handler issue by changing the calling convention for the protocol handler. Instead of the old calling convention:

C:\\PROGRA~1\\MOZILL~2\\FIREFOX.EXE -url “%1″ -requestPending

%1 is the string that urlmon.dll fills in with the request.The new calling convention puts all the parameters before the URL string. :

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -requestPending -osint -url "%1"

Using these parameters Firefox can determine that a request needs validated as a protocol handler call.

This version, like previous ones, does leave some detritus on the system after it is removed. Curiously, it leaves all three of its URL Protocol Handlers: FirefoxURL, FirefoxHTML, and gopher. Nevertheless, it should fix the failure to validate input from protocol handlers from prior versions. And, whatever else you can say about Mozilla, you have to admire a browser whose entire installer is just over 6MB and whose OS footprint is less than 20MB.

Posted 19 July 2007 09:10 AM by jesper | 2 comment(s)
Filed under:
Downloads from the Vista Security Book

As with Protect Your Windows Network I wrote some tools for the Windows Vista Security book that just came out. However, the Vista book does not come with a CD. Rather, Wiley has made the tools available for download. If you solemnly promise that you will buy the book, you may get the tools from there. Smile

The tools are:

  • A couple of Windows Management Instrumentation (WMI) Scripts that demonstrate how to interact with the Windows Firewall with Advanced Security. These scripts check if the firewall is on and which profile is active.
  • An electronic version of chapter 1. The link to this is currently broken. I will update the post as soon as I know what the link should be.
  • A very long (200 pages) Word document detailing the default security parameters for every built-in service in Windows Vista Ultimate. It has the ACL on the service as well as the process security parameters. I originally intended this as an appendix but it got too long.
  • WMI is essentially an object store that lets applications store all kinds of configuration information and lets other programs read that information using standard interfaces. While developing the group policy object (GPO) for the new Windows Firewall that is shown in the firewall chapter I needed a way to filter the GPO by operating system. WMI filters is a good way to do that, but to ensure that I had the right WMI data I wrote a little WMI script that dumps out all WMI data about the operating system. I figured you can use it to learn about what data WMI provides that you can leverage for other things, like GPO filtering.
  • The default Group Policy settings for User Account Control (UAC) leaves out one of the UAC settings: the one that controls whether a locally defined administrator gets a full or filtered token when connecting to the computer remotely. To enable that setting to be managed using Local Security Policy or Group Policy requires a new sceregvl.inf file. The UAC chapter discusses the setting and how to use this file to add it to the security policy tools.
  • A tool that enables you to launch a process elevated from a command line. You run "elevate <program> [program arguments]" and it will give you the standard elevation prompt. Since much of the code is reusable I also added the ability to run a process with low integrity with almost all the privileges stripped. Many programs won't work properly that way but I thought it was a nice way to test what will happen when you run them low.
  • One of my favorite utilities is the cmdhere.inf tool from the Windows 2000 Resource Kit. It puts a "command prompt here" command on the context menu for folders in Windows Explorer. However, with Vista cmdhere no longer works, and if you tweak it to work you get a non-elevated command prompt. Using the elevate tool, this little utility adds an "elevated command prompt here" item to the shortcut menu. Here is what it looks like:

Enjoy the tools, and the book!

Posted 11 July 2007 11:39 AM by jesper | 6 comment(s)
Filed under: ,
Blocking the Firefox -> IE 0-day

Thor Larholm, unhelpfully, published details on what he claims is a 0-day exploit for Internet Explorer (IE) yesterday. This exploit is actually for Firefox, but Thor exploited it by making IE launch Firefox.

Firefox creates three protocol handlers. A protocol handler is essentially a mapping from an Internet protocol, such as http, to an executable that handles that protocol. For instance, http may be mapped to "C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -url "%1" -requestPending".

Thor claims that a user can go to a web page that invokes a Firefox protocol handler with malicious arguments. In Thor's words: "When Internet Explorer encounters a reference to content inside the FirefoxURL URL scheme it calls ShellExecute with the EXE image path and passes the entire request URI without any input validation." Obviously, the problem here is most definitely not in IE. There is nothing in the protocol handler that informs IE how to perform input validation. IE's only responsibility is to take the parameters that are passed to the protocol and pass them on to the protocol handler, in this case Firefox. Firefox fails to properly validate the parameters, and any fix will have to come from Mozilla, not Microsoft.

A couple of comments on Thor's blog claim to have gotten the exploit to work, but I was unable to do so on either Windows XP SP2 or Vista. The proof of concept that Thor published is full of bugs and does not run at all. The little bit of time I spent fixing it resulted only in disabling the computer by making Firefox open thousands of new tabs. In any case, it seems a far better use of my time to block the exploit altogether than to try to exploit it. That turns out to be simply a matter of deleting the Firefox protocol handlers. To do that on a single computer, run these commands:

reg delete HKCR\FirefoxHTML /f
reg delete HKCR\FirefoxURL /f
reg delete HKCR\Firefox.URL /f

You can of course wrap those in a group policy script, and SMS package, or whatever other mechanism you desire to get them out to many machines. I wrote a couple of posts about how to roll out these kinds of fixes before, such as this one on blocking an ActiveX control vulnerability. The same technique can be used here to roll out this fix to thousands of machines by simply creating a batch file that is deployed as a startup script.

I do not know what these protocol handlers are used for or whether they are essential to the functionality of Firefox or not as I tend not to use Firefox very much. You may, however, want to restore them at some point. To create a backup you can run this command on any machine with Firefox installed:
reg export HKCR\<protocol name> backup<protocol>.reg

That will create a reg script that you can use to reimport the settings once Mozilla produces a patch to fix the problem. The other post I mentioned above shows how to roll that out with Group Policy.

UPDATE 11 July 2007

This may be unrelated - I have not had the time to investigate yet - but yesterday, after I removed the FirefoxHTML protocol handler I started having problems with Outlook. When I clicked on a link in a message I received the "This operation has been canceled due to restrictions in effect on this computer" error message. I realized there was some detritus left in the registry that listed FirefoxHTML as the first protocol handler to use for htm and html files. Deleting those entries solved the problem. I'd like to replicate this before I say for sure that it is related to deleting the protocol handler, but I thought I would throw it out there in case anyone else has seen it.

UPDATE 12 July 2007 - Whose problem is it really?

The debate still seems to be raging about whose problem it is. The Register had an interesting quote by Roger Thompson, CTO of Exploit Prevention Labs, where he reiterated the common mantra that "IE fails to properly validate the input before passing it along". I ask again, what is it that people want IE, or rather, urlmon.dll, which handles this invocation, to validate the input against? IE does NOT support any FirefoxURL protocol, and knows nothing about what a legitimate invocation of that protocol looks like. The argument could be made that IE should not permit quotes to be passed, but why would quotes be illegal in all custom protocols? The protocol handler provides no information to urlmon.dll on what a legitimate request looks like, and therefore, urlmon.dll has no ability to validate the input. In fact, this is documented: "the URL Protocol handler passes the complete URL string to the application registered in the command" [Registering an Application to a URL Protocol, MSDN Library]. It is quite clear really: IE does not validate the URL string, nor does it ever make any promise to do so. It passes the entire string on to the URL Protocol Handler via a call to ShellExecuteEx, if the application is registered using a simple URL protocol handler invocation.

It is clear from the documentation that it is incumbent upon the application to validate the URL string. If the application can accept, and process, dangerous commands through its protocol handler, as Firefox does, it is even more critical that the application take care to validate the URL before processing it. In fact urlmon.dll even provides such a way. To do so, you would use the asynchronous pluggable protocols API, as opposed to a simple URL protocol handler. The asynchronous pluggable protocols API is used to map a COM object implementing certain interfaces as the handler for a protocol, instead of just mapping the protocol to an executable. This results in a programmatic invocation through an API, which provides more security features. One of the interfaces, which the COM object can optionally implement, is the IInternetProtocolInfo::ParseUrl method that permits the handler to see and provide information back to urlmon.dll with respect to the URL. For instance, that method could be used to return information that causes urlmon.dll to consider the URL to be in the Restricted Sites Zone and put extra restrictions on it. Alternatively, the protocol handler can wait until IInternetProtocolRoot::Start gets called, again with the complete URL, and then validate it appropriately at that point. Since the entire URL is passed programmatically in the call to ::start there is no risk that it is interpreted as separate commands, and the handler now gets the ability to validate the input, with the result that multiple invocation problems are not possible. If there is a chance that the URL can contain escaped characters this is a far safer option than the very simple URL protocol handler that Firefox implements currently.

Posted 10 July 2007 08:55 AM by jesper | 26 comment(s)
Filed under: , ,
WSUS is Like A Box of Chocolates

Windows Software Update Services (WSUS) is one of the more entertaining products Microsoft has created, if by entertaining you mean trying to put logic behind the installation of some relevant subset of 4,381 updates (today's total).

WSUS 3.0 has been out for a while now, and was supposed to work well together with the built-in Windows Update in Windows Vista. But, the combo seems to require a fair bit of work still. For over a month now, I have been offered the Windows Live Toolbar 3.01 Critical Update on one of my systems. If I install it, the computer soon nags me to install it again. How many times do you really need to install this update before it finally takes? Apparently more than the 16 times I've done it in the past 24 hours:

What will it take before WU/WSUS decides it is there? Evidently 16 installs was not enough because it just offered it again. It must be 17... Nope. 18? ...

But, the fun with WSUS does not stop there. A few years ago some of us remember Windows Update offering the Critical Update offered so that the Snow White and the Seven Dwarves game would play correctly. I suppose for some subset of parents who let their children play such things, and senior management at Disney, that update really was critical. For the rest of us, the criticality of that particular patch was somewhat lower.

This morning, WSUS surprised  me again. It just offered Network Monitor 3.1, to all computers. Now, personally, I really like Network Monitor 3. It is a vast upgrade over previous versions, and if you are into analyzing packet traces, you really ought to try it. It was just quite surprising to see it offered on WSUS. Because I was intending to install netmon anyway I decided to accept it. I'm not sure whether that is why my Vista machine just blue screened or not, but it did. During the install process the computer hung. Then the screen went black. I hit the power button to see if sleep would work as I have found that sometimes clears things. After spinning for about 30 seconds the blue screen appeared, reporting an internal power failure. I'm about to try it again. Wish me luck!

WSUS is a nearly endless source of entertainment. You never quite know what your are going to get offered. If it could only offer the Hold 'Em Poker game it would truly be endless.

Posted 06 July 2007 07:04 AM by jesper | 8 comment(s)
Filed under:
Unified Hardening Guidance for the U.S. Government

All U.S. Government computers are finally required to conform to one of two configurations. White House Memo M-07-11, further clarified in M-07-18 directs all government agencies to use a single hardening guide. M-07-18 clarifies that it is to be the NIST guide.

Overall, this is welcome news. The agencies finally will have an argument against the army of Nessus-armed "auditors" they have been battling with for years. Finally, they can point to something when said "auditor" claims they would be negligent unless they replace Everyone with Authenticated Users throughout the file system, and disable the netlogon service. 

Of course, there is one thing that bothers me a bit. There are only two levels in the NIST guide. The Enterprise level (let's hope that's what they all chose to use) and the Specialized Security Limited Functionality (SSLF) level. Notwithstanding the warnings about the SSLF level breaking things, it is a sure bet the "auditors" will demand that it be used throughout. Whether a system is embedded Windows running a gas pump at Baghram Air Force Base, or the receptionist's computer at the Bureau of Indian Affairs office in Winnebago, or a signals processing computer in one of the unmentionable intelligence agencies, you can bet that the report will require the SSLF configuration. That's a battle that still remains.

Still, this really is a good thing all around. The U.S. Government today has hundreds, if not thousands, of configurations, and lose thousands, if not hundreds of thousands, of computers every year to unsupportable security settings and attacks that were successful because of bad settings. It is also a dream come true for Microsoft, which can now focus support for the largest set of customers it has on two well-defined configurations. It also is wonderful to see recommended language in M-07-18 that specifies that users should run with least privilege and sets requirements on applications for how they should work. Finally, two of the biggest sources of security headaches have a mandate to be fixed.

The only thing one might wish now is that the Vista Security Guide were cleaned up a bit. For instance, the settings which do not exist on Vista could be removed. That would mean we finally have a government configuration that makes sense.

Posted 03 July 2007 05:51 PM by jesper | 4 comment(s)
Filed under: ,
Show the Owner of a File

In my most recent article in TechNet Magazine I wrote:

Unfortunately, icacls.exe can’t show you the owner of an object. There is no way to actually see, from the command line, who the owner of an object is. Furthermore, if you save the ACL for an object, it does not save the owner of the object.

As an author, I really hate it when, no matter how many times I seem to edit things, a statement that is unclear still slips through unchecked. The statement, as written, seems to indicate that there are no command line tools, in the universe of command line tools, that can show the owner of an object. Not only is that not the case, it wouldn't take more than a few lines of code to produce one. What I, unsuccessfully, was trying to say was this:

Unfortunately, icacls.exe can’t show you the owner of an object. There are, of course, other tools that can do that, including DIR /Q, but it would have been logical for icacls to include the ability to show who the owner of an object is. Furthermore, if you save the ACL for an object, it does not save the owner of the object.

As I said, there is DIR /Q, which is built in. There are also others that can do this:

  • My favorite tool: subinacl /file notepad.exe /display=owner
  • Chad pointed me to fileacl c:\test /owner

There are probably a lot more, but all I really want is for one tool to do it all (with a slightly less obscure syntax than subinacl, and built in).

The book, from which this article is an excerpt, is a bit clearer on this point, but I wish I had thought to clarify it further from the outset. Sorry about the confusion.

Posted 02 July 2007 04:36 PM by jesper | 1 comment(s)
Filed under: ,
It's been a month already?

It has really been a month since my last post. I will try not to let it go that far between them again. I've been busy with diving, and writing. On that note, my second Access Control List (ACL) article came out in TechNet Magazine this week. It is the second article excerpted from the Windows Vista Security book that Roger Grimes and I wrote. The book will be out tomorrow, according to Amazon. In fact, it lists as in stock today.

 I also have a very cool project in the works that I will talk about as soon as all the details are firmed up. I'm very excited about it though.

And, I took a neat picture of a Rockfish. Well, it is neat if you consider that it was taken in Puget Sound, in the summer, with sub-8 foot visibility, with natural light. Considering all that it is a spectacular shot.

Posted 01 July 2007 03:02 PM by jesper | 1 comment(s)
Filed under: ,