Friday, January 28, 2011

Microsoft Security Advisory 2501696 and Fix it


Microsoft released Security Advisory 2501696 which relates to a publicly disclosed vulnerability in the MHTML protocol handler. The vulnerability affects all current versions of Windows except Server Core.  Because this is a Windows vulnerability, the version of IE is not relevant.  The vulnerability could allow an attacker to cause a victim to run malicious scripts when visiting various Web sites, resulting in information disclosure.

The recommendations in the Security Advisory are two-fold.  I added a third recommendation, which is to disable ActiveX with WinPatrol.

1.  Enable the MHTML protocol lockdown, which can be accomplished via the Microsoft Fix It in Microsoft KB Article 2501696. When a security update is released, undo the lockdown of MHTML.
2. Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones.  To raise the browsing security level in Internet Explorer, follow these steps:
  • Launch Internet Explorer and select the Tools menu and click Internet Options.
  • Under Internet Options, select the Security tab and then click the Internet icon.
  • Under Security level for this zone, move the slider to High.  (This sets the security level for all Web sites to High.)
Note:  If no slider is visible, click Default Level and then move the slider to High.

Use WinPatrol to disable ActiveX

ActiveX can be disabled with WinPatrol.  By default, only those controls used by Internet Explorer are displayed. WinPatrol disables an ActiveX control by setting its "kill bit" in the Windows registry. Disabling a control does not delete any files from your system, and you can re-enable a killed control at any time in the future.

References:





Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Thursday, January 27, 2011

Data Privacy

Data Privacy Day is "an international celebration of the dignity of the individual expressed through personal information."

There is no doubt that we have evolved into a digital society. Whether it is via a traditional laptop or desktop computer or a mobile device, we are seldom far from being connected to the Internet.

Computers surround our everyday lives. When we make a credit card purchase, the information is transmitted over the Internet.  Computers are an integral part of the airline reservation services we use to schedule a family holiday.  If we need to contact our local police or fire department, they access directions to our home via a computer.

Much of our personal information is stored on computers.  The information contained in our medical, insurance, pharmacy, employment and school records, bank and credit reports, and tax and government data provides not only a story of our life but also a key to our identity.

There is more to online privacy than personal records.  Consider the following activities:
  • Information searches
  • Browsing online for products and services
  • Information shared with friends on social networking sites
  • Travel and location information with location-enabled Smartphone applications

As you carry out any of the above online activities, information is stored on your computer. This information is potentially available for data collection and manipulation, resulting in targeted advertisements. Advertisements are a "necessary evil": maintaining websites is not cost free, hence the need for the subsidy that advertisers provide to website owners. Although many free and licensed applications and browser add-ons have been created to block or remove what are commonly referred to as tracking cookies, other means of tracking website visits have evolved.


The Future

Largely due to a year-long study by the Federal Trade Commission (FTC), a lot of attention has been devoted to online privacy. On December 1, 2010, the FTC released a preliminary report entitled "Protecting Consumer Privacy in an Era of Rapid Change". The one hundred twenty-two (122) page PDF file is available for download at http://www.ftc.gov/os/2010/12/101201privacyreport.pdf. Briefly, the FTC report provides a broad framework centered on three concepts: privacy by design, simplified choice, and greater transparency.

Within days of the FTC report, the Microsoft Internet Explorer 9 team announced tracking protection for inclusion in the Internet Explorer 9 Release Candidate. Both privacy advocates and consumers alike will see this as a major step forward to providing additional online privacy.

IE9 and Privacy: Introducing Tracking Protection
  • Opt-in “Tracking Protection” to identify and block many forms of undesired tracking.
  • “Tracking Protection Lists” to enable control of the third-party site content that can be tracked when online.

With Tracking Protection in Internet Explorer 9 (IE9), you will have control of what data is shared as you navigate from one website to another.  This is accomplished by adding Tracking Protection Lists (TPL) to Internet Explorer. Anyone, and any organization, on the Web can create and publish Tracking Protection Lists.

Although the default installation of IE9 will not include any Tracking Protection Lists (TPL), you will be able to add lists created by others.  In effect, a list provides a "Do Not Call" indicator for external content, which applies unless you visit those sites directly. A TPL can also include "OK to Call" addresses, which ensure you can still access those sites even if another list you have installed marks them "Do Not Call."  Tracking Protection is off by default; once you turn it on, it stays on until you turn it off.

The process of change is not simple.  Realize that it will be ongoing.  As a postscript to the IE Blog article "IE9 and Privacy: Introducing Tracking Protection", Dean Hachamovitch, Corporate Vice President, Internet Explorer, added:

"One aspect of the larger tracking discussion involves a change to “HTTP headers.” The key thing to note is that such a change is the start but only part of delivering tracking protection. It is a signal to the web site of the consumer’s preferences. The rest of that solution (defining what that signal from the consumer means, what to do with it, verification, enforcement, etc.) is still under construction."

Mozilla Firefox "Do Not Track"

Last week, Mozilla announced “Do Not Track”.  The concept is to provide a way for people to opt out of online behavioral advertising (OBA) by transmitting a Do Not Track HTTP header with every request their browser makes to the Web. This header notifies the website that the visitor wants to opt out of third-party tracking for behavioral advertising.  When the feature is enabled, Firefox tells advertising networks that the user has asked to opt out of behavioral advertising.

As indicated in the Mozilla announcement, the "initial proposal does not represent a complete solution" but rather is one step to see if the header approach can work.  The goal is to provide a more nuanced, persistent tool for communicating privacy choices on the web.  Do Not Track (DNT) is expected to be introduced in version 4.1.

More information is available in the MozillaWiki FAQ: Privacy/Jan2011 DoNotTrack FAQ


Today

The Internet Explorer 9 tracking protection will provide a viable option for protecting your privacy. I expect that the other browsers will provide similar methods of providing tracking protection in future releases. In the meantime, there are other options available for protecting your privacy. In the following segments are instructions for restricting tracking cookies as well as examples of options and a few of the available browser extensions for managing DOM Storage and Flash Cookies. Also included are browser settings for private browsing sessions.

Cookies


There are considerations when blocking cookies.  Keep in mind that not all cookies are tracking your every move.  As a simple example, website logon cookies remember pages read. Also, note that cookies cannot be used to run code (run programs) or to deliver viruses to your computer.

Session Cookies are also useful. Some websites require session cookies to track your movements on the site. Without the session cookies, you would repeatedly be asked for the same information already provided.  As an example, session cookies are used when shopping online to remember items placed in a shopping cart.  Without the session cookies, the shopping basket would disappear before you reach the checkout.  Session cookies are stored in memory, not on the hard drive. They expire when the browser is closed.

Third-party Cookies
are cookies that are set by one site, but can be read by another site.  This enables advertisers that use third-party cookies to track your visits to the websites on which they advertise. With third-party cookies, your web surfing habits are logged, allowing advertisers to tailor advertisements to your interests.
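To make the two ideas above concrete (what makes a request, and therefore its cookie, third-party, and how a Tracking Protection List's "Do Not Call" and "OK to Call" entries apply only to such requests), here is an added JavaScript example that is not part of the original post and not IE9's own code. It assumes the msFilterList text syntax for TPLs (`-d` block rules, `+d` allow rules, `#` comments, `:` directives) and approximates a "site" by the last two host labels, where a real browser would consult the Public Suffix List; the list and URLs are constructed.

```javascript
// Added example, not from the original post: decide whether IE9-style
// Tracking Protection would block a request, and whether a request (and
// any cookie it sets) is third-party. Runs under Node.js; no network use.

// Approximate the "site" of a host by its last two labels.
// Assumption/simplification: real browsers use the Public Suffix List
// (so that "co.uk" is not treated as a site); enough for illustration.
function siteOf(hostname) {
  const labels = hostname.toLowerCase().split(".").filter(Boolean);
  return labels.slice(-2).join(".");
}

// A request is third-party when its site differs from the page's site.
// Cookies set on such requests are the "third-party cookies" discussed above.
function isThirdParty(pageUrl, requestUrl) {
  return siteOf(new URL(pageUrl).hostname) !== siteOf(new URL(requestUrl).hostname);
}

// Parse TPL text (assumed msFilterList syntax) into allow and block rules.
//   "-d host [substring]"  block content from host and its subdomains
//   "+d host [substring]"  allow it ("OK to Call"), overriding block rules
//   "#" comment, ":" directive such as ": Expires=7"
function parseTpl(text) {
  const rules = { allow: [], block: [] };
  const lines = text.split(/\r?\n/);
  if (lines.length === 0 || lines[0].trim() !== "msFilterList") {
    throw new Error("not a TPL: missing msFilterList header");
  }
  for (const raw of lines.slice(1)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#") || line.startsWith(":")) continue;
    const m = /^([+-])d\s+(\S+)(?:\s+(\S+))?$/.exec(line);
    if (!m) continue; // substring-only rules are out of scope for this example
    const rule = { domain: m[2].toLowerCase(), substring: m[3] || "" };
    (m[1] === "+" ? rules.allow : rules.block).push(rule);
  }
  return rules;
}

// "-d example.test" covers example.test and every subdomain of it.
function domainMatches(hostname, domain) {
  const h = hostname.toLowerCase();
  return h === domain || h.endsWith("." + domain);
}

function ruleMatches(rule, url) {
  if (!domainMatches(url.hostname, rule.domain)) return false;
  return rule.substring === "" || (url.pathname + url.search).includes(rule.substring);
}

// First-party requests are never blocked (you "visit those sites directly");
// for third-party requests an allow rule wins over any block rule.
function shouldBlock(rules, pageUrl, requestUrl) {
  if (!isThirdParty(pageUrl, requestUrl)) return false;
  const url = new URL(requestUrl);
  if (rules.allow.some((r) => ruleMatches(r, url))) return false;
  return rules.block.some((r) => ruleMatches(r, url));
}

// Constructed sample list; the hosts are placeholders, not real trackers.
const SAMPLE_TPL = `msFilterList
: Expires=7
# constructed example list
-d tracker.example
-d widgets.example /beacon
+d cdn.widgets.example
`;

const SAMPLE_RULES = parseTpl(SAMPLE_TPL);

// Walk a set of requests made while viewing one page.
function demo() {
  const page = "https://news.example/article";
  return {
    firstParty:  shouldBlock(SAMPLE_RULES, page, "https://static.news.example/app.js"),
    tracker:     shouldBlock(SAMPLE_RULES, page, "https://pixel.tracker.example/p.gif"),
    directVisit: shouldBlock(SAMPLE_RULES, "https://tracker.example/", "https://tracker.example/p.gif"),
    beacon:      shouldBlock(SAMPLE_RULES, page, "https://widgets.example/beacon?id=1"),
    widgetCss:   shouldBlock(SAMPLE_RULES, page, "https://widgets.example/style.css"),
    okToCall:    shouldBlock(SAMPLE_RULES, page, "https://cdn.widgets.example/beacon.js"),
  };
}

console.log(demo());
```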

What if you do not want to be tracked?


The Network Advertising Initiative (NAI) provides a system for opting out of popular ad networks. The Network Advertising Initiative tool identifies the member companies that have placed an advertising cookie on your computer. Using the NAI tool is simple. Merely choose the provided option to Select All member companies, or check the specific boxes that correspond to the company or companies from which you wish to opt out. After you click the Submit button, the tool will automatically replace the selected advertising cookie(s) and verify your opt-out status.

TrackBlocker is a Firefox extension provided by PrivacyChoice.org. The extension not only blocks cookie tracking by over 200 ad companies, it also deletes Flash cookies from these companies.

Most web browsers have a feature in their settings that lets you disable cookies from third-party websites. Shown below are the instructions for the setting to block tracking cookies for the major web browsers.

To block third-party cookies in Internet Explorer, do the following steps:
  • Launch Internet Explorer and select the Tools menu
  • Click Internet Options, click Privacy, and then click Advanced.
  • Check the box next to Override automatic cookie handling
  • Check the option to Block in the Third-party Cookies column.
  • Click OK.

Firefox also has the option to block third-party cookies.  The steps include:
  • Launch Firefox and click the Tools menu
  • Select Options and Privacy
  • Uncheck the option to Accept third-party cookies.

Google Chrome allows all cookies by default.  Below are the steps for changing the default settings:
  • Launch Google Chrome and click the Tools menu
  • Select Options.
  • Click the Under the Bonnet tab and locate the Privacy section
  • Choose the Content settings button.
  • Click the Cookie settings tab and choose your preferred settings.
  • Click Close.

Google Chrome also now offers the recently announced Keep My Opt-Outs extension.  The extension lets users opt out of cookies that are used for personalized online ads. Note, however, that a small percentage of personalized ads also come from companies that do not yet participate in self-regulatory efforts, so do not expect perfection.

Safari has similar instructions as the other browsers:
  • Launch Safari and go to Preferences and then click the Security tab
  • Click the Show Cookies button
  • Click the radio button for the option Only from sites I visit (Block cookies from third parties and advertisers).

The terminology used by Opera is similar to Safari's.
  • Launch Opera and press CTRL+F12 to open the Opera Preferences menu.
  • Select the Advanced Tab
  • Select Cookies from the left sidebar menu.
  • Select Accept cookies only from the site I visit to disable third-party cookies.

Opera also has the option to disable “referrer logging”, which allows a website to know what site you were previously visiting. Some sites depend on referrer logging to work correctly. If you elect to disable referrer logging in Opera, it can be done through Settings > Preferences > Advanced > Network. Uncheck Send referrer information.

DOM Storage


Although we generally associate the term cookie with data stored by websites we visit, DOM Storage does not store cookies per se. Rather, DOM storage is per-session or domain-specific data. It is easier to control how information stored in one window is visible to another with DOM Storage. (According to W3C, officially, the term is Web Storage but the common term is DOM for Document Object Model.)

DOM Storage consists of two primary parts, Session Storage and Local Storage. In Session Storage, any data input is stored for the duration of the session; thus, if a new tab is opened, the session data from the original tab is made available to the new tab. Conversely, Local Storage spans multiple windows and persists beyond the current session. Local Storage allows Web applications to store up to 10 MB of user data, which could include data stored offline for later reading.

Disable DOM Storage

It is easy to disable DOM storage in both Internet Explorer and Firefox by following the simple instructions below. It is important to note, however, that some sites (e.g., CNN) may not work correctly with DOM storage disabled.

Internet Explorer
  • Launch Internet Explorer and open the Tools Menu
  • Select Internet Options
  • Click the Advanced tab
  • Scroll down until you reach Security
  • Uncheck the box for Enable DOM Storage
  • Click Ok

Firefox


A simple way to disable DOM Storage in Firefox is with the extension, Better Privacy. To make the change manually, do the following:
  • Launch Firefox and type about:config in the address bar
  • In response to the warning, click I'll be careful, I promise!
  • Scroll down until you reach dom.storage.enabled or copy/paste dom.storage.enabled in the filter
  • Double-click the dom.storage.enabled line item and it will change from its default value True to False
  • Close the about:config tab

To undo the change to Internet Explorer or Firefox, simply reverse the above steps.

Recently, the NotScripts extension for Google Chrome was released. At present it is necessary to create a password when using the extension, and also to change some other settings back to their defaults. The Opera and Safari browsers use DOM storage but, at this point, neither appears to provide a means of disabling it.

Flash Cookies


Blocking all or just third-party cookies and clearing browser history does not remove another form of cookie: Flash cookies. Flash cookies are also known as local shared objects (LSOs) or super cookies. Because Flash cookies are not as well known as HTTP cookies, they give advertisers an additional advantage for tracking and targeted advertising. The same properties that make Flash cookies attractive to advertisers are exactly what makes them a hazard to your online privacy.

A partial list of Flash cookie/LSO properties includes:
  • Unlike HTTP cookies, Flash cookies never expire.
  • HTTP cookies are limited to 4 KB, compared to the default storage allowance of 100 KB for LSOs.
  • Browsers provide control mechanisms for HTTP cookies, which is not generally the case for LSOs.
  • Highly specific personal and technical information (including system and user name) can be stored via Flash.
  • The stored information can be sent to the appropriate server without permission.
  • There is no easy way to monitor sites following you with Flash cookies.
  • LSOs work in every Flash-enabled application, thus allowing cross-browser tracking via the shared folders.

Considering the complexity of Flash cookies, the question in your mind most likely is how to control or remove them from your computer. Below are a few options for consideration.

Adobe provides an On-line Settings Manager, illustrated below, to configure Flash Player settings. To use the tool, you need to go to the Adobe Website Storage Settings panel to make the changes to the settings. Although the changes are made via the on-line manager, the settings are only stored on your computer. I have discovered that the Adobe On-line Settings Manager version has changed several times. As a result, it has been necessary after a Flash Player update to revisit the site to verify the settings.


For on-line game players, note that Flash cookies are used to save a game in progress. In that case, you will want to add an exception to the on-line game site.

The Taco plug-in is available for both Internet Explorer and Firefox. It helps manage and delete standard cookies as well as Flash and DOM Storage Cookies. The plug-in also lets you see who is trying to follow your online movements and helps you decline targeted ads from more than 100 ad networks.
Firefox users have the option of using the BetterPrivacy or Flashblock extension.

Flashblock blocks all Flash content from loading. It then leaves placeholders on the webpage. With that method, if you wish to view the Flash content, you can click to download and then view it.
The BetterPrivacy extension manages Flash Cookies by removing them on every browser exit. It also provides the capability of reviewing, protecting or deleting new Flash-cookies individually. If desired, the automatic functions can be disabled. BetterPrivacy also protects against the previously discussed DOM Storage.

Private Browsing


Private browsing options are available for occasions when you do not want to leave evidence of your browsing or search history. When surfing at an Internet Café or unsecured Wi-Fi location, this feature is recommended to protect not only your privacy but also security should it be necessary to access a banking or similar secure site.


Internet Explorer
Internet Explorer 8 and Internet Explorer 9 provide several easy ways to start InPrivate Browsing. The feature is available from the Safety menu, by pressing CTRL+Shift+P, or from the New Tab page. Any of those actions will result in launching a new browser session that will not record any information, including searches or website visits. Closing the browser window will end the InPrivate Browsing session.
Note: InPrivate Browsing is not available in earlier versions of Internet Explorer.

Firefox


To access Private Browsing in Firefox, click on the Tools menu and select Start Private Browsing or key CTRL+Shift+P. To end Private Browsing, reverse the process by clicking on the Tools menu and selecting Stop Private Browsing.

Google Chrome

Private browsing in Google Chrome is called Incognito mode. To turn on Incognito mode, from the Tools menu, select New incognito window or key CTRL+SHIFT+N. To stop browsing in Incognito mode, close the Chrome window.

Opera

Opera provides the option of launching either a private tab or window. Any new tab opened in a private window is a Private Tab. Browsing history is removed when the tab or window is closed. Click the red O in the upper, left corner and select Tabs and Windows | New Private Tab or Tabs and Windows | New Private Window. This feature is also available from the File menu on the menu bar.

Finally

It is apparent that there is a long way to go toward online privacy before the tenets proposed in the FTC draft report are accomplished.  Internet Explorer 9 is taking a step forward in design with tracking protection, as is Mozilla Firefox.  I anticipate that the other browsers will follow with something similar. A simplified choice and an easier method of changing the settings are needed. Beyond that, and more importantly, a clear understanding of the information advertisers are collecting is needed in order to make informed decisions about what information to allow or block.




Tuesday, January 25, 2011

Facebook Privacy "Instant Personalization"

You may not realize what information you are sharing from Facebook when you visit the current partner sites Bing, TripAdvisor, Clicker, Rotten Tomatoes, Docs, Pandora, Yelp, and Scribd.  The information includes your name, profile picture, gender, networks, and any other information shared with everyone.  The concept is to provide a "personalized experience" at the partner sites, i.e., results targeted at your public information in Facebook.

Facebook assures members that with "instant personalization"
  • Participating sites will provide a notification and a way to turn off the customized experience in one click.
  • Your information can only be used to present you with a more personalized experience and cannot be transferred to advertisers or used for any other purposes.
What happens when you allow "instant personalization"?  According to the Facebook description, you will see your Facebook friends' reviews (favorites) first when you search for a movie, or your favorite songs will play automatically when you visit a music site.  I don't consider that "personalization" but rather an invasion of privacy.

To check the settings for instant personalization, do the following:
  • When logged on to Facebook, click Account then click Privacy Settings.
  • Under Apps and Websites, click the "Edit your settings" link.
  • Go down the list to Instant personalization and click the Edit Settings button.
  • Don't be surprised when presented with a video telling you about the Instant personalization features.  To access the page, click the close button on the video.
  • After closing the video, the option to manage the Instant personalization setting is at the bottom of the page.  The box next to "Enable instant personalization on partner websites" should be UNchecked.

Facebook Information:



Saturday, January 22, 2011

Microsoft Fix It Available to Uninstall Office Suites


There are occasions when it is not possible to uninstall Microsoft Office products with the standard uninstaller in Control Panel.  In other situations, the installation of a Microsoft Office suite did not complete, leaving a corrupt installation.

The first step to removing the Microsoft office suite is to verify that using the standard procedure will not work.  Select the correct steps from below for your operating system:

Windows XP or Windows Server 2003

  1. Click Start, click Run, type control appwiz.cpl in the Open box, and then press ENTER.
  2. Click to select the Office system product from the application list, and then click Remove.

Windows Vista and Windows 7

  1. Click Start, type programs and features in the Search box, and then press ENTER.
  2. Click to select the product to be uninstalled from the listing of installed products, and then click Uninstall/Change from the bar that displays the available tasks.
In the event you are still unable to remove the Office suite, continue with the steps below to run the Microsoft Fix It solution.

Notes:
  1. The Fix It solutions will not remove any Office program that was installed separately from the Office suite (e.g., with both Microsoft Office Professional 2007 and Microsoft Office Visio 2007 installed, only Microsoft Office Professional 2007 will be removed).

  2. Select the appropriate Microsoft Fix It solution for the version of Office to be uninstalled. 

    • Windows 32-bit operating systems:  Click Run in the File Download dialog box, and then follow the steps in the Fix it wizard.
    • Windows 64-bit operating systems:  The solution will not work correctly if you try to run the Fix It directly from the article.  Download and save the Fix It solution to your desktop.  Then double-click the saved file and run it on your computer.
     
  3. After running the Fix It solution, restart the computer.

Microsoft Office 2003: Microsoft Fix it 50416

Microsoft Office 2007

Microsoft Office 2010
Note: The Fix it solution for Microsoft Office 2010 suites will remove all Office 2010 editions. This includes all Office 2010 trial editions.

Reference
Microsoft KB Article 290301, How do I uninstall Office 2003, Office 2007 or Office 2010 suites if I cannot uninstall it from Control Panel?




Saturday, January 15, 2011

Leaked "Official" Windows 7 Service Pack 1

It has been reported at several sites that the final Release to Manufacturing (RTM) bits of both Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1 are in the wild.  A popular support forum posted that they have the SP available for download, stating that they:
"can confirm, with accuracy, that this is the final, official, digitally signed version of Windows 7 Service Pack 1 which has been scheduled for imminent release to manufacturers (RTM), but has not yet appeared on Windows Update."
Whether due to the popularity of people anxious to be among the first to get the final SP release or other issues, the site appears to have been having stability problems, with regular outages.  Even when the site has loaded over the past couple of days, it has taken a long time and often only partially loads.
Edit Note:  I have just discovered that yet another popular site has the information posted.  This download link is hosted on another P2P site.  My advice:  Don't do it!  Wait for the release by Microsoft to Windows Update.

Warnings:
• First and foremost, it is never recommended to download Microsoft software from any site other than directly from Microsoft.
• Second, the SP download being offered by the aforementioned site (no, I will not provide a link to the site) is being provided via uTorrent, a popular P2P (peer to peer) program.

  With P2P file sharing, what means do you have of identifying or authenticating the source of the download? In addition, a file can be distributed among many hosts, and peers will provide for download the sections that they have already downloaded. This results in the distinct possibility of a distribution method in which malicious bits are mixed with good files.
• Third, a Service Pack is essentially a collection of security and software fixes and enhancements for the operating system. Before a Service Pack is offered via Windows Update, your computer will be checked for missing prerequisites.  Installing the SP without the necessary prerequisites can result in a seriously damaged operating system, requiring a complete reinstall.
Why anyone would want to jeopardize the security and stability of their computer by installing software from an unauthorized source is beyond me.  A non-Microsoft site merely saying the download is "Digitally Signed by Microsoft Corporation" does not make it so, nor does it mean the download is safe.

Be smart. Wait for the official release from Microsoft on Windows Update.






Wednesday, January 12, 2011

Microsoft Fix it Available for Security Advisory 2488013

Microsoft released a Microsoft Fix it solution that uses the Windows Application Compatibility Toolkit to provide protection from the vulnerability in Security Advisory 2488013, for which exploit code is available.  This workaround only applies if the MS10-090 update for Internet Explorer is installed.  If MS10-090 has not been installed on your computer, it can be obtained from here.

Important Note:
Prior to 10:30 PM Pacific Time, 1/11/2011, the Fix it links in the KB Article incorrectly pointed to the Fix it for KB2490606 (information provided here). If you installed Fix it 50590 prior to that time, you should install the Fix it using the current link in KB 2488013.

This vulnerability affects Internet Explorer 6, 7 and 8 on 32- and 64-bit Windows XP, Windows Vista and Windows 7 as well as Windows Server 2008 R2.

Fix it solution for recursive cascading style sheets
The Microsoft Fix it solution adds a check for whether a cascading style sheet is about to be loaded recursively. If so, the Fix it solution cancels the loading of that style sheet. This Fix it solution takes advantage of a feature that is typically used for application compatibility fixes and can modify the instructions of a specific binary when it is loaded.

To enable or disable this Fix it solution, click the Fix it button or link under the Enable heading or under the Disable heading. Click Run in the File Download dialog box, and then follow the steps in the Fix it Wizard.

Note:  In addition to the requirement that the MS10-090 update for Internet Explorer be installed, this Fix it solution must be manually uninstalled before you apply a future Cumulative Security Update for Internet Explorer that contains a software fix for this vulnerability.

Enable:  Microsoft Fix it 50591
Disable: Microsoft Fix it 50592

Additional details about the Fix it solution are available in the Security Research & Defense Blog at New workaround included in Security Advisory 2488013.










Tuesday, January 11, 2011

Security Bulletin Release for January, 2011

Microsoft released two (2) bulletins addressing three (3) vulnerabilities in Microsoft Windows and Windows Server.  MS11-001 has an Important rating and MS11-002 is rated Critical.

Following is the description from the MSRC Blog of the two bulletins.  A complete description of all the bulletins is available in the TechNet Bulletin Summary linked below.
• MS11-001. This bulletin resolves one reported issue rated Important and affecting Windows Vista. This security bulletin addresses a vulnerability in Windows Backup Manager. This has an Exploitability Index rating of 1, and gets a 2 on our deployment priority list.
• MS11-002. This bulletin addresses two vulnerabilities affecting all supported versions of Windows. The first vulnerability is rated Critical for Windows XP, Vista and Windows 7 and the second rated Important for all supported versions of Windows Server. It involves the Microsoft Data Access Components (MDAC). This has an Exploitability Index rating of 1, and because there is a web based attack vector, this is at the top of our deployment priority list.

Microsoft also released an updated Malicious Software Removal Tool this month.

For complete details, see the references listed below.


References:





Sunday, January 09, 2011

Assessing the risk of public issues currently being tracked by the MSRC

To help clear up confusion regarding public issues being tracked by the Microsoft Security Research & Defense team, the table below was published at the MSRC Blog.

The risk from these vulnerabilities can be mitigated by applying the listed workarounds.

    Issue: Internet Explorer 6/7/8 vulnerability in recursive style sheet importing. (CVE-2010-3971)
    Status: Public, exploit code is available. We are seeing limited exploitation.
    Mitigation: As listed in Security Advisory #2488013, EMET is an effective mitigation tool. Anti-virus and IDS/IPS signatures developed by our MAPP partners for this issue have also been quite effective at detecting and blocking attacks.

    Issue: Windows graphics rendering engine vulnerability in parsing BMP thumbnails embedded within an OLESS document container. (CVE-2010-3970)
    Status: Public exploit code was posted this week. Proof-of-concept code we have seen so far requires a user to browse to an attacker-writable folder using Windows Explorer. If Explorer is set to display thumbnails or a preview of contained files (neither setting is the default), the chance of code execution exists. Current proof-of-concept code is not successful when Explorer is set to display files in the default List mode.
    Mitigation: As listed in Security Advisory #2490606, modify the Access Control List on shimgvw.dll. The advisory also lists a one-click FixIt to automate this configuration change.

    Issue: IIS 7.0 and 7.5 FTP service vulnerability in encoding Telnet IAC (Interpret As Command) characters in the FTP response. (SRD blog post)
    Status: As discussed in this SRD blog post, attempts to exploit this vulnerability would most likely result in a Denial-of-Service. We have not seen attempts to exploit this vulnerability for code execution.
    Mitigation: The FTP service is not installed by default with IIS 7 or IIS 7.5. And when it is installed, it is not enabled by default. If you have enabled IIS FTP service, consider disabling it, if possible, until a security update is available.

    Issue: Internet Explorer fuzzer released publicly capable of hitting Internet Explorer crashes.
    Status: A fuzzer for various browsers was released, as well as information on a crash that shows a potentially exploitable condition. While the fuzzer is successful in encountering exploitable memory corruption issues in Internet Explorer, we have been unable so far to turn a crash into a stand-alone HTML page that could be used as a browse-and-own exploit. Encountering the issues appears dependent on first loading many previous iterations of HTML in the fuzzer, making the issues we have discovered so far less useful for the purpose of real-world attacks. We are still investigating this issue and will monitor for any developments that may change the current risk.
    Mitigation: Unable to make an assessment at this time without stand-alone PoC. However, we are working on a security update to address the issues found in fuzzing.

    Issue: WMI Administrative Tools ActiveX control vulnerability.
    Status: Only the very few customers who have installed the WMI Administrative Toolkit are vulnerable to this issue. This product has a small number of total downloads. The ActiveX control itself is not signed by Microsoft. This is not a case where an attacker can host a Microsoft-signed ActiveX control and entice the user to make one click to allow it to install. The real-world risk to most customers from this issue is expected to be quite low.
    Mitigation: This ActiveX control can be killbitted to protect any machines that have installed the WMI Administrative Toolkit. The affected ActiveX control was not intended to be instantiated within Internet Explorer so legitimate use of the WMI Administrative Toolkit should not be impacted by this configuration change. The attached .txt file, if renamed to .reg and opened, will apply the killbit to the affected clsid's.


    Source:  Assessing the risk of public issues currently being tracked by the MSRC
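    The "killbit" mentioned for the WMI Administrative Tools control (and the kill-bit that WinPatrol toggles) is a flag in the registry: Internet Explorer refuses to instantiate any control whose "Compatibility Flags" value under the ActiveX Compatibility key has bit 0x400 set. The PowerShell below is an added example, not code from the MSRC post or from Security Garden. It sets the flag for a list of CLSIDs, verifies it, and can clear it again once a security update ships. The CLSID it contains is a constructed placeholder; the real CLSIDs for the affected control are in the .reg file attached to the MSRC post, which is not reproduced here.

```powershell
# Added example (not from the MSRC post or Security Garden): set, verify and
# clear the Internet Explorer ActiveX kill bit for a list of CLSIDs.
# Run from an elevated PowerShell prompt; the keys live under HKLM.

$KillBitFlag = 0x400    # COMPAT_EVIL_DONT_LOAD: IE will not load the control

# On 64-bit Windows the 32-bit IE reads the Wow6432Node view, so both
# locations are handled when they exist on the machine.
$BaseKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
) | Where-Object { Test-Path $_ }

function Get-CompatFlags {
    # Current "Compatibility Flags" DWORD for a CLSID key, or 0 if absent.
    param([Parameter(Mandatory)][string]$Key)
    $item = Get-ItemProperty -Path $Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.'Compatibility Flags'
}

function Test-KillBit {
    # $true only if the kill bit is set in every applicable registry view.
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($base in $BaseKeys) {
        $key = Join-Path $base $Clsid
        if (-not (Test-Path $key)) { return $false }
        if (((Get-CompatFlags -Key $key) -band $KillBitFlag) -eq 0) { return $false }
    }
    return $true
}

function Set-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($base in $BaseKeys) {
        $key = Join-Path $base $Clsid
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # OR the bit in so any other compatibility flags already present are kept.
        $flags = (Get-CompatFlags -Key $key) -bor $KillBitFlag
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $flags -Type DWord
    }
}

function Clear-KillBit {
    # Reverses Set-KillBit: the "re-enable" step after a security update is installed.
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($base in $BaseKeys) {
        $key = Join-Path $base $Clsid
        if (-not (Test-Path $key)) { continue }
        $flags = (Get-CompatFlags -Key $key) -band (-bnot $KillBitFlag)
        if ($flags -eq 0) {
            Remove-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
        } else {
            Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $flags -Type DWord
        }
    }
}

# Constructed placeholder CLSID; substitute the CLSIDs from the advisory's .reg file.
$Targets = @('{00000000-0000-0000-0000-000000000000}')

foreach ($clsid in $Targets) {
    Set-KillBit -Clsid $clsid
    '{0}: kill bit set = {1}' -f $clsid, (Test-KillBit -Clsid $clsid)
}
```

    Test-KillBit is the check to run on a fleet after distributing the .reg file: it reports false if either registry view is missing the bit, which is the usual reason a "killbitted" control still loads in 32-bit Internet Explorer on a 64-bit system.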


    Clubhouse Tags: Clubhouse, Microsoft, Windows, Security, Advisory, Vulnerabilities, Information, How To,


    Thursday, January 06, 2011

    Microsoft Fix it Available for Security Advisory 2490606

    Two days ago, Microsoft released Security Advisory 2490606 to address a publicly disclosed vulnerability affecting the Microsoft Windows Graphics Rendering Engine. At that time, Microsoft was not aware of any public attacks.  That has since changed and Microsoft has started to see targeted attacks.  As explained in the Security Advisory,

    "An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the logged-on user. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."

    It is important to note that the vulnerability does not affect Windows 7 or Windows Server 2008 R2.  However, it does affect Windows Vista, Windows Server 2003, and Windows XP.


    In addition to the common-sense advice to enable a firewall, get software updates (including third-party software) and install antivirus software, Microsoft has created a Fix it solution as a workaround option for some scenarios. To enable the solution until a security update is released, download and run Microsoft Fix it 50590.  After a security update is released, merely reverse the process by downloading and running Microsoft Fix it 50593.


    Enable:  Microsoft Fix it 50590
    Disable: Microsoft Fix it 50593


    Security Bulletin Advance Notification for January, 2011


    On Tuesday, January 11, 2011, Microsoft is planning to release two (2) security bulletins addressing vulnerabilities in Microsoft Windows.  One bulletin is rated Critical and the second is rated Important; both affect all supported versions of Windows.  


    It was pointed out in the MSRC Blog post that the scheduled January updates will not be addressing Security Advisory 2490606 (public vulnerability affecting Windows Graphics Rendering Engine) and Security Advisory 2488013 (public vulnerability affecting Internet Explorer).

    References:


    Clubhouse Tags: Clubhouse, Microsoft, Windows, Security, Updates, Vulnerabilities, Information


    Tuesday, January 04, 2011

    Microsoft Security Advisory 2490606


    Microsoft released Security Advisory 2490606 to address a publicly disclosed vulnerability affecting Microsoft Windows Graphics Rendering Engine on Windows Vista, Windows Server 2003, and Windows XP.  The vulnerability does not affect Windows 7 or Windows Server 2008 R2.

    Microsoft is not currently aware of any affected customers or of any active attacks, which could occur from visiting a specially crafted malicious Web page or opening a malicious Word or PowerPoint file. Accounts configured as a limited user (fewer user rights) would be less affected by an attack than those running as administrator.  Be sure to apply the latest Microsoft security updates to help make sure that your computer is as protected as possible.

    Additional information is available in the MSRC post and the Security Advisory, linked below.


    References:


    Clubhouse Tags: Clubhouse, Microsoft, Windows, Security, Advisory, Vulnerabilities, Information, Windows XP,


    Facebook Page Created for Security Garden

    Two friends have been encouraging me to create a Facebook page or group for Security Garden.  At first, it seemed like a duplication of information.  After considering the popularity of Facebook ("Facebook passed Google as the most-visited website in the US in 2010."*), I realized that it is another avenue to provide computer information to friends and followers, like one-stop shopping.  They can keep up with friends as well as getting computer security news and information, tips and more without leaving Facebook.

    What really convinced me to create a Facebook page, however, was considering a couple of recent comments made on various forums by people I have helped: 
    "I want to express my appreciation to Corrine and others here who work so hard to help all us who somehow mess up our computers.  If you will tell me how, I'd like to make a contribution to the forum or whatever might be best to show my appreciation." 

    "As someone who has benefited from the expertise of Corrine and the LzD folks, I add my congratulations. They are so patient and helpful with us "non techies" on the other end of the keyboard."

    "I am pleased as punch that no threats were found!! . . . I really want to thank Corrine and the other talented folks who keep this forum available!!"
    This next comment by someone I helped with a WinPatrol problem illustrated to me that the ten plus years helping on various forums plus the almost five years of providing information via this blog have apparently reached further than I thought:
    "Corrine, I just realized that you are THE Corrine, of Security Garden, etc."
    Knowing that I have helped someone and receiving a thank you means a lot.  If I can teach those I help how to better secure their computer, all the better.  So, I followed the suggestion of my friends and created a Facebook page for Security Garden, hoping the information I share will help more people stay attuned to computer security issues and help them stay secure.



    Like Security Garden on Facebook.




    * Facebook: Most Popular Search Term & Most Visited Website in 2010, Hitwise Says

    Clubhouse Tags: Clubhouse, Security, Information, Family Safety, Microsoft, Windows,


    Saturday, January 01, 2011

    Congratulations 2011 Microsoft MVP!

    What a great way to start off the New Year! 

    "Congratulations! We are pleased to present you with the 2011 Microsoft® MVP Award! This award is given to exceptional technical community leaders who actively share their high quality, real world expertise with others. We appreciate your outstanding contributions in Consumer Security technical communities during the past year."

    Happy New Year! 

    About the MVP Program:  http://mvp.support.microsoft.com/
