# One month after Vista released to manufacturers, there is no major rush to upgrade



## zekrahminator (Dec 31, 2006)

It has been a month since Microsoft released their latest (somewhat) public copy of Windows Vista, and there has been no major upgrade to Windows Vista in most corporations. Since Vista is technologically solid, why is there such a slow adoption of the software? There are several reasons, but the most obvious are pointed out in a quote by Russ Cooper, a senior information security analyst at Cybertrust. 





> I say Microsoft never intended anybody to run Vista prior to January. What works on Vista, beyond Office 2007? I'm going to Vista ... when my VPN supplier tells me that they have drivers that work, and when my anti-virus vendor tells me that they have non-beta versions that work.




The rest of the article shows that the main reasons not to move to Windows Vista are...

- Driver support is buggy
- Security software is still in beta
- Application compatibility is limited
- All the major Vista-compatible software will be released in January.

However, once Vista is released to the public on January 30th, there should be a lot fewer reasons not to move to Vista. And since XP has been around for five years, there is definitely a need for a new operating system. Analysts predict that most companies will have moved to Vista by 2008.



----------



## Namslas90 (Dec 31, 2006)

Even after the drivers are released it will still be 3-5 years before it all works right anyways. Microsoft wants us to buy it now, to finance the fixing of it in order to continue to show "good numbers" to their investors (as always)!!


----------



## Jimmy 2004 (Dec 31, 2006)

I'll tell you why no one wants it:

It costs a bomb and adds little functionality over XP if you install your own AV/firewall software, and it's a resource hog so slows things down. It looks new but IMO it doesn't really add anything to make it much better than XP, other than DX10, which could have been built to work on XP if M$ wanted to.


----------



## EviLZeD (Dec 31, 2006)

Yeah, I think it's a waste. I'm too used to XP; the only time I will have to get it is when DirectX 10 games go big, otherwise I like XP a lot.


----------



## Steevo (Dec 31, 2006)

"Once Vista is being shipped by OEMs on all new PCs, we won’t be debating why people should move," said Andrew Brust, chief of new technology with consulting firm TwentySix New York. "It will be clear that they will need to do so, sooner or later. And honestly, people can argue until they’re blue in the face about how XP is fine, but the reality is that it’s five years old, technology has changed and a new OS is necessary."


It should also be noted that the man quoted above sleeps in Bill Gates' sheets and jacks off to PCWorld mags at night.


----------



## mout12 (Dec 31, 2006)

If you guys are going to complain about Microsoft so much, go buy a Mac.  This isn't communist China - you don't have to buy MS products if you don't want to.


----------



## zekrahminator (Jan 1, 2007)

mout12 said:


> This isn't communist China - you don't have to buy MS products if you don't want to.


Well said, though in a way MS does kinda force us to buy their product. Sure you don't have to buy Vista, but you won't get Crysis, because DX10 is a Vista exclusive. Sure you don't have to buy Vista, but you'll have to compile the drivers for everything from scratch, which'll take several hours, as opposed to Vista where you can install it in half an hour. Sure you don't have to buy Vista, but you won't run the Vista-exclusive programs... the list goes on and on. The one problem I have with MS.


----------



## jocksteeluk (Jan 1, 2007)

The only Vista-only programmes coming out so far seem to be ones people can do without. Continually updating your office packages makes little sense; I still use Office XP with zero problems, and as for Halo 2 for PC, M$ can shove that right up themselves. Trying to force people to upgrade will only make people resent the product. Hopefully 2007 is the year a company fully utilises Linux and brings it to the masses.


----------



## GLD (Jan 1, 2007)

Steevo said:


> "Once Vista is being shipped by OEMs on all new PCs, we won’t be debating why people should move," said Andrew Brust, chief of new technology with consulting firm TwentySix New York. "It will be clear that they will need to do so, sooner or later. And honestly, people can argue until they’re blue in the face about how XP is fine, but the reality is that it’s five years old, technology has changed and a new OS is necessary."
> 
> 
> It should also be noted that the man quoted above sleeps in Bill Gates' sheets and jacks off to PCWorld mags at night.



HEY NOW! I jerk the gherkin to PCWorld mags also! Nah, actually it's PC Gamer.


----------



## Wile E (Jan 1, 2007)

I'm really torn on this whole Vista thing. I'm seriously debating getting Home Premium, as I just don't need the security features that Ultimate adds. The developer of nLite is also currently developing a new program called vLite for Vista. That would be a godsend if he gets it working properly. You should really be able to trim a lot of the unnecessary fat from Vista, making it run a lot like a standard XP install. The problem I have is with pricing. MS just flat out wants too much money for this thing. I mean, come on MS, if Apple can offer a fully featured operating system for only $130, why can't you?


----------



## Jimmy 2004 (Jan 1, 2007)

Well if people don't buy it they'll be forced to reduce their price... problem is, businesses think they need the latest and they make up a huge chunk of the market, when in reality Vista will probably ruin the speed of their PCs. The average business computer won't have much better than a 2GHz Celeron and 512MB of RAM, and that will be very slow with Vista Ultimate, which is what most large businesses will go for I expect.


----------



## peach1971 (Jan 1, 2007)

Found a VERY nice link: 
http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.txt


----------



## Wile E (Jan 1, 2007)

Jimmy 2004 said:


> Well if people don't buy it they'll be forced to reduce their price... problem is, businesses think they need the latest and they make up a huge chunk of the market, when in reality Vista will probably ruin the speed of their PCs. The average business computer won't have much better than a 2GHz Celeron and 512MB of RAM, and that will be very slow with Vista Ultimate, which is what most large businesses will go for I expect.


Actually, most large businesses aren't going to make the switch for some time. Where I work (American Eagle in the distribution center), for example, they run a lot of web based and networked apps for reports and such. They won't even upgrade to IE7, for fear of compatibility issues. The prospect of Vista only compounds the matter. You also have to consider the amount of retraining time they would have to spend on the upgrade, as 90% of the people that use computers there don't really know much about them, just the basics. So much time would be wasted on simple tech calls alone, what with Vista's new security pop-ups and such.

There's an interview on page 103 of the Jan 07 issue of CPU with Joe Wilcox. He's a senior analyst for JupiterResearch, who does work for Microsoft. In it, his firm's research says that 20% of businesses with 100 or more employees don't even have plans to upgrade at all (I'm assuming they mean until it's absolutely necessary). Another 30% said it will be more than a year before they consider it, and half of those 30% said more than 2 years. He went on to say that the biggest push is going to be from the OEM builders. Come late January, Vista will be the only thing being sold on new machines. Microsoft is basically forcing the upgrade on those that prefer the easier route, or don't know enough to build their own PC.


----------



## Steevo (Jan 1, 2007)

:goodpost:



I foresee some nice tools becoming available to sysadmins built on the server side of Vista, but not much on the user side. Forced compliance is one I have been wanting to get a breakdown on for a while, and it sucks that they took it out of the release; big time loss of clients there.


----------



## Easy Rhino (Jan 1, 2007)

i wish that dx10 would run on XP


----------



## WarEagleAU (Jan 1, 2007)

Of course not. Costs too damn much to upgrade and to make PCs come with it. Too much proprietary shit needed for it. It's ridiculous.


----------



## illusionist435 (Jan 2, 2007)

OK, for those of you not minding spending the money for Vista, but who don't like that it can't run all your applications and yet still want it: just run two partitions on your computer, one with Vista and one with XP. That's what I did to my computer, and I can switch with a simple restart of my computer.


----------



## Steevo (Jan 2, 2007)

Funny me too. But it doesn't mean that I have to like it.



Or the shit driver support, as MS wasn't releasing the architecture of the OS until recently, then they want to throw it to the public?


----------



## Wile E (Jan 2, 2007)

Steevo said:


> Funny me too. But it doesn't mean that I have to like it.
> 
> 
> 
> Or the shit driver support, as MS wasn't releasing the architecture of the OS until recently, then they want to throw it to the public?


They wouldn't even release the low level specs to the security app makers.


----------



## BIOHazard87 (Jan 2, 2007)

Vista isn't all that bad. This complaining and shit happens practically every Windows release, maybe slightly more this time since there are more computer users.


----------



## Deleted member 3 (Jan 2, 2007)

Wile E said:


> They wouldn't even release the low level specs to the security app makers.



If you are referring to the fact that MS denied kernel access to anti-virus makers (they gave them access now though), it's not MS at fault. Denying the access would be good; in fact other anti-virus software does work, so it seems Symantec and whichever company was crying about it (I think it was McAfee) are at fault themselves. Oddly enough it was the makers of the crappy bloated packages that were complaining. I see a link there...

MS tried to make Vista safer, other companies sued. Next people will complain about all kinds of bugs in Vista which could have been prevented if companies like Symantec would just learn how to program.


----------



## Jimmy 2004 (Jan 2, 2007)

BIOHazard87 said:


> Vista isn't all that bad. This complaining and shit happens practically every Windows release, maybe slightly more this time since there are more computer users.



Well I think XP works great, but Vista just uses too much RAM, which is why I don't intend to upgrade to it until I have a better system. In all fairness, although compared to people on these forums my PC isn't too quick, it's a lot faster than the average PC. I mean it still kicks the sh*t out of most PCs that somewhere like PC World sells, and your average user will go there... those PCs will run so slow with Vista at its default setup.


----------



## Deleted member 3 (Jan 2, 2007)

Jimmy 2004 said:


> Well I think XP works great, but Vista just uses too much RAM, which is why I don't intend to upgrade to it until I have a better system. In all fairness, although compared to people on these forums my PC isn't too quick, it's a lot faster than the average PC. I mean it still kicks the sh*t out of most PCs that somewhere like PC World sells, and your average user will go there... those PCs will run so slow with Vista at its default setup.



XP with 128MB isn't heaven either. In 2-3 years everyone will have 4GB of RAM and nobody will care about the RAM Vista uses. It's how the market works.


----------



## peach1971 (Jan 2, 2007)

Did you read about the tilt bits in my link above?
It's also a CPU sucker for ridiculous reasons!

Damned "premium content"


----------



## Jimmy 2004 (Jan 2, 2007)

DanTheBanjoman said:


> XP with 128MB isn't heaven either. In 2-3 years everyone will have 4GB of RAM and nobody will care about the RAM Vista uses. It's how the market works.



The good old days of Windows 95... only needed 8MB of RAM, didn't you? My Win95 PC had 16MB but got upgraded to 80MB; that was when PCs used SIMMs, so you bought the RAM in pairs. It was really quick for a Windows 95 PC after that, and it was still working more or less OK in 2003 when the CD drive messed up and I didn't see the point in repairing it, so got rid of it.


----------



## Carcenomy (Jan 2, 2007)

Peach - don't trust that link too far, it's written by a local disgruntled university techie type...

I don't get this 'five years old', 'due for replacement' mentality, although I don't think Vista is a bad idea. The 9x platform lasted six years and is still in use on many older machines to this day in its three guises. MacOS has spent basically its whole lifespan looking and performing much the same, with the major releases giving very minor updates to the code and slight UI changes - even they were sparse, System 7 looks exactly the same to me as MacOS 9.2 does, and performs much the same with much the same drawbacks.

Hell, Microsoft are considerably more proactive in that respect. When they build another OS they usually build something that's almost all new, or at least overhauled enough that it's effectively new (98... it's 95OSR2.5 with all the updates and patches preapplied and smoothed!). Things could be worse. And I will eventually migrate to Vista. Just not yet.


----------



## Alec§taar (Jan 2, 2007)

It's always SLOW waiting for businesses to update/upgrade to new OS, for a pile of reasons...

Mainly, it's added costs (& IT doesn't exactly get the monies, say, that marketing dept.'s traditionally do by way of comparison, by ANY means), & that means being told NO due to "we have a watch that runs fine, why try 'fix it'" type of thinking!

(Which MAY be right as rain for a particular company on ALL levels.)

Then, it's testing in-house apps w/ it!

(& most places lock you into- limit you to only a certain set of apps you can have on your system installed, period. This is for security's-sake most likely, & also because there's no guarantee (w/ out sourcecode to the apps @ least, or its developer present) that any app will NOT mess up other apps you run (that, or its lib/dll versions installed)).

Not simple to get by either of those...



* However, where you will see VISTA is in new machines & iirc, when I first read this thread yesterday? Someone already mentioned this & is right as rain...

APK

P.S.=> DirectX 10 gaming is another that will probably help VISTA installations on the 'home/domestic' front... gaming is a big market in software & imo? The largest single software type other than Operating Systems themselves & possibly AntiVirus/AntiSpyware software classes, that is purchased by home buyers... apk


----------



## Carcenomy (Jan 2, 2007)

So true, so true. 15 years on Apple's behalf is a bit sad on it though *chuckle*


----------



## NTBugtraq (Jan 2, 2007)

*Vista Adoption*

Russ Cooper here. FWIW...

>Driver support is buggy

I never said that. Driver support isn't buggy, it's non-existent. Either there is a Vista driver, or there isn't and the old one doesn't work. This is true for the vast majority of things, from VPN software to camera drivers.

>Security software is still in beta
>Application compatibility is limited

Little software that is important works with Vista "as is," and very few Vista-specific applications have been released in production form. Anyone doing an in-place upgrade from XP to Vista is in for many nightmares, now, or any time in the future! Just wait until OEMs start shipping Vista against those coupons they gave out; consumers are going to scream bloody murder.

They're either going to have to re-image their machine based on a recovery DVD the OEM sends them (which will basically press an image of Vista pre-installed with whatever add-ons they can find that work), losing settings and data in the process, or they'll upgrade only to find out that they have a lot of stuff that isn't Vista compatible.

>All the major Vista-compatible software will be released in January.

I never said that either...;-] I certainly don't expect all of the major Vista-compatible software to be released in January. The PCWorld article quotes IBM as saying they won't have a Lotus Notes version for Vista until mid-2007.

I do believe, however, that Microsoft intended Vista for gamers, not business. After reading Peter Gutmann's extremely informative exposé on Vista Content Protection, I'm inclined to recommend that ***NOBODY*** upgrade to Vista. It is ludicrous to encumber our equipment and budgets with anything so ridiculously crafted.

I am currently tasked with coming up with the security reasons people should upgrade to Vista. Thus far, I have only been able to identify disk encryption on laptops, to avoid the publicity boondoggle that occurs when one is lost or stolen. Hardly sufficient reason to do the following requisite upgrade tasks:

- Major Version upgrade of practically every piece of software used on a PC (probably the biggest cost you're going to incur)
- Training and re-training of staff (not to mention the augmented help desk staffing levels required while the rest of your staff is in training.)
- Hardware upgrades
- Group Policy Object revamp

plus who knows how many other little things like modifying OS detection in web sites, scripts, etc...

And you do all of this because there might be some customer data on a laptop you're going to lose this year?? I doubt it.

So my best advice is for everyone to get more familiar with slipstreaming and making new installation DVDs for XP Pro SP2 that include, as of today, the >100 patches you have to add to SP2 to be up-to-date...and leave Vista to the class action lawyers.

BTW, Peter Gutmann really knows his stuff, and shouldn't be discounted as some geekie university techie type.

As for this garbage about people adopting Vista because it's being shipped on every new PC they purchase... balderdash! Firstly, when we're talking about businesses we're not necessarily talking about additional machines when we get a new one. It may just be replacing an older one, which already had an OS license. So it's nothing to blast your standard XP build over the Vista garbage on the new machine. This *is* going to happen until corporations have a Vista build which includes everything their users have and need today... and that's going to be a while.

It's also going to take some killer app to arrive to make the switch "needed." I've read people claiming that corporate users are going to have the Aero interface at home and insist they have it at the office too...crap! When they realize that little works the same as it used to, and they have to learn everything anew...few are going to want Vista on their office machine. Heck, I think few are going to want it on their home machine, but will put up with it if it means they can play the latest games.

If anyone thinks we can't convince MS they've made a mistake with an OS, just try and remember Microsoft Bob! or, for that matter, Windows ME.

In my opinion, Microsoft has a huge problem on its hands when they come to phase out security support for Windows XP SP2. Luckily for us that won't be until November 2014.

Cheers,
Russ


----------



## Steevo (Jan 2, 2007)

I haven't tried Client Access Express on it yet, and there are hundreds of businesses that still love the eServers. What if there are bugs? It is a program that really relies upon the openness of Windows to use, and use well.


I can just imagine how grateful everyone will be to be forced to use telnet for connection.


Then again, it is no longer my concern, I was moved to alpha testing security for laptops. Jerkoffs.


----------



## Wile E (Jan 3, 2007)

NTBugtraq said:


> As for this garbage about people adopting Vista because it's being shipped on every new PC they purchase... balderdash! Firstly, when we're talking about businesses we're not necessarily talking about additional machines when we get a new one. It may just be replacing an older one, which already had an OS license. So it's nothing to blast your standard XP build over the Vista garbage on the new machine. This *is* going to happen until corporations have a Vista build which includes everything their users have and need today... and that's going to be a while.


If you're referring to me, I wasn't meaning in reference to corporations or businesses; I meant the less tech savvy home user that buys their machine from Dell, or some other junk peddling OEM. I believe that's where we'll see the most adoption of Vista.


----------



## NTBugtraq (Jan 3, 2007)

Wile E said:


> If you're referring to me, I wasn't meaning in reference to corporations or businesses; I meant the less tech savvy home user that buys their machine from Dell, or some other junk peddling OEM. I believe that's where we'll see the most adoption of Vista.



No, I wasn't referring to you or anyone who had posted here, I was referring to the quote of Andrew Brust in the original PC World article.

"Once Vista is being shipped by OEMs on all new PCs, we won't be debating why people should move," said Andrew Brust, chief of new technology with consulting firm TwentySix New York. "It will be clear that they will need to do so, sooner or later. And honestly, people can argue until they're blue in the face about how XP is fine, but the reality is that it's five years old, technology has changed, and a new OS is necessary."

1. Yes, I agree with you Wile E that home users will adopt Vista, probably entirely because it is shipped on their machine. However, this isn't going to happen, IMO, at the end of January. As I said in my earlier post, OEMs have a huge problem... how do I (the OEM) provide a System Restore build that includes all of the software I've already given the customer? If I included Symantec AV and Quicken, I need versions of those that work with Vista before I can give my customer a new image. Well, we ain't there yet, and I don't see us being there by the end of January.

2. There is also little in Vista in the way of "changed" technology that makes a new OS necessary. Did the world change as a result of UPnP? No, but it was a new technology included in XP that got talked about (largely because XP's first flaw was announced in UPnP on the day XP was released.) However, XP introduced NT-style security in the desktop OS while keeping the W95-like interface, which made it much better than W2K Pro for corporations. So it got adopted.

There's nothing like this in Vista. About the only technology change (apart from Copy Protection as explained by Gutmann) is the UAC/Standard User concept. However, in the majority of businesses who have a server, this is already being done in XP and works just fine (in fact, it works better for most businesses in XP than it does in Vista!)

So beyond forcing companies to buy new hardware when they don't really need it, and providing an interface that wastes those resources wantonly, while IMO confusing users, I'm at a complete loss as to what changes in technology Brust thinks Vista is addressing.

I had hoped that the virtualization engine was going to provide some ray of hope, but Virtual PC 2007 isn't released yet and what is available only supports 32MB of vRAM per vMachine... you try running Office XP/2003 in that! Again, MS makes you buy honking hardware to run Vista, and then while running it, cripples it in the process.

FWIW, if Vista isn't adopted in businesses, then Office 2007 isn't going to be adopted either, IMO. If businesses don't make these changes, MS shareholders are going to have Ballmer's scalp, and again IMO, Vista will flop regardless of how many home PCs ship with it.

This all happened in almost the exact same fashion many years ago in the PC world. There used to be a company called MicroPro, who made an excellent and probably the most widely used word processor called WordStar. Virtually every keystroke combination you've ever used was created first in WordStar. For some unknown reason they decided, in '87 I think it was, to totally change their UI when they introduced their newest version, WordStar 2000 (the version before that was, I think, WordStar 3.3). All the old keystrokes were gone and replaced by 3-key combinations (they used to be 2-key for the most part). Everyone dropped WordStar 2000 and within a year the product was never heard of again.

Cheers,
Russ


----------



## Alec§taar (Jan 3, 2007)

NTBugtraq said:


> "Once Vista is being shipped by OEMs on all new PCs, we won't be debating why people should move," said Andrew Brust, chief of new technology with consulting firm TwentySix New York. "It will be clear that they will need to do so, sooner or later. And honestly, people can argue until they're blue in the face about how XP is fine, but the reality is that it's five years old, technology has changed, and a new OS is necessary."



Bad logic, I agree... the new tech I see in it, doesn't REALLY apply to home level users, until you hit DirectX 10 & games for it (still coming)... 

For "new features" (that I feel are GOOD ones @ least) that MAY apply, @ least somewhat, to home-users (because it is security related)?

Well, there is UAC & also other security features like IE7 (better on VISTA than it is on Windows Server 2003 even) & also Address Space Randomization (where code runs in RAM is scrambled now, to prevent attacks upon it)



NTBugtraq said:


> 1. Yes, I agree with you Wile E that home users will adopt Vista, probably entirely because it is shipped on their machine. However, this isn't going to happen, IMO, at the end of January.



BUT, it's going to happen... & this is where MS always wins imo @ least, & on the "home-front" & everything begins @ home, even your computer use patterns & most skills (as well as your values etc. you learn from parents)... today especially.

Not true in my day, the first time I used computers were @ my ma's workplace (county computer operator on mainframes) & in school later (DEC PDP-11 series, iirc)...



NTBugtraq said:


> 2. There is also little in Vista in the way of "changed" technology that makes a new OS necessary.



Some of the security updates in it, such as UAC, better IE7, & Address Space Randomization are GREAT things... for security, @ least.



NTBugtraq said:


> However, XP introduced NT-style security in the desktop OS while keeping the W95-like interface, which made it much better than W2K Pro for corporations. So it got adopted.



2000 had the same level of security & the same general shell (classic mode as it is referred to, via GDI/Win32 API draw).



NTBugtraq said:


> There's nothing like this in Vista. About the only technology change (apart from Copy Protection as explained by Gutmann) is the UAC/Standard User concept.



A really POWERFUL & good one is Address Space Randomization which I mention above... it stalls a great deal of "buffer overflow" attacks & such by malware.



NTBugtraq said:


> However, in the majority of businesses who have a server, this is already being done in XP and works just fine (in fact, it works better for most businesses in XP than it does in Vista!)



This is the point I was leading to/making above: Businesses are always SLOW to adopt, mainly because "if a watch runs, why fix it?" & "wait out the bugfixes in VISTA (newest OS by MS) first" type thinking... & then, there is fighting for a budget too, to get the licenses (just like pulling teeth).



NTBugtraq said:


> So beyond forcing companies to buy new hardware when they don't really need it, and providing an interface that wastes those resources wantonly, while IMO confusing users, I'm at a complete loss as to what changes in technology Brust thinks Vista is addressing.



IMO? Security largely... between IE7 improvements, UAC, & Address Space Randomization?? That's actually quite a bit, imo @ least, for security!



NTBugtraq said:


> This all happened in almost the exact same fashion many years ago in the PC world. There used to be a company called MicroPro, who made an excellent and probably the most widely used word processor called WordStar. Virtually every keystroke combination you've ever used was created first in WordStar. For some unknown reason they decided, in '87 I think it was, to totally change their UI when they introduced their newest version, WordStar 2000 (the version before that was, I think, WordStar 3.3). All the old keystrokes were gone and replaced by 3-key combinations (they used to be 2-key for the most part). Everyone dropped WordStar 2000 and within a year the product was never heard of again.
> 
> Cheers,
> Russ



I used to use WordStar, & in fact, it was the VERY FIRST word-processor I ever used on a PC, circa 1989 or so, iirc... most of the (trivia here) compiler keyboard shortcuts I use to this day? Are WordStar ones...

The same thing happened to WordPerfect 5.1 transition (DOS) to WordPerfect for Windows - they changed up nearly ALL of the keyboard shortcuts, dumb, because it made me leave WordPerfect for Ms-Word in fact... in a word-processing program? Keyboard shortcuts are quite a lot, & altering them?? Bad move... drove me away from WordPerfect, much as you describe on WordStar.

APK


----------



## NTBugtraq (Jan 3, 2007)

Well, I'll go out on a limb here and pick a number out of the air...;-]

IMO, <5% of system compromises occur because of buffer overflows. Heck, let's make that <1%!

If I'm getting a bot or trojan, it's likely that I double-clicked on an attachment. No need to overflow buffers if the victim is perfectly willing to execute the code. And the vast majority of those run in the user's security context... no need for Administrator (although most home users are) 'cause I ain't going to do anything a user can't do anyway. Nothing's changed here in Vista.

If I'm getting a drive-by download, doesn't matter whether I'm running XP or Vista. What really makes a difference is enabling only Administrator Approved ActiveX controls, which can be done in IE 6 (post XP SP2) as well as IE 7. Again, Vista makes no changes here either. A red bar isn't going to affect people as much as SiteAdvisor does, IMO. If the user isn't stopped from going to bad places, they'll go, they want what they think is on the other side of the rainbow no matter how bad the storm is that made it.

We haven't had a Code Red/Blaster/Slammer/Sobig type event in years, and aren't likely to... they make no money! Yes, a buffer overflow in a malformed Word document may very well net the Chinese government U.S. military secrets... once! For the rest of the world the vulnerability is irrelevant, just as are 99% of all MS patches produced... when it comes to machines being compromised.

Get an ISP who scans your mail for viruses and doesn't allow 139/445 inbound and you'll see how you can put a plain vanilla W95 box bare to the net.

So memory address randomization is great when you're talking to a bunch of security geeks (of which I'm one) who are pummelling you with theoretical this and that, and PoCs that prove their point...but it doesn't have an impact on today's criminal efforts.

UAC is great, providing you don't have to pay for the huge increase in end-user support costs (and, assuming, India and like countries aren't banned from providing those services!) The problem is every consumer is going to have to pay those costs regardless how well we learn how to use our own systems (see the ATI comments about passing the costs to the cosumer in Gutmann's write up.) Consumers will also have to accept the increased loss of privacy as they turn their systems over to remote technicians for help (seen the latest Dell commercials?) And of course as this sort of support becomes more common-place, then we can expect the phishing and other scams to take that direction ("Want to get your PC optimized for free? Click here and we'll walk you through it!")...hrmph, did we increase security or decrease it?

As for IE 7, I'm not aware of how it's better on Vista than XP. In fact, as the premise of Bob MacMillan's article showed, it's a little worse right now since MS hasn't released a patch for Vista that is available for XP.

Cheers,
Russ


----------



## Jimmy 2004 (Jan 3, 2007)

I am not even going to try and read all those posts... too long!!!

Alec, looks like you have competition in the longest posts contest! j/k

Keep posting detailed info, you help a lot of people and it's *much* better than single line replies... I just don't think I can read a thread like this much more


----------



## Alec§taar (Jan 3, 2007)

Jimmy 2004 said:


> I am not even going to try and read all those posts... too long!!!
> 
> Alec, looks like you have competition in the longest posts contest! j/k
> 
> Keep posting detailed info, you help a lot of people and it's *much* better than single line replies... I just don't think I can read a thread like this much more



Thanks, sorry for the length, but I tend to quote others, to NOT miss replies to their points... Russ of NTBugTraq & I are having a GOOD exchange... I'd recommend reading it.

(BUT, that'd be a 'shameless plug' on my part, but he is into this area, as am I... so, good info. IS up there)

Some of the "long & detailed" exchanges we have here? Are the BEST for learning some crazy stuff imo @ least... I like having them!

APK

P.S.=> Are you from NTBugTraq, Russ? If so, I like your site... it's up there w/ Secunia & SecurityFocus.com imo, & I read them both regularly! If you have ANY corrections or notes/exceptions to the above material I put out?? Please, fire away... room to learn/grow here! apk


----------



## WarEagleAU (Jan 3, 2007)

It suxors and it's expensive. Really a pain when you have to pay 600 dollars for something that does not work.


----------



## Alec§taar (Jan 3, 2007)

*IE7 differences present on VISTA vs. XP & Windows Server 2003 even*

Long reply, but answers your questions & some other madness-N-lunacy:



NTBugtraq said:


> As for IE 7, I'm not aware of how its better on Vista than XP.



Well, see these:

http://interviews.slashdot.org/article.pl?sid=06/10/27/1549259

*"In Windows Vista with Protected Mode, IE7 is the first browser to "put itself into a sandbox" and run with low privileges."* - Dean Hachamovitch, (whose formal title is General Manager Internet Explorer at Microsoft Corp).

&

http://weblogs.java.net/blog/chet/archive/2006/10/index.html

*"Internet Explorer 7 (IE7) takes this a step further and protects that entire process from accessing the raw system, so that even if an application inside the browser gains access to the system, it can only perform operations inside the very restricted sandbox that the browser offers."*

&

http://www.nytimes.com/2006/12/25/t...&partner=rssuserland&emc=rss&pagewanted=print

*"However, one of the principal security advances of Internet Explorer 7 is a software “sandbox” that is intended to limit damage even if a malicious program is able to subvert the operation of the browser. That should limit the ability of any attacker to reach other parts of the Vista operating system, or to overwrite files."*

** Note, the last article says a Russian coder has a 'proof of concept' for this & penetrating the IE7 sandbox, but has yet to demonstrate it (@ least @ the time of the article, Dec 2006) - in fact, iirc, this turned up b.s. OR nearly unworkable when he was confronted in trying to prove it. BUT, I could be wrong here too... but, iirc, this was the "joke" one, not really a true bug, but an "April Fool's joke" iirc (there was one of those).

&

http://arstechnica.com/journals/microsoft.ars/2006/8/8/4915

*"IE 7 was to be a Vista-only release, but the rising market share of Firefox made Microsoft decide to release it for Windows XP as well. But the Vista edition was to receive additional features, such as the ability to run in a low-rights sandbox for extra security."*



* I should REALLY bookmark a few, just in case I run into somebody asking this again, regarding security & 'sandboxing' IE! Well, that said? I have, now.

(And yes, it is possible in other forms of IE too, using batches & LOCAL commandline parameter switch on IE's commandline in batch, etc. - IF you need the process & IE commandline + batchwork for this? I believe I STILL have it here online, just ask...).

How 'perfect' is IE7's sandbox security feature on VISTA? Hopefully, moreso than the JAVA allegedly 'impenetrable' one (which proved to be ANYTHING but 'impenetrable' over time now)... Which I never trusted!

Hence, why I turn off scriptings/java/activex control use in my browsers, on the PUBLIC internet @ least (I still use it a lot on the job in intranet environs w/ ASP.NET apps though)!

Again/also: This IS why I will not put Ms-Office online anymore, especially word, since it often integrates in as your std. email reader in FULL outlook (& I use .txt only for reading email, like it or not, OR @ most, use RTF (rich text format))...

*ALSO, here is a "bug/feature" in IE6 & below that Microsoft has mended in IE7 (clipboard accesses) but, iirc, this extends to ALL versions of IE7, not just the VISTA model*:

http://blog.washingtonpost.com/securityfix/2006/12/clipboard_data_theft_optional.html



NTBugtraq said:


> In fact, as the premise of Bob MacMillan's article showed, its a little worse right now since MS hasn't released a patch for Vista that is available for XP.
> 
> Cheers,
> Russ



That was regarding the "Phishing Filter" lag in it, but even for Windows Server 2003, this seems to have been fixed (yes, I use the anti-phishing filter MS provides in IE7 for Windows Server 2003 here, no lag)... on VISTA, a patch is due out THIS month, according to the article you refer to (the one shown in this thread's first post). EDIT PART: That's ONLY 3 days away now, mind you.

If it's done & there for Windows Server 2003 SP #1 fully current hotfix patched here? It should be out this month for VISTA is my guess - Windows Server 2003 IS the initial codebase/core of VISTA, afaik, & the direct OS it was based on.





NTBugtraq said:


> Well, I'll go out on a limb here and pick a number out of the air...;-]
> 
> IMO, <5% of system compromises occurs because of buffer overflows. Heck, let's make that <1%!



The same could be said of ROOTKIT based attacks... but, more & more of this is appearing to hide 'malware' of various sorts... they are on the rise.

(This measure by MS could help stop the buffer-overflow based ones being a factor @ all (nearly)).



NTBugtraq said:


> If I'm getting a bot or trojan, its likely that I double-clicked on an attachment. No need to overflow buffers if the victim is perfectly willing to execute the code. And the vast majority of those run in the user's security context...no need for Administrator (although most home users are) cause I ain't going to do anything a user can't do anyway. Nothing's changed here in Vista.



I don't pity the person that does that though... they bring it on themselves. More & more folks are becoming aware of this though, "don't click on data & programs sent you by folks strange to you" (or, even ones you know, who may not be very "security-conscious").



NTBugtraq said:


> If I'm getting a drive-by download, doesn't matter whether I'm running XP or Vista. What really makes a difference is enabling only Administrator Approved ActiveX controls, which can be done in IE 6 (post XP SP2) as well as IE 7. Again, Vista makes no changes here either.



On XP? Possibly so, albeit done manually in the IE options for IE6... 

However, IE6 & IE7 in Windows Server 2003, by default, run w/ an "enhanced security mode"!

That disallows using ActiveX controls, Java, Java/Active scripting, automagically/by default... you don't even have a SHOT @ running them, unless you turn them on for various sites.

This CAN be done in 2000/XP too, but you have to 'manually' set it in the IE options for IE6 etc. & below.



NTBugtraq said:


> We haven't had a code red/blaster/slammer/sobig type event in years, and aren't likely to...they make no money!



That's what folks said in the Win32 world about ROOTKITS, & the past 2-3 years now? You see them on Win32 as well... And, as far as NOT making money? I could see even using a DOS or DDOS as a form of blackmail, holding a site hostage for example... not easing it up, until the threatened party pays up, etc., but I am not a criminal of this nature... but, I could see it being used thus.



NTBugtraq said:


> Yes, a buffer overflow in a malformed Word document may very well net the Chinese government U.S. military secrets...once! For the rest of the world the vulnerability is irrelevent, just as are 99% of all MS patches produced...when it comes to machines being compromised.



I don't discount ANY vulnerability, & this is part of WHY I quit putting Ms-Office 2003 online here, & keep scriptings (java & activex) + Java & ActiveX Controls turned off period, @ LEAST ON THE PUBLIC INTERNET (zones usage in IE can help here)... & keep up w/ OS patches (as well as compiler patches).

If it can hit something else, server OR user level?? It's a VALID threat imo.



NTBugtraq said:


> Get an ISP who scans your mail for viruses and doesn't allow 139/445 inbound and you'll see how you can put a plain vanilla W95 box bare to the net.



I don't doubt it... & turning off active or java scripting, ActiveX control usage on the public internet as well as Java usage? You can be safe.

I also recommend NOT using Ms-Word as your email editor & switch to plain text (as well as NOT opening attachments sent by strangers especially, or pals you KNOW are not very "security-conscious", again).



NTBugtraq said:


> So memory address randomization is great when you're talking to a bunch of security geeks (of which I'm one) who are pummelling you with theoretical this and that, and PoCs that prove their point...but it doesn't have an impact on today's criminal efforts.



I wouldn't say that... if an attack vector exists, such as ASR usage stopping buffer overflows, & also ROOTKITS (another 'classic' that is theoretically unstoppable afaik)?? Again, it's a valid threat I want @ least SOME protection against.



NTBugtraq said:


> UAC is great



Agreed: Protect an "ignorant" user from themselves... not a put-down - it's just that not everyone is a 'computer security guru'...

APK

P.S.=> Again:  Are you from NTBugTraq, Russ? If so, I like your site... it's up there w/ Secunia & SecurityFocus.com imo, & I read them both regularly! If you have ANY corrections or notes/exceptions to the above material I put out?? Please, fire away... room to learn/grow here! apk


----------



## zekrahminator (Jan 3, 2007)

Wow Russ Cooper, I think you're the first person I've quoted in the news I write to actually respond, welcome to the forums. And I suppose that I summarized a little bit on the points you never said, based on the rest of the article. That story was all presented in a form that made it look like you agreed with all of it. Oh well, at least you voiced your real opinion.

Edit: Fixed original newspost to show that the list I had after your quote did not express your true views, sorry for the misunderstanding.


----------



## Grings (Jan 3, 2007)

buggy driver support, resource hog, flash new interface, and about 1 worthwhile new feature that could have been implemented into the previous system - sound familiar?

and just when xp had got nice and stable!


----------



## NTBugtraq (Jan 4, 2007)

In response to Alec§taar's numerous responses...;-]

>"In Windows Vista with Protected Mode…

When the ActiveX concept was first publicly discussed (I was part of the Design Review a long time before it ever got public mention) there were raging debates over whether there should be some sort of sandbox. At that time Java was seen as the holy grail for security, hence the strong desire of a sandbox.

Firstly, thanks for pointing out Protected Mode, it is something I overlooked about IE7 on Vista.  I found a bit better reference to what PM on Vista means to IE in the IEBlog; 

http://blogs.msdn.com/ie/archive/2006/02/09/528963.aspx

Frankly, as the Java sandbox has shown, a sandbox is neat, but not assured. The concept of Trust Zones in IE was always intended to inhibit what rendered script could do on the hosting system…and as we know, it’s never been assured. For the most part, it works, then someone discovers a way through the zones and it gets patched. Should we trust it? If not Trust Zones, then why PM? Why the Java sandbox? They are all designed to limit what can be done…albeit in different ways and to different extents, but none have been perfect or resistant to attack. I’ve no reason to believe that PM in IE on Vista is going to be perfect either. Once someone publishes a flaw, the smoke will dissipate and our ability to tout it as a huge step forward will be undermined…forever.

Also, there will be controls that will leak or provide cross-“zone” facilities. Think in terms of the number of controls that got released which were marked “Safe for Scripting” but shouldn’t have been…this will happen in Vista too. Consider how many controls MS has had to set killbits for in IE. Maybe we’ll actually get CRLs eventually, but until then we’re stuck with finding workarounds.

But the real bottom line is that, even on Vista, IE hands off tasks to objects that run outside of the sandbox after asking the user whether it should do so. This is akin to saying “We’ll keep the matches in some safe place so Junior doesn’t get them…Now Junior, would you please put these matches somewhere safe?”

We are still stuck with the problem of the user having the choice whether to shoot themselves in the foot or not. As I’ve said previously, I believe the vast majority of infected systems get that way with user involvement, and PM in IE on Vista still allows for user involvement.

>Rootkits are on the rise

I’m sorry, but I would disagree, at least using the way I look at things. For example, if we ask the question; “Has the number of systems with criminal rootkit components installed on them risen in the last 12 months?” I would have to answer, unequivocally, NO! The main reason is that such systems are being detected more frequently, whether it’s by the victim’s ISP, a victim of the victim, the AV on the victim system, or simply because the system failed and was rebuilt without the rootkit. All of these things are happening more often than in the past, so it only stands to reason they’re finding more than before. Meanwhile, the ways rootkits get onto systems haven’t really changed or improved.

Now if we ask the question; “Have there been more individual pieces of malware found in the wild in 2006 that contain rootkit components?” then I would answer Yes! So what, there has been a considerable jump in the number of individually identifiable pieces of malware in 2006 as criminals have attempted to subvert detection by making minor changes (adding/removing garbage bytes, or re-packing, whatever). Compare 2006 to 2005 in this way and you’re not comparing oranges to oranges.

If you look at the statistics MS put out on what their Malicious Software Removal Tool is finding, you’ll see that the number of infected machines is actually reducing over time, regardless of what it is infected with.

>more folks are becoming aware (of security issues)

I don’t really think they are. There’s an “all or nothing” stratification I’m seeing in the home user community…they either always pass on jokes and chain letters (even after being told to stop sending them) or they never do. We’ll just have to wait for those who do pass on chain letters to die, I’m afraid.

>IE Enhanced Security Mode in W2K3 disables ActiveX…

You suggest I can enable a control by site. I can’t, only by Zone. In fact, the Enhanced Security Configuration can be established on XP via Group Policy, so automated, not manual, if you really want it…but disabling all ActiveX controls and scripting just isn’t realistic in a corporate environment. Besides, I’m not going to install W2K3 on all of my desktops, am I…;-]

>I don't discount ANY vulnerability

This is the biggest obstacle I face daily…people who don’t discount ANY vulnerability. If nobody is attacking, why are you worrying? Do you have a bomb shelter at home? Do you drive? Do you breathe? We all accept risk in myriad ways every day, why can’t we do the same thing with computers?

My risk doesn’t increase just because I’ve got a vulnerability. I can’t stay under water as long as a fish can (my vulnerability) but I still swim. The threat doesn’t increase either just because there’s a vulnerability. If I’m not going to get more people using vulnerability #1 than I already get using vulnerability #2, why bother trying to exploit vulnerability #1? Finally, the 3rd factor, cost/impact, also doesn’t change just because of vulnerability. Will there really be an increased cost to resolve an RPC-overflow worm versus a file-share spreading worm? Not necessarily.

Bottom line is you're wasting a lot of your time and resources worrying about every vulnerability.

>Are you from NTBugTraq, Russ?

Yup, that’s me!...;-]

Cheers,
Russ
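The "hand-off" Russ describes above is the part of Protected Mode that people argue about, so it helps to see what the mechanism underneath it actually decides. Protected Mode runs the IE7 process at Low integrity and relies on Windows Mandatory Integrity Control (MIC): every process token carries an integrity label, every file or registry key carries (or is assumed to carry) a mandatory label with a policy such as NO_WRITE_UP, and a lower-integrity process is refused the access the policy names regardless of what the ordinary ACL would allow. Anything the sandboxed tab needs done at the user's normal (Medium) integrity goes through a separate broker process, which is where the user-consent prompt comes in. The following is an added model of that check, written for this thread; it is not code from the IEBlog post, from Microsoft, or from either poster. The integrity RIDs and policy bits are the real Windows constants; the process names, paths and the "broker" scenario are constructed for illustration.

```python
"""Model of the Mandatory Integrity Control (MIC) check behind IE7 Protected Mode.

Added example for this thread; not code from Microsoft or the IEBlog post.
Integrity RIDs and policy bits are the real Windows constants; processes,
paths and the broker scenario below are constructed for illustration.
"""
from dataclasses import dataclass

# Integrity levels, as the RID in the mandatory label SID S-1-16-<RID>.
UNTRUSTED, LOW, MEDIUM, HIGH, SYSTEM = 0x0000, 0x1000, 0x2000, 0x3000, 0x4000

# Policy bits of the SYSTEM_MANDATORY_LABEL ACE in an object's SACL.
NO_WRITE_UP = 0x1    # lower-integrity callers may not modify the object
NO_READ_UP = 0x2     # lower-integrity callers may not read it (mostly process objects)
NO_EXECUTE_UP = 0x4  # lower-integrity callers may not execute it

READ, WRITE, EXECUTE = "read", "write", "execute"
_POLICY_FOR = {WRITE: NO_WRITE_UP, READ: NO_READ_UP, EXECUTE: NO_EXECUTE_UP}


@dataclass(frozen=True)
class Process:
    name: str
    integrity: int  # from the process token's mandatory label


@dataclass(frozen=True)
class SecurableObject:
    name: str
    # An object with no explicit label is treated as Medium with NO_WRITE_UP,
    # which is what an ordinary user file or HKCU key effectively gets.
    integrity: int = MEDIUM
    policy: int = NO_WRITE_UP


def mic_allows(proc: Process, obj: SecurableObject, access: str) -> bool:
    """Mandatory label check. MIC can only deny: a True result still has to
    pass the discretionary ACL check that runs after it."""
    if proc.integrity >= obj.integrity:
        return True  # equal or higher integrity: the label does not object
    return not (obj.policy & _POLICY_FOR[access])


def uipi_allows(sender: Process, receiver: Process) -> bool:
    """User Interface Privilege Isolation: window messages and hooks may go
    sideways or down in integrity, never up (the 'shatter attack' case)."""
    return sender.integrity >= receiver.integrity


def protected_mode_scenario() -> dict:
    """Constructed walk-through: a Low-integrity IE tab, the user's files and
    Run key, the Low-labelled cache IE may write, and a Medium broker."""
    ie_tab = Process("iexplore.exe (Protected Mode tab)", LOW)
    broker = Process("IE user broker (Medium, runs after user consent)", MEDIUM)
    explorer = Process("explorer.exe", MEDIUM)

    # Sample objects (constructed); the first two carry the default label.
    user_doc = SecurableObject(r"C:\Users\alice\Documents\report.doc")
    run_key = SecurableObject(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run")
    low_cache = SecurableObject(
        r"C:\Users\alice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low",
        LOW)

    return {
        "tab writes user doc": mic_allows(ie_tab, user_doc, WRITE),
        "tab reads user doc": mic_allows(ie_tab, user_doc, READ),
        "tab writes Run key": mic_allows(ie_tab, run_key, WRITE),
        "tab writes Low cache": mic_allows(ie_tab, low_cache, WRITE),
        "tab sends message to explorer": uipi_allows(ie_tab, explorer),
        "explorer sends message to tab": uipi_allows(explorer, ie_tab),
        "broker writes user doc": mic_allows(broker, user_doc, WRITE),
    }


if __name__ == "__main__":
    for case, allowed in protected_mode_scenario().items():
        print(f"{case:32s} -> {'allowed' if allowed else 'DENIED by MIC/UIPI'}")
```

Two things the model makes visible that the prose leaves implicit: the default label only carries NO_WRITE_UP, so a Low-integrity tab is still allowed to read the user's Medium-integrity documents, and the broker runs at Medium, so whatever the user consents to escapes the label check entirely. That is the precise sense in which the "keep the matches away from Junior, now Junior please put the matches away" objection applies.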


----------



## NTBugtraq (Jan 4, 2007)

zekrahminator said:


> Wow Russ Cooper, I think you're the first person I've quoted in the news I write to actually respond, welcome to the forums . And I suppose that I summarized a little bit on the points you never said, based on the rest of the article. That story was all presented in a form that made it look like you agreed with all of it. Oh well, at least you voiced your real opinion.
> 
> Edit: Fixed original newspost to show that the list I had after your quote did not express your true views, sorry for the misunderstanding.



Hey zekrahminator, no problems. I didn't mean to sound like I was offended or anything like it. It just happened that one of my co-workers asked me about the quote from CNet and I had forgotten giving it (hey, it was Christmas and I was on holidays when I spoke with Bob) When I asked where he'd read it, he sent me your link.

Hope you don't mind my really long posts...I tend to be overly verbose all too often... 

FWIW, being misquoted or quoted out of context is what the majority of many people's reputation is based on. For a 2 line quote like the one Bob had of me, I spend usually an hour with the reporter on the phone. One could then spend the rest of their waking hours explaining what was said during the hour, versus what got in an article.  

Cheers,
Russ


----------



## Jimmy 2004 (Jan 4, 2007)

NTBugtraq said:


> Hope you don't mind my really long posts...I tend to be overly verbose all too often...



Long posts are not a problem, my post was only as a joke to Alec - messages that are more detailed are generally very appreciated on this forum.

I agree with zek and think that it's good to see someone included in a news story actually post a response to it to build on the story directly. Admittedly there wouldn't be any easy way to tell if you're genuine, so we'll have to assume you really are who you say you are!


----------



## Alec§taar (Jan 5, 2007)

*Russ/NTBugTraq: Some more "FYI" for you...*



NTBugtraq said:


> Firstly, thanks for pointing out Protected Mode, it is something I overlooked about IE7 on Vista.



Well, then now you are aware of how IE7, on VISTA specifically, is better than it is on XP, & even over Windows Server 2003 (possibly, but its 'enhanced security mode' of operation 'cuts off' avenues to attack, totally), where you were not before is all.

And, IF you would like the LOCAL commandline switch + batchfile work for doing IE7 in 'a sandbox' on XP? I can provide it to you as well... it works.

You now know @ this point, though, how IE7 on VISTA is truly superior to how it is on Windows XP/Server 2003 even (w/ its "enhanced security mode", which CAN be emulated/setup-the-same on XP as well, IF you take the time to do it manually, yourself, for the most part).

See? Even a 'security guru', like yourself, can learn a thing or two in the arena of security... forums are great this way.



NTBugtraq said:


> I found a bit better reference to what PM on Vista means to IE in the IEBlog;
> 
> http://blogs.msdn.com/ie/archive/2006/02/09/528963.aspx



I DID take a read of that as well, & it actually COUNTERS your next point below in fact, take a read:



NTBugtraq said:


> But the real bottom line is that, even on Vista, IE hands off tasks to objects that run outside of the sandbox after asking the user whether it should do so.



*VISTA & its version of IE7, per the URL you cited? Does counter for THIS, here:

"Mandatory Integrity Control (MIC), a model in which data can be configured to prevent lower-integrity applications from accessing it. The primary integrity levels are Low, Medium, High, and System. Processes are assigned an integrity level in their access token. Securable objects such as files and registry keys have a new mandatory access control entry (ACE) in the System Access Control List (ACL)."*

&

*User Interface Privilege Isolation (UIPI) blocks lower-integrity from accessing higher-integrity processes. For example, a lower-integrity process cannot send window messages or hook or attach to higher priority processes. This helps protect against "shatter attacks." A shatter attack is when one process tries to elevate privileges by injecting code into another process using windows messages.*

Some more FYI for you, & counters your argument on that account...

VISTA's IE7 mechanisms above (in collusion w/ UAC on VISTA as well) would even counter imo, for this "false positive" I ran into, regarding IE & SpyBot findings, noted example:

SpyBot, in its latest version as of the date of this post, mistook an IE helper (tools menu) I embed myself, that used the SAME "GUID" I did for a browser extension, that some malware uses!

I knew mine wasn't: It summoned an .exe I wrote (an enhanced pinger I wrote in Delphi & TOTALLY by hand, no 3rd party VCL used or ActiveX controls) via the IE tools menu, so I had the sourcecode to the app & know it's NOT 'malware', period.



NTBugtraq said:


> This is akin to saying “We’ll keep the matches in some safe place so Junior doesn’t get them…Now Junior, would you please put these matches somewhere safe?”



The entire "object-oriented" (object broker in Win32 actually) based form of operation, & the "document-centric" Ms universe functions on this... handing off or making calls to external libraries & USUALLY, this is done in the SAME process space as the calling process if DLL's/libs are used (in process calls)... 

& if diff. exe's used (as in the case of the false positive I note I found a while back did), & thus, diff. process spaces?

Then, typically, mechanisms like Windows Messages (apps sending one another messages in their numerous multiple message queues they have), via mailslots, RPC, Shared Memory (RAM &/or diskbound files), Winsock, NetBIOS, DDE, clipboard access, named pipes & even the latest from MS (single messaging scope paradigm lately introduced to replace those & more I noted), are also controlled THIS way too.

VISTA is better on many levels, ones end-users don't see, & this is yet another evidence thereof.

This is NOT exclusive to MS either. Other OS' oem's designed this way as well, using shared libs & functions external to program executables & having dependencies on other external libraries (like DLL's in Win32).



NTBugtraq said:


> >Rootkits are on the rise - I’m sorry, but I would disagree, at least using the way I look at things.



I disagree w/ that: From having NO rootkits (@ least known ones) around 1-2 years ago tops in Win32, to having them now out there?

BIG increase... & rising.



NTBugtraq said:


> For example, if we ask the question; “Has the number of systems with criminal rootkit components installed on them risen in the last 12 months?” I would have to answer, unequivocally, NO! The main reason is that such systems are being detected more frequently, whether its by the victim’s ISP, a victim of the victim, the AV on the victim system, or simply because the system failed and was rebuilt without the rootkit. All of these things are happening more often than in the past, so it only stands to reason they’re finding more than before. Meanwhile, the ways rootkits get onto systems hasn’t really changed or improved.



Maybe the ways haven't changed, but the number of rootkits surely is & has gone up... from ZERO a few years ago on Win32 systems, up to whatever the presently found amounts are... increases, definitely.



NTBugtraq said:


> Now if we ask the question; “Have there been more individual pieces of malware found in the wild in 2006 that contain rootkit components?” then I would answer Yes!



And, then, you'd be right as rain...



NTBugtraq said:


> So what, there has been a considerable jump in the number of individually identifiable pieces of malware in 2006 as criminals have attempted to subvert detection by making minor changes (adding/removing garbage bytes, or re-packing, whatever). Compare 2006 to 2005 in this way and you’re not comparing oranges to oranges.



Compare this to 2003-2004, to today? You have a HUGE "order of magnitude" level of increase... from ZERO, to whatever numbers of malware out there today that uses rootkits to avoid detection/removal.

Typically? IF you are found as bearing a rootkit?? Most folks/experts in this area tell you 1 thing: REPAVE!

(Even MS admits currently that once you have one of these things? Redo your rig... removal/disinfection is BEST done via "nuking your setup from orbit" @ this point nowadays @ least!)



NTBugtraq said:


> If you look at the statistics MS put out on what their Malicious Software Removal Tool is finding, you’ll see that the number of infected machines is actually reducing over time, regardless what is infected with.



This is a direct result of folks being more "proactive" on using tools like AntiVirus, Firewalls, & just overall better regarding opening email attachments & such... & also measures implemented by the end-user's ISP/BSP which you mentioned above, also.



NTBugtraq said:


> >I don't discount ANY vulnerability
> 
> This is the biggest obstacle I face daily…people who don’t discount ANY vulnerability. If nobody is attacking, why are you worrying?



*What is the typical statistic? Once a Windows machine is setup, it is typically infected/attacked w/ in 12 minutes of being online??

I set up a pal's machine on XP 2 days ago, we got nearly INSTANTLY "hit" w/ a "Messenger Service" 'attack' (not really an attack, but it was trying to lure him & me into going to some website, & this doubtless was where the REAL attack would be coming from... a mal-scripted website attack most likely too).*



NTBugtraq said:


> Do you have a bomb shelter at home? Do you drive? Do you breath? We all accept risk in myriad ways every day, why can’t we do the same thing with computers?



I don't take risks I shouldn't, TYPICALLY... it's like being sexually promiscuous nowadays... not worth the risk.



NTBugtraq said:


> My risk doesn’t increase just because I’ve got a vulnerability.



I disagree... you are TOTALLY increasing your chances of being hit, just by being vulnerable & NOT taking active measures or workarounds (provided they exist) to not get infected.

Bad business if you don't, imo... using Firewalls (hardware &/or software), AntiVirus, AntiSpyware, & performing scheduled rootkit checks weekly @ least, & doing OS + app patching is a must nowadays.



NTBugtraq said:


> The threat doesn’t increase either just because there’s a vulnerability.



OH, I beg to differ here: If I am immune to plague due to taking vaccination? I can walk thru a party full of plague bearers & be safe... someone who is NOT 'vaccinated' (takes active measures for prevention) is not nearly as safe.

Heck, that party of plague bearers, from my example above? Is the INTERNET itself...



NTBugtraq said:


> Bottom line is your wasting a lot of your time and resources worrying about every vulnerability.



Oh, I have to say otherwise: Mainly because since I have been cutting off ActiveX/ActiveScripting &-or Java/JavaScript usage on public internet based zones @ home in ALL of my browsers?

I rarely, if EVER, suck in virus &/or malwares (had a false positive 3 months ago, but turned up fine, but have not had a virus or other bad thing on my system in roughly a decade or more because of this behaviour on my end)...

IF you'd like the mechanics/specifics on HOW I know it was a 'false positive', one detected by SpyBot? I provided it above earlier for your reference.



NTBugtraq said:


> >more folks are becoming aware (of security issues) I don’t really think they are.



OH, I do... I have listened & watched @ the CompUSA in my area when 'absolutely newbie' type folks buy computers, & when they do? They usually DID opt for tools in softwares like Norton AntiVirus when purchasing their systems... nearly every time, if not every time.



NTBugtraq said:


> There’s an “all or nothing” stratification I’m seeing in the home user community…they either always pass on jokes and chain letters (even after being told to stop sending them) or they never do. We’ll just have to wait for those who do pass on chain letters to die, I’m afraid.



There are those folks, but the ones that choose to do the opening are not necessarily ALWAYS 'unaware' of the threat, it's more that they don't give a hoot imo.

I see this in relatives of mine & friends in fact... they know they are taking a risk, but do it anyhow.



NTBugtraq said:


> Frankly, as the Java sandbox has shown, a sandbox is neat, but not assured.



Right - which is why I never fully trusted the "Java sandbox" in the first place & turn it off on my browsers when they face the 'public internet'... but, do use Java & JavaScript (as well as ActiveX & ActiveScripting) in INTRANET environs.



NTBugtraq said:


> The concept of Trust Zones in IE was always intended to inhibit what rendered script could do on the hosting system…and as we know, it’s never been assured. For the most part, it works, then someone discovers a way through the zones and it gets patched. Should we trust it? If not Trust Zones, then why PM? Why the Java sandbox? They are all designed to limit what can be done…albeit in different ways and to different extents, but none have been perfect or resistant to attack. I’ve no reason to believe that PM in IE on Vista is going to be perfect either. Once someone publishes a flaw, the smoke will dissipate and our ability to tout it as a huge step forward will be undermined…forever.



Zone use IS "better than nothing", absolutely.

Plus, oh, I don't know about "forever" as you said, but I would trust VISTA's IE7 "protected mode" over that of non-protected mode on Windows Server 2003 &/or XP though for IE7... 

Yes, simply because it IS that much better than IE7 on Windows XP, & even over that on IE7 on Windows Server 2003, w/ its 'automatic enhanced security mode'...



NTBugtraq said:


> Also, there will be controls that will leak or provide cross-“zone” facilities. Think in terms of the number of controls that got released which were marked “Safe for Scripting” but shouldn’t have been…this will happen in Vista too. Consider how many controls MS has had to set killbits for in IE.



I am not aware of how many that is, but apparently it's more than I am aware of, as far as IE & MS setting up killbits for various ActiveX controls being unsafe... but, this is a good thing to do, when they are spotted as faulty.



NTBugtraq said:


> Maybe we’ll actually get CRLs eventually, but until then we’re stuck with finding workarounds.



Define "CRL" for us please... I am not aware of this term/acronym's meaning... thanks. Did you mean "Common Runtime Library" by this? Not sure, have to ask.



NTBugtraq said:


> We are still stuck with the problem of the user having the choice whether to shoot themselves in the foot or not. As I’ve said previously, I believe the vast majority of infected systems get that way with user involvement, and PM in IE on Vista still allows for user involvement.



Most folks cause 90% of their own problems, computer or other things in life... but, trick is, learn by your mistakes.



NTBugtraq said:


> >IE Enhanced Security Mode in W2K3 disables ActiveX…
> 
> You suggest I can enable a control by site. I can’t, only by Zone.



No, it was about using zones... & you hit on that correctly, per what I was trying to say: you run that site in a zone & let it go from there (& set a zone up properly). I redo ALL of my zones on home machines to be like it is on Windows Server 2003 'enhanced security mode' anyhow.



NTBugtraq said:


> In fact, the Enhanced Security Configuration can be established on XP via Group Policy, so automated no manual, if you really want it…



You COULD do it that way, I agree, but you STILL have to set up the policy manually & THEN, you can extend it to other machines on your LAN in a workgroup/domain.



NTBugtraq said:


> but disabling all ActiveX controls and scripting just isn’t realistic in a corporate environment.



I don't & mention that above... for INTRANET work, on the job? I use both scripts of both types AND ActiveX controls (like Crystal Reports has) extensively during ASP.NET work I do for a living in the MIS/IS/IT environs.



NTBugtraq said:


> Besides, I’m not going to install W2K3 on all of my desktops, am I…;-]



Well, this is the whole argument/issue now, isn't it? Whether VISTA provides enough motivation for folks (or corporate bodies) to install it right away... they won't.

Most don't in fact, right away... they wait out new machines coming w/ it & experiment using them seeing how they mix w/ their existing setup both apps & OS setup-wise, plus, they wait out "bugs shaking out"... takes 2-3 years typically, if not more.

This is just what I have seen as a network engineer/admin - coder over 15 years time or so, in numerous companies/sites/jobs I have been on professionally in that timeframe.

A decent sample-set to base my statements on, & really, the only 1 I have, but a GOOD one.





NTBugtraq said:


> >"In Windows Vista with Protected Mode…
> 
> When the ActiveX concept was first publicly discussed (I was part of the Design Review a long time before it ever got public mention) there were raging debates over whether there should be some sort of sandbox. At that time Java was seen as the holy grail for security, hence the strong desire of a sandbox.



It was a bad move then, that they were NOT put into a "protected mode" environs imo as well... I would have 'pushed harder' on your end were you one of those stating this to the MS folks...

* Good discussion...

APK

P.S.=> 





NTBugtraq said:


> In response to Alec§taar's numerous responses...;-]



Ha, right back @ ya!

See my subject-line/title above for this reply back to you, first, & then, this, "in response to your numerous responses", lol (continuing our discussion & sorry for delay, busy @ work & @ home last nite)... apk


----------



## Wile E (Jan 6, 2007)

Alex, I think you just bested your previous longest post. lol Seriously tho, I'm learning a lot from this, keep em comin.


----------



## NTBugtraq (Jan 6, 2007)

>Admittedly there wouldn't be any easy way to tell if you're genuine, so we'll have to assume you really are who you say you are! 

Actually, you can just go to the NTBugtraq home page (www.ntbugtraq.com) and either email me at the address listed there, or call my phone...;-]

>VISTA & its version of IE7, per the URL you cited? Does counter for THIS, here:

I think my point was missed here a little. PM relies on the technologies you cited (MIC and UIPI) to provide enforcement within IE. These technologies govern what a process does. However, when IE prompts the user asking whether they want to install an ActiveX control (providing they’re a member of the Local Administrator’s group) PM then branches to objects that are outside of the PM. The tasks passed can then do anything the user can do, with Administrative privilege.

If this were not true it would be impossible for a user to install an ActiveX control, or modify registry/file settings that may need to be done from time to time (e.g. update an existing ActiveX control.)

This is the “hole” in the PM. I’m not suggesting it’s flawed; only that it is present. And its presence does mean the PM is not truly a sandbox (and I’m not sure I’ve seen MS refer to it as such, to their credit.)

Most malware that ends up on people’s systems gets there by the user double-clicking on something (not via Browser exploits), so as long as IE prompts people to take an action, they will. PM stops drive-by downloads and exploitation of some browser vulnerabilities (not XSS, for example), but if you consider the percentage of people who’ve been infected via IE versus other ways, it is, IMO, solving a very small problem.

I’ll come back to this.

>Rootkits are on the rise. Zero 1-2 years ago.

I have to assume we’re having a problem with the term “rootkits.” My definition is some code which is completely invisible to the user through normal inspection. So it has to be covert enough to not show up in Task Manager and/or Explorer and be invisible to AV. Otherwise, it’s not a rootkit in my book.

The term has become overly used to refer to anything that does backdoors, and/or covert command and control channels. Have a look at http://www.rootkit.com/ for a list. NT Rootkit, by Greg Hoglund, was released initially in 1999. So saying there were ZERO in 2003 is just wrong. 

Even before that there were discussions and Proof-of-Concept (PoC) code that exploited Alternate Data Streams (ADS) to hide themselves on disk (albeit not being able to hide the running process.) So we’ve had rootkits for a long time.

I will, again, say IMO that the number of machines infected with completely undetectable malware components is not a significantly higher percentage than it was in 2003. FWIW, my employer (Cybertrust/ICSA Labs) manages the WildList.org site, which tracks In-the-Wild malware. You can have a look at the October 2006 data (latest posted) and get an idea of what’s out there. You can then lookup the names of the malware to see what it does.

http://www.wildlist.org/WildList/200610.htm

This doesn’t mean that you can rely on AV to completely remove an infection. I agree that rebuilding after an infection is discovered is the Best Practice.

But again we have to stop looking at infections as a binary object, the same way we have to stop looking at vulnerability as being binary.

Let me take your example of walking through a party full of plagued people. Yes, if you do that, and you’re vaccinated, you are more protected than if you’re not vaccinated.

However, why is it that we all don’t get vaccinated for the plague? It’s simple, it’s because the vast majority of us will never come into contact with anyone who has an active case that can infect us. Is it impossible for me to become infected? No! But the threat of me being infected is near zero, hence we don’t vaccinate against it. Yet the cost of being infected could be death…still we don’t get vaccinated.

So, in the case of the plague and people in, say, North America:

Vulnerability Prevalence = 100%
Cost of Infection = Death (let’s call it 100%)
Threat Rate = 100 people with active infections within the U.S. (~300m people)

Risk = Vulnerability Prevalence * Cost of Infection * Threat Rate
Risk = 100% * 100% * 0.000000333

This is your risk if you do nothing. Now consider what happens when you travel outside of the U.S., to a country where plague is present. The Threat Rate increases, possibly dramatically.

CountryX where plague is known to be present. Let’s say 1% of their population has plague, and the country has 100m people

Threat Rate = 1m/100m = 1%
Risk = 1% * 100% * 1%

Wow, now that’s a HUGE increase in risk, 3m% increase in fact! But it doesn’t consider all of the facts:

- What’s the chance I am going to meet one of those people?
- What’s the chance they’ll have an active infection when I do meet them?
- What’s the chance I’ll have no indications I might be getting near plague victims?
- What’s the chance my contact will actually lead to plague?

Each of these (and more) affect the final risk value, and any that are less than 100% cause that initial 1% risk to reduce.

Now apply this thinking to computer security and vulnerabilities:

Adobe PDFs can be used to cause Cross Site Scripting (XSS) in Firefox.

Vulnerability Prevalence = 35%?? (whatever market share value you want to give to Firefox is fine by me.)
Cost of Exploitation = Let’s say 100% again, as in being exploited means you lose all of your bank balance??
Threat Rate = 0% (We’ve had no reports of any sites hosting exploits)

Risk = 35% * 100% * 0%

Anything times 0% is 0, right?

Ok, so let’s revise the Threat Rate. Let us assume that some 10,000 sites are currently hosting PDF/XSS attacks today.

Threat Rate = 0.000093567 (10,000/106,875,138 – number of sites reported by Netcraft in January 2007)

Risk = 35% * 100% * 0.000093567 = 0.00327485%

Now this is from a world perspective. This is how we look at the risk in the world as a result of some new thing. If you ran Firefox, the number would be different:

Risk = 100% * 100% * 0.000093567 = 0.0093567%

We’re still less than 1/100 of a percent.

So how much of your time should you spend on something that carries that much risk? And don’t forget, we haven’t even applied mitigators to this yet:

- Chances the malicious site is still up by the time I get there
- Chances the criminals actually succeed in getting all of my money, despite having my credentials
- Chances the bank isn’t going to give me all my money back

Etc…

Vulnerability-based thinking is binary. You are, or you’re not. You either have something to do, or you don’t. It’s very easy, however it’s enormously time consuming and wastes ridiculous amounts of resources world-wide every day.

It happens because, for most people, it’s impossible to do the risk calculation to the extent they think they should. In the above example most people would be stumped on the Threat Rate. “How do I know how many criminal sites are out there exploiting the vulnerability?” But if you look at it reasonably, before I even have a 1% risk, there’d have to be a million sites exploiting the vulnerability. For that to be true that would be 1 out of every 100 web sites exploiting this vulnerability.

I would argue that it would be impossible to imagine that 1 out of every 100 web sites is criminal and exploiting anything. That’s just way more criminal activity than has ever been seen before. So take any other browser-exploiting vulnerability you can think of and apply the above math and you’ll see that browser exploits just aren’t worth worrying about.

Now don’t get me wrong, it’s not as if we say “Oh just go anywhere you want with your browser and do nothing to it” to be secure. It’s a question of resources, and how you should spend them.

Do you give up what Active Scripting and ActiveX provides to the average person on a site (usually a better experience) because we fear such a small risk? Or, do we do a better job of educating our users to ensure they don’t end up at 1 of the 10,000, or 100,000, criminal sites?

Do we take the time and resource we put into patching and apply it to better Group Policy Object definition, or better proxy/IDS (Intrusion Detection System)/IPS (Intrusion Prevention System) filters? Do we instead focus on the few people in a company who, typically, repeatedly get infected versus the balance who never do?

There are so many ways to lower that Risk number without ever having to patch anything…honestly.

Hopefully this sheds some light on why being vulnerable is not equal to having a risk, or why an increased threat doesn’t necessarily translate to increased risk either.

The concepts above are not really difficult to understand, but I do know that they are hard to believe and/or accept. But in my 30 years experience in the business they are the most effective at reducing and/or eliminating risk.

>I set up a pal's machine on XP 2 days ago; we got nearly INSTANTLY "hit" w/ a "Messenger Service" 'attack'

Well, you must have done something wrong as XP SP2 installs by default with the Windows Firewall enabled, meaning Messenger shouldn’t have been exposed!

Alternatively, had you installed it attached to any of the $50 routers, Wireless Access Points (WAP) or Cable Modems, you’d have what we call “Default Deny” enabled and it wouldn’t have got past it.

>Killbits in Internet Explorer 6.0

http://support.microsoft.com/kb/240797/en-us provides detailed instructions on how to set them. Basically, IE checks in the registry to see whether it should or should not run a given control. You can take any given control and set it such that IE will not run it, but it will run in other applications. As long as the control is registered (and virtually every DLL is) you merely have to figure out its Class ID (CLSID) and then add it to the IE list and it cannot be invoked from within IE 6.0.

>CRLs

Certificate Revocation Lists. When a Digital Certificate is produced, it is signed by a Root Trust Authority. It has parameters that state how long it should be valid for, amongst other things. Once a certificate has expired, it should, and is, no longer trusted. However, what if you need to make a certificate not trustworthy for some other reason?

Imagine that your private key, the key you use for signing your software, is stolen. Since you don’t know where it is, you don’t know if someone else is going to use it to try and leverage the trust someone else might have in you (via your cert.) So you need to revoke the cert. You can’t simply alter the expiration date.

This is where CRLs come in. The concept of PKI (Public Key Infrastructure) always included the ability to revoke a cert. When you are presented with a certificate, your system was supposed to check with a trusted authority to find out whether the cert had been revoked. For myriad reasons, this was rarely implemented (including not being supported at all in Windows.)

CRLs are now supported in Vista…and now we just have to wait and see if the Certificate Issuers are going to deliver them (FWIW, we, Cybertrust, are a Trusted Root Certificate Authority – GTE Cybertrust Root.) 

Cheers,
Russ
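The risk arithmetic in the post above (Risk = Vulnerability Prevalence * Cost of Exploitation * Threat Rate, then mitigators multiplied in afterwards), carried through in Python as an added example; this is not code from the thread or from Cybertrust. The population, site and infection counts are the ones quoted in the post; the three mitigator probabilities in the Firefox scenario (site still up, money actually taken, bank does not refund) are assumed values chosen only to show how mitigators shrink the number, and the inversion at the end reproduces the "about a million hostile sites before you reach 1%" point.

```python
"""Risk = prevalence * cost * threat rate, as used in the NTBugtraq post.

Added example for this thread, not the poster's own code. Figures for the
plague and PDF/XSS scenarios are the ones quoted in the post; the mitigator
probabilities are assumed, illustrative values.
"""
from dataclasses import dataclass

NETCRAFT_SITES_JAN_2007 = 106_875_138   # site count quoted in the post


@dataclass(frozen=True)
class Scenario:
    name: str
    prevalence: float          # fraction of the population that is vulnerable (0..1)
    cost: float                # fraction of "everything" lost if exploited (0..1)
    threat_rate: float         # fraction of contacts / sites that are hostile (0..1)
    mitigators: tuple = ()     # per-step probability the attack still succeeds (0..1)

    def base_risk(self) -> float:
        """The three-factor product from the post, before any mitigators."""
        for v in (self.prevalence, self.cost, self.threat_rate):
            if not 0.0 <= v <= 1.0:
                raise ValueError(f"{self.name}: factor out of range: {v}")
        return self.prevalence * self.cost * self.threat_rate

    def residual_risk(self) -> float:
        """Base risk with each mitigator applied; every factor < 1 lowers it."""
        risk = self.base_risk()
        for p in self.mitigators:
            if not 0.0 <= p <= 1.0:
                raise ValueError(f"{self.name}: mitigator out of range: {p}")
            risk *= p
        return risk


def as_percent(risk: float) -> float:
    return risk * 100.0


def percent_increase(old: float, new: float) -> float:
    """Relative change between two risk values, in percent."""
    if old <= 0.0:
        raise ValueError("old risk must be positive")
    return (new - old) / old * 100.0


def hostile_sites_for_risk(target_risk: float, prevalence: float, cost: float,
                           total_sites: int = NETCRAFT_SITES_JAN_2007) -> float:
    """Invert the formula: how many hostile sites before risk reaches target_risk."""
    return target_risk / (prevalence * cost) * total_sites


# Scenarios from the post (population and site counts as quoted there).
PLAGUE_NA = Scenario("plague, North America", 1.0, 1.0, 100 / 300_000_000)
PLAGUE_COUNTRY_X = Scenario("plague, CountryX", 1.0, 1.0, 1_000_000 / 100_000_000)
PDF_XSS_WORLD = Scenario("PDF/XSS, world (35% Firefox share)", 0.35, 1.0,
                         10_000 / NETCRAFT_SITES_JAN_2007)
PDF_XSS_FIREFOX_USER = Scenario(
    "PDF/XSS, a Firefox user", 1.0, 1.0, 10_000 / NETCRAFT_SITES_JAN_2007,
    # Assumed mitigators: site still up (50%), criminals drain the account (30%),
    # bank refuses to refund (20%). Illustrative only.
    mitigators=(0.5, 0.3, 0.2),
)


def report() -> str:
    lines = []
    for s in (PLAGUE_NA, PLAGUE_COUNTRY_X, PDF_XSS_WORLD, PDF_XSS_FIREFOX_USER):
        lines.append(f"{s.name}: base {as_percent(s.base_risk()):.7f}%"
                     f"  residual {as_percent(s.residual_risk()):.7f}%")
    lines.append("plague NA -> CountryX: "
                 f"+{percent_increase(PLAGUE_NA.base_risk(), PLAGUE_COUNTRY_X.base_risk()):,.0f}%")
    lines.append("hostile sites needed for a Firefox user to reach 1% risk: "
                 f"{hostile_sites_for_risk(0.01, 1.0, 1.0):,.0f}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

The inversion is the practical part: for a fixed prevalence and cost, `hostile_sites_for_risk` tells you how large the hostile share of the web would have to be before a given vulnerability is worth the patching effort the post argues against, and the mitigator chain shows why even that number overstates the exposure.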


----------



## Steevo (Jan 6, 2007)

I still stand by that the user is the biggest security threat. I opened up NetBios broadcasts and set our remote location server (my old PC) to announce Master Browser. Guess how many hits an hour I got on our IP? 

200+ unique IPs.


Talk about loading a gun and aiming it? Now what would happen if the standard home user bought a PC from someplace and it happened to be setup incorrectly? DSL modems or encapsulating programs are a way through or around. 


Vista or no, the biggest threat is still users. Independent process control, execution control, but no user control. And once in, most will write it off as a minor slow down.


----------



## Alec§taar (Jan 7, 2007)

NTBugtraq said:


> Have a look at http://www.rootkit.com/ for a list. NT Rootkit, by Greg Hoglund, was released initially in 1999. So saying there were ZERO in 2003 is just wrong.



Oh, they were around FAR before 1999 in the UNIX world, first of all & iirc, I stated that early on... 

For Win32? You could be right there, because I hit that site also (rootkit.com) quite a bit...

There were proofs of concept code blocks for that there... 

Still, the point was *ARE THEY ON THE RISE AS FAR AS USAGE BY MALWARE AUTHORS?*, as far as rootkit use being more prevalent than before & rising??

See this 2006 article (as just 1 example of agreement w/ my point):

*Rootkits on the rise says McAfee*

http://www.cbronline.com/article_news.asp?guid=8C8CB070-F7E6-4062-8081-EC4F596C717E

I tend to agree. They've been around for a while on NT-based OS', but they are more widely used now & rising in their usage by the "malware crowd"...



NTBugtraq said:


> I think my point was missed here a little. PM relies on the technologies you cited (MIC and UIPI) to provide enforcement within IE. These technologies govern what a process does.



Exactly! In fact, the very article URL you put up states it, & the bolded portion above notes the 'salient' portion regarding what IE7 can do, or NOT do, regarding addons (Tools menu, separate executables OR libs w/ GUI interfaces, & yes, DLL's can have them too) & WHAT they can do when called from IE.

Again:

*VISTA & its version of IE7, per the URL you cited? Does counter for THIS, here:

http://blogs.msdn.com/ie/archive/2006/02/09/528963.aspx

"Mandatory Integrity Control (MIC), a model in which data can be configured to prevent lower-integrity applications from accessing it. The primary integrity levels are Low, Medium, High, and System. Processes are assigned an integrity level in their access token. Securable objects such as files and registry keys have a new mandatory access control entry (ACE) in the System Access Control List (ACL)."

&

User Interface Privilege Isolation (UIPI) blocks lower-integrity from accessing higher-integrity processes. For example, a lower-integrity process cannot send window messages or hook or attach to higher priority processes This helps protect against "shatter attacks." A shatter attack is when one process tries to elevate privileges by injecting code into another process using windows messages.*



NTBugtraq said:


> However, when IE prompts the user asking whether they want to install an ActiveX control (providing they’re a member of the Local Administrator’s group) PM then branches to objects that are outside of the PM.



For installation? Yes, but ONLY afaik for "in-process" libs/dlls (activeX controls/OLEServers)... ActiveX executables though, out of process ones? Self-register first time they are run!

For usage?? No... not typically when speaking of in process ones & especially NOT for out of process ones, as they 'self register' first time they are run (see "in process" vs. "out of process" & ActiveX controls online, or just read the following).

http://support.microsoft.com/kb/297279



NTBugtraq said:


> The tasks passed can then do anything the user can do, with Administrative privilege.



For installation? Again - yes. 

For usage??? No... see, as far as ActiveX controls??? 

You're NOT 'branching outside' of the IE process, TYPICALLY, when using ActiveX controls in a browser OR applications... 

Usually, they are written as "In-Process calls", running in the same memory space as the browser (IE), or Application that uses them, & w/ reasons for performance (no "cross-process" messaging is why afaik/iirc).

Are there "out-of-process" calls to ActiveX/OLEServers possible? Yes... but w/ that comes overheads via passing messages across process boundaries in memory.

Would it help to STOP this being a problem, by using "out of process" COM/DCOM/OLEServer/ActiveX control usage being a problem for security? 

Yes, & it is used to NOT violate the calling process' memory space, but it has message passing overheads.



NTBugtraq said:


> If this were not true it would be impossible for a user to install an ActiveX control, or modify registry/file settings that may need to be done from time to time (e.g. update an existing ActiveX control.)



Not "impossible", & especially for an ADMIN level user (this is why UAC is SO valued really, to limit what the logged on interactive user CAN do & we are in agreement there)... he can raise anyone's rights, including his own, to "SYSTEM ENTITY" privileges (almost). 

Heck - you CAN elevate any user's rights really, to levels beyond std. "Administrator" even using secpol.msc's LOCAL POLICIES section, & once that is set, you can alter registry hives ACL's too & NTFS filesystem ones as well...



NTBugtraq said:


> This is the “hole” in the PM. I’m not suggesting it’s flawed; only that it is present. And its presence does mean the PM is not truly a sandbox (and I’m not sure I’ve seen MS refer to it as such, to their credit.)



Could be, it wouldn't surprise me... this is new tech, & usually w/ new stuff, you get "holes" of some sort discovered.



NTBugtraq said:


> Most malware that ends up on people’s systems gets there by the user double-clicking on something (not via Browser exploits), so as long as IE prompts people to take an action, they will. PM stops drive-by downloads and exploitation of some browser vulnerabilities (not XSS, for example), but if you consider the percentage of people who’ve been infected via IE versus other ways, it is, IMO, solving a very small problem.



Well, like Steevo stated? The user IS the weakest link... & I agree.



NTBugtraq said:


> I have to assume we’re having a problem with the term “rootkits.” My definition is some code which is completely invisible to the user through normal inspection. So it has to be covert enough to not show up in Task Manager and/or Explorer and be invisible to AV. Otherwise, its not a rootkit in my book. The term has become overly used to refer to anything that does backdoors, and/or covert command and control channels.



No, I never had a problem understanding what you meant by "rootkit" @ all, AND, thus, we are agreed on that note: 

A rootkit is INVISIBLE typically, to the Win32 API afaik... 

& as far as NTRootkit.com? Hehe, I've been taking "peeks" @ that site for a couple years now... amazing stuff.



NTBugtraq said:


> Even before that there were discussions and Proof-of-Concept (PoC) code that exploited Alternate Data Streams (ADS) to hide themselves on disk (albeit not being able to hide the running process.)



Alternate Data Streams only survive on local drives though... they do not "stream" across the net... it isn't something to worry about as long as you don't haul in files that create them.



NTBugtraq said:


> So we’ve had rootkits for a long time.



Not nearly as long as the UNIX world has had them though, was my point. They are a relatively "new" concept for attack vector on Win32 OS'...



NTBugtraq said:


> I will, again, say IMO that the number of machines infected with completely undetectable malware components is not a significantly higher percentage than it was in 2003.



McAfee feels otherwise, as do I, per the article above.



NTBugtraq said:


> FWIW, my employer (Cybertrust/ICSA Labs) manages the WildList.org site, which tracks In-the-Wild malware. You can have a look at the October 2006 data (latest posted) and get an idea of what’s out there. You can then lookup the names of the malware to see what it does.
> 
> http://www.wildlist.org/WildList/200610.htm



Decent reference, & I will take a peek @ it... never hurts to do so, to be aware of symptoms & just in general what is what.



NTBugtraq said:


> This doesn’t mean that you can rely on AV to completely remove an infection. I agree that rebuilding after an infection is discovered is the Best Practice.



Agreed, unfortunately... lol!



NTBugtraq said:


> Do you give up what Active Scripting and ActiveX provides to the average person on a site (usually a better experience) because we fear such a small risk? Or, do we do a better job of educating our users to ensure they don’t end up at 1 of the 10,000, or 100,000, criminal sites? Do we take the time and resource we put into patching and apply it to better Group Policy Object definition, or better proxy/IDS (Intrusion Detection System)/IPS (Intrusion Prevention System) filters? Do we instead focus on the few people in a company who, typically, repeatedly get infected versus the balance who never do?



A bit of both...



NTBugtraq said:


> There are so many ways to lower that Risk number without ever having to patch anything…honestly.



Agreed: "An ounce of prevention is worth a pound of cure"... & I agree: By NOT using Java/JavaScript & ActiveX controls or Active Scripting alone on the PUBLIC internet? I never suck any bad stuff in really.

Other stuff too... by not allowing adbanners in here I save myself that as well, and practicing using ONLY RichText or Text as my default email read format & FAR more.

(Done via HOSTS files blocking of known adbanner servers, using IE restricted sites, & also special cascading style sheets used as my "user style" here, I filter them out also as my proxy... why? They've been shown to harbor malware, believe-it-or-not... typically, they don't, but they have been shown to!)



NTBugtraq said:


> >I set up a pal's machine on XP 2 days ago; we got nearly INSTANTLY "hit" w/ a "Messenger Service" 'attack'
> 
> Well, you must have done something wrong as XP SP2 installs by default with the Windows Firewall enabled, meaning Messenger shouldn’t have been exposed!



This wasn't SP #2... it was an original XP disk...

(He's in school, & not for comp. sci.... he just needs to write papers, & WordPad is enough for that).



NTBugtraq said:


> Alternatively, had you installed attached to any of the $50 routers, Wireless Access Points (WAP) or Cable Modems, you’d have what we call “Default Deny” enabled and it wouldn’t have got past it.



No router/NAT "Firewalling" router... just std. connection. He's LITERALLY a "poor student", albeit one looking to better his life.

APK

P.S.=> GOOD discussion, & good review... apk


----------



## Ketxxx (Jan 8, 2007)

Let's not forget, as M$ are trying to badge Vista as THE gaming OS, that OGL isn't supported, making games like Q4 look like crap. I don't remember the exact details but hardware sound or something along those lines has been ditched as well - meaning your very expensive X-fi card or x-meridian, or prodigy 192 or the like is no better than your standard AC97 CODEC.

Vista can go to hell in a nutshell. I have some coder buddies who are hacking DX10 apart as I type intending to make it work with XP.

Vista isn't a step forward, it's several steps back.


----------



## Alec§taar (Jan 8, 2007)

Ketxxx said:


> Let's not forget, as M$ are trying to badge Vista as THE gaming OS, that OGL isn't supported, making games like Q4 look like crap.



Yup, "Z" showed us an example of that, iirc... & it is what is holding me back from using VISTA here period.

I like OpenGL...



* BUT, iirc as well, I think MS is 'backpedaling' now in regard to this & has a method of making OpenGL display 'natively' as it does in NT/2000/XP/Server 2003 as well, but you have to MANUALLY install it again...

(Correct me here if I am wrong, but I remember we had discussions about that here @ some point earlier on)

APK


----------



## Ketxxx (Jan 8, 2007)

Indeed we have. Would be nice to dig up more info on this Vista sound thing too. It's a rather important point, but has been somewhat hidden. Don't know about the masses of prodigy, x-meridian and x-fi owners, but I know I'd be PISSED if I got Vista, then realised none of my VERY EXPENSIVE soundcard hardware features would actually be utilised via hardware.


----------



## Wile E (Jan 8, 2007)

Hey Alex, I just wanted to point out that I have no proactive security measures running on my machine. No firewall, no proactive anti-spyware, and no proactive anti-virus. I do own Spyware Doctor and Kaspersky Internet Security, but their proactive defenses are disabled 90% of the time. The only time I enable them is when I plan on visiting sites I'm not familiar with. With weekly scans, I've never had anything come up in either program. Could it be that a vulnerability is only an issue if you don't surf safely? I feel I should add that I don't IM on anything but my Macs, and I have removed a few of the more easily exploited features of XP (Messenger and anything to do with remote desktop connection jump to the forefront of my mind). And I know this is making your skin crawl, but I haven't updated this installation of XP SP2 yet, at all (about 2 weeks now). lol I'm about as lax as someone can get with security, short of someone that doesn't even own a security app. I guess what I'm getting at is, how do we determine risk? Could I just get a random attack if I don't visit unfamiliar sites? And how? (honest questions, btw)


----------



## NTBugtraq (Jan 8, 2007)

>ActiveX controls

FWIW, an ActiveX control is merely an executable that happens to have registered entry points. That allows it to be hosted in another application. No version of IE has ever verified that an object being called *as an ActiveX control* is *actually an ActiveX control*. I can, therefore, hand off anything I want to IE's ActiveX processing, from CALC.exe to a multi-process installer routine.

So if I hand off in this way from within IE to a process not limited by the Protected Mode features, it can then install itself whatever way it wants...including spawning processes during that installation that launches malware. While PM can control what malware can do within IE, it doesn't control what it can do on the machine or outside IE, beyond limiting its effects to the single user.

So PM stops things like Gator and some other BHO (Browser Helper Object) malware/spyware, but not MyTOB or its ilk. It also doesn't stop the IE configuration from being altered from outside of IE.

Again, I'm not bashing, just trying to point out the difference between PM and a true sandbox.

Again, FWIW, I am working on my complete Vista Security White Paper and hope to have it ready soon for our customers. For those of you interested, I'd be happy to copy you on the drafts as they're produced for your feedback. Just email me privately (at whatever email address makes you comfortable, @rc.on.ca or @cybertrust.com.) I expect it to show that upgrading to Vista for security is a waste of resources, and that nothing of alleged security value in Vista can't already be done in XP as effectively and for less cost.

Cheers,
Russ
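The kill-bit mechanism Russ pointed to on Jan 6 (KB 240797) is the registry-side answer to "anything can be handed to IE's ActiveX processing": IE looks under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ActiveX Compatibility\{CLSID} for a "Compatibility Flags" DWORD, and bit 0x400 set means IE will not instantiate that CLSID. Below, as an added example that is not code from any poster in this thread, is a small Python tool that reads a .reg export of that key, lists which CLSIDs are kill-bitted, and produces a .reg fragment to kill-bit one more. The .reg text embedded in it is a constructed sample, and the zero-padded CLSIDs in it are placeholders, not real controls.

```python
"""Read and write IE "kill bit" entries in .reg form (KB 240797).

Added example for this thread, not code from the posters. Assumes the
documented layout: one subkey per CLSID under the ActiveX Compatibility key,
with a REG_DWORD "Compatibility Flags" whose 0x400 bit is the kill bit.
The sample export below is constructed and its CLSIDs are placeholders.
"""
import re

KILL_BIT = 0x00000400
ACTIVEX_COMPAT_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
                      r"\Internet Settings\ActiveX Compatibility")
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$')

# Constructed sample of a "regedit /e" export; placeholder CLSIDs.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ActiveX Compatibility\{00000000-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ActiveX Compatibility\{00000000-0000-0000-0000-000000000003}]
"Compatibility Flags"=dword:00000420
"""


def parse_compat_flags(reg_text: str) -> dict:
    """Return {CLSID: Compatibility Flags} for each ActiveX Compatibility subkey.

    Keys are matched case-insensitively, as the registry itself does; a
    subkey with no "Compatibility Flags" value is reported as 0.
    """
    flags = {}
    current = None
    prefix = ACTIVEX_COMPAT_KEY.lower() + "\\"
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = None
            if key.lower().startswith(prefix):
                clsid = key[len(prefix):]
                if CLSID_RE.match(clsid):
                    current = clsid.upper()
                    flags.setdefault(current, 0)
            continue
        if current is None:
            continue
        m = FLAGS_RE.match(line)
        if m:
            flags[current] = int(m.group(1), 16)
    return flags


def kill_bitted(reg_text: str) -> list:
    """CLSIDs that IE will refuse to instantiate, sorted."""
    return sorted(c for c, f in parse_compat_flags(reg_text).items() if f & KILL_BIT)


def kill_bit_reg(clsid: str, existing_flags: int = 0) -> str:
    """Emit a .reg fragment that sets the kill bit for one CLSID.

    A .reg merge overwrites the whole DWORD, so pass the control's current
    flags in existing_flags to keep any other bits that were already set.
    """
    clsid = clsid.upper()
    if not CLSID_RE.match(clsid):
        raise ValueError(f"not a CLSID: {clsid}")
    return ("Windows Registry Editor Version 5.00\r\n\r\n"
            f"[{ACTIVEX_COMPAT_KEY}\\{clsid}]\r\n"
            f'"Compatibility Flags"=dword:{existing_flags | KILL_BIT:08x}\r\n')


if __name__ == "__main__":
    print("kill-bitted in sample:", kill_bitted(SAMPLE_REG))
    print(kill_bit_reg("{00000000-0000-0000-0000-000000000002}"))
```

On a live machine the input would come from `regedit /e` against that key; the point of reading the existing flags first is that merging a fragment with only 0x400 would silently clear any other compatibility bits Microsoft or a vendor had set on the same control.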


----------



## bhaskar15 (Jan 8, 2007)

I'm using Vista Ultimate right now, no jokin, looks gr8. I got it as a birthday gift. But if others want it, they can download it from torrents. Otherwise there is no other possible way of getting the eye candy glass-like look and DX10 even if ya have an 8800


----------



## Alec§taar (Jan 8, 2007)

*LONG READ NtBugTraq/Russ, but decent discussion/review*



NTBugtraq said:


> >ActiveX controls FWIW, an ActiveX control is merely an executable that happens to have registered entry points.



I'm going to extend that, JUST a little bit:

It's a form of library that doesn't have the ability to launch itself, like a DLL (dynamic link library) is, BUT, is registered by GUID (actually a CLSID (class identifier, which makes sense: You design classes to create ActiveX controls))... 

Marshalled (launched) this way, you don't run into "dll hell" because it is identified by GUID (globally unique identifier) &/or CLSID (Class Identifier). OLEServer DLL's are much the same also, vs. "old school/classic" DLL's, which are launched by NAME only!

Usually DLL's (std. oldschool type) are started by LoadLibrary Win32 API calls, or by referencing them in various languages (such as VB declare statements, &/or Delphi using extern references under its VAR (pascal) clause).

*Non-"LoadLibrary" autoloaded DLL references in various languages (std. DLLs) examples:* vs. LoadLibrary

Delphi E.G.-> function DxFileClean (OldSpecChar):Integer; stdcall; external 'Stamin32.DLL';

VB E.G.-> Private Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)

* The NICE part about using LoadLibrary though, is you can DYNAMICALLY unload libs/dlls you call... not having them loaded in the same process, for its entire duration... 

Whereas loading them @ program instancing would force you to use the reg hack "AlwaysUnloadDLL" in the registry, forcing the OS memory mgr. to do it for you once the program 'dies'!

(... of course, this slows loadtime for other progs referencing that DLL (if they already don't have OPEN ref counters to said lib already in place, forcing it to stay open/loaded anyhow)).

*Additionally, IE7 also allows you to control ANY ActiveX installed & used by IE, from w/ in its TOOLS menu, Manage Addons Submenu... some "FYI", @ least in Windows Server 2003's version of it.*



NTBugtraq said:


> I can, therefore, hand off anything I want to IE's ActiveX processing, from CALC.exe to a multi-process installer routine.



Typically, when you extend IE's TOOLs menu for example? You do it via a GUID/CLSID, as noted here & where I ran into a "false positive" (which I mentioned earlier while using SpyBot, it ID'd an app I wrote for myself as a malware of some sort, by the CLSID I used (totally random on my part) & I have to write SpyBot folks about this - I changed the registry .reg merge file I use for installing it to another CLSID for now) extending said menu in IE6/IE7, thus, in the registry:

--------------------------------------

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{10954C80-4F0F-11d3-B17C-00C0DFE39736}]
"APK IE Plugin 1 -> C:\\WINDOWS\\APKPING32.exe"="APK IE Plugin 1 -> C:\\WINDOWS\\APKPING32.exe"
"MenuText"="APK IE PlugIn 1 -> C:\\WINDOWS\\APKPING32.exe"
"MenuStatusBar"="Run Script"
"ClSid"="{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}"
"Default Visible"="Yes"
"Exec"="C:\\WINDOWS\\APKPING32.exe"
"HotIcon"="C:\\WINDOWS\\WSOCKET.ICO"
"Icon"="C:\\WINDOWS\\WSOCKET.ICO"

--------------------------------------

NOW, IF you launch a document via 'association' (part of the Microsoft 'document-centric' paradigm)? Then, you might have a point...

*Again though:*

IE7 also allows you to control ANY ActiveX installed & used by IE, from w/ in its TOOLS menu, Manage Addons Submenu... Me? I burn ANY ActiveX control usage on the PUBLIC internet (not for INTRANET work though)... why??

Take a read here:

*Acer May Be Bugging Computers*

http://yro.slashdot.org/yro/07/01/08/0515200.shtml

A control, marked safe for scripting no less, has RUN commands in it... bad business by ACER computers imo, since 1998 no less!


NOTE: I am NOT aware of your example in Calc.exe having associations w/ any known file or datatype (some FYI for you), but, I get your point here.



NTBugtraq said:


> That allows it to be hosted in another application. No version of IE has ever verified that an object being called *as an ActiveX control* is *actually an ActiveX control*.



The OS does, per my explanation above!

CLSID (class identifiers) essentially do, for OLEServer DLL's & ActiveX controls... differentiating them from 'oldschool' DLL's @ least + "id'ing" them as such, because they are marshalled!

However, for .exe types, you have a point (note the IE tools menu addon technique I used, it will launch them that way via CLSID too - you have a point, but this is why doubtless WHY Ms provided the control for addons (even .exe type) in its TOOLS menu I mentioned above, now in IE7).

I had to help a guy remove an IE tools menu addon recently (his IE would not launch due to SOME addon not working anymore), & that CLSID path I note above for IE addons was the way we went about it in fact.



NTBugtraq said:


> So if I hand off in this way from within IE to a process not limited by the Protected Mode features, it can then install itself whatever way it wants...



Do you mean by say, launching a WORD doc from off the web? By File Association?? I wouldn't recommend it... not w/ WORD docs! They have 'macroing' possible...



NTBugtraq said:


> including spawning processes during that installation that launches malware.



Right & what I was leading into above... That is what I was stating in the preceding paragraph, when I assumed you meant loading a document into its associated datatype application: 

IMO, IT'S NOT A GOOD IDEA TO TYPICALLY PRACTICE THOUGH (@ least not w/ sites you might not know well or trust)! 

Just not good 'safe' surfing habit... this is part of WHY I make Outlook/Outlook Express LIMIT what I can open as an attachment. I think Wile E earlier/above on this page alludes to this as well... just "surfing smart" can help you, a TON.



NTBugtraq said:


> While PM can control what malware can do within IE, it doesn't control what it can do on the machine or outside IE, beyond limiting its effects to the single user.



It seems to say that in the bolded description I posted about it though from the URL you noted... again:

http://blogs.msdn.com/ie/archive/2006/02/09/528963.aspx

*User Interface Privilege Isolation (UIPI) blocks lower-integrity from accessing higher-integrity processes. For example, a lower-integrity process cannot send window messages or hook or attach to higher-priority processes. This helps protect against "shatter attacks." A shatter attack is when one process tries to elevate privileges by injecting code into another process using windows messages.*

Also, ANY application YOU run? Runs in YOUR USER ID CONTEXT... 

So, by stopping/stalling changes in apps run under YOUR User Context (as it seems to say above per that URL you provided) seems to be enough to stop this!

Also, imo & regardless of using Windows NT/2000/XP/Server 2003 messaging methods/IPC (inter-process control) methods (mailslots, RPC, Shared Memory (RAM &/or diskbound files), Winsock, NetBIOS, DDE, clipboard access, named pipes, etc. et al) OR, VISTA's new "Windows Messaging Foundation" even, especially... it sounds fairly solid!



NTBugtraq said:


> So PM stops things like Gator and some other BHO (Browser Helper Object) malware/spyware, but not MyTOB or its ilk.



BHO's are like the registry .reg file export I pasted in above, & I agree, this really IS IE controllable... manually, via its menus noted above, OR via "VISTA PM"... which I have yet to try, but it does sound good... @ least, vs. how IE of ANY KIND runs on other OS'...



NTBugtraq said:


> It also doesn't stop the IE configuration from being altered from outside of IE.



http://blogs.msdn.com/ie/archive/2006/02/09/528963.aspx

*"Mandatory Integrity Control (MIC), a model in which data can be configured to prevent lower-integrity applications from accessing it. The primary integrity levels are Low, Medium, High, and System. Processes are assigned an integrity level in their access token. Securable objects such as files and registry keys have a new mandatory access control entry (ACE) in the System Access Control List (ACL)."*

That SEEMS to state otherwise... especially regarding registry areas.

The LOCAL commandline switch/file creation (IEXPLORE.exe.local) for IE & some batchfile work can also isolate this as well... 

1.) Unzipping/extracting the distro file's files to an IE7 folder

2.) Deleting the UPDATE subfolder that formed under it

3.) Deleting the shlwapi.dll in that IE7 folder you made & extracted the IE7 distro files to (optional - it runs WITH IT IN PLACE!)

4.) + lastly creating a BLANK FILE called IEXPLORE.exe.local with notepad.exe & putting it into the IE7 folder you made & extracted all the files from the Ie7 distro into.

E.G. (which automates it for you to run side by side installs of IE6 & IE7)-> 

=========================

@ECHO OFF
TITLE IE7 Launcher

ECHO IE7 STANDALONE LAUNCHER
ECHO.
ECHO Do not close this window or it will not clean up after itself properly.
ECHO You can pass a URL into this batch file, like this: 
ECHO     ie7.bat www.microsoft.com
ECHO.
ECHO When you close IE7, this will remove the registry key and shut itself down.
ECHO.
ECHO Setting up IE7 for standalone mode...
REN SHLWAPI.DLL SHLWAPI.DLL.BAK
TYPE NUL > IEXPLORE.exe.local
ECHO Running IE7...
iexplore.exe "%1"

ECHO Removing IE7 registry key.
> %TEMP%.\IE7Fix.reg ECHO REGEDIT4
>>%TEMP%.\IE7Fix.reg ECHO.
>>%TEMP%.\IE7Fix.reg ECHO [-HKEY_CLASSES_ROOT\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}]
>>%TEMP%.\IE7Fix.reg ECHO.

:: Merge the REG file to delete the IE7 standalone entry
REGEDIT /S %TEMP%.\IE7Fix.reg
:: Delete the temporary REG file
DEL %TEMP%.\IE7Fix.reg

ECHO Removing IE7 standalone files...
REN SHLWAPI.DLL.BAK SHLWAPI.DLL
DEL IEXPLORE.exe.local
ECHO Complete, closing...

=========================

& here is the "IE7Fix.reg" file content (to eliminate changes/additions to the registry) made by IE7 in isolated local mode:

--------------------------------

Windows Registry Editor Version 5.00

[-HKEY_CLASSES_ROOT\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}]

--------------------------------

Burning anything it added in the registry, by removing the entire path/value key.

Heck, here is what they thought about it @ SLASHDOT:

http://slashdot.org/comments.pl?sid=175857&cid=14615222

"Modded up" 3 points, as "interesting"... it is, & it works, & NOT just for IE7 afaik, but also other older models of IE!

*It allows "side-by-side" loads of diff. versions of IE (I used it to try IE7, while keeping IE6 as my loaded/default windows webbrowser in fact), & protects them both & @ the registry level no less.*



NTBugtraq said:


> Again, I'm not bashing, just trying to point out the difference between PM and a true sandbox.



I tend to disagree w/ SOME of what you wrote, & some I agree with... per the descriptions noted from the URL you gave us to look at.

Still, it's one HECK of a lot better than even Opera (fastest, most std.'s compliant, & most secure browser there is w/ least known bugs afaik) & FireFox in this capacity @ this point, especially on VISTA.



NTBugtraq said:


> Again, FWIW, I am working on my complete Vista Security White Paper and hope to have it ready soon for our customers. For those of you interested, I'd be happy to copy you on the drafts as they're produced for your feedback. Just email me privately (at whatever email address makes you comfortable, @rc.on.ca or @cybertrust.com.) I expect it to show that upgrading to Vista for security is a waste of resources, and that nothing of alleged security value in Vista can't already be done in XP as effectively and for less cost.
> 
> Cheers,
> Russ



That would be COOL to see & have, so I hope this point about VISTA having a BETTER SECURITY SETUP, via its "Protected Mode" on VISTA, helps make that paper of yours better... along w/ our discussions of ActiveX & such too!

*ALL IN ALL, great discussion/review, as my title of this post states!*

I love this stuff, & this is great review, especially w/ someone of your stature-position in THIS field for me, & doubtless others here reading (lol, IF they have the stamina for our rather "HUGE & VERBOSE" posts in this exchange!)...

APK

P.S.=> *This is interesting also, an undocumented switch for IE (eval), & sounds good here also in regard to protecting IE from itself & other installed versions of IE:*

http://blogs.msdn.com/ie/archive/2005/12/16/504864.aspx

iexplore.exe (the Internet Explorer front-end) has an undocumented switch, -eval, which will put it into "evaluation mode", where it will preload the following DLLs before yielding to the actual Internet Explorer main loop (in shdocvw.dll): 

comctl32.dll 
browseui.dll 
shdocvw.dll 
wininet.dll 
urlmon.dll 
mlang.dll 
mshtml.dll 
jscript.dll 

If you put these in the iexplore.exe directory, they will be loaded instead of those in the system directory, and the older version of Internet Explorer implemented by that set of DLLs will load (which makes Total Sense - Win32 Portable Executables (PE's) always look in their OWN directory/folder FIRST, for libs they call to load, these are privatized... otherwise, they hit publicly accessible system %PATH% ones (there are far more rules to it, but this covers the generalities).

Or so it used to work in Windows 98. I believe in Windows 2000 and later you'd have to use an iexplore.exe.local hack (LoadLibrary() has been somewhat hardened since then), and in Windows XP and later you could use application manifests 

All the versions "installed" this way will share their settings, history and cache (the latter two being especially problematic, since their on-disk format may have changed), but I believe you can use the Application Compatibility Administrator to apply the virtual registry shim and redirect the relevant keys 

Your mileage may vary. On the internet you can find detailed guides on how to do it, or even pre-made applications that will do everything for you. This is obviously unsupported, not to mention unused (hence untested) since Internet Explorer 4.0, and may have quirks or not work outright 

Finally, all applications using Internet Explorer components will use the system-wide version - unless the relevant DLLs aren't redirected in a way similar to how iexplore.exe does

apk


----------



## Alec§taar (Jan 8, 2007)

Wile E said:


> Hey Alex, I just wanted to point out that I have no proactive secure measures running on my machine. No firewall, no proactive spyware, and no proactive anti vir. I do own Spyware Doctor and Kaspersky Internet Security, but their proactive defenses are disabled 90% of the time. The only time I enable them is when I plan on visiting sites I'm not familiar with. With weekly scans, I've never had anything come up in either program. Could it be that a vulnerability is only an issue if you don't surf safely? I feel I should add that I don't IM on anything but my Macs, and I have removed a few of the more easily exploited features of XP (Messenger and anything to do with remote desktop connection jump to the forefront of my mind). And I know this is making your skin crawl, but I haven't updated this installation of XP SP2 yet, at all(about 2 weeks now). lol I'm about as lax as someone can get with security, short of someone that doesn't even own a security app. I guess what I'm gettin at is, how do we determine risk? Could I just get a random attack if I don't visit unfamiliar sites? And how? (honest questions, btw)



Yes, I think that IF you 'surf smart' & only frequent sites that are reputable (or, have something to lose, lol, if they screwup)? You are doing yourself 'right'... in addition to other smart surfing habits.

What MIGHT help? Is a tool from McAfee called "McAfee SiteAdvisor"... you might want to check it out, AND, you can submit sites for them to look over too!

See here:

http://www.siteadvisor.com/download/iemedia.html?cid=21638&gclid=CO-LlcS00YkCFSNJGgodEQjWkg



What I think helps, the MOST? Cutting off the use of ActiveX/ActiveScripting &/or Java/JavaScripting ON THE PUBLIC INTERNET (I still use it for internal INTRANET code for shops I work @)... 

Though webmasters may say I am cutting off what the browser can do via these mechanisms? It also keeps me safe... or, safe as can be, from browser-based attacks typically!

I do this stuff noted earlier, in addition to adbanner filtering via HOSTS files &/or IE restricted sites list usage, & other browser hacks (proxy .pac files in each of my webbrowsers help here as well), + keeping up-to-date on browser & OS patches too (big one).

Why do I filter adbanners? Because I pay for my linetime mainly... I don't want to waste my bandwidth calling out to their servers & transferring their data & loading them, mostly... so, primarily? It's for "added speed", but also because adbanners have been found to bear "malware scripting" in them a few times over the past 3-4 years now.

I get the "best of all worlds" this way, HBO T.V. style INTERNET:

No commercials, online & more speed/efficiency, + NO "malware bearing adbanners scripts" (for lack of a better term)... though, webmasters may not like it.

In fact, I know a couple that don't in majorgeeks.com & have them in an .Mp3 saying to their users in a radioshow they do "that DNS servers are as fast or faster than HOSTS file usage" & I feel like calling them up on their Sat. A.M. show & saying "PROVE IT"...

They can't & I know it, lol... 

However, a PING command will prove it for me & show this method, works, & is largely faster than DNS resolutions!

(Not adbanner blocking alone, but also adding in sites you like to speed them up, provided the site does not change its HOSTING PROVIDER IP for said URL? Helps speed up access to said site... & IF a website does change its IP address? SIMPLE: You edit your HOSTS file using notepad.exe temporarily removing it (& in XP/Server2003, you can do this & NOT reboot... 2000 & below you have to), reping the site, get its IP & put it back into your HOSTS file w/ the correct IP Address to URL equation in HOSTS)

Heh, there is NO WAY calling out to a DNS server is going to be as far as a HOSTS file w/ a URL resolved to an IP addy in it is going to be as quick as local disk & memory access on your system (no way)... 

In fact, it's MANY ORDERS OF MAGNITUDE FASTER using a HOSTS file w/ a URL to IP address preset resolution in it, instead of calling out to a DNS server from your ISP, period!

Also, blocking out banners a site loads, immensely helps that as well.

(Also, shielding the "other side" of IE, in Outlook Express... limiting what it can open as attachments, & reading mail in ONLY .rtf Rich Text Format, or plain text)

APK
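The post above uses the HOSTS file both to black-hole banner hosts and to pin favourite sites to a fixed address, and notes that a pinned entry goes stale the moment the site changes IP. Because the same mechanism is what malware abuses to redirect security-vendor or banking names, a defender wants to audit the file rather than just edit it. This Python is an added example (not code from the thread): it parses a HOSTS file the way the resolver does (comments stripped, first match wins), answers a lookup, and reports three classes of entry: names pinned to a real address (must be re-verified), names under "sensitive" suffixes pointed at a non-loopback address (possible hijack), and names mapped twice with different addresses (the second mapping is dead). The sample file, the suffix list and the 203.0.113.x addresses are constructed for the example.

```python
"""Parse and audit a HOSTS file (added example, not from the thread)."""

# Addresses that only black-hole a name; anything else actually redirects traffic.
BLACKHOLE = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed: name suffixes that should never be redirected by a local HOSTS entry.
SENSITIVE_SUFFIXES = (".example-antivirus.test", ".example-bank.test")

# Constructed sample HOSTS file; 203.0.113.0/24 is a documentation range.
SAMPLE_HOSTS = """\
# Constructed sample HOSTS file (not from the thread)
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.example-adnetwork.test      # blocked banner host
0.0.0.0         tracker.example.test            # blocked tracker
203.0.113.7     www.example-forum.test          # pinned to a fixed IP for speed
203.0.113.9     update.example-antivirus.test   # security vendor pointed elsewhere
127.0.0.1       www.example-forum.test          # conflicting second mapping
"""


def parse_hosts(text):
    """Return [(ip, name, lineno)] with comments removed and names lower-cased."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:                      # one line may list several names
            entries.append((ip, name.lower(), lineno))
    return entries


def lookup(entries, name):
    """First matching entry wins, which is how the resolver treats HOSTS."""
    name = name.lower()
    for ip, n, _ in entries:
        if n == name:
            return ip
    return None


def audit_hosts(entries, sensitive_suffixes=SENSITIVE_SUFFIXES):
    """Return [(kind, name, ip, lineno)] with kind in {pinned, hijack, conflict}."""
    findings = []
    first_ip = {}
    for ip, name, lineno in entries:
        if name == "localhost":
            continue
        if ip not in BLACKHOLE:
            kind = "hijack" if name.endswith(tuple(sensitive_suffixes)) else "pinned"
            findings.append((kind, name, ip, lineno))
        if name in first_ip and first_ip[name] != ip:
            findings.append(("conflict", name, ip, lineno))   # never consulted
        first_ip.setdefault(name, ip)
    return findings


if __name__ == "__main__":
    entries = parse_hosts(SAMPLE_HOSTS)
    print("www.example-forum.test ->", lookup(entries, "www.example-forum.test"))
    for kind, name, ip, lineno in audit_hosts(entries):
        print(f"line {lineno:3}: {kind:8} {name} -> {ip}")
```

A "pinned" entry is exactly the speed trick the post describes; the audit lists it so it can be re-pinged periodically, while a "hijack" finding (a security vendor's update host sent to an outside address) is the classic sign that something other than the owner edited the file.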


----------



## NTBugtraq (Jan 9, 2007)

MIC and much of PM is implemented to prevent certain problems:

1. An exploitable buffer overflow (BO) in, say, an IE module should not lead you to have system-wide Administrator/System privileges. You will be limited, even though you're operating outside of the paradigm of the process you've overflowed the buffer in, to whatever that process' privilege was originally.

This is great. I can't use a BO to over-write system files (e.g. trojan Explorer.exe) or grab the SAM.

2. "Shatter" attacks. Shatter attacks are where a process is launched which, as you've been referring to regarding messages between processes, feeds events/messages to other processes that have higher privilege. For example, in the past many AV programs had a core that ran as SYSTEM, and then UI processes that ran in the context of the running user. These components had methods to talk to each other. If I could gain control of the user component, I might be able to exploit the SYSTEM component...thereby gaining elevated privilege.

3. IE is now stricter about how it can be extended, meaning that for something to function within IE (as in a Toolbar control or BHO) it must be properly registered.

Think of it like trust zones for processes.

But all of this description pertains to existing processes being taken control of by malicious code.

When I install something, be it an ActiveX control (meaning, something I install because a web page uses an Object tag to reference it) or via CD, I'm not hijacking an existing process. The installation process needs, no *MUST HAVE*, adequate privilege to allow full installation...whether that's a driver, an OS Kernel update, or a cute game/app.

Vista restricts what can be done without user intervention, but in the Home user case it will prompt the user when they try to use privileges above those of Standard User. So if something is trying to set itself up to run every time the system is booted, they'll be prompted...but not prevented. If the object they're running attempts to modify IE, or IE's installation/configuration, they'll be prompted...but not prevented.

All that you cite from documentation covers what happens right up to the point where the user is prompted...and then all bets are off...;-]

Now in a corporate environment it's a little different. Users aren't likely to be members of the Local Administrator's group, so will be shut out completely from the issues I've been talking about related to ActiveX. That's a Good Thing(tm). But it's really no different than it is now in the corporate environment. MS believe that it is, because they let Standard Users install printers, update existing software, and a few other things which they couldn't do before (as members of the Users Group.) They could do these things if they were members of the Power Users group, but that level of privilege also meant they could do other things (like install new programs.)

So, for Home users, people will now be prompted to shoot themselves in the foot where before they could get drive-by downloads.

In the Corporate users space, as long as you can deny the user the ability to install a new program, you can prevent *some* rogue code.

FWIW, the vast majority of malware runs just fine in the security context of a user in the Users group. The idea that malware needs to run as Administrator, or SYSTEM, is largely false. So, many of the new security features in Vista aren't doing anything to prevent existing malware, or the way malware works/gets installed...largely because it's nearly impossible to distinguish new malware from a new program when it's being installed/run.

Finally, one more comment on the ActiveX topic. ActiveX isn't a technology. It isn't a specification of how an application is coded. It's a marketing rename of Object Linking and Embedding (OLE).

The specifications you're citing are for controls...any control, whether it's to be used in IE, Word, or the game you're playing. When I reference the Object tag in a web page, I can use it to call anything. I don't need to use it to call up, for example, a Word document...I can rely on file mapping or magic byte detection to figure out what application is required to render any recognizable file format. The Object tag spawns a process, and it makes no difference whether that process is a control, full PE executable, or whatever...it merely needs to be referenceable by a CLSID...and if it isn't present, it will be downloaded, installed, and executed.

Cheers,
Russ
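The three points above (no-write-up for a hijacked low-integrity process, UIPI against shatter attacks, and the fact that an installer the user consents to runs with full rights) are easier to see as a small policy model. The Python below is an added example, not code from the thread or from Microsoft: it models Mandatory Integrity Control as the four levels named in the MSDN quote earlier in the thread, applies the No-Write-Up rule to objects and the UIPI rule to window messages, and then walks the scenarios both posters argued about. The process names, the object paths and the integrity labels assigned to them are assumptions of the model (on a real system labels come from the object's mandatory ACE and DACLs also apply); the point is which accesses the integrity check alone permits.

```python
"""Toy model of Vista MIC / UIPI decisions (added example, not from the thread)."""
from dataclasses import dataclass

# The four primary integrity levels from the MSDN description quoted above.
INTEGRITY = {"Low": 1, "Medium": 2, "High": 3, "System": 4}


@dataclass(frozen=True)
class Process:
    name: str
    integrity: str        # level carried in the process access token


@dataclass(frozen=True)
class SecurableObject:
    path: str
    integrity: str        # label from the object's mandatory ACE (assumed values)


def can_write(proc, obj):
    """No-Write-Up: a process may modify an object only at or below its own level."""
    return INTEGRITY[proc.integrity] >= INTEGRITY[obj.integrity]


def can_read(proc, obj):
    """Default policy is No-Write-Up only, so reads are not blocked by MIC."""
    return True


def can_send_message(sender, target):
    """UIPI: window messages may not flow from lower to higher integrity."""
    return INTEGRITY[sender.integrity] >= INTEGRITY[target.integrity]


def simulate():
    """Run the scenarios from the discussion; returns {scenario: allowed?}."""
    ie_pm = Process("iexplore.exe (Protected Mode)", "Low")
    user_app = Process("newprogram.exe (Standard User, no prompt)", "Medium")
    elevated = Process("setup.exe (after UAC consent)", "High")
    av_ui = Process("av_tray.exe (user UI component)", "Medium")
    av_core = Process("av_core.exe (service)", "System")

    # Assumed labels: per-user IE settings and Run key are Medium,
    # Protected Mode's own cache is Low, system binaries are High.
    ie_settings = SecurableObject(r"HKCU\Software\Microsoft\Internet Explorer", "Medium")
    run_key = SecurableObject(r"HKCU\...\CurrentVersion\Run", "Medium")
    low_cache = SecurableObject(r"...\Temporary Internet Files\Low", "Low")
    system32 = SecurableObject(r"C:\Windows\System32", "High")

    return {
        # A hijacked Protected Mode IE cannot alter IE's own configuration ...
        "pm_ie_writes_ie_settings": can_write(ie_pm, ie_settings),
        # ... but can still read it and write its own low-integrity scratch area.
        "pm_ie_reads_ie_settings": can_read(ie_pm, ie_settings),
        "pm_ie_writes_low_cache": can_write(ie_pm, low_cache),
        # Ordinary user-level code (the "most malware" case) persists via Run with no prompt.
        "user_app_writes_run_key": can_write(user_app, run_key),
        "user_app_writes_system32": can_write(user_app, system32),
        # Once the user consents to elevation, nothing in MIC stops the installer.
        "elevated_writes_system32": can_write(elevated, system32),
        "elevated_writes_ie_settings": can_write(elevated, ie_settings),
        # Shatter-style messaging is cut off below the target's level, not above it.
        "pm_ie_messages_av_ui": can_send_message(ie_pm, av_ui),
        "user_app_messages_av_ui": can_send_message(user_app, av_ui),
        "av_ui_messages_av_core": can_send_message(av_ui, av_core),
    }


if __name__ == "__main__":
    for scenario, allowed in simulate().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {scenario}")
```

Reading the output side by side with the two posts: the DENY rows are what Protected Mode and UIPI buy (a compromised Low process, a shatter attempt upward), while the ALLOW rows for the Medium and High processes are Russ's point that an installer the user approves, or code that never needed more than user rights, is untouched by the integrity check.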


----------



## NTBugtraq (Jan 9, 2007)

*ActiveX and NT Security*

FWIW, here's an article I wrote on July 7, 1998, describing ActiveX, Sandboxes, and NT Security.

http://www.ntbugtraq.com/default.aspx?sid=1&pid=47&aid=3

Cheers,
Russ


----------



## Steevo (Jan 9, 2007)

I still feel like there are obvious flaws in it. But I haven't used RTM yet, and they might be patched. There has to be a procedure entry point and rights assignment, correct? I think of the windows system as a multi-piece cylinder that all processes attach to and each part of the cylinder is a session. System, Network, User, Terminal, etc...


How do you start a process under the system credentials? First and foremost there has to be a trust list or a digital signature, and all things digital? Just a bunch of zeros and ones.





I will have to install it and try to get infected. But not on this machine and not now.


For the time being how about a mirror of Kontrabands media? 



FTP://71.208.255.13


----------



## Alec§taar (Jan 9, 2007)

Steevo said:


> I still feel like there are obvious flaws in it. But I haven't used RTM yet, and they might be patched.



There will be, there usually IS in "new code"... but, for NtBugTraq's example above, AntiVirus services buffer overflow privilege escalation attacks, for example?

WELL! We folks here @ this forums (lol, sinister mad-scientist laff on my part)? WE HAVE A SOLUTION FOR THAT particular one, now don't we?

http://reference.techpowerup.com/Securing_Windows_Services

LOL!



* It's one that MS seems to like as well...



Steevo said:


> How do you start a process under the system credentials?



Lookup more on "buffer overflow attack" & "privilege escalation attack", or "impersonation in code"... it will tell you more, & in detail (bit techno-complex though, warning you now) how it works really, & why... 

Far more in detail than what Russ/NtBugTraq & I discuss above!

APK


----------



## Steevo (Jan 9, 2007)

Terrible to think that I have had almost the same thoughts.


----------



## Steevo (Jan 9, 2007)

Alec§taar said:


> Lookup more on "buffer overflow attack" & "privilege escalation attack", or "impersonation in code"... it will tell you more, & in detail (bit techno-complex though, warning you now) how it works really, & why...
> 
> Far more in detail than what Russ/NtBugTraq & I discuss above!
> 
> APK



It was more of a rhetorical question. 


http://www.codeguru.com/Cpp/W-P/system/misc/article.php/c5667


----------



## Alec§taar (Jan 9, 2007)

Steevo said:


> It was more of a rhetorical question.
> 
> 
> http://www.codeguru.com/Cpp/W-P/system/misc/article.php/c5667



Yup, that covers another "interesting one", & via a technique I mentioned above: DLL INJECTION!



* It's interesting stuff...

APK

P.S.=> We mention securing services, but a "performance thing" we tweaking types do is also more than just that (by gaining back memory & I/O cycles + CPU time given services we do NOT need to run)

Heh, I showed folks that doing it gained larger benchmarks scores alone in ScienceMark 2.0 (the most popular test we have run here with TONS of takers)!

Afaik the oldest article for that online is one I authored back in 1998 for NTCompatible.com & before that on the 3dfiles.com forums circa 1997-1998 for speeding up systems via cutting off services (folks @ arstechnica used to laff @ it, but now? It's a NORM for security and speed)...

Here, that literally got them 10-20% score gains in that test... but on this topic?

Also, that it also potentially is GREAT FOR SECURITY TOO, against vulnerable services!

If you can cut them off, that is & live w/ out them (not all possible for all services).

Those you CANNOT set to less than SYSTEM as their logon entity, NETWORK SERVICE or LOCAL SERVICE being the goal in them, with FULL functionality, which my article topic is about... 

Hey - if you don't need to run a service? DON'T! Be faster, more efficient, & yes, potentially MORE secure! apk


----------



## Steevo (Jan 9, 2007)

Again though, what happens when the controlling process crashes? Do the files running just not attach to it again?



This is just from memory and I can't reboot right now to check, but I am pretty sure.
I use the ATI drivers for a example. Start CCC and see what happens, it asks for user input. So long as it wasn't started at boot time. However once it is running? End explorer and try again?


Buffer overflow? No need, attach to a current running process when another causes a system hang. Adobe anyone?


----------



## bhaskar15 (Jan 9, 2007)

4Vista 3-4gb ram is required4 a gamer, 'cause I have Vista RTM and XP vs Vista give only 4-18% increase with both havin 2gb ram but, 3 or 4gb may do some wonders.So, stickin w/ XP is good until mid-2007 comes. Btw I read this in tech magz.


----------



## Alec§taar (Jan 9, 2007)

Steevo said:


> Again though, what happens when the controlling process crashes? Do the files running just not attach to it again?



Afaik, IF the invading API call hooking process OR DLL injection works to boost/escalate privileges beyond the current user's abilities to do a particular "malware task"? 

Then, for example, in said buffer overflow, they can do pretty much anything @ that point the SYSTEM can do, if they assume that logon entity's privilege level... 

Heck, possibly even write out small code & execute it after compiling it. Then, who CARES if the calling process dies... this new one's on its own @ this point, & probably NOT a "child process" anyhow. 

*EDIT PART:* I just checked & DEBUG (the command) runs under NTVDM.EXE (so, it's STILL 16 bit) - so much for THAT idea, & using the DEBUG command (a primitive assembler for 16 bit .com style no Win16/32 PE header type apps I used to use in the DOS days @ times in lieu of MASM)... oh well!



Steevo said:


> Buffer overflow? No need, attach to a current running process when another causes a system hang. Adobe anyone?



I have no idea what this one's about, but I do know Adobe issued an update to their reader recently... is this what you mean & what the problem w/ it was (the reader portion of Acrobat that is)? If so, can you show me some detail/documentation on this... 

I am always curious in this area, when I am not familiar w/ a problematic app in it + HOW a particular exploit, works & what damages it can cause... 

Thanks, & mainly because I load Adobe Acrobat Reader & want to KNOW if it has problems!

APK

P.S.=> "Signing off" for tonite... tomorrow's another day, & one I have to be up EARLY for in the "a.m."... & I.M. FRIED tired, so g'nite all... apk


----------



## Steevo (Jan 9, 2007)

You must understand what happens when someone finds a "security hole". It is like when viewing too many .avi's in Windows XP, the machine locks up for a second and then if you close the window explorer restarts. During that time I believe there is a list of running processes that are allowed to reattach themselves to explorer if you will.


So a program with no or little authority could for example add itself to a running process while explorer was downed, and thus gain access to higher privileges than it should.  I used Adobe as an example as who here has not had AcroRdr32 cause problems? Simply cause a restart of explorer and insert malicious code into a dll that is going to reattach, and that has system or higher level authority.


----------



## NTBugtraq (Jan 9, 2007)

DCOM/RPC Vulnerabilities FAQ v4 (from summer 2003)
http://www.ntbugtraq.com/default.aspx?sid=1&pid=47&aid=77

Alec, you've a minor problem with repeating yourself...;-] I haven't been trying to challenge your knowledge, only try to explain how you're talking about one thing, and I'm talking about something else.

In conclusion, as you repeatedly pointed out by citing the ways you've done it already, there's nothing in Vista security-wise that's significant that I can't already do in XP. UAC + PM + Vista simply means the user will be prompted before they do what they are currently doing without a prompt. The prompt has been proven to not be able to make a difference.

BTW, Steevo is probably referring to MS06-020, vulnerabilities in the Adobe Flash Player and how it handled SWF files patched in May, which resulted in a MySpace worm in July...but I could be wrong.

Cheers,
Russ


----------



## Wile E (Jan 9, 2007)

Alec§taar said:


> Yes, I think that IF you 'surf smart' & only frequent sites that are reputable (or, have something to lose, lol, if they screwup)? You are doing yourself 'right'... in addition to other smart surfing habits.
> 
> What MIGHT help? Is a tool from McAfee called "McAfee SiteAdvisor"... you might want to check it out, AND, you can submit sites for them to look over too!
> 
> ...


I probably should've mentioned that I use Firefox with the NoScript, Adblock and Adblock Filterset.G extensions. I also use strictly web based mail, set to show only plain text. I know that doesn't keep me 100% safe, but what would be the odds of me getting a "fly by" install? What other possible security risks might I face?


----------



## Alec§taar (Jan 9, 2007)

NTBugtraq said:


> In conclusion, as you repeatedly pointed out by citing the ways you've done it already, there's nothing in Vista security-wise that's significant that I can't already do in XP.



That's NOT true (entirely) & especially about point #1 here below next... 


*E.G. #1->  The best one, imo? Address Space Randomization! No other MS OS has *

No other Microsoft Operating System has it... you state XP does, since you stated all of these features are 'doable' in XP? How so, w/ out 3rd party tools (if any exist for this @ ALL in the first place, & I discovered one 2 days ago @ SLASHDOT, that might but not sure)??


*E.G. #2-> IE7 in VISTA has the "protected mode" features that neither XP nor Windows Server 2003's version of IE have*

& 'warning only' or not? It's better than NO WARNING @ ALL! Warnings are given usually for some pretty SOLID reasons... it's best to @ least pay attention @ the very least.


*E.G. #3-> IE7 (of all forms for all OS it runs on) has a "Manage Addons" GUI feature that allows the end-user to UNINSTALL any addons they may have inadvertently added*...

Good stuff, because for MOST folks? Working via a GUI front to registry settings is easier for them, AND SAFER, than 'registry spelunking & hacking', & especially when CLSIDs &/or GUIDs are involved... many don't realize those 'cascade' (sometimes) to more than just this area where many addons are in the system:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]


*E.G. #4-> UAC is another & it is probably one of its BEST security features! It may be a 'warning' only, but this is better than nothing @ all*...

(That in combination w/ VISTA's lesser privilege logons used, helps even more)

However, as you state? Some 'bad addons' don't require ADMINISTRATOR privileges...

SO, if they turned up bad, & the user notes problems? This is where "Manage Addons", my E.G. #3, helps them make it easier to fix it, by giving users a GUI front to do this removal with.

(Are there more? Probably... I haven't touched the FULL list of improvements in VISTA over XP or even Server 2003 really!)

Do they work? Sure... PM warns the user, UAC stalls what they can do for some things that COULD potentially be a threat (even installing them), & ASR is great for other forms of attack + NO OTHER OS BY MS HAS THIS IN PLACE (but, other OSes do). 

*This is all good stuff in VISTA, especially "Protected Mode" for IE7 (when no other MS OS offers this for IE7) & moreso, imo @ least, via "Address Space Randomization" in VISTA (which neither XP, nor Windows Server 2003 has period for IE7 natively/afaik)*

(@ least imo, & nothing exists from MS like it in older Windows, especially Address Space Randomization which I mentioned earlier, not natively/afaik)



NTBugtraq said:


> UAC + PM + Vista simply means the user will be prompted before they do what they are currently doing without a prompt. The prompt has been proven to not be able to make a difference.



With careless folks, or foolish ones? Agreed, 110%... or folks that could care less about maintaining a long-running system, fully patched & tweaked, so it's solid & does not lose their work (or their time, redoing a system).

It would for myself, & doubtless many others, who are security conscious... & who have the sense to @ least read & possibly HEED, warnings given thus! It is ONLY SENSIBLE TO DO.

E.G.-> Right now, using IE7 w/ Windows Server 2003 SP #1 fully hotfix patched, & using SpyBot's "immunize" feature, when I hit pages that are 'blocked' by Spybot's immunize, I get warnings on installation of ActiveX controls etc.... do I allow them?

No... I know better. The system's giving me advice/feedback on what NOT to do!

The controls being asked for me to install really don't gain me ANY features I need for sites that are blocked by SpyBot that I can see @ least... 

Thus, I do NOT allow their install & load. Makes a LOT of sense to me to pay attention to said warnings... maybe not for others, but hey, you can "lead a horse to water, but making him drink?" Another story...

APK


----------



## Steevo (Jan 9, 2007)

I refer to an unpatched flaw that I believe exists, but have not had time to test. And I don't have RTM Vista installed so I do not know if it has been addressed yet.




I will have to try tonight perhaps.


----------



## Alec§taar (Jan 9, 2007)

Steevo said:


> I refer to an unpatched flaw that I believe exists, but have not had time to test. And I don't have RTM Vista installed so I do not know if it has been addressed yet. I will have to try tonight perhaps.



Right, & neither do I (as far as VISTA RTM, but, I have the last "beta/ctp" though, but haven't had time, or to be honest, the desire OR inclination, to install it yet here - mostly, lol, I want to use AERO more than anything in it)...

Still, I would like to hear more on your finding... sounds pretty good!



* Today's "patch Tuesday" guys, & guess what? 

A Windows 2000 & Windows Server 2003 patch for RPC came out only an hour ago (will wonders NEVER cease, & "Speak-of-the-Devil", lol, per our discussion here)... 

*Windows Server 2003 RPC hotfix*

http://www.microsoft.com/downloads/...c4-62d1-4338-854e-436edc83805a&DisplayLang=en

&

*Windows 2000 RPC hotfix*

http://www.microsoft.com/downloads/...b8-5dd7-42d5-b2d7-bfb9f954dc75&DisplayLang=en

Not for what we discussed here imo, but good to see anyhow!

(AND, it seems more of them are coming all day, for all MS stuff (looks like a fairly "big/extensive" patchday today))

... have @ 'em!

APK


----------



## Alec§taar (Jan 10, 2007)

*Russ/NtBugTraq: SECURE AGAINST BUFFER OVERFLOW PRIVILEGE ESCALATION IN SERVICES*

On the topic of articles Russ/NtBugTraq, since you mentioned a couple you wrote & this applies to countering one of your examples (vulnerable services via buffer overflow privilege escalations)? 

Well, see the article I authored (URLs below) that this site has hosted for a while now (w/ some software I wrote in Delphi) whose techniques work against vulnerable/insecure services per the example you noted.



NTBugtraq said:


> 2. "Shatter" attacks. Shatter attacks are where a process is launched which, as you've been referring to regarding messages between processes, feeds events/messages to other processes that have higher privilege. For example, in the past many AV programs had a core that ran as SYSTEM, and then UI processes that ran in the context of the running user. These components had methods to talk to each other. If I could gain control of the user component, I might be able to exploit the SYSTEM component...thereby gaining elevated privilege.



A safe & easy to implement technique vs. THIS VERY THING you note in exploitable services running as SYSTEM when they don't HAVE TO BE as their logon entity.

*SECURING VULNERABLE SERVICES AGAINST ATTACK FORUM POST:*

http://forums.techpowerup.com/showthread.php?t=16097

& later here, when the folks here "wikipediafied it":

*SECURING VULNERABLE SERVICES AGAINST ATTACK TPU WIKI:*

reference.techpowerup.com/Securing_Windows_Services

The technique noted by myself counters services buffer overflow escalation attacks (the very thing you noted as an example, & it works against it, by lowering services' logon privilege entities - very safe & simple) IF the service in question is securable thus (not ALL are unfortunately due to WHAT they may have to be able to do, privileges wise).

Many antivirus makers' wares can have their services/daemons limited to NETWORK PROCESS entity levels, & lower, like LOCAL PROCESS levels.

Also, NORTON ANTIVIRUS (corporate edition @ least, post v.10.1 iirc) has "ANTITAMPER PROTECTION" as well, keeping its services list running no matter what - works well, I can't even MANUALLY SHUTDOWN 10.2 IF I TRY AS ADMIN!)...

(NO, even though MS has the same basic material up there on their knowledgebase/technet site now, 6 mo. after mine? I am not saying MS' technical staff plagiarized me, but... well, if you have ever seen "THE OUTER LIMITS" new series episode "The FINAL EXAM", they may have just thought it up later than I did)

Quoting the main character's words here:

*"WHEN A SCIENCE IS READY? IT CAN'T HELP BUT HAVE THE NEXT DISCOVERY MADE!"*

As he describes how the first thought of the Atomic Bomb came to be...

I.E.-> If one guy can think of it? Others will soon as well... 

(There truly is very LITTLE original thought imo, & usually these "insights" tend to come in groups, from experienced folks who built it up from "standing on the shoulders of giants" before them, just via accumulated bits & pieces of knowledge out here!)



NTBugtraq said:


> MIC and much of PM is implemented to prevent certain problems:



Yes, alongside UAC in VISTA, & especially VISTA's IE7 "protected mode"... as well as IE7 TOOLS menu, Manage Addons submenu that I noted above help with.



NTBugtraq said:


> 1. An exploitable buffer overflow (BO) in, say, an IE module should not lead you to have system-wide Administrator/System privileges. You will be limited, even though you're operating outside of the paradigm of the process you've overflowed the buffer in, to whatever that process' privilege was originally. This is great. I can't use a BO to over-write system files (e.g. trojan Explorer.exe) or grab the SAM.



Agreed - no impersonation possible (impersonation's a term for nabbing SuperUser or SYSTEM level privileges in code)... I agree!

Your E.G.-> AntiVirus services buffer overflow privilege escalation attacks!

HOWEVER: Above, my article premise counters for it in services to a large extent (SYSTEM PRIVILEGES RUNNING SERVICES IS NOT ALWAYS REQUIRED, but is foolishly the DEFAULT logon entity of many that do NOT need it, period, & they work fully + fine as lesser entities - IF they allow for this & function FULLY/PROPERLY if this IS implemented)...



NTBugtraq said:


> 3. IE is now stricter about how it can be extended, meaning that for something to function within IE (as in a Toolbar control or BHO) it must be properly registered. Think of it like trust zones for processes.



I do, & it's WHY I like it... also remember: diskbound files are protected by it, like the REGISTRY as well! This isn't just like in memory protection, only...

I know this, mainly because I've been professionally writing this stuff coding & working w/ it as a software engineer for 15++ years (& in total, including Academia + 1/2 decade as a network admin/engineer in there too, since 1981)...

That's around 26 years TOTAL time around this field. 

Lately the past 2-3 years now, & largely most of it coding this stuff professionally using VB.NET & ASP.NET (usually to Oracle or SQLServer) but, for a decade before it, it was VB6, Access, & Delphi mostly (some C/C++).

So, I suppose "I'm no stranger to it", & actually creating them for apps... The creation & use of ActiveX Controls, all the way from classes to User Control objects creation was done in that timeframe by myself... OLEServers/COM/DCOM up to web services @ this point.

I've been using it actively, since its outset via VB4 really. 1994-1995 onwards...

ALSO/AGAIN:  You can reghack the system as well, against running DCOM (remote OLE) mind you. Ask if you want the reghack... VERY short & simple.



NTBugtraq said:


> But all of this description pertains to existing processes being taken control of by malicious code.



Via messaging yes... but, "IMPERSONATION" is possible, IF buffer overflows & like attacks (DLL injection can iirc as well) are possible on errant code not protected against it!

It's usually due to a possible hole in the OS (like buffer overflow code) or the applications even + POSSIBLY, their called libs! The SLASHDOT ASUS EXAMPLE astounded me just a bit... in fact, moreso than buffer overflows would (these are stoppable in services, per your example)...

All to gain other users' privileges, mainly the Administrator, OR "System" entity, is the only way around this... & a goal of crackers, imo.

"Become the System, or SuperUser"...

*Still, I provide a method to stall the VERY THING you noted in AntiVirus services w/ buffer overflow doorway attacks to SuperUser/SYSTEM level privileges*

See, fact is? Your VERY EXAMPLE can be stalled quickly in fact even by end user admins if what I wrote on securing services is practiced... Though, as I state above, those writing the services should test to see if their service runs as a lesser entity... many do, just fine, & function fully.

(I never denied this is possible, due to code defects like buffer overflows though, BUT, I offer a valid & working method against the very example you note (attack NAV or other AntiVirus user controls to get to their services running as SYSTEM (& many do NOT have to be in many AntiVirus progs))

That, & users installing "anything", but, in IE7? 

End-Users now have an EASY TOOLS MENU OPTION TO UNINSTALL THEM AS WELL (good thing, no more registry spelunking or techno know-how required on the end-users part in IE7))



NTBugtraq said:


> When I install something, be it an ActiveX control (meaning, something I install because a web page uses an Object tag to reference it) or via CD, I'm not hijacking an existing process. The installation process needs, no *MUST HAVE*, adequate privilege to allow full installation...whether that's a driver, an OS Kernel update, or a cute game/app.



First, that takes a user allowing it...

UAC stalls much of that on VISTA & IE7, unless the user is "less cautious" etc. & this is THEIR OWN FAULT IF THEY CHOOSE TO INSTALL A BAD CONTROL, period.

PLUS, again, the first time you run an "Out of Process" ActiveX control? It won't run... You have to re-run the calling process to call it again for it to work, some repeated "FYI" there.

You have to also realize now that in IE7, if you don't know this (I mentioned it above)? 

*Users CAN uninstall various Addons (Tools menu, Manage Addons) themselves, no reghacking required (as I did for folks here before IE7, & noted above, using that .reg file excerpt above as the example WHERE to do so, manually).*



NTBugtraq said:


> Vista restricts what can be done without user intervention



Yes, it does... especially its version of IE7 + "protected mode" & VISTA UAC!

(IMO, MS ought to set it up more restrictively even, much more than just a Group Software Policy for IE does (you COULD make one like this though, for some users logons), but how Windows Server 2003 does w/ IE6 + IE7, which is how I have been running it for years: NO ACTIVEX/ NO ACTIVESCRIPTING/ NO JAVA/ NO JAVASCRIPT by default, on the PUBLIC INTERNET FACING ZONES @ least, & more... it works! You can't run & install things you can't use, anyhow)



NTBugtraq said:


> but in the Home user case it will prompt the user when they try to use privileges above those of Standard User. So if something is trying to set itself up to run every time the system is booted, they'll be prompted...but not prevented. If the object they're running attempts to modify IE, or IE's installation/configuration, they'll be prompted...but not prevented.



See Steevo's last reply... it sums that up ("weakest link = uninformed end-users")... other than Group Policies, or local software policies, you have to educate them imo! They need to know that in IE7, again, Users CAN uninstall various Addons (Tools menu, Manage Addons) themselves, no reghacking required (as I did for folks here before IE7, & noted above, using that .reg file excerpt above as the example WHERE to do so, manually).



NTBugtraq said:


> All that you cite from documentation covers what happens right up to the point where the user is prompted...and then all bets are off...;-]



Some of it's documentation (so it verifies what I say, from places like McAfee & such), but most of it's my own experience w/ coding this stuff @ a few levels over a fairly long period & diff. tools... 

BUT, lol, I never contested THAT (users themselves), NOT once, as to users being a weak link, & UAC helps here... Heck - Especially when Steevo brought it up! Fact is, I requoted it (not directly, but in summation) 2x now in fact, in utter agreement. He brought it up first, that I noticed @ least.



NTBugtraq said:


> *Now in a corporate environment its a little different. Users aren't likely to be members of the Local Administrator's group, so will be shut out completely from the issues I've been talking about related to ActiveX.*



True to a good extent. Some are though, I as a developer often am, & am often a junior level NETWORK WIDE Admin user group member most times while coding & certainly so while network engineering.



NTBugtraq said:


> *In the Corporate users space, as long as you can deny the user the ability to install a new program, you can prevent *some* rogue code.*



Yes, & thus, Group Policies, ActiveDirectory, & even older style logon scripts + reskit tools rock... good for security. I still think NDS is a bit better than AD, but it's a Microsoft world now imo, largely.



NTBugtraq said:


> FWIW, the vast majority of malware runs just fine in the security context of a user in the Users group. The idea that malware needs to run as Administrator, or SYSTEM, is largely false.



Well, the 'general goal' of most crackers, is to become "SuperUser" &/or gain SYSTEM entity privileges. AND, getting the usernames/group names off NT-based Systems (if not patched or hardened against it via registry hacks) is not a huge trick for a usernames list, remotely, mind you. Then it's just brute force cracks (suck) & other methods (hashwork).



NTBugtraq said:


> So, many of the new security features in Vista aren't doing anything to prevent existing malware, or the way malware works/gets installed...largely because it's nearly impossible to distinguish new malware from a new program when it's being installed/run.



That's user fault... what can you do about that? Educate, imo, is the only way. That, & good antivirus, & antispyware, + scheduled antirootkit scans. That & secure your services too!



NTBugtraq said:


> Finally, one more comment on the ActiveX topic. ActiveX isn't a technology. It isn't a specification of how an application is coded. It's a marketing rename of Object Linking and Embedding (OLE).



Again, I know... I have done it for a lot of years professionally (entire time the technology existed in fact, via VB4 originally). OLE first, then COM, then DCOM... this was the technologies' evolution pathway.



NTBugtraq said:


> The specifications you're citing are for controls...any control, whether it's to be used in IE, Word, or the game you're playing. When I reference the Object tag in a web page, I can use it to call anything.



If it has no RUN/Spawn/Exec type functions in it (like the ACER example from slashdot above, who have one publishing those function no less since 1998, lol), how so? And, if a buffer overflow is possible in say, a SERVICE like you mention??

LESSEN THAT SERVICES' LOGON ENTITY LEVEL... to NETWORK SERVICE level entity first, & then if possible, LOCAL SERVICE ONLY... & if it runs like normal? DO IT!



* It works against that which you mention as your specific example in fact, in vulnerable services...!

I will NEVER understand why MS & other developers don't test for this first, & run services as SYSTEM if some run FINE w/ out it.



NTBugtraq said:


> I don't need to use it to call up, for example, a Word document...



That was just an example I used... it's better than the calc.exe one you chose imo, because WORD has macroing, & functions via CLSID file type associations on documents (the Shift Key while Word opens can stop macroing, as it does in Excel, Access, etc. as LONG AS YOU DO THAT, for AutoExec macro stoppage in Office Docs).

APK


----------



## Alec§taar (Jan 10, 2007)

First of all, As per usual? GOOD DISCUSSION & GREAT TOPIC + LOTS OF GOOD DATA!

Secondly, some things to note in your site URL you WILL want to know from this post imo @ least, & here we go:



NTBugtraq said:


> DCOM/RPC Vulnerabilities FAQ v4 (from summer 2003)
> http://www.ntbugtraq.com/default.aspx?sid=1&pid=47&aid=77



I just read thru this, because it is NOT (fully regarding COM+ securing, see my P.S. below for the .reg file hack area) like the method I use... Also, upon reading thru it?

I have NO "RpcProxy" hive key, or value, in Windows Server 2003 SP #1, & yet that MS article says there is one... this is led from YOUR URL, to this one specifically for Windows Server 2003:

http://support.microsoft.com/default.aspx?kbid=826382

Odd! BUT, that MIGHT be 'stale info.', OR my installation does not have or demand it being in place. It's a workstation mode Win2k3 install, here, the default type & SCW (security configuration wizard) was run over it + I later hardened it more manually via various registry hacks (but this was NOT one of them I can assure you, since I do not have the entry noted in the registry period of RpcProxy).

See, the stuff you put up? I verify, as I have earlier & found things/exceptions etc. et al ... I can stand to gain by them is why, so I take active looks @ the material you post is all - yes, takes time, but worth it in the long run, on THIS very topic! We BOTH get stronger via this!

Does one lose some "functionality"? Yes, possibly so, depending on what their apps use to do say, remote communications like "live updates"... but, it does work for securing vulnerabilities here (@ least until they are patched).

Still, losing function or NOT?

It would be the SAME thing webmasters might say about disabling cookies, or disabling Java/JavaScript OR ActiveX/ActiveScripting... sure, you lose some 'bells & whistles' & possibly SOME needed function, but... YOU ARE SAFE FROM EXPLOITS OF THEM BY THE SAME TOKEN!

APK

P.S.=> *(Edit part: Your site URL does NOT have this one, & it is current afaik + works UNIVERSALLY ACROSS MOST WINDOWS NT-BASED OS INSTALLS for DCOM remote attack stalling - verify it if you wish for BOTH our sakes by looking up what "COM+" is, as it applies here):*

===============================

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3]

"RemoteAccessEnabled"=dword:00000000
"Com+Enabled"=dword:00000000

===============================

(Stalls BOTH remote access to distributed COM ('modern OLE' as you called it) & it even being enabled in the 2nd part (optional))!

I like that your page noted this potential loss of function & apps you ran that need it... 

See, I know that feeling:

For the article hosted here regarding services securing I wrote up - Well, IF I COULD RUN EVERY SERVICE THERE IS? My article that MS also did later on "Securing Services" would be THAT MORE SOLID... but, I haven't run every service daemon under the sun either!

(However... but, I ask on the page where I initially post it for addons/improvements (services I haven't tested w/ that technique) or problems others run into I have not)... apk
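An added audit script, not from this thread or from APK's article, showing the checking side of the two techniques above: which services log on as LocalSystem (the candidates for the NetworkService / LocalService test) and whether the COM3 values from the .reg excerpt are set. It assumes a Windows host with PowerShell and read access to HKLM; it changes nothing, and the sc.exe line in the trailing comment is the standard syntax for changing a service's logon account once a service has been tested under the lesser entity.

```powershell
# Added audit example (not from the thread): list services whose logon account is
# LocalSystem and report the COM3 DCOM settings, so an admin can see which
# services are candidates for the NetworkService / LocalService test described above.
# Read-only: it changes nothing. Run in an elevated PowerShell on a Windows host.

# Low-privilege service accounts as they appear in Win32_Service.StartName.
$lowPrivAccounts = @('NT AUTHORITY\NetworkService', 'NT AUTHORITY\LocalService')

$services = @(Get-WmiObject -Class Win32_Service)
$asSystem = @($services | Where-Object { $_.StartName -eq 'LocalSystem' })

"{0} of {1} services log on as LocalSystem:" -f $asSystem.Count, $services.Count
$asSystem |
    Sort-Object Name |
    Select-Object Name, DisplayName, State, StartMode, PathName |
    Format-Table -AutoSize

# Services already running under a lesser entity, for comparison.
"Services already running as NetworkService / LocalService:"
$services |
    Where-Object { $lowPrivAccounts -contains $_.StartName } |
    Sort-Object Name |
    Select-Object Name, StartName |
    Format-Table -AutoSize

# COM3 values from the .reg excerpt above: 0 means remote DCOM access / COM+ is off.
# If the value is absent the OS default applies, which is what most installs have.
$com3 = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\COM3' -ErrorAction SilentlyContinue
foreach ($valueName in 'RemoteAccessEnabled', 'Com+Enabled') {
    $v = if ($null -ne $com3) { $com3.$valueName } else { $null }
    if ($null -eq $v)   { "${valueName}: not set (OS default applies)" }
    elseif ($v -eq 0)   { "${valueName}: 0 (disabled)" }
    else                { "${valueName}: $v (enabled)" }
}

# To test a candidate on a non-production box, change its logon account, restart it
# and confirm it still works (sc.exe requires the space after 'obj=' and 'password='):
#   sc.exe config <ServiceName> obj= "NT AUTHORITY\NetworkService" password= ""
#   Restart-Service <ServiceName>
```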


----------



## Alec§taar (Jan 10, 2007)

NTBugtraq said:


> Alec, you've a minor problem with repeating yourself...;-]



As did yourself, regarding users being the problem (Steevo stated this before anyone iirc, & you repeated this quite a lot above, per the quotes in this & my last posting in fact as evidence thereof).

AND, repeats or not? WELL, I offered working solutions to your example above regarding AntiVirus services (via their user components) being buffer overflow attack vulnerable though, no doubt about it, in doing so.

I also 'turned you onto' VISTA + IE7 operating in a "protected mode", which IS better than how it works on XP/Server 2003 as well, which you were admittedly NOT aware of @ all, period...!

(Even though Windows Server 2003 & IE6.x in it has the default IE6 type "enhanced mode" security too, this can be emulated manually by the end user to be like that on XP too - IE7 functions this way in Windows Server 2003 as well! It's GOOD stuff, & how I've been running my browsers for YEARS now in fact (safe)).

See, I just quote what you write, & write back what is appropriate & applies is all... it may be a 'downside' of quoting others directly, bloating my posts in size @ most as far as being 'bad', but MY using DIRECT quoting of others? It's a 'working formula' in discussion though, for NOT missing details/points, but it has 'risks' of repeating info. (especially if you did yourself & I just re-reply to your points).



NTBugtraq said:


> I haven't been trying to challenge your knowledge



The point is, I WANT YOU TO... 

(NO, not for a fight, but to correct me if I make errors or just as importantly, make errors in missing details OR exceptions, as I had for some of your points earlier for workarounds, & in the next post below regarding COM+!)

Hmmm, I never felt you were out to hassle me though... To me? THIS was PURE discussion w/ a peer in this area (securing OS), so we could exchange tricks/tips/techniques really, & exchange views.

Everyone reading our exchange here gains:  We both (and all others reading) GET STRONGER FOR THIS DISCUSSION!

*You'll want to note my next post, about this link on your website:*

http://www.ntbugtraq.com/default.aspx?sid=1&pid=47&aid=77

SOME links on it are dead (2003 date is why no doubt, we ALL know this happens & thing change on MS websites & I WISH THEY WOULD NOT LOL, as I am sure you do also) + OS patches (possibly) & such seem to have invalidated the Windows Server 2003 suggestions there (in default installation workstation mode here, my installation here doesn't match it in that I don't have the RpcProxy value in place, @ all)

*& again, lastly, I have one method you do NOT list (dealing in COM+)... NOTED IN MY LAST POST'S P.S. ABOVE!*



NTBugtraq said:


> only try to explain how you're talking about one thing, and I'm talking about something else.



What exactly would this be about? 

I only respond to the examples you put up is all, & w/ a pretty simple method for countering for an example in security weakness' YOU put out, specifically/again:  

The AntiVirus service problem in older NAV, & possibly other AntiVirus solutions out there by other OEM/software publishing houses & attacking its user components to get to its services running as SYSTEM (if vulnerable to this in the first place @ all)...

I.E.-> My goal was to show a working "work-around" for your statement about AntiVirus services (specifically Norton, the one I use in fact) having services vulnerable, & attacked via buffer overflow attack thru their end-user vulnerable components, using impersonation in code for privilege escalations, which you used as an example... 

& also regarding Windows VISTA + IE7's "protected mode" being different & better than IE7 offers in XP/Server 2003 in some ways & this was something you didn't even know about.

I simply provided a work-around that works, & information you lacked on your part! So, again, how is this NOT related to what you wrote as your example?



* *So, there you are: And now? I'd think it's time to explain what YOU meant in the statement I quoted of yours above...*

(Thanks!)

APK


----------



## Alec§taar (Jan 11, 2007)

*NtBugTraq/Russ: Where are you?*

See my subject-line/title above for this reply, first, & then this:

I'm waiting on reply to my last 3 posts from you, + their content... 

& especially the last post I made...



* MY guess is, that by now? I'll probably be waiting for a LOT more than the last 2-3 days now for reply back to the points I made above in my last 3 posts, vs. yours (which those reply to), I imagine @ this point...

(Oh, well...)

APK


----------

