TechVirtuoso

Why lazy sysadmins and IE 6 make the net unsafe

January 16th, 2010 at 11:14 AM  3 Comments

The number of businesses still using Internet Explorer 6 is painful to see. Coupled with the fact that all of them are on Windows XP or Windows 2000, it turns from pain into terror, especially when it comes to security.

For a lot of system administrators, the reasons to stay outweigh the reasons to upgrade. Websites that break, plugins that won’t load, old software that isn’t updated anymore. Trust me, I’ve been there. However, a lot of it boils down to lazy and poor practices of system administration.

Yes, you’re lazy and you’re bad at your job. Internet Explorer 6 was released in 2001. Yes, 2001. Most of us don’t even drive cars that old, let alone unleash people on the “information superhighway” with a browser that old. It was designed at a time when security was not the issue it is today. It was designed to work on operating systems like Windows 98 and Windows ME. Would you let people use Windows ME on your network? No! So why are you letting them use a browser that was built for it?!

January 'Patch Tuesday' to be very light on security

January 7th, 2010 at 7:21 PM  2 Comments

This Patch Tuesday will be one of the lightest ones for security in recent memory. According to the Security Bulletin Advance Notification for this month, Microsoft will only be releasing one patch for Windows, and none for Internet Explorer or Office. The patch will be issued on Tuesday, January 12, and will be followed on January 13 by a 90-minute webcast at 11:00 AM Pacific. In addition to the one patch for Windows, Microsoft will also release an updated version of the Malicious Software Removal Tool.

The patch is considered critical for Windows 2000 users, and low for all other versions, and relates to a remote code execution vulnerability. Affected operating system versions include every currently supported edition both on the client and server side:

  • Windows 2000 Service Pack 4 [Critical]
  • Windows XP Service Pack 2 & Service Pack 3
  • Windows XP x64 Edition Service Pack 2
  • Windows Server 2003 Service Pack 2 (32-bit, 64-bit & Itanium)
  • Windows Vista Service Pack 1 & Service Pack 2 (32-bit & 64-bit)
  • Windows Server 2008 Service Pack 2 (32-bit, 64-bit & Itanium – except Server Core installs)
  • Windows 7 (32-bit & 64-bit)
  • Windows Server 2008 R2 (64-bit & Itanium – except Server Core installs)

Microsoft will still be releasing one or more non-security but high-priority updates through Windows Update and Windows Server Update Services, but has not yet disclosed details.

Yahoo Webmail Security Vulnerability

September 22nd, 2009 at 2:12 PM  1 Comment

Users of Yahoo’s mail service are warned that a vulnerability in the service could be allowing hackers to easily access their accounts and steal their information.

Director of application security research at Breach Security Corp, Ryan Barnett, said that the problem starts with a web application that is designed to automate the login process for the service. Unfortunately, the application does not adhere to the same security checks that the login page itself uses, creating what Barnett describes as “some sort of water tunnel that the bad guys are walking right through.”

Hackers are using the application to carry out brute force attacks on user accounts, and the attempts are not being registered and blocked as they would be on most pages.

Backend applications are a key factor in the increasing success of account hijacking cases targeting social networks and portal sites. Once hacked, the accounts can be used to send out spam and malware, or hackers may also choose to use the account details to try to access banking accounts, as many people use the same or similar passwords on multiple accounts.

Yahoo is said to be investigating.
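The gap described above, where one entry point enforces failed-login checks and a backend one does not, can be shown with a small model. This is an added example, not code from Yahoo or from the original post; the entry-point names `web` and `api`, the threshold of 5 failures in 300 seconds, and the sample events are all constructed assumptions.

```python
import hmac
from collections import defaultdict, deque

USERS = {"alice": "correct horse"}  # constructed credential store for the demo

class LoginThrottle:
    """Sliding-window count of failed logins per account (assumed policy: 5 in 300 s)."""
    def __init__(self, max_failures=5, window=300):
        self.max_failures, self.window = max_failures, window
        self._failures = defaultdict(deque)

    def is_locked(self, account, now):
        q = self._failures[account]
        while q and now - q[0] > self.window:  # forget failures older than the window
            q.popleft()
        return len(q) >= self.max_failures

    def record_failure(self, account, now):
        self._failures[account].append(now)

def authenticate(account, password, now, throttle):
    """Check one login. throttle=None models an entry point that skips the checks."""
    if throttle is not None and throttle.is_locked(account, now):
        return "locked"  # the password is never evaluated
    expected = USERS.get(account)
    if expected is not None and hmac.compare_digest(expected.encode(), password.encode()):
        return "ok"
    if throttle is not None:
        throttle.record_failure(account, now)
    return "denied"

def evaluated_guesses(events, throttles):
    """Replay events; count guesses per entry point that reached the password check."""
    counts = defaultdict(int)
    for now, entry, account, password in events:
        if authenticate(account, password, now, throttles[entry]) != "locked":
            counts[entry] += 1
    return dict(counts)

# Constructed events: 3 wrong guesses through the login page, then 20 through the backend.
EVENTS = [(t, "web" if t < 3 else "api", "alice", f"guess{t}") for t in range(23)]

if __name__ == "__main__":
    # Weak: only the login page is throttled, so every backend guess is evaluated.
    print(evaluated_guesses(EVENTS, {"web": LoginThrottle(), "api": None}))
    # Corrected: both entry points share one throttle keyed by account.
    shared = LoginThrottle()
    print(evaluated_guesses(EVENTS, {"web": shared, "api": shared}))
```

Keying the counter by account rather than by entry point is what closes the gap: failures through either path count toward the same lockout.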

Microsoft to drop support for Windows 2000 next July

September 17th, 2009 at 11:01 PM  1 Comment

Windows administrators, mark your calendar for the drop-dead date to get those old servers upgraded. Microsoft has outlined July 13, 2010 as the date Windows 2000 will no longer be supported by Microsoft. There are already a variety of security threats in the wild where Microsoft has said they will not be releasing updates to protect Windows 2000 because they say it is not feasible. After next July, no support or new updates (except for online self-help) will be available.

These changes were posted by Crissy House, the Windows Server operations manager, on their team’s blog.

House also announced that there would be no more service packs for Windows 2003 or Windows 2003 R2. Both 2003 releases will move to extended-support on July 13, 2010, which means only security updates will be published for these operating systems. Non-security hotfixes developed during this phase will be provided only to customers who enroll in Extended Hotfix Support (EHS).

Microsoft released Windows Server 2000 in February 2000, Windows Server 2003 was released in April 2003 and Windows Server 2003 R2 was released in February 2006. In February 2008, Microsoft released Windows Server 2008, which was developed alongside Windows Vista, but will quickly supplant it with Windows Server 2008 R2, which was developed alongside Windows 7 and will be released alongside the client OS on October 22, 2009.

Windows Server 2008 R2 will only be available in x86-64 and Itanium editions, so administrators needing to run 32-bit implementations of 2008 will need to use the original 2008 release.

Snow Leopard lacks security features present in Windows Vista/7

September 17th, 2009 at 10:23 PM  2 Comments

Noted Apple security analyst Charlie Miller, author of The Mac Hackers Handbook and two-time winner of the Pwn2Own hacking contest, has said in an interview with TechWorld that the latest version of Apple OS X (10.6, AKA Snow Leopard) lacks full and proper implementation of memory address space layout randomization (ASLR). ASLR is a technology, present in Windows Vista and Windows 7, that randomly assigns data to memory to make it difficult for attackers to determine the address of critical operating system functions being stored in memory, therefore making it harder for them to create exploits.

“It’s the exact same ASLR as in Leopard, which means it’s not very good,” Miller said, “Apple didn’t change anything. I don’t understand why they didn’t. But Apple missed an opportunity with Snow Leopard.”

When OS X 10.5 (Leopard) was released, Miller and others were critical of Apple not fully implementing ASLR. While there is ASLR present in both Leopard and Snow Leopard, they fail to randomize the heap, the stack and the dynamic linker, the parts of the operating system that are most open to attack. Linux has also had what many consider a weak implementation of ASLR since kernel version 2.6.12, although some distributions include better ASLR than the stock kernel, based on third-party code.

Miller did say that there are elements of Snow Leopard that show Apple did do some things to improve security, most notably the inclusion of data execution prevention, or DEP, which utilizes both processor hardware and software-based security programming to help prevent buffer overflow attacks by blocking code from running in memory spaces that are supposed to contain only data.

However, Apple may be late to the game with implementation of DEP, as it has been present in Windows operating systems since Windows XP Service Pack 2, with further refinements made in Windows Vista and Windows 7.

By incorporating both technologies, Miller says it becomes extremely difficult to craft memory attack exploits. “If you don’t have either, or just one of the two [ASLR or DEP], you can still exploit bugs, but with both, it’s much, much harder. Snow Leopard’s more secure than Leopard, but it’s not as secure as Vista or Windows 7.”

Canon extends partnership with Adobe

September 17th, 2009 at 9:30 PM  1 Comment

Canon told the press today that they will be extending the partnership with Adobe with a new software agreement designed to boost security and usability of the company’s products.

Canon and Adobe formed said partnership back in 2005 for various projects, with the printing giant now planning to offer integration with the Adobe LiveCycle Rights Management ES system into all of its new imageRunner Advance series of products, allowing users to apply security policies to scanned documents on the fly.

Canon’s European marketing manager, Paul Rowntree, gave a demonstration of how the system works, and showed how certain policies will do things such as prevent unauthorised users printing a certain document.

“This type of security is unique to Canon and shows how our printers fit with a secure document management system,” Rowntree said.

Users will also be able to assemble documents with material from multiple sources using easy drag-and-drop functionality, according to the firm. Now that Canon holds a niche feature set with combined document security and compilation software, it will be interesting to see if this helps them recover from the economic struggles of the first two quarters of this year.

Apple OS X 10.6 to include anti-malware scanning

August 26th, 2009 at 12:43 PM  2 Comments

According to a report from The Mac Security Blog, a previously undocumented feature of Apple OS X 10.6 “Snow Leopard” is that it includes a built-in anti-malware scanner. While there are few details on exactly how this works, ZDNet seems to think that Apple has entered into some type of agreement with a commercial anti-virus company, as they have confirmed that it is not using the open-source ClamAV engine.

Currently the Security page on the Apple website makes no mention of the feature directly, but it does highlight some of the other security measures in place for Snow Leopard, and anti-phishing technologies built into Safari. At the bottom of the page Apple does acknowledge that “since no system can be 100 percent immune from every threat, antivirus software may offer additional protection.”

OS X 10.6 will be shipping this Friday, August 28.
