Page 1 of 2
Results 1 to 15 of 18
  1. #1
    Silver Lounger
    Join Date
    Jan 2001
    Location
    Long Beach, California, USA
    Posts
    1,912
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Yet another Microsoft Security Bulletin ((All))

    "A vulnerability exists because it is possible to craft a URL that
    can allow sites to gain unauthorized access to user's cookies and
    potentially modify the values contained in them. Because some web
    sites store sensitive information in a user's cookies, it is also
    possible that personal information could be exposed.

    Microsoft is preparing a patch for this issue, but in the meantime
    customers can protect their systems by disabling active
    scripting. (The FAQ provides step-by-step instructions for doing
    this). This will protect against both the web-hosted and the
    mail-borne variants discussed above. When the patch is complete,
    Microsoft will re-release this bulletin and provide details on
    obtaining and using it."

    The bulletin is here: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-055.asp

    You will note ONCE AGAIN Microsoft recommends disabling Active Script until this patch can be made and distributed. This demonstrates yet another vulnerability in IE because of Active Scripting.

    YES, I love the benefits of Scripting -- but I have to temper that with the risks.

  2. #2
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Re: Yet another Microsoft Security Bulletin ((All))

    Another workaround would be to temporarily move all your cookies into another folder, retaining only the Lounge cookie. No one cares what's in my Lounge cookie. :)

    Update: So I did it, sliding them into a temp folder under Cookies. (Note: couldn't move Index.dat, but apparently I don't need to. Let's not get into another long thread on Index.dat tonight.) When it's safe to come out again, I figure I can move them back.

  3. #3
    Silver Lounger
    Join Date
    Jan 2001
    Location
    Long Beach, California, USA
    Posts
    1,912
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Yet another Microsoft Security Bulletin ((All))

    Here is more information on this issue:
    two.

    You will note they have a similar solution -- essentially disable cookies.

  4. #4
    Bronze Lounger
    Join Date
    Feb 2001
    Location
    England
    Posts
    1,306
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Yet another Microsoft Security Bulletin ((All))

    Hi
    Haven't we all set Internet in IE Security to 'almost-the-same-as-Restricted' so that Active Scripting (and other Active Content types) are Disabled by default? If not, do it now. Then pop over to my web site, press the Index button and get the doc (red button) or PDF (green button) at 'Active Content and Security' to see why this is a Good Idea. It is a distillation of previous correspondence, and seems to me to advise a cautious approach, suited to the less experienced.
    I'd like to acknowledge 'rmrucker' therein in a little more detail, but I don't have any....

    Rgds

  5. #5
    Silver Lounger
    Join Date
    Jan 2001
    Location
    Long Beach, California, USA
    Posts
    1,912
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Yet another Microsoft Security Bulletin ((All))

    MerC-

    You don't have to acknowledge me. This is all anonymous anyway. :) But thanks.

    As a side note, this link (http://www.solutions.fi/index.cgi/extra_iebug?lang=eng) leads to a page that will test this vulnerability. If you use IE6 and have third-party cookies blocked (this is NOT the default), then this vulnerability is also thwarted.

  6. #6
    ileacy
    Guest

    Re: Yet another Microsoft Security Bulletin ((All))

    This article (http://www.vnunet.com/News/1126734) gives another interesting perspective on the state of the world and the need for comprehensive security.

    Now, I am still trying to figure out a way to set up a reasonably secure environment that will not have relatively computer illiterate users complaining all the time about not being able to get to their sites.

    *sigh*

  7. #7
    Silver Lounger
    Join Date
    Jan 2001
    Location
    Long Beach, California, USA
    Posts
    1,912
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Yet another Microsoft Security Bulletin ((All))

    I have been looking into these firewall leaks quite extensively. I will post some information on this next. But, first off, I am not entirely sure this is possible:

    "...a way to set up a reasonably secure environment that will not have relatively computer illiterate users complaining all the time about not being able to get to their sites."

    There will always be complaints! :) If the site is that important to them, they are going to have to choose to enter it in their Trusted sites. If the site is not worthy, well, it was their choice. You cannot make all the decisions for them. They are going to have to make some of the choices -- good or bad -- themselves.

  8. #8
    ileacy
    Guest

    Re: Yet another Microsoft Security Bulletin ((All))

    I actually have a fair amount of leverage and some constraints. I think I am coming close.

    My major constraint is limited budgets (not-for-profit and charitable clients).

    The leverage is that I am in the process of doing planning for upgrades and security with time frames from immediate to 2 years.

    The building blocks I am looking at so far are:

    Zone Alarm for some client leak reporting.
    AVG Antivirus (http://www.grisoft.com/html/us_index.html) for active client virus checking, and finally
    IEAK6 (http://www.microsoft.com/windows/ieak/downloads/ieak6/default.asp) to pre-configure and control settings.

  9. #9
    Silver Lounger
    Join Date
    Jan 2001
    Location
    Long Beach, California, USA
    Posts
    1,912
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Software Firewall Leaks.

    Above, Ian references an article regarding the relative "insecurity" of software firewalls. The article is entitled, "Trojans make firewalls futile" -- but I think this overstates the present state of affairs. A better title might be, "Trojans COULD POTENTIALLY make firewalls futile". To the best of my knowledge, there is no Trojan in the wild that actually utilizes the described vulnerabilities. If these vulnerabilities were being rapidly exploited, we would all know about it. [If someone knows of a specific Trojan infection that *is* presently using these vulnerabilities, please let me know.]

    So far, most software firewalls have done a good job of preventing "Remote Access" or "Backdoor" Trojans from "phoning home". However, there are two widely identified vulnerabilities in most software firewalls that could be exploited by Trojan programs. These could make software firewalls ineffective at preventing the outgoing connections.

    The first vulnerability involves the ability of a Trojan program to utilize *your browser* as the program to make the outgoing connection. Since MOST software firewall users have allowed their browser unencumbered access to the Internet (it is much more convenient), firewalls will NOT be effective at preventing this connection. If the user does force the firewall to display a warning each and every time the browser tries to access the Internet, then the firewall WILL be protective. As usual, this is a matter of convenience versus risk...

    A second vulnerability was also described last week. This involves sending packets from a lower layer in the TCP/IP stack -- the TDI layer. SOME firewalls will not catch packets that are sent from this layer.

    The various tests out there to examine these "firewall leaks" are as follows:
    ______________________________________________

    YALTA from Trojan Trap) that will likely stop these and other leaks. It reportedly will cost around $40 when it goes gold.

    ______________________________________________

    TooLeaky from keir.net (Robin Keir).
    This is the program that utilizes "SetWindowsHookEx" through a DLL (FireDLL.dll). This program also relies on your browser being granted permission to access the Internet. Therefore, if you have NOT granted your browser access to the Internet through your firewall, your firewall will PASS this test. If your browser does have unencumbered access to the Internet, your firewall will fail this test.

    This tester does not appear to rely specifically on IE -- and regardless, the vulnerability it tests does NOT appear to be browser-specific. This tester uses your browser to create TCP/IP (http) packets. It can be optionally set up so that your browser window is hidden (invisible). It does give you the ability to test various IP addresses and various ports at a given IP address. It is therefore useful as a simple TCP/IP "packet generator" that you can use in conjunction with a packet sniffer to test the relative security of another computer.

    This tester seems to suffer from the same problem that the YALTA program does -- it is NOT able to truthfully tell you that the packets were "sent". But this time it is in the opposite direction! Packets WERE sent, but FireHole essentially says they were NOT!

    If you try sending TCP/IP packets to a closed port, the FireHole program reports back that "Something prevented the program from sending the message..."

    This is not entirely correct -- but it is a matter of semantics. The blue box at the bottom is correct -- it says "Failed to Connect - Failed to send message". Well THAT part is true -- it does NOT "connect" with the port in question. However, my firewall DID let packets out. No "connection" was made and the subsequent message -- "I have successfully bypassed the personal firewall" -- is not really "sent".

    Therefore it is all how you look at it. My firewall DID "leak" the packets, but since I did not "connect", the text message was not "sent". Since this test is supposed to identify software LEAKS -- and not to identify the ability to make a 3-way handshake connection -- I think it is not giving us the correct information.

    Both of the leak testers that I describe as "packet generators" above -- YALTA and FireHole -- are BEST when utilized with a packet sniffer. Otherwise the results may not indicate exactly what you expect them to...
    ______________________________________________

    LeakTest2 from GRC.com (https://grc.com/x/news.exe?cmd=article&group=grc.news&item=231) (Steve Gibson)
    The above link is to Mr. Gibson's announcement of the upcoming LeakTest2 program. I suspect this will replace all of the above tests, but we shall have to wait until it is finished. Since this tester is going to connect to a server at GRC.com, this tester should accurately identify firewall leaks. I look forward with great anticipation.
    ______________________________________________

    The bottom line is this:

    1) Software Firewalls will likely never be perfect, so even though the firewall manufacturers are supposedly working on solutions for these vulnerabilities, there will potentially be other leaks discovered in the future. Security cannot rely on one solution.

    2) If you avoid getting the Trojan infection in the first place, you are in far better shape. Using a strict Internet zone and being careful with email will likely prevent the vast majority of these infections. This should be your first line of defense -- the firewall 'solution' should only be considered a backup plan.
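
The distinction drawn in the post above, between a probe that fails to connect and a probe that never left the machine, as an added example that is not part of the original thread or of any tool it names. The names `probe`, `LEAK_VERDICT` and `demo` are hypothetical, and the demo uses constructed loopback targets, which exercise the classification only and do not cross a host firewall.

```python
import socket

# What each outcome says about whether the probe left this host.
# True = packets went out, False = stopped locally, None = cannot tell.
# Assumption: no local "reject" rule forges a reset on the remote host's
# behalf; a packet sniffer is still the way to confirm a verdict.
LEAK_VERDICT = {
    "connected": True,         # full 3-way handshake completed
    "refused": True,           # a reset came back, so the SYN did go out
    "blocked_locally": False,  # the local stack refused to send at all
    "timeout": None,           # dropped somewhere; local or remote unknown
    "unreachable": None,       # routing or ICMP error; not a firewall verdict
}

def probe(host, port, timeout=2.0):
    """Attempt one TCP connection and classify how it ended."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "connected"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except PermissionError:
        return "blocked_locally"
    except OSError:
        return "unreachable"
    finally:
        s.close()

def demo():
    """Probe a listening and a closed loopback port (constructed targets)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # OS picks a free port
    listener.listen(1)
    open_port = listener.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                        # nothing listens on this port now
    try:
        return probe("127.0.0.1", open_port), probe("127.0.0.1", closed_port)
    finally:
        listener.close()

if __name__ == "__main__":
    for outcome in demo():
        print(outcome, "-> left this host:", LEAK_VERDICT[outcome])
```

A "refused" result against a closed port is the case the post describes: no connection was made, yet traffic did leave the machine.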

  10. #10
    Silver Lounger
    Join Date
    Jan 2001
    Location
    Long Beach, California, USA
    Posts
    1,912
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Yet another Microsoft Security Bulletin ((All))

    Ian, there is another free software program that might interest you -- Script Sentry from Jason Levine (http://www.jasons-toolbox.com). It is very useful at preventing someone from accidentally running script, scrap files, .hta files, or .reg files. It can also include .doc and .xls files. It has the following advantages:

    1) It allows you to leave WSH intact in case the user later needs to use it.
    2) It covers more file types than Windows Script files -- therefore it is superior to simply removing WSH.
    3) It protects you from .shs files -- something that ZA's MailSafe neglected to include.
    4) It protects you from multiple file types regardless of whether the source is from an email attachment, a floppy disk, or a file downloaded by some rogue web site.

    Since many virus/worm/trojan infections are simply due to users inadvertently running a file they shouldn't have, this little program might be very useful for you. The price is right...

  11. #11
    Bronze Lounger
    Join Date
    Feb 2001
    Location
    England
    Posts
    1,306
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Yet another Microsoft Security Bulletin ((All))

    Hi
    Does Script Sentry offer any advantages over MoOutlook Security (other than a better name)?

    Rgds

  12. #12
    Silver Lounger
    Join Date
    Jan 2001
    Location
    Long Beach, California, USA
    Posts
    1,912
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Yet another Microsoft Security Bulletin ((All))

    In the end, I never installed MoOutlook, so I am not sure exactly how it works. Perhaps we can compare and contrast...

    Right-click on your desktop and choose New > Text Document. Don't name it yet, just open it in Notepad. Type several x's in the file, then close it. Right-click on this file and rename it "Junk.vbs". You will get a warning to make sure you want to change the file extension. Click "Yes".

    You have now created a bogus .vbs file on your computer. Double-click this file and try to run it. What happens? Does MoOutlook prevent you from running this file?

    This would be the equivalent of downloading a .vbs file to your hard disk -- either intentionally or if it was done subversively. Additionally, this would be the same as copying a .vbs file from a floppy disk. The file could contain a virus, you don't know.

    If you double-click the file and you get the "Windows Script Host" error box -- warning you of "Error: Type mismatch: 'xxxx'" -- you will know that MoOutlook did not protect you. If this had been a real .vbs virus, the program would have run.

    However, if you don't see the WSH warning box and instead see something from MoOutlook, you will know that MoOutlook is protecting you from .vbs files that are on your hard disk.

    Script Sentry will prevent the .vbs file from directly running. It will also attempt to tell you what the file will do IF you run it. You then have the option to Run, Delete, Mark the File as "Safe", or View the file in NotePad.

    Script Sentry will catch the following file extensions:
    vbs, vbe, js, jse, wsh, wsf, shs, shb, hta, reg, doc, xls.

  13. #13
    ileacy
    Guest

    Re: Yet another Microsoft Security Bulletin ((All))

    Tx rm. But the Zone Alarm Mail Safe function does the same thing (I think).

    I ran Jason's test e-mail defenses and Mail Safe caught the problem.

  14. #14
    5 Star Lounger
    Join Date
    Feb 2001
    Location
    Youngstown, Ohio, USA
    Posts
    705
    Thanks
    1
    Thanked 0 Times in 0 Posts

    Re: Yet another Microsoft Security Bulletin ((All))

    I found that MoOutlook Security had a rather serious drawback that forced me to uninstall it...

    Although MoOutlook hammered my email far less than the SP2 Outlook update, its restrictions on IE6 were a little too rough. Some of the sites that I have visited absolutely require scripting -- and I really did not have a choice to not go to those sites. Without MoOutlook Security, I could just add the site to my Trusted list (even if only temporarily), do my business, and close up. I had found that MoOutlook does not offer any sort of 'toggle' ability, so the only way I could access these sites was to uninstall. (Thankfully that is still an option with MoOutlook, as opposed to SP2.)

  15. #15
    Silver Lounger
    Join Date
    Jan 2001
    Location
    Long Beach, California, USA
    Posts
    1,912
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Yet another Microsoft Security Bulletin ((All))

    Yes, Jason's "Email Defense test" -- whatever he calls it -- only addresses the email attachment issue. If you download his Script Sentry, there is another test for .vbs files downloaded on to your system.

    MailSafe is excellent for email attachments, but that is it. It has one hole -- the .shs extension. Not a huge issue -- unless YOU get hit with a .shs virus... The Pro version of ZA ($$) allows you to close this hole manually.

    Script Sentry will catch the .shs extension, plus adds protection for files that arrive from methods other than email attachments. Since it is free, it is worth a look.
