|
View Full Version : MS issued advisory, current exploit potential
Roger Abell [MVP] wrote:
> "imhotep" wrote in message news:QKmdnWzeKZJtJI3YnZ2dnUVZ_qednZ2d@adelphia.com...
>> David H. Lipman wrote:
>>> From: "Roger Abell [MVP]"
>>>
>>> | Today Microsoft issued the advisory
>>> |
>>> | Vulnerability in Vector Markup Language Could Allow Remote Code Execution
>>> | http://www.microsoft.com/technet/security/advisory/925568.mspx
>>> |
>>> | The exploit is said to be both released in code form and to be currently,
>>> | actively exploited to some extent. You can find bulletins from most
>>> | groups and vendors by now.
>>> |
>>> | See the advisory for action you can take.
>>> |
>>> | Also, see the info Jesper Johansson's blogged (with help of Alun Jones,
>>> | who you see in these newsgroups) for an AD GPO based approach
>>> | http://msinfluentials.com/blogs/jesper/archive/2006/09/19/Block-VML-Zero_2D00_Day-Vuln-on-a-domain.aspx
>>> | i.e. http://tinyurl.com/mtcbd
>>> | .
>>> | Roger
>>> |
>>>
>>> Too many so called "Zero Day Exploits" in the last fortnight.
>>>
>>> MS Word
>>> http://www.us-cert.gov/cas/alerts/SA06-250A.html
>>>
>>> MS Publisher
>>> http://www.us-cert.gov/cas/alerts/SA06-255A.html
>>>
>>> ActiveX DirectAnimation
>>> http://www.us-cert.gov/cas/alerts/SA06-258A.html
>>>
>>> And now VML in HTML vulnerability.
>>> http://www.us-cert.gov/cas/alerts/SA06-262A.html
>>>
>>> MCSE - Microsoft Can't Secure Enough
>>
>> Thanks for the information!!!!
>
> Just see
> http://www.microsoft.com/technet/security/advisory
> for RSS feed and IM alert info, and the 5 advisories
> issued this September
>
> Roger
Thanks...
|
From: "MowGreen [MVP]"
| And, from eWeek:
|
| Spyware, Bots, Rootkits Flooding Through Unpatched IE Hole
| http://www.eweek.com/article2/0,1895,2017626,00.asp
|
| > The newest zero-day flaw in the Microsoft Windows implementation of the Vector
| > Markup Language is being used to flood infected machines with a massive collection of
| > bots, Trojan downloaders, spyware and rootkits.
| >
| > Less than 24 hours after researchers at Sunbelt Software discovered an active malware
| > attack [http://www.eweek.com/article2/0,1895,2017407,00.asp] against fully patched
| > versions of Windows, virus hunters say the Web-based exploits are serving up
| > botnet-building Trojans and installations of ad-serving spyware.
| >
| > "This is a massive malware run," says Roger Thompson, chief technical officer at
| > Atlanta-based Exploit Prevention Labs. In an interview with eWEEK, Thompson confirmed
| > the drive-by attacks are hosing infected machines with browser tool bars and spyware
| > programs with stealth rootkit capabilities.
| >
| > The laundry list of malware programs seeded on Russian porn sites also includes a
| > dangerous keystroke logger capable of stealing data from computers and a banker Trojan
| > that specifically hijacks log-in information from financial Web sites.
|
| MowGreen [MVP 2003-2006]
| ===============
| *-343-* FDNY
| Never Forgotten
| ===============
|
Thanx MowGreen !!
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
|
From secguru.com:
-------
1. Click Start, click Run, type "regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"" (without the quotation marks), and then click OK.
2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.
Impact of Workaround: Applications that render VML will no longer do so once Vgx.dll has been unregistered. To undo this change, re-register Vgx.dll by following the above steps. Replace the text in Step 1 with "regsvr32 "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll""
------
Personally I'd rather remove the defective file as the chances of it ever being used are near-zero, but I guess WFP might just replace it if I do.
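For anyone who has to roll the unregistration workaround above out to more than one machine and then prove it took, here is an added PowerShell example (not from the thread, secguru or Microsoft). It assumes an elevated session; the -Apply and -Undo switches are this script's own, it locates the registration by scanning CLSID\*\InprocServer32 for vgx.dll so no CLSID has to be hard-coded, and it keeps the DLL path quoted on the regsvr32 command line because the path contains spaces.

```powershell
# Added example: audit, apply or undo the "regsvr32 -u vgx.dll" workaround.
# Assumptions: elevated PowerShell; standard CLSID\{...}\InprocServer32 layout.
# -Apply / -Undo are switches defined by this script, not by regsvr32.
param(
    [switch]$Apply,   # unregister vgx.dll (the workaround)
    [switch]$Undo     # re-register vgx.dll (roll the workaround back)
)

# Same path the advisory uses; on x64 a second copy lives under
# ${env:CommonProgramFiles(x86)} and would need the same treatment.
$VgxPath = Join-Path $env:ProgramFiles 'Common Files\Microsoft Shared\VGX\vgx.dll'

function Get-VgxRegistration {
    # Returns the CLSIDs whose InprocServer32 default value points at vgx.dll,
    # checking both the native and the WOW6432 class views.
    $views = @('Registry::HKEY_CLASSES_ROOT\CLSID',
               'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID')
    foreach ($view in $views) {
        Get-ChildItem -Path $view -ErrorAction SilentlyContinue | ForEach-Object {
            $srv = Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
            if ($srv -and $srv.'(default)' -match 'vgx\.dll\s*$') { $_.PSChildName }
        }
    }
}

function Invoke-Regsvr32 {
    param([string[]]$Arguments)
    # /s suppresses the confirmation dialog (step 2 in the advisory) so the
    # command can run unattended, e.g. from a startup script. Returns the exit code.
    $p = Start-Process -FilePath 'regsvr32.exe' -ArgumentList (@('/s') + $Arguments) `
                       -Wait -PassThru -NoNewWindow
    return $p.ExitCode
}

# Ian's point about WFP: if the file is gone, there is nothing to (un)register.
if (-not (Test-Path -LiteralPath $VgxPath)) {
    Write-Output "vgx.dll not present at $VgxPath; nothing to do."
    exit 0
}

$before = @(Get-VgxRegistration)
Write-Output ("Before: vgx.dll registered under {0} CLSID(s) {1}" -f $before.Count, ($before -join ', '))

if ($Apply) {
    # Equivalent to the advisory's step 1: regsvr32 -u "<path>" (quotes required).
    $code = Invoke-Regsvr32 -Arguments @('-u', "`"$VgxPath`"")
    Write-Output "regsvr32 -u exit code: $code (0 = success)"
} elseif ($Undo) {
    # The undo step from the advisory: regsvr32 "<path>"
    $code = Invoke-Regsvr32 -Arguments @("`"$VgxPath`"")
    Write-Output "regsvr32 exit code: $code (0 = success)"
}

$after = @(Get-VgxRegistration)
if ($after.Count -eq 0) {
    Write-Output 'Status: VML rendering disabled (vgx.dll is not registered).'
} else {
    Write-Output 'Status: VML rendering still available (vgx.dll is registered).'
}
```

Run it with no switches to audit only; the "Status" line is what a deployment report should key on, since a successful regsvr32 exit code alone does not show that no other registration of the DLL remains.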
|
David H. Lipman wrote:
> From: "Roger Abell [MVP]"
>
> | Today Microsoft issued the advisory
> |
> | Vulnerability in Vector Markup Language Could Allow Remote Code Execution
> | http://www.microsoft.com/technet/security/advisory/925568.mspx
> |
> | The exploit is said to be both released in code form and to be currently,
> | actively exploited to some extent. You can find bulletins from most
> | groups and vendors by now.
> |
> | See the advisory for action you can take.
> |
> | Also, see the info Jesper Johansson's blogged (with help of Alun Jones,
> | who you see in these newsgroups) for an AD GPO based approach
> | http://msinfluentials.com/blogs/jesper/archive/2006/09/19/Block-VML-Zero_2D00_Day-Vuln-on-a-domain.aspx
> | i.e. http://tinyurl.com/mtcbd
> | .
> | Roger
> |
>
> Too many so called "Zero Day Exploits" in the last fortnight.
>
> MS Word
> http://www.us-cert.gov/cas/alerts/SA06-250A.html
>
> MS Publisher
> http://www.us-cert.gov/cas/alerts/SA06-255A.html
>
> ActiveX DirectAnimation
> http://www.us-cert.gov/cas/alerts/SA06-258A.html
>
> And now VML in HTML vulnerability.
> http://www.us-cert.gov/cas/alerts/SA06-262A.html
>
> MCSE - Microsoft Can't Secure Enough
Thanks for the information!!!!
Imhotep
|
"imhotep" wrote in message news:QKmdnWzeKZJtJI3YnZ2dnUVZ_qednZ2d@adelphia.com...
> David H. Lipman wrote:
>> From: "Roger Abell [MVP]"
>>
>> | Today Microsoft issued the advisory
>> |
>> | Vulnerability in Vector Markup Language Could Allow Remote Code Execution
>> | http://www.microsoft.com/technet/security/advisory/925568.mspx
>> |
>> | The exploit is said to be both released in code form and to be currently,
>> | actively exploited to some extent. You can find bulletins from most
>> | groups and vendors by now.
>> |
>> | See the advisory for action you can take.
>> |
>> | Also, see the info Jesper Johansson's blogged (with help of Alun Jones,
>> | who you see in these newsgroups) for an AD GPO based approach
>> | http://msinfluentials.com/blogs/jesper/archive/2006/09/19/Block-VML-Zero_2D00_Day-Vuln-on-a-domain.aspx
>> | i.e. http://tinyurl.com/mtcbd
>> | .
>> | Roger
>> |
>>
>> Too many so called "Zero Day Exploits" in the last fortnight.
>>
>> MS Word
>> http://www.us-cert.gov/cas/alerts/SA06-250A.html
>>
>> MS Publisher
>> http://www.us-cert.gov/cas/alerts/SA06-255A.html
>>
>> ActiveX DirectAnimation
>> http://www.us-cert.gov/cas/alerts/SA06-258A.html
>>
>> And now VML in HTML vulnerability.
>> http://www.us-cert.gov/cas/alerts/SA06-262A.html
>>
>> MCSE - Microsoft Can't Secure Enough
>
> Thanks for the information!!!!
Just see http://www.microsoft.com/technet/security/advisory for RSS feed and IM alert info, and the 5 advisories issued this September
Roger
|
And, from eWeek:
Spyware, Bots, Rootkits Flooding Through Unpatched IE Hole
http://www.eweek.com/article2/0,1895,2017626,00.asp

> The newest zero-day flaw in the Microsoft Windows implementation of the Vector
> Markup Language is being used to flood infected machines with a massive collection of
> bots, Trojan downloaders, spyware and rootkits.
>
> Less than 24 hours after researchers at Sunbelt Software discovered an active malware
> attack [http://www.eweek.com/article2/0,1895,2017407,00.asp] against fully patched
> versions of Windows, virus hunters say the Web-based exploits are serving up
> botnet-building Trojans and installations of ad-serving spyware.
>
> "This is a massive malware run," says Roger Thompson, chief technical officer at
> Atlanta-based Exploit Prevention Labs. In an interview with eWEEK, Thompson confirmed
> the drive-by attacks are hosing infected machines with browser tool bars and spyware
> programs with stealth rootkit capabilities.
>
> The laundry list of malware programs seeded on Russian porn sites also includes a
> dangerous keystroke logger capable of stealing data from computers and a banker Trojan
> that specifically hijacks log-in information from financial Web sites.
MowGreen [MVP 2003-2006]
===============
*-343-* FDNY
Never Forgotten
===============
Roger Abell [MVP] wrote:
> Today Microsoft issued the advisory
>
> Vulnerability in Vector Markup Language Could Allow Remote Code Execution
> http://www.microsoft.com/technet/security/advisory/925568.mspx
>
> The exploit is said to be both released in code form and to be currently,
> actively exploited to some extent. You can find bulletins from most groups
> and vendors by now.
>
> See the advisory for action you can take.
>
> Also, see the info Jesper Johansson's blogged (with help of Alun Jones,
> who you see in these newsgroups) for an AD GPO based approach
> http://msinfluentials.com/blogs/jesper/archive/2006/09/19/Block-VML-Zero_2D00_Day-Vuln-on-a-domain.aspx
> i.e. http://tinyurl.com/mtcbd
> .
> Roger
|
>> Personally I'd rather remove the defective file as the chances of it ever
>> being used are near-zero, but I guess WFP might just replace it if I do.
Or, one could use an up to date alternative browser. ;)
MowGreen [MVP 2003-2006]
===============
*-343-* FDNY
Never Forgotten
===============
Ian wrote:
> From secguru.com:
>
> -------
>
> 1. Click Start, click Run, type "regsvr32 -u "%ProgramFiles%\Common
> Files\Microsoft Shared\VGX\vgx.dll"" (without the quotation marks), and then
> click OK.
>
> 2. A dialog box appears to confirm that the un-registration process has
> succeeded. Click OK to close the dialog box.
>
> Impact of Workaround: Applications that render VML will no longer do so once
> Vgx.dll has been unregistered. To undo this change, re-register Vgx.dll by
> following the above steps. Replace the text in Step 1 with "regsvr32
> "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll""
>
> ------
>
> Personally I'd rather remove the defective file as the chances of it ever
> being used are near-zero, but I guess WFP might just replace it if I do.
|
Roger Abell [MVP] wrote:
> "karl levinson, mvp" wrote in message news:%23fB0x3X5GHA.1244@TK2MSFTNGP03.phx.gbl...
>> "Dan W." wrote in message news:%23pwuYuV5GHA.508@TK2MSFTNGP06.phx.gbl...
>>
>>> If you say so but the solution is a tri-source code based upon 9x, NT
>>> (New Technology) and open source technology that may be released in a
>>> Windows Classic series to allow people to fully run their older computer
>>> games, educational programs and other software. I am currently in
>>> discussions with Microsoft about this and the feasibility of it and if
>>> you want this then please let Microsoft know about it. I have the
>>> support of the Albuquerque public schools for who I work for and hope
>>> soon to get the support of all the public schools in the United States
>>> since many of the schools run 98 Second Edition and XP Professional and
>>> need a 98 Second Edition replacement to run all of their educational
>>> programs for the children. Ladies and gentlemen, I implore you to do the
>>> right thing and support this Classic series and let Microsoft know you
>>> want it for the good of all your children and to help the public schools
>>> save money on replacing all of our older software that is needed for
>>> teaching your children.
>>
>> Sorry, I think it's a terrible idea. Microsoft's security problems are in
>> part due to the time, trouble and money it costs them to support so many
>> different software variations. The customers are much better off if
>> Microsoft picks one code base and runs with it. Windows 98 is only more
>> secure if you focus on just one very narrow definition of security... and
>> a new release of Win98 with RPC/DCOM and other things added, who knows how
>> secure that might be. I don't believe Win98 will make shared lab
>> computers in public schools more secure. A significant problem for such
>> environments is insider attacks and privilege escalation attacks. While
>> XP is far from perfect in this area, at least it tries; Win98 has zero
>> defenses here. The main advantage of Win98 was the lower cost, but that's
>> not a security feature. If Win98 is attacked less often, it's because
>> it's becoming less common. A new release of Win98 would become a popular
>> target of attack.
>
> Although I am a server and infrastructure person fundamentally, I do have
> a hand in running parts of the student accessible Windows resources at the
> largest university in the US, and from that perspective I am
> totally in agreement with your comments Karl
Well, I have the support of the Albuquerque public schools and we need a solution that is more secure and allows the schools to run older software despite what you say. It deprives the schools of much needed funds to have to replace all the older software that works great in teaching our children. I am following through with Microsoft on this but thanks anyway.
|
Roger Abell [MVP] wrote:
> "Dan W." wrote in message news:OoEgNyI5GHA.1252@TK2MSFTNGP04.phx.gbl...
>> Roger Abell [MVP] wrote:
>>> "David H. Lipman" wrote in message news:uc7eYzz4GHA.3732@TK2MSFTNGP05.phx.gbl...
>>>> From: "MowGreen"
>>>>
>>>> | I'm sorry for posting that trite media hype. " Massive malware run " my
>>>> | butt. At least those who frequent seedy pRon sites were aware of the issue.
>>>> |
>>>> | As Roger and Karl have pointed out there was/is potential for this
>>>> | vulnerability to be exploited still, even though MS did a fine job in
>>>> | getting the update out in a timely manner.
>>>> |
>>>> | The only thing massive about the vuln was the shrill hype coming from
>>>> | the so-called "Tech media". The "regular" media just follow along since
>>>> | the sensational always is good for ratings and sells papers.
>>>> |
>>>> | Mowa culpa ;)
>>>> |
>>>> | MowGreen [MVP 2003-2006]
>>>> | ===============
>>>> | *-343-* FDNY
>>>> | Never Forgotten
>>>> | ===============
>>>> |
>>>>
>>>> Sorry guys, I just got a report of a US Gov't. computer getting infected via
>>>> this Exploit while accessing a US Gov't. web site.
>>>>
>>>> I am not at liberty, in public, to disclose the infected site and the
>>>> infector site.
>>>>
>>> No need to be sorry about anything Dave.
>>> The dust will probably be settling out for some time, especially if the
>>> reports about the cPanel exploited, perpetrator sites is accurate.
>>> MS has over the past couple years done an amazing job at driving
>>> up patch coverage and driving down time to patch, but millions are
>>> likely not in the loop in any timely way.
>>>
>>> Roger
>>
>> Good point, Roger. The only thing that I could see helping is always have
>> notification(s) of patches on Microsoft's main web site which I think
>> Microsoft already always does and for the mainstream media to get the word
>> out that it is time to patch your computers. I was certainly
>
> They tried leveraging that in the early days of Windows Update.
> IMO it turned out terribly with overly sensational alerts on the
> morning business and nightly news, even just to the release of
> the scheduled monthly round of patching.
> There needs perhaps to be a mechanism between what runs
> risks of "cry wolf" syndrome and what relies on self-subscription.
>
> Roger
>
>> relieved that Microsoft did not wait for the second Tuesday of the month
>> with this patch --- it certainly looks like it is shaping up to be
>> potentially really terrible if users do not update their system(s).
I agree and thanks for your views Roger.
Dan W.
Computer User
|
karl levinson, mvp wrote:
> "Dan W." wrote in message news:%23pwuYuV5GHA.508@TK2MSFTNGP06.phx.gbl...
>
>> If you say so but the solution is a tri-source code based upon 9x, NT (New
>> Technology) and open source technology that may be released in a Windows
>> Classic series to allow people to fully run their older computer games,
>> educational programs and other software. I am currently in discussions
>> with Microsoft about this and the feasibility of it and if you want this
>> then please let Microsoft know about it. I have the support of the
>> Albuquerque public schools for who I work for and hope soon to get the
>> support of all the public schools in the United States since many of the
>> schools run 98 Second Edition and XP Professional and need a 98 Second
>> Edition replacement to run all of their educational programs for the
>> children. Ladies and gentlemen, I implore you to do the right thing and
>> support this Classic series and let Microsoft know you want it for the
>> good of all your children and to help the public schools save money on
>> replacing all of our older software that is needed for teaching your
>> children.
>
> Sorry, I think it's a terrible idea. Microsoft's security problems are in
> part due to the time, trouble and money it costs them to support so many
> different software variations. The customers are much better off if
> Microsoft picks one code base and runs with it. Windows 98 is only more
> secure if you focus on just one very narrow definition of security... and a
> new release of Win98 with RPC/DCOM and other things added, who knows how
> secure that might be. I don't believe Win98 will make shared lab computers
> in public schools more secure. A significant problem for such environments
> is insider attacks and privilege escalation attacks. While XP is far from
> perfect in this area, at least it tries; Win98 has zero defenses here. The
> main advantage of Win98 was the lower cost, but that's not a security
> feature. If Win98 is attacked less often, it's because it's becoming less
> common. A new release of Win98 would become a popular target of attack.
I am referring to a release that combined the elements of the three source codes into one. If this could be accomplished and leveraged in order to provide legacy support for Windows 3.1 programs and DOS programs then this would be great. Chris Quirke talks about the problems with the NT technology code base.
|
"David H. Lipman" wrote in message news:%23tj6dfA5GHA.4064@TK2MSFTNGP03.phx.gbl...
> From: "Roger Abell [MVP]"
>
> | No need to be sorry about anything Dave.
> | The dust will probably be settling out for some time, especially if the
> | reports about the cPanel exploited, perpetrator sites is accurate.
> | MS has over the past couple years done an amazing job at driving
> | up patch coverage and driving down time to patch, but millions are
> | likely not in the loop in any timely way.
> |
> | Roger
> |
>
> Today I got an update. This was a TARGETED attack. A US Gov't. site
> appears to have been hacked with the VML in HTML exploit installed with
> installable malware. Users were sent emails to go to said site. Being a
> Gov't. installation receiving email that purported to be from the Gov't.
> entity indicating they should visit the compromised Gov't. web site. I was
> told 70 Gov't. computers were thusly compromised !
>
> Additionally, the same (nameless) Gov't. installation has been receiving
> targeted PowerPoint Exploits in PowerPoint slides. Symantec has been
> calling them "Trojan.Dropper" and "Trojan.PPDropper".
Quite the harbinger of the world we have entered Dave. We, and other countries, too often appear far too ill-prepared for an "all fronts" encounter (sorry Karl) with a technically advanced adversary.
Roger
|
"Dan W." wrote in message news:OoEgNyI5GHA.1252@TK2MSFTNGP04.phx.gbl...
> Roger Abell [MVP] wrote:
>> "David H. Lipman" wrote in message news:uc7eYzz4GHA.3732@TK2MSFTNGP05.phx.gbl...
>>> From: "MowGreen"
>>>
>>> | I'm sorry for posting that trite media hype. " Massive malware run " my
>>> | butt. At least those who frequent seedy pRon sites were aware of the issue.
>>> |
>>> | As Roger and Karl have pointed out there was/is potential for this
>>> | vulnerability to be exploited still, even though MS did a fine job in
>>> | getting the update out in a timely manner.
>>> |
>>> | The only thing massive about the vuln was the shrill hype coming from
>>> | the so-called "Tech media". The "regular" media just follow along since
>>> | the sensational always is good for ratings and sells papers.
>>> |
>>> | Mowa culpa ;)
>>> |
>>> | MowGreen [MVP 2003-2006]
>>> | ===============
>>> | *-343-* FDNY
>>> | Never Forgotten
>>> | ===============
>>> |
>>>
>>> Sorry guys, I just got a report of a US Gov't. computer getting infected via
>>> this Exploit while accessing a US Gov't. web site.
>>>
>>> I am not at liberty, in public, to disclose the infected site and the
>>> infector site.
>>>
>>
>> No need to be sorry about anything Dave.
>> The dust will probably be settling out for some time, especially if the
>> reports about the cPanel exploited, perpetrator sites is accurate.
>> MS has over the past couple years done an amazing job at driving
>> up patch coverage and driving down time to patch, but millions are
>> likely not in the loop in any timely way.
>>
>> Roger
>
> Good point, Roger. The only thing that I could see helping is always have
> notification(s) of patches on Microsoft's main web site which I think
> Microsoft already always does and for the mainstream media to get the word
> out that it is time to patch your computers. I was certainly
They tried leveraging that in the early days of Windows Update. IMO it turned out terribly with overly sensational alerts on the morning business and nightly news, even just to the release of the scheduled monthly round of patching. There needs perhaps to be a mechanism between what runs risks of "cry wolf" syndrome and what relies on self-subscription.
Roger

> relieved that Microsoft did not wait for the second Tuesday of the month
> with this patch --- it certainly looks like it is shaping up to be
> potentially really terrible if users do not update their system(s).
|
From: "karl levinson, mvp"
|
| Sorry, I think it's a terrible idea. Microsoft's security problems are in
| part due to the time, trouble and money it costs them to support so many
| different software variations. The customers are much better off if
| Microsoft picks one code base and runs with it. Windows 98 is only more
| secure if you focus on just one very narrow definition of security... and a
| new release of Win98 with RPC/DCOM and other things added, who knows how
| secure that might be. I don't believe Win98 will make shared lab computers
| in public schools more secure. A significant problem for such environments
| is insider attacks and privilege escalation attacks. While XP is far from
| perfect in this area, at least it tries; Win98 has zero defenses here. The
| main advantage of Win98 was the lower cost, but that's not a security
| feature. If Win98 is attacked less often, it's because it's becoming less
| common. A new release of Win98 would become a popular target of attack.
|
I am in total agreement with all that you stated Karl.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
|
"karl levinson, mvp" wrote in message news:%23fB0x3X5GHA.1244@TK2MSFTNGP03.phx.gbl...
>
> "Dan W." wrote in message news:%23pwuYuV5GHA.508@TK2MSFTNGP06.phx.gbl...
>
>> If you say so but the solution is a tri-source code based upon 9x, NT
>> (New Technology) and open source technology that may be released in a
>> Windows Classic series to allow people to fully run their older computer
>> games, educational programs and other software. I am currently in
>> discussions with Microsoft about this and the feasibility of it and if
>> you want this then please let Microsoft know about it. I have the
>> support of the Albuquerque public schools for who I work for and hope
>> soon to get the support of all the public schools in the United States
>> since many of the schools run 98 Second Edition and XP Professional and
>> need a 98 Second Edition replacement to run all of their educational
>> programs for the children. Ladies and gentlemen, I implore you to do the
>> right thing and support this Classic series and let Microsoft know you
>> want it for the good of all your children and to help the public schools
>> save money on replacing all of our older software that is needed for
>> teaching your children.
>
> Sorry, I think it's a terrible idea. Microsoft's security problems are in
> part due to the time, trouble and money it costs them to support so many
> different software variations. The customers are much better off if
> Microsoft picks one code base and runs with it. Windows 98 is only more
> secure if you focus on just one very narrow definition of security... and
> a new release of Win98 with RPC/DCOM and other things added, who knows how
> secure that might be. I don't believe Win98 will make shared lab
> computers in public schools more secure. A significant problem for such
> environments is insider attacks and privilege escalation attacks. While
> XP is far from perfect in this area, at least it tries; Win98 has zero
> defenses here. The main advantage of Win98 was the lower cost, but that's
> not a security feature. If Win98 is attacked less often, it's because
> it's becoming less common. A new release of Win98 would become a popular
> target of attack.
Although I am a server and infrastructure person fundamentally, I do have a hand in running parts of the student accessible Windows resources at the largest university in the US, and from that perspective I am totally in agreement with your comments Karl
--
Roger
|
"Dan W." wrote in message news:%23pwuYuV5GHA.508@TK2MSFTNGP06.phx.gbl...
> If you say so but the solution is a tri-source code based upon 9x, NT (New
> Technology) and open source technology that may be released in a Windows
> Classic series to allow people to fully run their older computer games,
> educational programs and other software. I am currently in discussions
> with Microsoft about this and the feasibility of it and if you want this
> then please let Microsoft know about it. I have the support of the
> Albuquerque public schools for who I work for and hope soon to get the
> support of all the public schools in the United States since many of the
> schools run 98 Second Edition and XP Professional and need a 98 Second
> Edition replacement to run all of their educational programs for the
> children. Ladies and gentlemen, I implore you to do the right thing and
> support this Classic series and let Microsoft know you want it for the
> good of all your children and to help the public schools save money on
> replacing all of our older software that is needed for teaching your
> children.
Sorry, I think it's a terrible idea. Microsoft's security problems are in part due to the time, trouble and money it costs them to support so many different software variations. The customers are much better off if Microsoft picks one code base and runs with it. Windows 98 is only more secure if you focus on just one very narrow definition of security... and a new release of Win98 with RPC/DCOM and other things added, who knows how secure that might be. I don't believe Win98 will make shared lab computers in public schools more secure. A significant problem for such environments is insider attacks and privilege escalation attacks. While XP is far from perfect in this area, at least it tries; Win98 has zero defenses here. The main advantage of Win98 was the lower cost, but that's not a security feature. If Win98 is attacked less often, it's because it's becoming less common. A new release of Win98 would become a popular target of attack.
|
From: "Dan W."
| Thank Goodness for that and a true reason the 9x source code needs to
| continue as well since it may not currently be as secure as the NT
| source code but it is safe. Chris Quirke, MVP has talked about this and
| it is well-documented from the secunia.com website and I have added my
| feedback as well.
You are in denial. Win9x/ME would have been just as vulnerable in this case and would NOT have afforded any more protection nor less.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
|
David H. Lipman wrote:
> From: "Dan W."
>
> | Thank Goodness for that and a true reason the 9x source code needs to
> | continue as well since it may not currently be as secure as the NT
> | source code but it is safe. Chris Quirke, MVP has talked about this and
> | it is well-documented from the secunia.com website and I have added my
> | feedback as well.
>
> You are in denial. Win9x/ME would have been just as vulnerable in this case and would NOT
> have afforded any more protection nor less.
If you say so but the solution is a tri-source code based upon 9x, NT (New Technology) and open source technology that may be released in a Windows Classic series to allow people to fully run their older computer games, educational programs and other software. I am currently in discussions with Microsoft about this and the feasibility of it and if you want this then please let Microsoft know about it. I have the support of the Albuquerque public schools for who I work for and hope soon to get the support of all the public schools in the United States since many of the schools run 98 Second Edition and XP Professional and need a 98 Second Edition replacement to run all of their educational programs for the children. Ladies and gentlemen, I implore you to do the right thing and support this Classic series and let Microsoft know you want it for the good of all your children and to help the public schools save money on replacing all of our older software that is needed for teaching your children.
|
karl levinson, mvp wrote:
> "David H. Lipman" wrote in message news:utgX8hA5GHA.4256@TK2MSFTNGP03.phx.gbl...
>
>> | Yes, absolutely there is SOME real risk.
>> |
>> | But on the other hand, I bet that agency was aware of and accepted that
>> | risk.
>> |
>> | I'm guessing that computer was probably not running antivirus with the
>> | latest definitions.
>> |
>> | And the vulnerability used to compromise the web site is probably not
>> | anything new.
>> |
>>
>> No. There is ZERO Acceptable Risk.
>> Productivity takes a backseat to security.
>
> Wouldn't you have to be inside the agency to know what risk they had and had
> not accepted?
>
> Am I misunderstanding? There aren't too many places where productivity
> really takes a back seat to security in actual practice. I doubt there is
> anywhere on the face of the planet where management does everything that
> computer security personnel advise. I'm not sure it's possible to get to
> zero acceptable risk, there's always risk, and that risk needs to be
> accepted. And some countermeasures increase the risk of other security
> issues, like loss of availability at the expense of confidentiality. There
> are other countermeasures, such as manually re-configuring millions of
> computers, that are possible in theory, but prohibitively expensive to the
> point of jeopardizing the mission. The end goal is almost never security
> for security's sake, but security that is appropriate to the success of the
> mission. There are times when security measures, such as removing a system
> that is vital to a mission or that whose absence could jeopardize human
> life, could conflict with the success of the mission. There are times when
> taking a security measure reveals or validates information that should not
> be revealed or validated.
>
>> The computers were up-to-date. See my other reply.
>
> But there were workarounds from Microsoft that an organization that is serious
> about security could choose to implement.
True, Microsoft is very good at providing security providing the user(s) can understand the technical nature of security and the importance and need of many users to start implementing ASAP the multi-layered defense strategy that Microsoft talks about on TechNet.
(I have to include the 98 general newsgroup on this since there are some really smart people in that group as well and this issue does indeed encompass all of Microsoft Windows)
|
David H. Lipman wrote:
> From: "karl levinson, mvp"
>
> |
> | "David H. Lipman" wrote in message
> | news:utgX8hA5GHA.4256@TK2MSFTNGP03.phx.gbl...
> |
> |>> Yes, absolutely there is SOME real risk.
> |>>
> |>> But on the other hand, I bet that agency was aware of and accepted that
> |>> risk.
> |>>
> |>> I'm guessing that computer was probably not running antivirus with the
> |>> latest definitions.
> |>>
> |>> And the vulnerability used to compromise the web site is probably not
> |>> anything new.
> |>>
> |>> No. There is ZERO Acceptable Risk.
> |>> Productivity takes a backseat to security.
> |
> | Wouldn't you have to be inside the agency to know what risk they had and had
> | not accepted?
>
>
> Sorry, I will NOT answer that one :-)
>
>
> < snip >
>
>
> | There are times when security measures, such as removing a system
> | that is vital to a mission or that whose absence could jeopardize human
> | life, could conflict with the success of the mission.
>
>
> I repeat. Productivity takes a backseat to security.
>
Thank Goodness for that and a true reason the 9x source code needs to continue as well since it may not currently be as secure as the NT source code but it is safe. Chris Quirke, MVP has talked about this and it is well-documented from the secunia.com website and I have added my feedback as well.
|
David H. Lipman wrote:
> From: "karl levinson, mvp"
>
>
> |
> | Yes, absolutely there is SOME real risk.
> |
> | But on the other hand, I bet that agency was aware of and accepted that
> | risk.
> |
> | I'm guessing that computer was probably not running antivirus with the
> | latest definitions.
> |
> | And the vulnerability used to compromise the web site is probably not
> | anything new.
> |
>
> No. There is ZERO Acceptable Risk.
> Productivity takes a backseat to security.
>
> The computers were up-to-date. See my other reply.
>
I see them David and can we take the attacks to the enemy now please. I am sure we can work this out with the National Security Agency, Department of Defense, the United States Justice Department and Microsoft and f. up the crackers (hackers) up so bad (their computers I am referring to -- smile) in comparison to their hits on our machines that they regret the day they started hitting computers.
|
From: "karl levinson, mvp"
|
| "David H. Lipman" wrote in message
| news:utgX8hA5GHA.4256@TK2MSFTNGP03.phx.gbl...
|
|>> Yes, absolutely there is SOME real risk.
|>>
|>> But on the other hand, I bet that agency was aware of and accepted that
|>> risk.
|>>
|>> I'm guessing that computer was probably not running antivirus with the
|>> latest definitions.
|>>
|>> And the vulnerability used to compromise the web site is probably not
|>> anything new.
|>>
|>> No. There is ZERO Acceptable Risk.
|>> Productivity takes a backseat to security.
|
| Wouldn't you have to be inside the agency to know what risk they had and had
| not accepted?
Sorry, I will NOT answer that one :-)
< snip >
| There are times when security measures, such as removing a system
| that is vital to a mission or that whose absence could jeopardize human
| life, could conflict with the success of the mission.
I repeat. Productivity takes a backseat to security.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
|
MowGreen wrote:
> I'm sorry for posting that trite media hype. " Massive malware run " my
> butt. At least those who frequent seedy pRon sites were aware of the issue.
>
> As Roger and Karl have pointed out there was/is potential for this
> vulnerability to be exploited still, even though MS did a fine job in
> getting the update out in a timely manner.
>
> The only thing massive about the vuln was the shrill hype coming from
> the so-called "Tech media". The "regular" media just follow along since
> the sensational always is good for ratings and sells papers.
>
> Mowa culpa ;)
>
>
> MowGreen [MVP 2003-2006]
> ===============
> *-343-* FDNY
> Never Forgotten
> ===============
>
>
>
> Roger Abell [MVP] wrote:
>> "karl levinson, mvp" wrote in message
>> news:evjObEi4GHA.1188@TK2MSFTNGP05.phx.gbl...
>>> "MowGreen [MVP]" wrote in message
>>> news:eFHlJcO3GHA.1548@TK2MSFTNGP02.phx.gbl...
>>>> And, from eWeek:
>>>>
>>>> Spyware, Bots, Rootkits Flooding Through Unpatched IE Hole
>>>> http://www.eweek.com/article2/0,1895,2017626,00.asp
>>>>
>>>>> "This is a massive malware run," says Roger Thompson, chief
>>>>> technical officer at Atlanta-based Exploit Prevention Labs. In an
>>>>> interview with eWEEK, Thompson confirmed
>>>>> the drive-by attacks are hosing infected machines with browser tool
>>>>> bars and spyware
>>>>> programs with stealth rootkit capabilities.
>>> We can see from Trend Micro's numbers for the VML exploit that there
>>> is no "flooding" or "massive malware run" going on. Or rather, the
>>> "flooding" they are talking about is that one web site was observed
>>> loading 49 different adware tools onto one infected system, not that
>>> massive numbers of systems were being infected. For example:
>>>
>>> http://blogs.securiteam.com/index.php/archives/623
>>>
>>>
>>
>> To use the words of one notorious poster, it would appear the
>> news report came from "spin masters" ;-(
>>
>> In all probability we will be seeing much more use of the VML
>> vulnerability in coming weeks, in metasploit now, etc.
>>
>> Now, we sit and watch as few if any acknowledge the great job
>> MS did on the turn-around for response to VML vulnerability
>> and even fewer taking note of fact that machines running the Vista
>> or the IE 7 rcs just rode out this as a non-event for them.
>>
>> Roger
>>
Exactly, I concur and no need for apology, MowGreen. It is so easy for any of us to get caught up in the media hype. I certainly am glad Microsoft listened to us on the dangers of this particular vulnerability and released a patch so quickly. This particular vulnerability had the potential for chaos but Microsoft responded to users' needs for a patch and delivered.
|
David H. Lipman wrote:
> From: "MowGreen"
>
> | I'm sorry for posting that trite media hype. " Massive malware run " my
> | butt. At least those who frequent seedy pRon sites were aware of the issue.
> |
> | As Roger and Karl have pointed out there was/is potential for this
> | vulnerability to be exploited still, even though MS did a fine job in
> | getting the update out in a timely manner.
> |
> | The only thing massive about the vuln was the shrill hype coming from
> | the so-called "Tech media". The "regular" media just follow along since
> | the sensational always is good for ratings and sells papers.
> |
> | Mowa culpa ;)
> |
> | MowGreen [MVP 2003-2006]
> | ===============
> | *-343-* FDNY
> | Never Forgotten
> | ===============
> |
>
>
> Sorry guys, I just got a report of a US Gov't. computer getting infected via this Exploit while
> accessing a US Gov't. web site.
>
> I am not at liberty, in public, to disclose the infected site and the infector site.
>
F___ing s__t, those crazies who put out cracks (hacks) to screw with people's system(s). Some day, I hope the government can work with Microsoft and select security professionals to start cleaning up the web for all of the scum floating around. I even got a virus hit when I clicked on a post in the 98 general newsgroup that someone was asking about whether it was malicious or not. Fortunately, I called up the Microsoft security hotline last night and walked through with the technician about fixing my computer. Actually, I knew all the right steps but it was certainly nice to have someone on the telephone in case the whole system wants to go Kabloiee! I had to do a full anti-virus scan with AVG which fortunately picked up this baddie right away. The baddie is currently quarantined in AVG vault and I will pass it to you David for analysis if you are interested to see vector exploit. It talked about affecting LSASS in Windows system according to notes about it from AVG. I also had to uninstall and reinstall Outlook Express and then download the latest security update for Outlook Express. For added peace of mind --- I installed over Mozilla Thunderbird and Mozilla Firefox. I use Mozilla Thunderbird to post in the Microsoft newsgroups. I am just so pleased that my defense network picked it up right away and I am extremely pleased to report that a multi-layered defense strategy as outlined in Microsoft technical articles is awesome in protecting your system(s) and network(s). who f__k with my system(s)>
I apologize for the cussing and have concealed most of the words but cusses only explain how I really feel and please accept my apologies in advance if this post offends anyone. Actually, I rarely cuss except when I get really emotional as in this case.
|
Roger Abell [MVP] wrote:
> "David H. Lipman" wrote in message
> news:uc7eYzz4GHA.3732@TK2MSFTNGP05.phx.gbl...
>> From: "MowGreen"
>>
>> | I'm sorry for posting that trite media hype. " Massive malware run " my
>> | butt. At least those who frequent seedy pRon sites were aware of the
>> issue.
>> |
>> | As Roger and Karl have pointed out there was/is potential for this
>> | vulnerability to be exploited still, even though MS did a fine job in
>> | getting the update out in a timely manner.
>> |
>> | The only thing massive about the vuln was the shrill hype coming from
>> | the so-called "Tech media". The "regular" media just follow along since
>> | the sensational always is good for ratings and sells papers.
>> |
>> | Mowa culpa ;)
>> |
>> | MowGreen [MVP 2003-2006]
>> | ===============
>> | *-343-* FDNY
>> | Never Forgotten
>> | ===============
>> |
>>
>>
>> Sorry guys, I just got a report of a US Gov't. computer getting infected via
>> this Exploit while
>> accessing a US Gov't. web site.
>>
>> I am not at liberty, in public, to disclose the infected site and the
>> infector site.
>>
>>
>
> No need to be sorry about anything Dave.
> The dust will probably be settling out for some time, especially if the
> reports about the cPanel exploited, perpetrator sites are accurate.
> MS has over the past couple years done an amazing job at driving
> up patch coverage and driving down time to patch, but millions are
> likely not in the loop in any timely way.
>
> Roger
>
Good point, Roger. The only thing that I could see helping is to always have notification(s) of patches on Microsoft's main web site, which I think Microsoft already always does, and for the mainstream media to get the word out that it is time to patch your computers. I was certainly relieved that Microsoft did not wait for the second Tuesday of the month with this patch --- it certainly looks like it is shaping up to be potentially really terrible if users do not update their system(s).
|
David H. Lipman wrote:
> From: "Roger Abell [MVP]"
>
>
> | No need to be sorry about anything Dave.
> | The dust will probably be settling out for some time, especially if the
> | reports about the cPanel exploited, perpetrator sites are accurate.
> | MS has over the past couple years done an amazing job at driving
> | up patch coverage and driving down time to patch, but millions are
> | likely not in the loop in any timely way.
> |
> | Roger
> |
>
> Today I got an update. This was a TARGETED attack. A US Gov't. site appears to have been
> hacked with the VML in HTML exploit installed with installable malware. Users were sent
> emails to go to said site. Being a Gov't. installation receiving email that purported to be
> from the Gov't. entity indicating they should visit the compromised Gov't. web site. I was
> told 70 Gov't. computers were thusly compromised !
>
> Additionally, the same (nameless) Gov't. installation has been receiving targeted PowerPoint
> Exploits in PowerPoint slides. Symantec has been calling them "Trojan.Dropper" and
> "Trojan.PPDropper".
>
It is getting really BAD out there, David. The bad people are stepping up their efforts to hit all machines especially those connected with broadband. Take a look at my post where I was briefly compromised and this has not happened to me in a long time except for a bit of Adware a little while ago. I want and need a solution to start hitting the bad people's sites ASAP. An Active and Powerful Firewall that has Offensive Capabilities must be provided to as many users as possible ASAP. War has been declared by the hackers (crackers) and we must start hitting them even harder than they are hitting us now. It is the only solution, I am afraid that we must start engaging in cyber-warfare with these machines and not just sit back with this now flawed only purely defensive strategy. What are the options for the attack vectors, David and please lead us in the charge to reclaim the Internet for all users.
|
"David H. Lipman" wrote in message news:utgX8hA5GHA.4256@TK2MSFTNGP03.phx.gbl... [color=blue] > | Yes, absolutely there is SOME real risk. > | > | But on the other hand, I bet that agency was aware of and accepted that > | risk. > | > | I'm guessing that computer was probably not running antivirus with the > | latest definitions. > | > | And the vulnerability used to compromise the web site is probably not > | anything new. > | > > No. There is ZERO Acceptable Risk. > Productivity takes a backseat to security.[/color]
Wouldn't you have to be inside the agency to know what risk they had and had not accepted?
Am I misunderstanding? There aren't too many places where productivity really takes a back seat to security in actual practice. I doubt there is anywhere on the face of the planet where management does everything that computer security personnel advise. I'm not sure it's possible to get to zero acceptable risk, there's always risk, and that risk needs to be accepted. And some countermeasures increase the risk of other security issues, like loss of availability at the expense of confidentiality. There are other countermeasures, such as manually re-configuring millions of computers, that are possible in theory, but prohibitively expensive to the point of jeopardizing the mission. The end goal is almost never security for security's sake, but security that is appropriate to the success of the mission. There are times when security measures, such as removing a system that is vital to a mission or that whose absence could jeopardize human life, could conflict with the success of the mission. There are times when taking a security measure reveals or validates information that should not be revealed or validated.

> The computers were up-to-date. See my other reply.
But there were workarounds from Microsoft that an organization that serious about security could choose to implement.
|
I'm sorry for posting that trite media hype. " Massive malware run " my butt. At least those who frequent seedy pRon sites were aware of the issue.
As Roger and Karl have pointed out there was/is potential for this vulnerability to be exploited still, even though MS did a fine job in getting the update out in a timely manner.
The only thing massive about the vuln was the shrill hype coming from the so-called "Tech media". The "regular" media just follow along since the sensational always is good for ratings and sells papers.
Mowa culpa ;)
MowGreen [MVP 2003-2006]
===============
*-343-* FDNY
Never Forgotten
===============
Roger Abell [MVP] wrote:
> "karl levinson, mvp" wrote in message
> news:evjObEi4GHA.1188@TK2MSFTNGP05.phx.gbl...
>> "MowGreen [MVP]" wrote in message
>> news:eFHlJcO3GHA.1548@TK2MSFTNGP02.phx.gbl...
>>> And, from eWeek:
>>>
>>> Spyware, Bots, Rootkits Flooding Through Unpatched IE Hole
>>> http://www.eweek.com/article2/0,1895,2017626,00.asp
>>>
>>>> "This is a massive malware run," says Roger Thompson, chief technical
>>>> officer at Atlanta-based Exploit Prevention Labs. In an interview with
>>>> eWEEK, Thompson confirmed
>>>> the drive-by attacks are hosing infected machines with browser tool bars
>>>> and spyware
>>>> programs with stealth rootkit capabilities.
>> We can see from Trend Micro's numbers for the VML exploit that there is no
>> "flooding" or "massive malware run" going on. Or rather, the "flooding"
>> they are talking about is that one web site was observed loading 49
>> different adware tools onto one infected system, not that massive numbers
>> of systems were being infected. For example:
>>
>> http://blogs.securiteam.com/index.php/archives/623
>>
>>
>
> To use the words of one notorious poster, it would appear the
> news report came from "spin masters" ;-(
>
> In all probability we will be seeing much more use of the VML
> vulnerability in coming weeks, in metasploit now, etc.
>
> Now, we sit and watch as few if any acknowledge the great job
> MS did on the turn-around for response to VML vulnerability
> and even fewer taking note of fact that machines running the Vista
> or the IE 7 rcs just rode out this as a non-event for them.
>
> Roger
>
|
From: "MowGreen"
| I'm sorry for posting that trite media hype. " Massive malware run " my
| butt. At least those who frequent seedy pRon sites were aware of the issue.
|
| As Roger and Karl have pointed out there was/is potential for this
| vulnerability to be exploited still, even though MS did a fine job in
| getting the update out in a timely manner.
|
| The only thing massive about the vuln was the shrill hype coming from
| the so-called "Tech media". The "regular" media just follow along since
| the sensational always is good for ratings and sells papers.
|
| Mowa culpa ;)
|
| MowGreen [MVP 2003-2006]
| ===============
| *-343-* FDNY
| Never Forgotten
| ===============
|
Sorry guys, I just got a report of a US Gov't. computer getting infected via this Exploit while accessing a US Gov't. web site.
I am not at liberty, in public, to disclose the infected site and the infector site.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
|
"David H. Lipman" wrote in message news:uc7eYzz4GHA.3732@TK2MSFTNGP05.phx.gbl...[color=blue] > From: "MowGreen" > > | I'm sorry for posting that trite media hype. " Massive malware run " my > | butt. At least those who frequent seedy pRon sites were aware of the > issue. > | > | As Roger and Karl have pointed out there was/is potential for this > | vulnerability to be exploited still, even though MS did a fine job in > | getting the update out in a timely manner. > | > | The only thing massive about the vuln was the shrill hype coming from > | the so-called "Tech media". The "regular" media just follow along since > | the sensational always is good for ratings and sells papers. > | > | Mowa culpa ;) > | > | MowGreen [MVP 2003-2006] > | =============== > | *-343-* FDNY > | Never Forgotten > | =============== > | > > > Sorry guys, I just got a report of a US Gov't. computer get infected via > this Exploit while > access a US Gov't. web site. > > I am not at liberty, in public, to disclose the infected site and the > infector site. > >[/color]
No need to be sorry about anything Dave. The dust will probably be settling out for some time, especially if the reports about the cPanel exploited, perpetrator sites are accurate. MS has over the past couple years done an amazing job at driving up patch coverage and driving down time to patch, but millions are likely not in the loop in any timely way.
Roger
|
"David H. Lipman" wrote in message news:uc7eYzz4GHA.3732@TK2MSFTNGP05.phx.gbl... [color=blue] > Sorry guys, I just got a report of a US Gov't. computer get infected via > this Exploit while > access a US Gov't. web site. > > I am not at liberty, in public, to disclose the infected site and the > infector site.[/color]
Yes, absolutely there is SOME real risk.
But on the other hand, I bet that agency was aware of and accepted that risk.
I'm guessing that computer was probably not running antivirus with the latest definitions.
And the vulnerability used to compromise the web site is probably not anything new.
|
From: "Roger Abell [MVP]"
| No need to be sorry about anything Dave.
| The dust will probably be settling out for some time, especially if the
| reports about the cPanel exploited, perpetrator sites are accurate.
| MS has over the past couple years done an amazing job at driving
| up patch coverage and driving down time to patch, but millions are
| likely not in the loop in any timely way.
|
| Roger
|
Today I got an update. This was a TARGETED attack. A US Gov't. site appears to have been hacked with the VML in HTML exploit installed with installable malware. Users were sent emails to go to said site. Being a Gov't. installation receiving email that purported to be from the Gov't. entity indicating they should visit the compromised Gov't. web site. I was told 70 Gov't. computers were thusly compromised !
Additionally, the same (nameless) Gov't. installation has been receiving targeted PowerPoint Exploits in PowerPoint slides. Symantec has been calling them "Trojan.Dropper" and "Trojan.PPDropper".
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
|
From: "karl levinson, mvp"
|
| Yes, absolutely there is SOME real risk.
|
| But on the other hand, I bet that agency was aware of and accepted that
| risk.
|
| I'm guessing that computer was probably not running antivirus with the
| latest definitions.
|
| And the vulnerability used to compromise the web site is probably not
| anything new.
|
No. There is ZERO Acceptable Risk. Productivity takes a backseat to security.
The computers were up-to-date. See my other reply.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
|
"karl levinson, mvp" wrote in message news:evjObEi4GHA.1188@TK2MSFTNGP05.phx.gbl...[color=blue] > > "MowGreen [MVP]" wrote in message > news:eFHlJcO3GHA.1548@TK2MSFTNGP02.phx.gbl...[color=green] >> And, from eWeek: >> >> Spyware, Bots, Rootkits Flooding Through Unpatched IE Hole >> [url]http://www.eweek.com/article2/0,1895,2017626,00.asp[/url] >>[color=darkred] >>> "This is a massive malware run," says Roger Thompson, chief technical >>> officer at Atlanta-based Exploit Prevention Labs. In an interview with >>> eWEEK, Thompson confirmed >>> the drive-by attacks are hosing infected machines with browser tool bars >>> and spyware >>> programs with stealth rootkit capabilities.[/color][/color] > > We can see from Trend Micro's numbers for the VML exploit that there is no > "flooding" or "massive malware run" going on. Or rather, the "flooding" > they are talking about is that one web site was observed loading 49 > different adware tools onto one infected system, not that massive numbers > of systems were being infected. For example: > > [url]http://blogs.securiteam.com/index.php/archives/623[/url] > >[/color]
To use the words of one notorious poster, it would appear the news report came from "spin masters" ;-(
In all probability we will be seeing much more use of the VML vulnerability in coming weeks, in metasploit now, etc.
Now, we sit and watch as few if any acknowledge the great job MS did on the turn-around for response to VML vulnerability and even fewer taking note of fact that machines running the Vista or the IE 7 rcs just rode out this as a non-event for them.
Roger
|
"MowGreen [MVP]" wrote in message news:eFHlJcO3GHA.1548@TK2MSFTNGP02.phx.gbl...[color=blue] > And, from eWeek: > > Spyware, Bots, Rootkits Flooding Through Unpatched IE Hole > [url]http://www.eweek.com/article2/0,1895,2017626,00.asp[/url] >[color=green] >> "This is a massive malware run," says Roger Thompson, chief technical >> officer at Atlanta-based Exploit Prevention Labs. In an interview with >> eWEEK, Thompson confirmed >> the drive-by attacks are hosing infected machines with browser tool bars >> and spyware >> programs with stealth rootkit capabilities.[/color][/color]
We can see from Trend Micro's numbers for the VML exploit that there is no "flooding" or "massive malware run" going on. Or rather, the "flooding" they are talking about is that one web site was observed loading 49 different adware tools onto one infected system, not that massive numbers of systems were being infected. For example:
http://blogs.securiteam.com/index.php/archives/623
|
cquirke (MVP Windows shell/user)

On Sun, 1 Oct 2006 13:19:08 -0400, "karl levinson, mvp"
>"Dan W." wrote in message
>> If you say so but the solution is a tri-source code based upon 9x, NT (New
>> Technology) and open source technology that may be released in a Windows
>> Classic series to allow people to fully run their older computer games,
>> educational programs and other software.
The trick there is to use a solid code base that then encapsulates and sand-boxes the other non-native OSs. This is particularly beneficial for DOS and Win9x, as these need their view of the system speed and capacities to be less than it really is - so the performance impact of the emulation overhead is not a problem.
In 2006, you should really see DOS, Win9x, and even Win9x as non-native with respect to today's hardware. This will become even more of a factor as 64-bit, EFI, no-execute etc. take hold; it's already demanded by USB, >137G, large RAM, fast CPU clock speeds, altered relative timings for different CPU instructions, and less attention paid to legacy BIOS standards.

>Sorry, I think it's a terrible idea. Microsoft's security problems are in
>part due to the time, trouble and money it costs them to support so many
>different software variations. The customers are much better off if
>Microsoft picks one code base and runs with it.
This is potentially true. Alas, real-world mileage has been poor because MS doesn't grasp how different are the needs outside of NT's non-traditional market, or they undervalue the importance of these.
The problems consumers have with XP are not because it's a pure Win432 code base that doesn't properly support Win9x, DOS and Win3.yuk apps.
Instead, it's because the XP use is unchanged from the design requirements of professionally-administered network computing.

>Windows 98 is only more secure if you focus on just one very narrow
>definition of security... and a new release of Win98 with RPC/DCOM
>and other things added, who knows how secure that might be.
I'm with Karl on this one. Win9x is safer only because there is less of it - and especially because it doesn't open itself up to be used as a network chew-toy, as NT is designed to do.
Once you port those mistakes into Win9x, you'd have all the un-safety of the original XP plus all the insecurity of Win9x. What a mess!
Instead, how about rolling back NT to the bare-bones kernel, and then applying the Win9x stand-alone design to developing it back up to a full OS? IOW, none of that RPC, LSASS etc. and no facilities whatsoever for any sort of remote admin. If you aren't physically at the keyboard, you don't even have the right to speak to the OS unless invited to do so by some outward-going traffic to your IP address, and even then, you don't have any admin access at all.
That gives you the safety of Win9x on the stability of NT, and uses a common core code base for ease of support. The code base is better not only because it's NT-based, but also because it's up to managing modern hardware, in the same way that Win9x definitely is NOT.

>I don't believe Win98 will make shared lab computers in public schools
>more secure. A significant problem for such environments is insider
>attacks and privilege escalation attacks. While XP is far from perfect
>in this area, at least it tries; Win98 has zero defenses here.
Agreed. Kiosk PCs (i.e. those for use by a careless public) are hard to manage, and while the simplicity of Win9x helps, it's not enough.

>The main advantage of Win98 was the lower cost
And that evaporated when XP Home was released...
>---------- ----- ---- --- -- - - - -
Proverbs Unscrolled #37
"Build it and they will come and break it"
>---------- ----- ---- --- -- - - - -
|
cquirke (MVP Windows shell/user)

On Sun, 01 Oct 2006 20:38:16 -0600, "Dan W."
>> "Dan W." wrote in message
>>> If you say so but the solution is a tri-source code based upon 9x, NT (New
>>> Technology) and open source technology
>I am referring to a release that combined the elements of the three
>source codes into one. If this could be accomplished and leveraged in
>order to provide legacy support for Windows 3.1 programs and DOS
>programs then this would be great. Chris Quirke, talks about the
>problems with the NT technology code base.
If what you're after is an OS that runs apps written for multiple platforms, then that's another story...
- DOS; via emulator
- Win3.x; via emulator
- Win9x; via emulator or "compatibility mode"
- open source ...?
"Open source" is a licensing model, not a platform - there's plenty of open source written for Windows, some of it written my MS themselves, so there's no special requirements there.
Are you referring to open source OSs, such as Linux? If so, then that's trickier. The usual thought is that Linux needs less hardware than Windows, and therefore one could emulate it as one would older Win9x, Win3.yuk and DOS apps. The reality is that Linux apps may require full performance, and that may mean peering the OS.
MS has entered these waters before, e.g. the POSIX component of NT. I'm not sure if they should do so again, for various reasons.
Firstly, what are the ethics of an "OS monopolist" hosting a competing platform's applications?
Is it in Linux's interests for all those applications not to need Linux as a prerequisite for use?
Is it in MS's interests, or the interests of developers who write for Windows, to enable all these competing applications?
Then there's the question of security and safety. A combination of parallel *NIX and MS functionalities would double the number of things to check and patch, and that's before you consider the surface between them, e.g. attacks made by crossing between the two.
IMO, Windows is "rich" enough with integration points and exploitable surfaces as it is; I don't want to have to run after the whole of Linux as well. If I wanted exposure to all of Linux's possible exploits and intrusions, I'd run Linux. I'm not running Linux, so that implies I need these extra hassles like a hole in the head.
NT and *NIX grew up separately, and have completely different security models - so I see cross-escalation opportunities as a huge risk.
>------------ ----- --- -- - - - -
Drugs are usually safe. Inject? (Y/n)
>------------ ----- --- -- - - - -
|
David H. Lipman wrote:
> From: "Gerry Hickman"
>
> | Hi Roger,
> |
> | I'd be interested to know if the "70 computers compromised" were running
> | with Admin rights? I work in this sector too and we certainly don't
> | allow it.
> |
>
> And what sector would that be ? :-)
>
Interesting no reply from poster. hmm -- I wonder why not! You guys know that I already work in the security arena and I deal with getting infected computers back to working state again where it ceases to amuse me and I move on to the next compromised machine.
-- Dan W.
Computer User
|
Gerry Hickman wrote:
> Hi Dan W.,
>
>> True, Microsoft is very good at providing security providing the
>> user(s) can understand the technical nature of security and the
>> importance and need of many users to start implementing ASAP the
>> multi-layered defense strategy that Microsoft talks about on TechNet.
>
> Well said.
Thank you, Gerry.
-- Dan W.
Computer User
|
From: "Gerry Hickman"
| Hi Roger,
|
| I'd be interested to know if the "70 computers compromised" were running
| with Admin rights? I work in this sector too and we certainly don't
| allow it.
|
And what sector would that be ? :-)
-- Dave http://www.claymania.com/removal-trojan-adware.html http://www.ik-cs.com/got-a-virus.htm
|
Hi Roger,

I'd be interested to know if the "70 computers compromised" were running with Admin rights? I work in this sector too and we certainly don't allow it.

Roger Abell [MVP] wrote:
> "David H. Lipman" wrote in message
> news:%23tj6dfA5GHA.4064@TK2MSFTNGP03.phx.gbl...
>> From: "Roger Abell [MVP]"
>>
>> | No need to be sorry about anything Dave.
>> | The dust will probably be settling out for some time, especially if the
>> | reports about the cPanel exploited, perpetrator sites is accurate.
>> | MS has over the past couple years done an amazing job at driving
>> | up patch coverage and driving down time to patch, but millions are
>> | likely not in the loop in any timely way.
>> |
>> | Roger
>> |
>>
>> Today I got an update. This was a TARGETED attack. A US Gov't. site
>> appears to have been hacked with the VML in HTML exploit installed with
>> installable malware. Users were sent emails to go to said site. Being a
>> Gov't. installation receiving email that purported to be from the Gov't.
>> entity indicating they should visit the compromised Gov't. web site. I was
>> told 70 Gov't. computers were thusly compromised !
>>
>> Additionally, the same (nameless) Gov't. installation has been receiving
>> targeted PowerPoint Exploits in PowerPoint slides. Symantec has been
>> calling them "Trojan.Dropper" and "Trojan.PPDropper".
>
> Quite the harbinger of the world we have entered Dave.
> We, and other countries, too often appear far too ill-prepared
> for an "all fronts" encounter (sorry Karl) with a technically
> advanced adversary.
>
> Roger
-- Gerry Hickman (London UK)
|
Hi Dan W.,

> True, Microsoft is very good at providing security providing the user(s)
> can understand the technical nature of security and the importance and
> need of many users to start implementing ASAP the multi-layered defense
> strategy that Microsoft talks about on TechNet.
Well said.
-- Gerry Hickman (London UK)
|
From: "Roger Abell [MVP]"
| Today Microsoft issued the advisory
|
| Vulnerability in Vector Markup Language Could Allow Remote Code Execution
| http://www.microsoft.com/technet/security/advisory/925568.mspx
|
| The exploit is said to be both released in code form and to be currently,
| actively exploited to some extent. You can find bulletins from most groups
| and vendors by now.
|
| See the advisory for action you can take.
|
| Also, see the info Jesper Johansson's blogged (with help of Alun Jones,
| who you see in these newsgroups) for an AD GPO based approach
| http://msinfluentials.com/blogs/jesper/archive/2006/09/19/Block-VML-Zero_2D00_Day-Vuln-on-a-domain.aspx
| i.e. http://tinyurl.com/mtcbd
| .
| Roger
|
Too many so called "Zero Day Exploits" in the last fortnight.
MS Word http://www.us-cert.gov/cas/alerts/SA06-250A.html
MS Publisher http://www.us-cert.gov/cas/alerts/SA06-255A.html
ActiveX DirectAnimation http://www.us-cert.gov/cas/alerts/SA06-258A.html
And now VML in HTML vulnerability. http://www.us-cert.gov/cas/alerts/SA06-262A.html
MCSE - Microsoft Can't Secure Enough
-- Dave http://www.claymania.com/removal-trojan-adware.html http://www.ik-cs.com/got-a-virus.htm
|
Today Microsoft issued the advisory
Vulnerability in Vector Markup Language Could Allow Remote Code Execution http://www.microsoft.com/technet/security/advisory/925568.mspx
The exploit is said to be both released in code form and to be currently, actively exploited to some extent. You can find bulletins from most groups and vendors by now.
See the advisory for action you can take.
Also, see the info Jesper Johansson's blogged (with help of Alun Jones, who you see in these newsgroups) for an AD GPO based approach http://msinfluentials.com/blogs/jesper/archive/2006/09/19/Block-VML-Zero_2D00_Day-Vuln-on-a-domain.aspx i.e. http://tinyurl.com/mtcbd .
Roger
-- Roger Abell Microsoft MVP (Windows Server : Security)
|
Roger Abell [MVP] wrote:
> "Dan W." wrote in message
> news:Oi7zTwc5GHA.856@TK2MSFTNGP03.phx.gbl...
>> Roger Abell [MVP] wrote:
>>> "karl levinson, mvp" wrote in message
>>> news:%23fB0x3X5GHA.1244@TK2MSFTNGP03.phx.gbl...
>>>> "Dan W." wrote in message
>>>> news:%23pwuYuV5GHA.508@TK2MSFTNGP06.phx.gbl...
>>>>
>>>>> If you say so but the solution is a tri-source code based upon 9x, NT
>>>>> (New Technology) and open source technology that may be released in a
>>>>> Windows Classic series to allow people to fully run their older
>>>>> computer games, educational programs and other software. I am
>>>>> currently in discussions with Microsoft about this and the feasibility
>>>>> of it and if you want this then please let Microsoft know about it. I
>>>>> have the support of the Albuquerque public schools for who I work for
>>>>> and hope soon to get the support of all the public schools in the
>>>>> United States since many of the schools run 98 Second Edition and XP
>>>>> Professional and need a 98 Second Edition replacement to run all of
>>>>> their educational programs for the children. Ladies and gentlemen, I
>>>>> implore you to do the right thing and support this Classic series and
>>>>> let Microsoft know you want it for the good of all your children and to
>>>>> help the public schools save money on replacing all of our older
>>>>> software that is needed for teaching your children.
>>>> Sorry, I think it's a terrible idea. Microsoft's security problems are
>>>> in part due to the time, trouble and money it costs them to support so
>>>> many different software variations. The customers are much better off
>>>> if Microsoft picks one code base and runs with it. Windows 98 is only
>>>> more secure if you focus on just one very narrow definition of
>>>> security... and a new release of Win98 with RPC/DCOM and other things
>>>> added, who knows how secure that might be. I don't believe Win98 will
>>>> make shared lab computers in public schools more secure. A significant
>>>> problem for such environments is insider attacks and privilege
>>>> escalation attacks. While XP is far from perfect in this area, at least
>>>> it tries; Win98 has zero defenses here. The main advantage of Win98 was
>>>> the lower cost, but that's not a security feature. If Win98 is attacked
>>>> less often, it's because it's becoming less common. A new release of
>>>> Win98 would become a popular target of attack.
>>>>
>>> Although I am a server and infrastructure person fundamentally, I do have
>>> a hand in running parts of the student accessible Windows resources at
>>> the largest university in the US, and from that perspective I am
>>> totally in agreement with your comments Karl
>>>
>> Well, I have the support of the Albuquerque public schools and we need a
>> solution that is more secure and allows the schools to run older software
>> despite what you say. It deprives the schools of much needed funds to
>> have to replace all the older software that works great in teaching our
>> children. I am following through with Microsoft on this but thanks
>> anyway.
>
> Dan,
>
> What I simply cannot buy into is your repeated comment that
> Win 9x is a secure solution. From all I know that is simply not
> a supportable claim as Win 9x is an OS without any security
> model implemented in it.
>
> If you cannot run the suite of applications on which you rely
> within an application compatibility mode, then perhaps you
> could within a virtual environment (given that the virtual products
> are now free from VMWare and from Microsoft).
>
> I do not see how there could be the hybrid OS that you seem
> to be trying to obtain, since the DOS family and the NT family
> are fundamentally different at their very roots, so one would
> have to select one way or the other of rooting onto the hardware.
>
> Roger

Well, if it cannot be a hybrid operating system then just make it Windows 98 Second Edition and combine the good aspects of Windows Millennium and add some extra features and you have a Windows Classic Edition that will appeal to the schools with their old software and the consumers who want to buy newer machines but still want to play their old DOS games and programs. I think this is the main reason why Windows 98/98SE continues to have such a large market share. If I had been smarter, I would have just skipped over XP Professional and waited for Vista like PCR of the 98 general newsgroup is doing. I know supporting 2 lines of code NT (New Technology) and 9x is expensive for Microsoft but if they release the Classic Edition of Windows correctly and it really is good and supports the older Windows 3.1 programs and DOS programs then it will have selling potential. The school in Albuquerque is really excited about this as are higher ups in the Albuquerque Public School District. It is a chance for us to continue to use older software that still works well and have a new operating system that will not compete with Vista because it has a different mission and purpose. I really think Microsoft was stupid for trying to eliminate 9x source code since people still want to use their older programs that will not run or run poorly on Vista. Security is not as necessary a requirement in a school as in a corporation and anyway the domain is able to stop many attacks before they even reach the individual computers so it would not even matter if there was only one all purpose account there anyway. I plan to continue supporting all the Windows 98 Second Edition computers at our school for as long as possible. I will even branch out to start fixing 98SE computers at other schools as needed.

I feel that passionate about the importance of providing a good education for our children and lots of the older educational software that is for Windows 3.1 refuses to run on XP but will run on 98SE. Since Microsoft decided to end support on July 11, 2006 for 98SE then the public schools are now fighting for this Classic Edition since they need the older software that will not run on XP computers. Lesson Plans have been created incorporating these older programs. I guess no one can understand unless they are a teacher or perhaps a parent that sends their children to the public schools.
|
"Dan W." wrote in message news:Oi7zTwc5GHA.856@TK2MSFTNGP03.phx.gbl...
> Roger Abell [MVP] wrote:
>> "karl levinson, mvp" wrote in message
>> news:%23fB0x3X5GHA.1244@TK2MSFTNGP03.phx.gbl...
>>> "Dan W." wrote in message
>>> news:%23pwuYuV5GHA.508@TK2MSFTNGP06.phx.gbl...
>>>
>>>> If you say so but the solution is a tri-source code based upon 9x, NT
>>>> (New Technology) and open source technology that may be released in a
>>>> Windows Classic series to allow people to fully run their older
>>>> computer games, educational programs and other software. I am
>>>> currently in discussions with Microsoft about this and the feasibility
>>>> of it and if you want this then please let Microsoft know about it. I
>>>> have the support of the Albuquerque public schools for who I work for
>>>> and hope soon to get the support of all the public schools in the
>>>> United States since many of the schools run 98 Second Edition and XP
>>>> Professional and need a 98 Second Edition replacement to run all of
>>>> their educational programs for the children. Ladies and gentlemen, I
>>>> implore you to do the right thing and support this Classic series and
>>>> let Microsoft know you want it for the good of all your children and to
>>>> help the public schools save money on replacing all of our older
>>>> software that is needed for teaching your children.
>>> Sorry, I think it's a terrible idea. Microsoft's security problems are
>>> in part due to the time, trouble and money it costs them to support so
>>> many different software variations. The customers are much better off
>>> if Microsoft picks one code base and runs with it. Windows 98 is only
>>> more secure if you focus on just one very narrow definition of
>>> security... and a new release of Win98 with RPC/DCOM and other things
>>> added, who knows how secure that might be. I don't believe Win98 will
>>> make shared lab computers in public schools more secure. A significant
>>> problem for such environments is insider attacks and privilege
>>> escalation attacks. While XP is far from perfect in this area, at least
>>> it tries; Win98 has zero defenses here. The main advantage of Win98 was
>>> the lower cost, but that's not a security feature. If Win98 is attacked
>>> less often, it's because it's becoming less common. A new release of
>>> Win98 would become a popular target of attack.
>>>
>>
>> Although I am a server and infrastructure person fundamentally, I do have
>> a hand in running parts of the student accessible Windows resources at
>> the largest university in the US, and from that perspective I am
>> totally in agreement with your comments Karl
>>
>
> Well, I have the support of the Albuquerque public schools and we need a
> solution that is more secure and allows the schools to run older software
> despite what you say. It deprives the schools of much needed funds to
> have to replace all the older software that works great in teaching our
> children. I am following through with Microsoft on this but thanks
> anyway.
Dan,
What I simply cannot buy into is your repeated comment that Win 9x is a secure solution. From all I know that is simply not a supportable claim as Win 9x is an OS without any security model implemented in it.
If you cannot run the suite of applications on which you rely within an application compatibility mode, then perhaps you could within a virtual environment (given that the virtual products are now free from VMWare and from Microsoft).
I do not see how there could be the hybrid OS that you seem to be trying to obtain, since the DOS family and the NT family are fundamentally different at their very roots, so one would have to select one way or the other of rooting onto the hardware.
Roger
|