Category Archives: Security

Fun facts about Bruce Schneier

For the security-minded: get the truth about Bruce Schneier, popular crypto-pundit.


Filed under Security

Charming bug in the GeoTrust TrustWatch IE toolbar

I’ve been spending a lot of time working with various client-side anti-phishing products, including GeoTrust’s TrustWatch. It turns out to have a fairly serious bug: if you go to an unverified site (which should show a yellow icon), then visit a verified site, the toolbar icon won’t update, so the known-good site still shows as untrusted! If you click the toolbar icon itself, the detailed site report is correct. However, this problem a) makes it hard for me to have much confidence in TrustWatch’s services and b) is certainly misleading, since it makes good sites appear to be bad.

Update: not only is this a bug, it’s inconsistent. Sometimes refreshing the page fixes it, but not always. Sometimes moving through the page history fixes it, but not always. There’s also a case that looks like a bug but isn’t: when page A (which shows up as unverified) redirects to page B (which is verified), the icon will change.


Filed under Security

Steve Riley on mandatory integrity control

Steve Riley has a great blog post on mandatory integrity control (MIC) in Windows Vista. MIC is an old concept; I fondly remember the old Multics machine that USL had, and Multics was one of the first systems to implement MIC in any meaningful way. Anyway, the Vista implementation of MIC is pretty interesting; read Steve’s blog to find out more.


Filed under Security

My TechEd 2006 session

I haven’t had time to post the slides yet, but Hunter gives a pretty good overview of what I covered. (Thankfully, he didn’t mention the icy-cold room or the mysterious problem we had with the lights, both of which cost me in my session evaluations; this guy mentioned the lights, though.)


Filed under Security

Microsoft releases regulatory compliance guide

Great news from Microsoft’s Core Infrastructure Solutions group: they’ve released a new guide called the Regulatory Compliance Planning Guide. It explains how to use a control-based framework to help ensure that your company complies with various regulations, including Sarbanes-Oxley, Gramm-Leach-Bliley, HIPAA, the EU Data Protection Directive, and ISO 17799. Good stuff.


Filed under Security

Major vulns in Oracle, again

From CERT yesterday, an announcement of Oracle’s latest security patch. They’re so clueless it’s not even worth making fun of them at this point.

Various Oracle products and components are affected by multiple vulnerabilities. The impacts of these vulnerabilities include remote execution of arbitrary code, information disclosure, and denial of service.


Filed under Security

New vulns in Veritas StorageExec

Hot on the heels of the recent BackupExec vulns, the folks at NGS have been busy finding similar buffer overflow vulnerabilities in the StorageExec product. This Windows IT Pro article credits NGS, but NGS’ own web site doesn’t seem to have an alert. Anyway, Symantec has released hotfixes for StorageExec and StorageCentral.

Of course, the real question is whether Symantec is going to institute the same kind of deep-dive security effort that Microsoft did with their Secure Windows Initiative and Trustworthy Computing. Vendors who don’t do that (paging Mr. Ellison! paging Mr. Ellison to the white security phone!) are going to continue to get their pants pulled down by eager, skilled firms like NGS.


Filed under Security

Unbelievable VERITAS security hole

Wow, this is hard to stomach. CERT is reporting TA05-224A: “VERITAS BackupExec Uses Hard-Coded Authentication Credentials”. It’s astonishing that any company could be so stupid as to ship a product that still uses hard-coded credentials; it’s a wonder that it’s taken this long for an exploit to start circulating. (Note that this is different from the vuln-o-rama announced last month.)

According to Symantec’s page on the vuln, only BE versions 8.0, 8.5, and 8.6 have the flaw. I’d bet that’s a significant portion of the installed base, so a) I hope they’re protected and b) I sure would feel more comfortable if the page also said “hey, don’t worry, we fixed the problem in BE 9”. My concern is that BE 9.x and 10.x have the same, or similar, problem but that attackers haven’t found the creds yet.

Update: Symantec updated the vuln page last night with this additional page. Turns out that BE 9.0, 9.1, and 10.0 are vulnerable too. Sheesh. Making things worse, to fix the remote agent you have to uninstall the remote agent, reboot, install the new version of the agent, and reboot again. There’s no hotfix.


Filed under Security

BackupExec flaw being exploited in the wild

Last week, Veritas released a set of advisories for security flaws in various versions of BackupExec. This flaw, a buffer overflow in the BackupExec remote agent, is apparently being attacked in the wild. InformationWeek reported yesterday that the vuln is already being actively attacked by a W32.Toxbot variant. If you’re running BackupExec, make sure you get the patch, and don’t allow remote traffic to TCP port 10000 (not that you should normally be doing that anyway, but still…)


Filed under Security

SHA-1 broken

Bruce Schneier is reporting that the SHA-1 hash algorithm has been broken:

The research team of Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu (mostly from Shandong University in China) have been quietly circulating a paper describing their results:

• collisions in the full SHA-1 in 2**69 hash operations, much less than the brute-force attack of 2**80 operations based on the hash length.

• collisions in SHA-0 in 2**39 operations.

• collisions in 58-round SHA-1 in 2**33 operations.

This attack builds on previous attacks on SHA-0 and SHA-1, and is a major, major cryptanalytic result. It pretty much puts a bullet into SHA-1 as a hash function for digital signatures (although it doesn’t affect applications such as HMAC where collisions aren’t important).


Filed under Oops!, Security

DoS attacks against BlackBerry devices

From the “I hate it when that happens” department: there’s a vuln in the BlackBerry software (at least in the 7230 model) that can be used to cause the device to reboot on demand. The problem is triggered by >128Kb of text in the “Location” field of a meeting request. As RIM points out, Outlook limits that field to 255 characters, so you’d have to hand-craft attack messages. However, these messages don’t do permanent damage; they just cause annoying reboots.



Filed under Oops!, Security

Security Tuesday: new vuln in OWA 5.5

This month’s Security Tuesday only includes one bulletin: 04-026. It fixes a cross-site scripting/script injection vulnerability in Exchange 5.5’s Outlook Web Access component. If you’re using OWA 5.5, a) you should get this fix and b) you should probably be upgrading.



Filed under Security

New IE fix released

Microsoft has taken the unusual step of releasing a security fix outside of their normal release cycle. The bulletin, MS04-025, is a cumulative update that addresses three separate vulns in IE: CAN-2004-0549, CAN-2004-0566, and CAN-2003-1048.



Filed under Security

Security Tuesday: MS04-015

It’s Security Tuesday again. This month, we get MS04-015, which covers a vuln in Help and Support Center on XP SP1 and Windows 2003 RTM (32- and 64-bit versions), and updates to MS04-014 (pretty much everyone) and MS01-052 (NT4.0 TSE SP6 and Windows 2000 SP2). Happy patching!


Filed under Security

Security Tuesday: four new critical bulletins for April

Well, it’s the second Tuesday of the month, so it must be time for the latest crop of Microsoft security bulletins. The summary is here. There are four bulletins (MS04-011, MS04-012, MS04-013, and MS04-014), and all of them are rated “critical”. Patch now.


Filed under Security