1. Welcome to TechPowerUp Forums, Guest! Please check out our forum guidelines for info related to our community.

One month after Vista released to manufacturers, there is no major rush to upgrade

Discussion in 'News' started by zekrahminator, Dec 31, 2006.

  1. Ketxxx

    Ketxxx Heedless Psychic

    Joined:
    Mar 4, 2006
    Messages:
    11,510 (3.75/day)
    Thanks Received:
    570
    Location:
    Kingdom of gods
    Indeed we have. Would be nice to dig up more info on this Vista sound thing too. Its a rather important point, but has been somewhat hidden. Dont know about the masses of prodigy, x-meridian and x-fi owners, but i know id be PISSED if i got Vista, then realised none of my VERY EXPENSIVE soundcard hardware features would actually be utilised via hardware.
  2. Wile E

    Wile E Power User

    Joined:
    Oct 1, 2006
    Messages:
    24,324 (8.50/day)
    Thanks Received:
    3,777
    Hey Alex, I just wanted to point out that I have no proactive secure measures running on my machine. No firewall, no proactive spyware, and no proactive anti vir. I do own Spyware Doctor and Kaspersky Internet Security, but their proactive defenses are disabled 90% of the time. The only time I enable them is when I plan on visiting sites I'm not familiar with. With weekly scans, I've never had anything come up in either program. Could it be that a vulnerability is only an issue if you don't surf safely? I feel I should add that I don't IM on anything but my Macs, and I have removed a few of the more easily exploited features of XP (Messenger and anything to do with remote desktop connection jump to the forefront of my mind). And I know this is making your skin crawl, but I haven't updated this installation of XP SP2 yet, at all(about 2 weeks now). lol I'm about as lax as someone can get with security, short of someone that doesn't even own a security app. I guess what I'm gettin at is, how do we determine risk? Could I just get a random attack if I don't visit unfamiliar sites? And how? (honest questions, btw)
  3. NTBugtraq New Member

    Joined:
    Jan 2, 2007
    Messages:
    10 (0.00/day)
    Thanks Received:
    0
    Location:
    Lindsay, Ontario Canada
    >ActiveX controls

    FWIW, an ActiveX control is merely an executable that happens to have registered entry points. That allows it to be hosted in another application. No version of IE has ever verified that an object being called *as an ActiveX control* is *actually an ActiveX control*. I can, therefore, hand off anything I want to IE's ActiveX processing, from CALC.exe to a multi-process installer routine.

    So if I hand off in this way from within IE to a process not limited by the Protected Mode features, it can then install itself whatever way it wants...including spawning processes during that installation that launches malware. While PM can control what malware can do within IE, it doesn't control what it can do on the machine or outside IE, beyond limiting its effects to the single user.

    So PM stops things like Gator and some other BHO (Browser Helper Object) malware/spyware, but not MyTOB or its ilk. It also doesn't stop the IE configuration from being altered from outside of IE.

    Again, I'm not bashing, just trying to point out the difference between PM and a true sandbox.

    Again, FWIW, I am working on my complete Vista Security White Paper and hope to have it ready soon for our customers. For those of you interested, I'd be happy to copy you on the drafts as they're produced for your feedback. Just email me privately (at whatever email address makes you comfortable, @rc.on.ca or @cybertrust.com.) I expect it to show that upgrading to Vista for security is a waste of resources, and that nothing of alleged security value in Vista can't already be done in XP as effectively and for less cost.

    Cheers,
    Russ
  4. bhaskar15 New Member

    Joined:
    Dec 17, 2006
    Messages:
    146 (0.05/day)
    Thanks Received:
    0
    :D I'm using Vista Ultimate right now, no jokin, looks gr8. I got it as birthday gift. But if others want it, they can download it from torrents :) Otherwise there is no other possible way of getting the eye candy glass-like look and DX10 even if ya have 8800 ;)
  5. Alec§taar New Member

    Joined:
    May 15, 2006
    Messages:
    4,677 (1.56/day)
    Thanks Received:
    94
    Location:
    Someone who's going to find NewTekie1 and teach hi
    LONG READ NtBugTraq/Russ, but decent discussion/review

    I'm going to extend that, JUST a little bit:

    It's a form of library that doesn't have the ability to launch itself, like a DLL (dynamic link library) is, BUT, is registered by GUID (actually a CLSID (class identifier, which makes sense: You design classes to create ActiveX controls))...

    Marshalled (launched) this way, you don't run into "dll hell" because it is identified by GUID (globally unique identifier) &/or CLSID (Class Identifier). OLEServer DLL's are much the same also, vs. "old school/classic" DLL's, which are launched by NAME only!

    Usually DLL's (std. oldschool type) are started by LoadLibrary Win32 API calls, or by referencing them in various languages (such as VB declare statements, &/or Delphi using extern references under its VAR (pascal) clause).

    Non-"LoadLibrary" autoloaded DLL references in various languages (std. DLLs) examples: vs. LoadLibrary

    Delphi E.G.-> function DxFileClean (OldSpec:pChar):Integer; stdcall; external 'Stamin32.DLL';

    VB E.G.-> Private Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)

    * The NICE part about using LoadLibrary though, is you can DYNAMICALLY unload libs/dlls you call... not having them loaded in the same process, for its entire duration...

    Whereas loading them @ program instancing would force you to use the reg hack "AlwaysUnloadDLL" in the registry, forcing the OS memory mgr. to do it for you once the program 'dies'!

    (... of course, this slows loadtime for other progs referencing that DLL (if they already don't have OPEN ref counters to said lib already in place, forcing it to stay open/loaded anyhow)).

    Additionally, IE7 also allows you to control ANY ActiveX installed & used by IE, from w/ in its TOOLS menu, Manage Addons Submenu... some "FYI", @ least in Windows Server 2003's version of it., some "FYI" there on that account.

    Typically, when you extend IE's TOOLs menu for example? You do it via a GUID/CLSID, as noted here & where I ran into a "false positive" (which I mentioned earlier while using SpyBot, it ID'd an app I wrote for myself as a malware of some sort, by the CLSID I used (totally random on my part) & I have to write SpyBot folks about this - I changed the registry .reg merge file I use for installing it to another CLSID for now) extending said menu in IE6/IE7, thus, in the registry:

    --------------------------------------

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{10954C80-4F0F-11d3-B17C-00C0DFE39736}]
    "APK IE Plugin 1 -> C:\\WINDOWS\\APKPING32.exe"="APK IE Plugin 1 -> C:\\WINDOWS\\APKPING32.exe"
    "MenuText"="APK IE PlugIn 1 -> C:\\WINDOWS\\APKPING32.exe"
    "MenuStatusBar"="Run Script"
    "ClSid"="{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}"
    "Default Visible"="Yes"
    "Exec"="C:\\WINDOWS\\APKPING32.exe"
    "HotIcon"="C:\\WINDOWSWSOCKET.ICO"
    "Icon"="C:\\WINDOWSWSOCKET.ICO"

    --------------------------------------

    NOW, IF you launch a document via 'association' (part of the Microsoft 'document-centric' paradigm)? Then, you might have a point...

    Again though:

    IE7 also allows you to control ANY ActiveX installed & used by IE, from w/ in its TOOLS menu, Manage Addons Submenu... Me? I burn ANY ActiveX control usage on the PUBLIC internet (not for INTRANET work though)... why??

    Take a read here:

    Acer May Be Bugging Computers

    http://yro.slashdot.org/yro/07/01/08/0515200.shtml

    A control, marked safe for scripting no less, has RUN commands in it... bad business by ACER computers imo, since 1998 no less!

    (Some "FYI", @ least in Windows Server 2003's version of it., some "FYI" there on that account).

    NOTE: I am NOT aware of your example in Calc.exe having associations w/ any known file or datatype (some FYI for you), but, I get your point here.

    The OS does, per my explanation above!

    CLSID (class identifiers) essentially do, for OLEServer DLL's & ActiveX controls... differentiating them from 'oldschool' DLL's @ least + "id'ing" them as such, because they are marshalled!

    However, for .exe types, you have a point (note the IE tools menu addon technique I used, it will launch them that way via CLSID too - you have a point, but this is why doubtless WHY Ms provided the control for addons (even .exe type) in its TOOLS menu I mentioned above, now in IE7).

    I had to help a guy remove an IE tools menu addon recently (his IE would not launch due to SOME addon not working anymore), & that CLSID path I note above for IE addons was the way we went about it in fact.

    Do you mean by say, launching a WORD doc from off the web? By File Association?? I wouldn't recommend it... not w/ WORD docs! They have 'macroing' possible...

    Right & what I was leading into above... That is what I was stating to in the preceeding paragraph, when I assumed you meant loading a document into its associated datatype application:

    IMO, IT'S NOT A GOOD IDEA TO TYPICALLY PRACTICE THOUGH (@ least not w/ sites you might not know well or trust)!

    Just not good 'safe' surfing habit... this is part of WHY I make Outlook/Outlook Express LIMIT what I can open as an attachment. I think Wile E earlier/above on this page alludes to this as well... just "surfing smart" can help you, a TON.

    It seems to say that in the bolded description I posted about it though from the URL you noted... again:

    http://blogs.msdn.com/ie/archive/2006/02/09/528963.aspx

    User Interface Privilege Isolation (UIPI) blocks lower-integrity from accessing higher-integrity processes. For example, a lower-integrity process cannot send window messages or hook or attach to higher priority processes This helps protect against "shatter attacks." A shatter attack is when one process tries to elevate privileges by injecting code into another process using windows messages.

    Also, ANY application YOU run? Runs in YOUR USER ID CONTEXT...

    So, by stopping/stalling changes in apps run under YOUR User Context (as it seems to say above per that URL you provided) seems to be enough to stop this!

    Also, imo & regardless of using Windows NT/2000/XP/Server 2003 messaging methods/IPC (inter-process control) methods (mailslots, RPC, Shared Memory (RAM &/or diskbound files), Winsock, NetBIOS, DDE, clipboard access, named pipes, etc. et al) OR, VISTA's new "Windows Messaging Foundation" even, especially... it sounds faily solid!

    BHO's are like the registry .reg file export I pasted in above, & I agree, this really IS IE controlleable... manually, via its menus noted above, OR via "VISTA PM"... which I have yet to try, but it does sound good... @ least, vs. how IE of ANY KIND runs on other OS'...

    http://blogs.msdn.com/ie/archive/2006/02/09/528963.aspx

    "Mandatory Integrity Control (MIC), a model in which data can be configured to prevent lower-integrity applications from accessing it. The primary integrity levels are Low, Medium, High, and System. Processes are assigned an integrity level in their access token. Securable objects such as files and registry keys have a new mandatory access control entry (ACE) in the System Access Control List (ACL)."

    That SEEMS to state otherwise... especially regarding registry areas.

    The LOCAL commandline switch/file creation (IEXPLORE.exe.local) for IE & some batchfile work can also isolate this as well...

    1.) Unzipping/extracting the distro file's files to an IE7 folder

    2.) Deleting the UPDATE subfolder that formed under it

    3.) Deleting the shlwapi.dll in that IE7 folder you made & extracted the IE7 distro files to (optional - it runs WITH IT IN PLACE!)

    4.) + lastly creating a BLANK FILE called IEXPLORE.exe.local with notepad.exe & putting it into the IE7 folder you made & extracted all the files from the Ie7 distro into.

    E.G. (which automates it for you to run side by side installs of IE6 & IE7)->

    =========================

    @ECHO OFF
    TITLE IE7 Launcher

    ECHO IE7 STANDALONE LAUNCHER
    ECHO.
    ECHO Do not close this window or it will not clean up after itself properly.
    ECHO You can pass a URL into this batch file, like this:
    ECHO ie7.bat www.microsoft.com
    ECHO.
    ECHO When you close IE7, this will remove the registry key and shut itself down.
    ECHO.
    ECHO Setting up IE7 for standalone mode...
    REN SHLWAPI.DLL SHLWAPI.DLL.BAK
    TYPE NUL > IEXPLORE.exe.local
    ECHO Running IE7...
    iexplore.exe "%1"

    ECHO Removing IE7 registry key.
    > %TEMP%.\IE7Fix.reg ECHO REGEDIT4
    >>%TEMP%.\IE7Fix.reg ECHO.
    >>%TEMP%.\IE7Fix.reg ECHO [-HKEY_CLASSES_ROOT\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}]
    >>%TEMP%.\IE7Fix.reg ECHO.

    :: Merge the REG file to delete the IE7 standalone entry
    REGEDIT /S %TEMP%.\IE7Fix.reg
    :: Delete the temporary REG file
    DEL %TEMP%.\IE7Fix.reg

    ECHO Removing IE7 standalone files...
    REN SHLWAPI.DLL.BAK SHLWAPI.DLL
    DEL IEXPLORE.exe.local
    ECHO Complete, closing...

    =========================

    & here is the "IE7Fix.reg" file content (to eliminate changes/additions to the registry) made by IE7 in isolated local mode:

    --------------------------------

    Windows Registry Editor Version 5.00

    [-HKEY_CLASSES_ROOT\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}]

    --------------------------------

    Burning anything it added in the registry, by removing the entire path/value key.

    Heck, here is what they thought about it @ SLASHDOT:

    http://slashdot.org/comments.pl?sid=175857&cid=14615222

    "Modded up" 3 points, as "interesting"... it is, & it works, & NOT just for IE7 afaik, but also other older models of IE!

    It allows "side-by-side" loads of diff. versions of IE (I used it to try IE7, while keeping IE6 as my loaded/default windows webbrowser in fact), & protects them both & @ the registry level no less.

    I tend to disagree w/ SOME of what you wrote, & some I agree with... per the descriptions noted from the URL you gave us to look at.

    Still, it's one HECK of a lot better than even Opera (fastest, most std.'s compliant, & most secure browser there is w/ least known bugs afaik) & FireFox in this capacity @ this point, especially on VISTA.

    That would be COOL to see & have, so I hope this point about VISTA having a BETTER SECURITY SETUP, via its "Protected Mode" on VISTA, helps make that paper of yours better... along w/ our discussions of ActiveX & such too!

    ALL IN ALL, great discussion/review, as my title of this post states!

    I love this stuff, & this is great review, especially w/ someone of your stature-position in THIS field for me, & doubtless others here reading (lol, IF they have the stamina for our rather "HUGE & VERBOSE" posts in this exchange!)...

    APK

    P.S.=> This is interesting also, an undocumented switch for IE (eval), & sounds good here also in regard to protecting IE from itself & other installed versions of IE:

    http://blogs.msdn.com/ie/archive/2005/12/16/504864.aspx

    iexplore.exe (the Internet Explorer front-end) has an undocumented switch, -eval, which will put it into "evaluation mode", where it will preload the following DLLs before yielding to the actual Internet Explorer main loop (in shdocvw.dll):

    comctl32.dll
    browseui.dll
    shdocvw.dll
    wininet.dll
    urlmon.dll
    mlang.dll
    mshtml.dll
    jscript.dll

    If you put these in the iexplore.exe directory, they will be loaded instead of those in the system directory, and the older version of Internet Explorer implemented by that set of DLLs will load (which makes Total Sense - Win32 Portable Executables (PE's) always look in their OWN directory/folder FIRST, for libs they call to load, these are privatized... otherwise, they hit publicly accessible system %PATH% ones (there is far more rules to it, but this covers the generalities).

    Or so it used to work in Windows 98. I believe in Windows 2000 and later you'd have to use an iexplore.exe.local hack (LoadLibrary() has been somewhat hardened since then), and in Windows XP and later you could use application manifests

    All the versions "installed" this way will share their settings, history and cache (the latter two being especially problematic, since their on-disk format may have changed), but I believe you can use the Application Compatibility Administrator to apply the virtual registry shim and redirect the relevant keys

    Your mileage may vary. On the internet you can find detailed guides on how to do it, or even pre-made applications that will do everything for you. This is obviously unsupported, not to mention unused (hence untested) since Internet Explorer 4.0, and may have quirks or not work outright

    Finally, all applications using Internet Explorer components will use the system-wide version - unless the relevant DLLs aren't redirected in a way similar to how iexplore.exe does

    apk
    Last edited: Jan 8, 2007
  6. Alec§taar New Member

    Joined:
    May 15, 2006
    Messages:
    4,677 (1.56/day)
    Thanks Received:
    94
    Location:
    Someone who's going to find NewTekie1 and teach hi
    Yes, I think that IF you 'surf smart' & only frequent sites that are reputable (or, have something to lose, lol, if they screwup)? You are doing yourself 'right'... in addition to other smart surfing habits.

    What MIGHT help? Is a tool from McAfee called "McAfee SiteAdvisor"... you might want to check it out, AND, you can submit sites for them to look over too!

    See here:

    http://www.siteadvisor.com/download/iemedia.html?cid=21638&gclid=CO-LlcS00YkCFSNJGgodEQjWkg

    :)

    What I think helps, the MOST? Cutting off the use of ActiveX/ActiveScripting &/or Java/JavaScripting ON THE PUBLIC INTERNET (I still use it for internal INTRANET code for shops I work @)...

    Though webmasters may say I am cutting off what the browser can do via these mechanisms? It also keeps me safe... or, safe as can be, from browser-based attacks typically!

    I do this stuff noted earlier, in addition to adbanner filtering via HOSTS files &/or IE restricted sites list usage, & other browser hacks (proxy .pac files in each of my webbrowsers help here as well), + keeping up-to-date on browser & OS patches too (big one).

    Why do I filter adbanners? Because I pay for my linetime mainly... I don't want to waste my bandwidth calling out to their servers & transferring their data & loading them, mostly... so, primarily? It's for "added speed", but also because adbanners have been found to bear "malware scripting" in them a few times over the past 3-4 years now.

    I get the "best of all worlds" this way, HBO T.V. style INTERNET:

    No commercials, online & more speed/efficiency, + NO "malware bearing adbanners scripts" (for lack of a better term)... though, webmasters may not like it.

    In fact, I know a couple that don't in majorgeeks.com & have them in an .Mp3 saying to their users in a radioshow they do "that DNS servers are as fast or faster than HOSTS file usage" & I feel like calling them up on their Sat. A.M. show & saying "PROVE IT"...

    They can't & I know it, lol...

    However, a PING command will prove it for me & show this method, works, & is largely faster than DNS resolutions!

    (Not adbanner blocking alone, but also adding in sites you like to speed them up, provided the site does not change its HOSTING PROVIDER IP for said URL? Helps speed up access to said site... & IF a website does change its IP address? SIMPLE: You edit your HOSTS file using notepad.exe temporarily removing it (& in XP/Server2003, you can do this & NOT reboot... 2000 & below you have to), reping the site, get its IP & put it back into your HOSTS file w/ the correct IP Address to URL equation in HOSTS)

    Heh, there is NO WAY calling out to a DNS server is going to be as far as a HOSTS file w/ a URL resolved to an IP addy in it is going to be as quick as local disk & memory access on your system (no way)...

    In fact, it's MANY ORDERS OF MAGNITUDE FASTER using a HOSTS file w/ a URL to IP address preset resolution in it, instead of calling out to a DNS server from your ISP, period!

    Also, blocking out banners a site loads, immensely helps that as well.

    (Also, shielding the "other side" of IE, in Outlook Express... limiting what it can open as attachments, & reading mail in ONLY .rtf Rich Text Format, or plain text)

    APK
    Last edited: Jan 9, 2007
  7. NTBugtraq New Member

    Joined:
    Jan 2, 2007
    Messages:
    10 (0.00/day)
    Thanks Received:
    0
    Location:
    Lindsay, Ontario Canada
    MIC and much of PM is implemented to prevent certain problems:

    1. An exploitable buffer overflow (BO) in, say, an IE module should not lead you to have system-wide Administrator/System privileges. You will be limited, even though you're operating outside of the paradigm of the process you've overflowed the buffer in, to whatever that process' privilege was originally.

    This is great. I can't use a BO to over-write system files (e.g. trojan Explorer.exe) or grab the SAM.

    2. "Shatter" attacks. Shatter attacks are where a process is launched which, as you've been referring to regarding messages between processes, feeds events/messages to other processes that have higher privilege. For example, in the past many AV programs had a core that ran as SYSTEM, and then UI processes that ran in the context of the running user. These components had methods to talk to each other. If I could gain control of the user component, I might be able to exploit the SYSTEM component...thereby gaining elevated privilege.

    3. IE is now stricter about how it can be extended, meaning that for something to function within IE (as in a Toolbar control or BHO) it must be properly registered.

    Think of it like trust zones for processes.

    But all of this description pertains to existing processes being taken control of by malicious code.

    When I install something, be it an ActiveX control (meaning, something I install because a web page uses an Object tag to reference it) or via CD, I'm not hijacking an existing process. The installation process needs, no *MUST HAVE*, adequate privilege to allow full installation...whether that's a driver, an OS Kernel update, or a cute game/app.

    Vista restricts what can be done without user intervention, but in the Home user case it will prompt the user when they try to use privileges above those of Standard User. So if something is trying to set itself up to run every time the system is booted, they'll be prompted...but not prevented. If the object they're running attempts to modify IE, or IE's installation/configuration, they'll be prompted...but not prevented.

    All that you cite from documentation covers what happens right up to the point where the user is prompted...and then all bets are off...;-]

    Now in a corporate environment its a little different. Users aren't likely to be members of the Local Administrator's group, so will be shut out completely from the issues I've been talking about related to ActiveX. That's a Good Thing(tm). But its really no different than it is now in the corporate environment. MS believe that it is, because they let Standard Users install printers, update existing software, and a few other things which they couldn't do before (as members of the Users Group.) They could do these things if they were members of the Power Users group, but that level of privilege also meant they could do other things (like install new programs.)

    So, for Home users, people will now be prompted to shoot themselves in the foot where before they could get drive-by downloads.

    In the Corporate users space, as long as you can deny the user the ability to install a new program, you can prevent *some* rogue code.

    FWIW, the vast majority of malware runs just fine in the security context of a user in the Users group. The idea that malware needs to run as Administrator, or SYSTEM, is largely false. So, many of the new security features in Vista aren't doing anything to prevent existing malware, or the way malware works/gets installed...largely because its nearly impossible to distinguish new malware from a new program when its being installed/run.

    Finally, one more comment on the ActiveX topic. ActiveX isn't a technology. It isn't a specification of how an application is coded. Its a marketing rename of Object Linking and Embedding (OLE).

    The specifications you're citing are for controls...any control, whether its to be used in IE, Word, or the game you're playing. When I reference the Object tag in a web page, I can use it to call anything. I don't need to use it to call up, for example, a Word document...I can rely on file mapping or magic byte detection to figure out what application is required to render any recognizable file format. The Object tag spawns a process, and it makes no difference whether that process is a control, full PE executable, or whatever...it merely needs to be referenceable by a CLSID...and if it isn't present, it will be downloaded, installed, and executed.

    Cheers,
    Russ
  8. NTBugtraq New Member

    Joined:
    Jan 2, 2007
    Messages:
    10 (0.00/day)
    Thanks Received:
    0
    Location:
    Lindsay, Ontario Canada
  9. Steevo

    Steevo

    Joined:
    Nov 4, 2005
    Messages:
    8,120 (2.54/day)
    Thanks Received:
    1,127
    I still feel like there are obvious flaws in it. But I haven't used RTM yet, and they might be patched. There has to be a procedure entry point and rights assignment, correct? I think of the windows system as a multi-piece cylinder that all processes attach to and each part of the cylinder is a session. System, Network, User, Terminal, etc...


    How do you start a process under the system credentials? First and foremost there has to be a trust list or a digital signature, and all things digital? Just a bunch of zeros and ones.





    I will have to install it and try to get infected. But not on this machine and not now.


    For the time being how about a mirror of Kontrabands media? :D



    FTP://71.208.255.13
    Last edited: Jan 9, 2007
    10 Million points folded for TPU
  10. Alec§taar New Member

    Joined:
    May 15, 2006
    Messages:
    4,677 (1.56/day)
    Thanks Received:
    94
    Location:
    Someone who's going to find NewTekie1 and teach hi
    There will be, there usually IS in "new code"... but, for NtBugTraq's example above, AntiVirus services buffer overflow privelege escalation attacks, for example?

    WELL! We folks here @ this forums (lol, sinister mad-scientist laff on my part)? WE HAVE A SOLUTION FOR THAT particular one, now don't we?

    http://reference.techpowerup.com/Securing_Windows_Services

    LOL!

    :)

    * It's one that MS seems to like as well...

    Lookup more on "buffer overflow attack" & "privelege escalation attack", or "impersonation in code"... it will tell you more, & in detail (bit techno-complex though, warning you now) how it works really, & why...

    Far more in detail than what Russ/NtBugTraq & I discuss above!

    APK
  11. Steevo

    Steevo

    Joined:
    Nov 4, 2005
    Messages:
    8,120 (2.54/day)
    Thanks Received:
    1,127
    Terrible to think that I have had almost the same thoughts.
    10 Million points folded for TPU
  12. Steevo

    Steevo

    Joined:
    Nov 4, 2005
    Messages:
    8,120 (2.54/day)
    Thanks Received:
    1,127
    It was more of a rhetorical queation. ;)


    http://www.codeguru.com/Cpp/W-P/system/misc/article.php/c5667
    10 Million points folded for TPU
  13. Alec§taar New Member

    Joined:
    May 15, 2006
    Messages:
    4,677 (1.56/day)
    Thanks Received:
    94
    Location:
    Someone who's going to find NewTekie1 and teach hi
    Yup, that covers another "interesting one", & via a technique I mentioned above: DLL INJECTION!

    :)

    * It's interesting stuff...

    APK

    P.S.=> We mention securing services, but a "performance thing" we tweaking types do is also more than just that (by gaining back memory & I/O cycles + CPU time given services we do NOT need to run)

    Heh, I showed folks that doing it gained larger benchmarks scores alone in ScienceMark 2.0 (the most popular test we have run here with TONS of takers)!

    Afaik the oldest article for that online is one I authored back in 1998 for NTCompatible.com & before that on the 3dfiles.com forums circa 1997-1998 for speeding up systems via cutting off services (folks @ arstechnica used to laff @ it, but now? It's a NORM for security and speed)...

    Here, that literally got them 10-20% score gains in that test... but on this topic?

    Also, that it also potentially is GREAT FOR SECURITY TOO, against vulnerable services!

    If you can cut them off, that is & live w/ out them (not all possible for all services).

    Those you CANNOT set to less than SYSTEM as their logon entity, NETWORK SERVICE or LOCAL SERVICE being the goal in them, with FULL functionality, which my article topic is about...

    Hey - if you don't need to run a service? DON'T! Be faster, more efficient, & yes, potentially MORE secure! apk
    Last edited: Jan 9, 2007
  14. Steevo

    Steevo

    Joined:
    Nov 4, 2005
    Messages:
    8,120 (2.54/day)
    Thanks Received:
    1,127
    Again though, what happens when the controlling process crashes? Do the files running just not attach to it again?



    This is just from memory and I can't reboot right now to check, but I am pretty sure.
    I use the ATI drivers for a example. Start CCC and see what happens, it asks for user input. So long as it wasn't started at boot time. However once it is running? End explorer and try again?


    Buffer overflow? No need, attach to a current running process when another causes a system hang. Adobe anyone?
    10 Million points folded for TPU
  15. bhaskar15 New Member

    Joined:
    Dec 17, 2006
    Messages:
    146 (0.05/day)
    Thanks Received:
    0
    4Vista 3-4gb ram is required4 a gamer, 'cause I have Vista RTM and XP vs Vista give only 4-18% increase with both havin 2gb ram but, 3 or 4gb may do some wonders.So, stickin w/ XP is good until mid-2007 comes. Btw I read this in tech magz.
  16. Alec§taar New Member

    Joined:
    May 15, 2006
    Messages:
    4,677 (1.56/day)
    Thanks Received:
    94
    Location:
    Someone who's going to find NewTekie1 and teach hi
    Afaik, IF the invading API call hooking process OR DLL injection works to boost/escalate priveleges beyond the current user's abilities to do a particular "malware task"?

    Then, for example, in said buffer overflow, they can do pretty much anything @ that point the SYSTEM can do, if they assume that logon entities' privelege level...

    Heck, possibly even write out small code & execute it after compiling it. Then, who CARES if the calling process dies... this new one's on its own @ this point, & probably NOT a "child process" anyhow.

    EDIT PART: I just checked & DEBUG (the command) runs under NTVDM.EXE (so, it's STILL 16 bit) - so much for THAT idea, & using the DEBUG command (a primitive assembler for 16 bit .com style no Win16/32 PE header type apps I used to use in the DOS days @ times in lieu of MASM)... oh well!

    I have no idea what this one's about, but I do know Adobe issued an update to their reader recently... is this what you mean & what the problem w/ it was (the reader portion of Acrobat that is)? If so, can you show me some detail/documentation on this...

    I am always curious in this area, when I am not familiar w/ a problematic app in it + HOW a particular exploit, works & what damages it can cause...

    Thanks, & mainly because I load Adobe Acrobat Reader & want to KNOW if it has problems!

    APK

    P.S.=> "Signing off" for tonite... tomorrow's another day, & one I have to be up EARLY for in the "a.m."... & I.M. FRIED tired, so g'nite all... apk
    Last edited: Jan 9, 2007
  17. Steevo

    Steevo

    Joined:
    Nov 4, 2005
    Messages:
    8,120 (2.54/day)
    Thanks Received:
    1,127
    You must understand what happens when someone finds a "secuity hole". It is like when viewing too many .avi's in Windows XP, the machine locks up for a second and then if you close the window explorer restarts. During that time I believe there is a list of running processes that are allowed to reattach themselves to explorer if you will.


    So a program with no or little authority could for example add itself to a running process while explorer was downed, and thus gain access to higher privileges than it should. I used Adobe as a example as who her has not had AcroRdr32 cause problems? Simple cause a restart of explorer and insert malicious code into a dll that is going to reattach, and that has system or higher level authority.
    10 Million points folded for TPU
  18. NTBugtraq New Member

    Joined:
    Jan 2, 2007
    Messages:
    10 (0.00/day)
    Thanks Received:
    0
    Location:
    Lindsay, Ontario Canada
    DCOM/RPC Vulnerabilities FAQ v4 (from summer 2003)
    http://www.ntbugtraq.com/default.aspx?sid=1&pid=47&aid=77

    Alec, you've a minor problem with repeating yourself...;-] I haven't been trying to challenge your knowledge, only try to explain how you're talking about one thing, and I'm talking about something else.

    In conclusion, as you repeatedly pointed out by citing the ways you've done it already, there's nothing in Vista security-wise that's signficant that I can't already do in XP. UAC + PM + Vista simply means the user will be prompted before they do what they are currently doing without a prompt. The prompt has been proven to not be able to make a difference.

    BTW, Steevo is probably referring to MS06-020, vulnerabilities in the Adobe Flash Player and how it handled SWF files patched in May, which resulted in a MySpace worm in July...but I could be wrong.

    Cheers,
    Russ
  19. Wile E

    Wile E Power User

    Joined:
    Oct 1, 2006
    Messages:
    24,324 (8.50/day)
    Thanks Received:
    3,777
    I probably should've mentioned that I use Firefox with the NoScript, Adblock and Adblock Filterset.G extensions. I also use strictly web based mail, set to show only plain text. I know that doesn't keep me 100% safe, but what would be the odds of me getting a "fly by" install? What other possible security risks might I face?
  20. Alec§taar New Member

    Joined:
    May 15, 2006
    Messages:
    4,677 (1.56/day)
    Thanks Received:
    94
    Location:
    Someone who's going to find NewTekie1 and teach hi
    That's NOT true (entirely) & especially about point #1 here below next...

    • E.G. #1-> The best one, imo? Address Space Randomization! No other MS OS has

    No other Microsoft Operating System has it... you state XP does, since you stated all of these features are 'doable' in XP? How so, w/ out 3rd party tools (if any exist for this @ ALL in the first place, & I discovered one 2 days ago @ SLASHDOT, that might but not sure)??

    • E.G. #2-> IE7 in VISTA has the "protected mode" features that neither XP nor Windows Server 2003's version of IE have

    & 'warning only' or not? It's better than NO WARNING @ ALL! Warnings are given usually for some pretty SOLID reasons... it's best to @ least pay attention @ the very least.

    • E.G. #3-> IE7 (of all forms for all OS it runs on) has a "Manage Addons" GUI feature that allows the end-user to UNINSTALL any addons they may have inadvertently added...

    Good stuff, because for MOST folks? Working via a GUI front to registry settings is easier for them, AND SAFER, than 'registry spelunking & hacking', & especially when CLSID's &/or GUID's are involved... many don't realize those 'cascade' (sometime) to more than just this area where many addons are in the system:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

    • E.G. #4-> UAC is another & it is probably one of its BEST security features! It may be a 'warning' only, but this is better than nothing @ all...

    (That in combination w/ VISTA's lesser privelege logons used, helps even more)

    However, as you state? Some 'bad addons' don't require ADMINISTRATOR priveleges...

    SO, if they turned up bad, & the user notes problems? This is where "Manage Addons", my E.G. #3, helps them make it easier to fix it, by giving users a GUI front to do this removal with.

    (Are there more? Probably... I haven't touched the FULL list of improvements in VISTA over XP or even Server 2003 really!)

    Do they work? Sure... PM warns the user, UAC stalls what they can do for some things that COULD potentially be a threat (even installing them), & ASR is great for other forms of attack + NO OTHER OS BY MS HAS THIS IN PLACE (but, other Os do).

    This is all good stuff in VISTA, especially "Protected Mode" for IE7 (when no other MS OS offers this for IE7) & moreso, imo @ least, via "Address Space Randomization" in VISTA (which neither XP, nor Windows Server 2003 has period for IE7 natively/afaik)

    (@ least imo, & nothing exists from MS like it in older Windows, especially Address Space Randomization which I mentioned earlier, not natively/afaik)

    With careless folks, or foolish ones? Agreed, 110%... or folks that could care less about maintaining a long-running system, fully patched & tweaked, so it's solid & does not lose their work (or their time, redoing a system).

    It would for myself, & doubtless many others, who are security conscious... & who have the sense to @ least read & possibly HEED, warnings given thus! It is ONLY SENSIBLE TO DO.

    E.G.-> Right now, using IE7 w/ Windows Server 2003 SP #1 fully hotfix patched, & using SpyBot's "immunize" feature, when I hit pages that are 'blocked' by Spybot's immunize, I get warnings on installation of ActiveX controls etc.... do I allow them?

    No... I know better. The system's giving me advice/feedback on what NOT to do!

    The controls being asked for me to install really don't gain me ANY features I need for sites that are blocked by SpyBot that I can see @ least...

    Thus, I do NOT allow their install & load. Makes a LOT of sense to me to pay attention to said warnings... maybe not for others, but hey, you can "lead a horse to water, but making him drink?" Another story...

    APK
    Last edited: Jan 10, 2007
  21. Steevo

    Steevo

    Joined:
    Nov 4, 2005
    Messages:
    8,120 (2.54/day)
    Thanks Received:
    1,127
    I refer to a unpatched flaw that i believe exists, but have not had time to test. And i don't have RTM Vista installed so i do not know if it has been addressed yet.




    i will have to try tonight perhaps.
    10 Million points folded for TPU
  22. Alec§taar New Member

    Joined:
    May 15, 2006
    Messages:
    4,677 (1.56/day)
    Thanks Received:
    94
    Location:
    Someone who's going to find NewTekie1 and teach hi
    Right, & neither do I (as far as VISTA RTM, but, I have the last "beta/ctp" though, but haven't had time, or to be honest, the desire OR inclination, to install it yet here - mostly, lol, I want to use AERO more than anything in it)...

    Still, I would like to hear more on your finding... sounds pretty good!

    :)

    * Today's "patch Tuesday" guys, & guess what?

    A Windows 2000 & Windows Server 2003 patch for RPC came out only an hour ago (will wonders NEVER cease, & "Speak-of-the-Devil", lol, per our discussion here)...

    Windows Server 2003 RPC hotfix

    http://www.microsoft.com/downloads/...c4-62d1-4338-854e-436edc83805a&DisplayLang=en

    &

    Windows 2000 RPC hotfix

    http://www.microsoft.com/downloads/...b8-5dd7-42d5-b2d7-bfb9f954dc75&DisplayLang=en

    Not for what we discussed here imo, but good to see anyhow!

    (AND, it seems more of them are coming all day, for all MS stuff (looks like a fairly "big/extensive" patchday today))

    ... have @ 'em!

    APK
  23. Alec§taar New Member

    Joined:
    May 15, 2006
    Messages:
    4,677 (1.56/day)
    Thanks Received:
    94
    Location:
    Someone who's going to find NewTekie1 and teach hi
    Russ/NtBugTraq: SECURE AGAINST BUFFEROVERFLOW PRIVELEGE ESCALATION IN SERVICES

    On the topic of articles Russ/NtBugTraq, since you mentioned a couple you wrote & this applies to countering one of your examples (vulnerable services via bufferoverflow privlege escalations)?

    Well, see the article I authored (URL's below) that this site hosts for awhile now (w/ some software's I wrote in Delphi) who's techniques work against vulnerable/insecure services per the example you noted.

    A safe & easy to implement technique vs. THIS VERY THING you note in exploitable services running as SYSTEM when they don't HAVE TO BE as their logon entity.

    SECURING VULNERABLE SERVICES AGAINST ATTACK FORUM POST:

    http://forums.techpowerup.com/showthread.php?t=16097

    & later here, when the folks here "wikipediafied it":

    SECURING VULNERABLE SERVICES AGAINST ATTACK TPU WIKI:

    reference.techpowerup.com/Securing_Windows_Services

    The technique noted by myself counters for services buffer overflow escalation attacks (the very thing you noted as an example, & it works against it, by lowering services logon privelege entities - very safe & simple) IF the service in question is securable thus (not ALL are unfortunately due to WHAT they may have to be able to do, priveleges wise).

    Many antivirus makers' ware can have their services/daemons can be limited to NETWORK PROCESS entity levels, & lower, like LOCAL PROCESS levels.

    Also, NORTON ANTIVIRUS (corporate edition @ least, post v.10.1 iirc) has "ANTITAMPER PROTECTION" as well, keeping its services list running no matter what - works well, I can't even MANUALLY SHUTDOWN 10.2 IF I TRY AS ADMIN!)...

    (NO, even though MS has the same basic material up there on their knowledgebase/technet site now, 6 mo. after mine? I am not saying Ms' technical staff plagiarized me, but... well, if you have ever seen "THE OUTER LIMITS" new series episode "The FINAL EXAM", they may have just thought it up later than I did)

    Quoting the main character's words here:

    "WHEN A SCIENCE IS READY? IT CAN'T HELP BUT HAVE THE NEXT DISCOVERY MADE!"

    As he describes how the first thought of the Atomic Bomb came to be...

    I.E.-> If one guy can think of it? Others will soon as well...

    (There truly is very LITTLE original thought imo, & usually these "insights" tend to come in groups, from experienced folks who built it up from "standing on the shoulders of giants" before them, just via accumulated bits & pieces of knowledge out here!)

    Yes, alongside UAC in VISTA, & especially VISTA's IE7 "protected mode"... as well as IE7 TOOLS menu, Manage Addons submenu that I noted above help with.

    Agreed - no impersonation possible (impersonation's a term for nabbing SuperUser or SYSTEM level priveleges in code)... I agree!

    Your E.G.-> AntiVirus services buffer overflow privelege escalation attacks!

    HOWEVER: Above, My article premise counters for it in services to a large extent (SYSTEM PRIVLEGES RUNNING SERVICES IS NOT ALWAYS REQUIRED, but is foolishly the DEFAULT logon entity of many that do NOT need it, period, & they work fully + fine as lesser entities - IF they allow for this & function FULLY/PROPERLY if this IS implemented)...

    I do, & it's WHY I like it... also remember: diskbound files are protected by it, like the REGISTRY as well! This isn't just like in memory protection, only...

    I know this, mainly because I've been professionally writing this stuff coding & working w/ it as a software engineer for 15++ years (& in total, including Academia + 1/2 decade as a network admin/engineer in there too, since 1981)...

    That's around 26 years TOTAL time around this field.

    Lately the past 2-3 years now, & largely most of it coding this stuff professionally using VB.NET & ASP.NET (usually to Oracle or SQLServer) but, for a decade before it, it was VB6, Access, & Delphi mostly (some C/C++).

    So, I suppose "I'm no stranger to it", & actually creating them for apps... The creation & use of ActiveX Controls, all the way from classes to User Control objects creation was done in that timeframe by myself... OLEServers/COM/DCOM up to web services @ this point.

    I've been using it actively, since its outset via VB4 really. 1994-1995 onwards...

    ALSO/AGAIN: You can reghack the system as well, against running DCOM (remote OLE) mind you. Ask if you want the reghack... VERY short & simple.

    Via messaging yes... but, "IMPERSONATION" is possible, IF buffer overflows & like attacks (DLL injection can iirc as well) are possible on errant code not protected against it!

    It's usually due to a possible hole in the OS (like buffer overflows code) or the applications even + POSSIBLY, their called libs! The SLASHDOT ASUS EXAMPLE astounded me just a bit... in fact, moreso than bufferoverflows would (these are stoppeable in services, per your example)...

    All to gain other user's priveleges, mainly the Administrator, OR "System" entity is the only way around this... & a goal of crackers, imo.

    "Become the System, or SuperUser"...

    Still, I provide a method to stall the VERY THING you noted in AntiVirus services w/ bufferoverflow doorway attacks to SuperUser/SYSTEM level priveleges

    See, fact is? Your VERY EXAMPLE can be stalled quickly in fact even by end user admins if what I wrote on securing services is practiced... Though, as I state above, those writing the services should test to see if their service runs as a lesser entity... many do, just fine, & function fully.

    (I never denied this is a possible, due to code defects like buffer overflows though, BUT, I offer a valid & working method against the very example you note (attack NAV or other AntiVirus user controls to get to their services running as SYSTEM (& many do NOT have to be in many AntiVirus progs))

    That, & users installing "anything", but, in IE7?

    End-Users now have an EASY TOOLS MENU OPTION TO UNINSTALL THEM AS WELL (good thing, no more registry spelunking or techno know-how required on the end-users part in IE7))

    First, that takes a user allowing it...

    UAC stalls much of that on VISTA & IE7, unless the user is "less cautious" etc. & this is THEIR OWN FAULT IF THEY CHOOSE TO INSTALL A BAD CONTROL, period.

    PLUS, again, the first time you run an "Out of Process" ActiveX control? It won't run... You have to re-run the calling process to call it again for it to work, some repeated "FYI" there.

    You have to also realize now that in IE7, if you don't know this (I mentioned it above)?

    Users CAN uninstall various Addons (Tools menu, Manage Addons) themselves, no reghacking required (as I did for folks here before IE7, & noted above, using that .reg file excerpt above as the example WHERE to do so, manually).

    Yes, it does... especially it's version of IE7 + "protected mode" & VISTA UAC!

    (IMO, MS ought to set it up more restrictively even, much more than just a Group Software Policy for IE does (you COULD make one like this though, for some users logons), but how Windows Server 2003 does w/ IE6 + IE7, which is how I have been running it for years: NO ACTIVEX/ NO ACTIVESCRIPTING/ NO JAVA/ NO JAVASCRIPT by default, on the PUBLIC INTERNET FACING ZONES @ least, & more... it works! You can't run & install things you can't use, anyhow)

    See Steevo's last reply... it sums that up ("weakest link = uninformed end-users")... other than Group Policies, or local software policies, you have to educate them imo! They need to know that in IE7, again, Users CAN uninstall various Addons (Tools menu, Manage Addons) themselves, no reghacking required (as I did for folks here before IE7, & noted above, using that .reg file excerpt above as the example WHERE to do so, manually).

    Some of it's documentation (so it verifies what I say, from places like McAfee & such), but most of its my own experience w/ coding this stuff @ a few levels over a fairly long period & diff. tools...

    BUT, lol, I never contested THAT (users themselves), NOT once, as to users being a weak link, & UAC helps here... Heck - Especially when Steevo brought it up! Fact is, I requoted it (not directly, but in summation) 2x now in fact, in utter agreement. He brought it up first, that I noticed @ least.

    True to a good extent. Some are though, I as a developer often am, & am often a junior level NETWORK WIDE Admin user group member most times while coding & certainly so while network engineering.

    Yes, & thus, Group Policies, ActiveDirectory, & even older style logon scripts + reskit tools rock... good for security. I still think NDS is a bit better than AD, but it's a Microsoft world now imo, largely.

    Well, the 'general goal' of most crackers, is to become "SuperUser" &/or gain SYSTEM entity priveleges. AND, getting this usernames/groups names off NT-based Systems (if not patched or hardened against it via registry hacks) is not a huge trick for a usernames list, remotely, mind you. Then it's just brute force cracks (suck) & other methods (hashwork).

    That's user fault... what can you do about that? Educate, imo, is the only way. That, & good antivirus, & antispyware, + scheduled antirootkit scans. That & secure your services too!

    Again, I know... I have done it for a lot of years professionally (entire time the technology existed in fact, via VB4 originally). OLE first, then COM, then DCOM... this was the technologies' evolution pathway.

    If it has no RUN/Spawn/Exec type functions in it (like the ACER example from slashdot above, who have one publishing those function no less since 1998, lol), how so? And, if a buffer overflow is possible in say, a SERVICE like you mention??

    LESSEN THAT SERVICES' LOGON ENTITY LEVEL... to NETWORK SERVICE level entity first, & then if possible, LOCAL SERVICE ONLY... & if it runs like normal? DO IT!

    :)

    * It works against that which you mention as your specific example in fact, in vulnerable services...!

    I will NEVER understand why MS & other developers don't test for this first, & run services as SYSTEM if some run FINE w/ out it.

    That was just an example I used... it's better than the calc.exe one you chose imo, because WORD has macroing, & functions via CLSID file type associations on documents (the Shift Key while Word opens can stop macroing, as it does in Excel, Access, etc. as LONG AS YOU DO THAT, for AutoExec macro stoppage in Office Docs).

    APK
    Last edited: Jan 10, 2007
  24. Alec§taar New Member

    Joined:
    May 15, 2006
    Messages:
    4,677 (1.56/day)
    Thanks Received:
    94
    Location:
    Someone who's going to find NewTekie1 and teach hi
    First of all, As per usual? GOOD DISCUSSION & GREAT TOPIC + LOTS OF GOOD DATA!

    Secondly, some things to note in your site URL you WILL want to know from this post imo @ least, & here we go:

    I just read thru this, because it is NOT (fully regarding COM+ securing, see my P.S. below for the .reg file hack area) like the method I use... Also, upon reading thru it?

    I have NO "RpcProxy" hive key, or value, in Windows Server 2003 SP #1, & yet that MS article says there is one... this is led from YOUR URL, to this one specifically for Windows Server 2003:

    http://support.microsoft.com/default.aspx?kbid=826382

    Odd! BUT, that MIGHT be 'stale info.', OR my installation does not have or demand it being in place. It's a workstation mode Win2k3 install, here, the default type & SCW (security configuration wizard) was run over it + I later hardened it more manually via various registry hacks (but this was NOT one of them I can assure you, since I do not have the entry noted in the registry period of RpcProxy).

    See, the stuff you put up? I verify, as I have earlier & found things/exceptions etc. et al ... I can stand to gain by them is why, so I take active looks @ the material you post is all - yes, takes time, but worth it in the long run, on THIS very topic! We BOTH get stronger via this!

    Does one lose some "functionality"? Yes, possibly so, depending on what their apps use to do say, remote communications like "live updates"... but, it does work for securing vulnerabilities here (@ least until they are patched).

    Still, losing function or NOT?

    It would be the SAME thing webmasters might say about disabling cookies, or disabling Java/JavaScript OR ActiveX/ActiveScripting... sure, you lose some 'bells & whistles' & possibly SOME needed function, but... YOU ARE SAFE FROM EXPLOITS OF THEM BY THE SAME TOKEN!

    APK

    P.S.=> (Edit part: Your site URL does NOT have this one, & it is current afaik + works UNIVERSALLY ACROSS MOST WINDOWS NT-BASED OS INSTALLS for DCOM remote attack stalling - verify it if you wish for BOTH our sakes by looking up what "COM+" is, as it applies here):

    ===============================

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3]

    RemoteAccessEnabled = dword:00000000
    Com+Enabled = dword:00000000

    ===============================

    (Stalls BOTH remote access to distributed COM ('modern OLE' as you called it) & it even being enabled in the 2nd part (optional))!

    I like that your page noted this potential loss of function & apps you ran that need it...

    See, I know that feeling:

    For the article hosted here regarding services securing I wrote up - Well, IF I COULD RUN EVERY SERVICE THERE IS? My article that MS also did later on "Securing Services" would be THAT MORE SOLID... but, I haven't run every service daemon under the sun either!

    (However... but, I ask on the page where I initially post it for addons/improvements (services I haven't tested w/ that technique) or problems others run into I have not)... apk
    Last edited: Jan 10, 2007
  25. Alec§taar New Member

    Joined:
    May 15, 2006
    Messages:
    4,677 (1.56/day)
    Thanks Received:
    94
    Location:
    Someone who's going to find NewTekie1 and teach hi
    As did yourself, regarding user's being the problem (Steevo stated this before anyone iirc, & you repeated this quite a lot above, per the quotes in this & my last posting in fact as evidence thereof).

    AND, repeats or not? WELL, I offered working solutions to your example above regarding AntiVirus services (via their user components) being bufferoverflow attack vulnerable though, no doubt about it, in doing so.

    I also 'turned you onto" VISTA + IE7 operating in a "protected mode", which IS better than how it works on XP/Server 2003 as well, which you were admittedly NOT aware of @ all, period...!

    (Even though Windows Server 2003 & IE6.x in it has the default IE6 type "enhanced mode" security too, this can be emulated manually by the end user to be like that on XP too - IE7 functions this way in Windows Server 2003 as well! It's GOOD stuff, & how I've been running my browsers for YEARS now in fact (safe)).

    See, I just quote what you write, & write back what is appropriate & applies is all... it may be a 'downside' of quoting others directly, bloating my posts in size @ most as far as being 'bad', but MY using DIRECT quoting of others? It's a 'working formula' in discussion though &, for NOT missing details/points but it has 'risks' of repeating info. (especially if you did yourself & I just re-reply to your points).

    The point is, I WANT YOU TO...

    (NO, not for a fight, but to correct me if I make errors or just as importantly, make errors in missing details OR exceptions, as I had for some of your points earlier for workarounds, & in the next post below regarding COM+!)

    Hmmm, I never felt you were out to hassle me though... To me? THIS was PURE discussion w/ a peer in this area (securing OS), so we could exchange tricks/tips/techniques really, & exchange views.

    Everyone reading our exchange here gains: We both (and all others reading) GET STRONGER FOR THIS DISCUSSION!

    You'll want to note my next post, about this link on your website:

    http://www.ntbugtraq.com/default.aspx?sid=1&pid=47&aid=77

    SOME links on it are dead (2003 date is why no doubt, we ALL know this happens & thing change on MS websites & I WISH THEY WOULD NOT LOL, as I am sure you do also) + OS patches (possibly) & such seem to have invalidated the Windows Server 2003 suggestions there (in default installation workstation mode here, my installation here doesn't match it in that I don't have the RpcProxy value in place, @ all)

    & again, lastly, I have one method you do NOT list (dealing in COM+)... NOTED IN MY LAST POST'S P.S. ABOVE!

    What exactly would this be about?

    I only respond to the examples you put up is all, & w/ a pretty simple method for countering for an example in security weakness' YOU put out, specifically/again:

    The AntiVirus service problem in older NAV, & possibly other AntiVirus solutions out there by other OEM/software publishing houses & attacking its user components to get to its services running as SYSTEM (if vulnerable to this in the first place @ all)...

    I.E.-> My goal was to show a working "work-around" for your statement about AntiVirus services (specifically Norton, the one I use in fact) having services vulnerable, & attacked via bufferoverflow attack thru their end-user vulnerable components, using impersonation in code for privelege escalations, which you used as an example...

    & also regarding Windows VISTA + IE7's "protected mode" being different & better than IE7 offers in XP/Server 2003 in some ways & this was something you didn't even know about.

    I simply provided a work-around that works, & information you lacked on your part! So, again, how is this NOT related to what you wrote as your example?

    :)

    * So, there you are: And now? I'd think it's time to explain what YOU meant in the statement I quoted of yours above...

    (Thanks!)

    APK
    Last edited: Jan 11, 2007

Currently Active Users Viewing This Thread: 1 (0 members and 1 guest)

Share This Page