Sunday, December 31st 2006

One month after Vista released to manufacturers, there is no major rush to upgrade

It has been a month since Microsoft released their latest (somewhat) public copy of Windows Vista, and there has been no major upgrade to Windows Vista in most corporations. Since Vista is technologically solid, why is there such a slow adoption of the software? There are several reasons, but the most obvious are pointed out in a quote by Russ Cooper, a senior information security analyst at Cybertrust.
"I say Microsoft never intended anybody to run Vista prior to January. What works on Vista, beyond Office 2007? I'm going to Vista ... when my VPN supplier tells me that they have drivers that work, and when my anti-virus vendor tells me that they have non-beta versions that work."

The rest of the article shows that the main reasons not to move to Windows Vista are...
  • Driver support is buggy
  • Security software is still in beta
  • Application compatibility is limited
  • All the major Vista-compatible software will be released in January.
However, once Vista is released to the public on January 30th, there should be far fewer reasons not to move to Vista. And since XP has been around for five years, there is definitely a need for a new operating system. Analysts predict that most companies will have moved to Vista by 2008.

Source: Itworld

75 Comments on One month after Vista released to manufacturers, there is no major rush to upgrade

#1
Alec§taar
It's always SLOW waiting for businesses to update/upgrade to new OS, for a pile of reasons...

Mainly, it's added costs (& IT doesn't exactly get the monies, say, that marketing dept.'s traditionally do by way of comparison, by ANY means), & that means being told NO due to "we have a watch that runs fine, why try 'fix it'" type of thinking!

(Which MAY be right as rain for a particular company on ALL levels.)

Then, it's testing in-house apps w/ it!

(& most places lock you into- limit you to only a certain set of apps you can have on your system installed, period. This is for security's-sake most likely, & also because there's no guarantee (w/ out sourcecode to the apps @ least, or its developer present) that any app will NOT mess up other apps you run (that, or its lib/dll versions installed)).

Not simple to get by either of those...

:(

* However, where you will see VISTA is in new machines & iirc, when I first read this thread yesterday? Someone already mentioned this & is right as rain...

APK

P.S.=> DirectX 10 gaming is another that will probably help VISTA installations on the 'home/domestic' front... gaming is a big market in software & imo? The largest single software type other than Operating Systems themselves & possibly AntiVirus/AntiSpyware software classes, that is purchased by home buyers... apk
Posted on Reply
#2
Carcenomy
So true, so true. 15 years on Apple's behalf is a bit sad on it though *chuckle*
Posted on Reply
#3
NTBugtraq
Vista Adoption

Russ Cooper here. FWIW...

>Driver support is buggy

I never said that. Driver support isn't buggy, it's non-existent. Either there is a Vista driver, or there isn't and the old one doesn't work. This is true for the vast majority of things, from VPN software to camera drivers.

>Security software is still in beta
>Application compatibility is limited

Little software that is important works with Vista "as is," and very few Vista-specific applications have been released in production form. Anyone doing an in-place upgrade from XP to Vista is in for many nightmares, now, or any time in the future! Just wait until OEMs start shipping Vista against those coupons they gave out, consumers are going to scream bloody murder.

They're either going to have to re-image their machine based on a recovery DVD the OEM sends them (which will basically press an image of Vista pre-installed with whatever add-ons they can find that work), losing settings and data in the process, or they'll upgrade only to find out that they have a lot of stuff that isn't Vista compatible.

>All the major Vista-compatible software will be released in January.

I never said that either...;-] I certainly don't expect all of the major Vista-compatible software to be released in January. The PCWorld article quotes IBM as saying they won't have a Lotus Notes version for Vista until mid-2007.

I do believe, however, that Microsoft intended Vista for gamers, not business. After reading Peter Gutmann's extremely informative exposé on Vista Content Protection, I'm inclined to recommend that ***NOBODY*** upgrade to Vista. It is ludicrous to encumber our equipment and budgets with anything so ridiculously crafted.

I am currently tasked with coming up with the security reasons people should upgrade to Vista. Thus far, I have only been able to identify disk encryption on laptops, to avoid the publicity boondoggle that occurs when one is lost or stolen. Hardly sufficient reason to do the following requisite upgrade tasks:

- Major Version upgrade of practically every piece of software used on a PC (probably the biggest cost you're going to incur)
- Training and re-training of staff (not to mention the augmented help desk staffing levels required while the rest of your staff is in training.)
- Hardware upgrades
- Group Policy Object revamp

plus who knows how many other little things like modifying OS detection in web sites, scripts, etc...

And you do all of this because there might be some customer data on a laptop you're going to lose this year?? I doubt it.

So my best advice is for everyone to get more familiar with slipstreaming and making new installation DVDs for XP Pro SP2 that include, as of today, the >100 patches you have to add to SP2 to be up-to-date...and leave Vista to the class action lawyers.

BTW, Peter Gutmann really knows his stuff, and shouldn't be discounted as some geeky university techie type.

As for this garbage about people adopting Vista because it's being shipped on every new PC they purchase...balderdash! Firstly, when we're talking about businesses we're not necessarily talking about additional machines when we get a new one. It may just be replacing an older one, which already had an OS license. So it's nothing to blast your standard XP build over the Vista garbage on the new machine. This *is* going to happen until corporations have a Vista build, which includes everything their users have and need today...and that's going to be a while.

It's also going to take some killer app to arrive to make the switch "needed." I've read people claiming that corporate users are going to have the Aero interface at home and insist they have it at the office too...crap! When they realize that little works the same as it used to, and they have to learn everything anew...few are going to want Vista on their office machine. Heck, I think few are going to want it on their home machine, but will put up with it if it means they can play the latest games.

If anyone thinks we can't convince MS they've made a mistake with an OS, just try and remember Microsoft Bob! or, for that matter, Windows ME.

In my opinion, Microsoft has a huge problem on its hands when they come to phase out security support for Windows XP SP2. Luckily for us that won't be until November 2014.

Cheers,
Russ
Posted on Reply
#4
Steevo
I haven't tried Client Access Express on it yet, and there are hundreds of businesses that still love the e-servers. What if there are bugs? It is a program that really relies upon the openness of Windows to use, and use well.


I can just imagine how grateful everyone will be to be forced to use telnet for connection.


Then again, it is no longer my concern, I was moved to alpha testing security for laptops. Jerkoffs.
Posted on Reply
#5
Wile E
Power User
NTBugtraq said:
As for this garbage about people adopting Vista because it's being shipped on every new PC they purchase...balderdash! Firstly, when we're talking about businesses we're not necessarily talking about additional machines when we get a new one. It may just be replacing an older one, which already had an OS license. So it's nothing to blast your standard XP build over the Vista garbage on the new machine. This *is* going to happen until corporations have a Vista build, which includes everything their users have and need today...and that's going to be a while.
If you're referring to me, I wasn't meaning in reference to corporations or businesses, I meant for the less tech savvy home user that buys their machine from Dell, or some other junk peddling OEM. I believe that's where we'll see the most adoption of Vista.
Posted on Reply
#6
NTBugtraq
Wile E said:
If you're referring to me, I wasn't meaning in reference to corporations or businesses, I meant for the less tech savvy home user that buys their machine from Dell, or some other junk peddling OEM. I believe that's where we'll see the most adoption of Vista.
No, I wasn't referring to you or anyone who had posted here, I was referring to the quote of Andrew Brust in the original PC World article.

"Once Vista is being shipped by OEMs on all new PCs, we won't be debating why people should move," said Andrew Brust, chief of new technology with consulting firm TwentySix New York. "It will be clear that they will need to do so, sooner or later. And honestly, people can argue until they're blue in the face about how XP is fine, but the reality is that it's five years old, technology has changed, and a new OS is necessary."

1. Yes, I agree with you Wile E that home users will adopt Vista, probably entirely because it is shipped on their machine. However, this isn't going to happen, IMO, at the end of January. As I said in my earlier post, OEMs have a huge problem...how do I (the OEM) provide a System Restore build that includes all of the software I've already given the customer? If I included Symantec AV and Quicken, I need versions of those that work with Vista before I can give my customer a new image. Well, we ain't there yet, and I don't see us being there by the end of January.

2. There is also little in Vista in the way of "changed" technology that makes a new OS necessary. Did the world change as a result of UPnP? No, but it was a new technology included in XP that got talked about (largely because XP's first flaw was announced in UPnP on the day XP was released.) However, XP introduced NT-style security in the desktop OS while keeping the W95-like interface, which made it much better than W2K Pro for corporations. So it got adopted.

There's nothing like this in Vista. About the only technology change (apart from Copy Protection as explained by Gutmann) is the UAC/Standard User concept. However, in the majority of businesses who have a server, this is already being done in XP and works just fine (in fact, it works better for most businesses in XP than it does in Vista!)

So beyond forcing companies to buy new hardware when they don't really need it, and providing an interface that wastes those resources wantonly, while IMO confusing users, I'm at a complete loss as to what changes in technology Brust thinks Vista is addressing.

I had hoped that the virtualization engine was going to provide some ray of hope, but Virtual PC 2007 isn't released yet and what is available only supports 32MB of vRAM per vMachine...you try running Office XP/2003 in that! Again, MS makes you buy honking hardware to run Vista, and then while running it, cripple it in the process.

FWIW, if Vista isn't adopted in businesses, then Office 2007 isn't going to be adopted either, IMO. If businesses don't make these changes, MS shareholders are going to have Ballmer's scalp, and again IMO, Vista will flop regardless how many home PCs ship with it.

This all happened in almost the exact same fashion many years ago in the PC world. There used to be a company called MicroPro, who made an excellent and probably the most widely used word processor called WordStar. Virtually every keystroke combination you've ever used was created first in WordStar. For some unknown reason they decided, in '87 I think it was, to totally change their UI when they introduced their newest version, WordStar 2000 (the version before that was, I think, WordStar 3.3.) All the old keystrokes were gone and replaced by 3-key combinations (they used to be 2-key for the most part.) Everyone dropped WordStar 2000 and within a year the product was never heard of again.

Cheers,
Russ
Posted on Reply
#7
Alec§taar
NTBugtraq said:
"Once Vista is being shipped by OEMs on all new PCs, we won't be debating why people should move," said Andrew Brust, chief of new technology with consulting firm TwentySix New York. "It will be clear that they will need to do so, sooner or later. And honestly, people can argue until they're blue in the face about how XP is fine, but the reality is that it's five years old, technology has changed, and a new OS is necessary."
Bad logic, I agree... the new tech I see in it, doesn't REALLY apply to home level users, until you hit DirectX 10 & games for it (still coming)...

For "new features" (that I feel are GOOD ones @ least) that MAY apply, @ least somewhat, to home-users (because it is security related)?

Well, there is UAC & also other security features like IE7 (better on VISTA than it is on Windows Server 2003 even) & also Address Space Randomization (where code runs in RAM is scrambled now, to prevent attacks upon it)

NTBugtraq said:
1. Yes, I agree with you Wile E that home users will adopt Vista, probably entirely because it is shipped on their machine. However, this isn't going to happen, IMO, at the end of January.
BUT, it's going to happen... & this is where MS always wins imo @ least, & on the "home-front" & everything begins @ home, even your computer use patterns & most skills (as well as your values etc. you learn from parents)... today especially.

Not true in my day, the first time I used computers was @ my ma's workplace (county computer operator on mainframes) & in school later (DEC PDP-11 series, iirc)...

NTBugtraq said:
2. There is also little in Vista in the way of "changed" technology that makes a new OS necessary.
Some of the security updates in it, such as UAC, better IE7, & Address Space Randomization are GREAT things... for security, @ least.

NTBugtraq said:
However, XP introduced NT-style security in the desktop OS while keeping the W95-like interface, which made it much better than W2K Pro for corporations. So it got adopted.
2000 had the same level of security & the same general shell (classic mode as it is referred to, via GDI/Win32 API draw).

NTBugtraq said:
There's nothing like this in Vista. About the only technology change (apart from Copy Protection as explained by Gutmann) is the UAC/Standard User concept.
A really POWERFUL & good one is Address Space Randomization which I mention above... it stalls a great deal of "buffer overflow" attacks & such by malwares.

NTBugtraq said:
However, in the majority of businesses who have a server, this is already being done in XP and works just fine (in fact, it works better for most businesses in XP than it does in Vista!)
This is the point I was leading to/making above: Businesses are always SLOW to adopt, mainly because "if a watch runs, why fix it?" & "wait out the bugfixes in VISTA (newest OS by MS) first" type thinking... & then, there is fighting for a budget too, to get the licenses (just like pulling teeth).

NTBugtraq said:
So beyond forcing companies to buy new hardware when they don't really need it, and providing an interface that wastes those resources wantonly, while IMO confusing users, I'm at a complete loss as to what changes in technology Brust thinks Vista is addressing.
IMO? Security largely... between IE7 improvements, UAC, & Address Space Randomization?? That's actually quite a bit, imo @ least, for security!

NTBugtraq said:
This all happened in almost the exact same fashion many years ago in the PC world. There used to be a company called MicroPro, who made an excellent and probably the most widely used word processor called WordStar. Virtually every keystroke combination you've ever used was created first in WordStar. For some unknown reason they decided, in '87 I think it was, to totally change their UI when they introduced their newest version, WordStar 2000 (the version before that was, I think, WordStar 3.3.) All the old keystrokes were gone and replaced by 3-key combinations (they used to be 2-key for the most part.) Everyone dropped WordStar 2000 and within a year the product was never heard of again.

Cheers,
Russ
I used to use WordStar, & in fact, it was the VERY FIRST word-processor I ever used on a PC, circa 1989 or so, iirc... most of the (trivia here) compiler keyboard shortcuts I use to this day? Are WordStar ones...

The same thing happened to WordPerfect 5.1 transition (DOS) to WordPerfect for Windows - they changed up nearly ALL of the keyboard shortcuts, dumb, because it made me leave WordPerfect for Ms-Word in fact... in a word-processing program? Keyboard shortcuts are quite a lot, & altering them?? Bad move... drove me away from WordPerfect, much as you describe on WordStar.

APK
Posted on Reply
#8
NTBugtraq
Well, I'll go out on a limb here and pick a number out of the air...;-]

IMO, <5% of system compromises occur because of buffer overflows. Heck, let's make that <1%!

If I'm getting a bot or trojan, it's likely that I double-clicked on an attachment. No need to overflow buffers if the victim is perfectly willing to execute the code. And the vast majority of those run in the user's security context...no need for Administrator (although most home users are) cause I ain't going to do anything a user can't do anyway. Nothing's changed here in Vista.

If I'm getting a drive-by download, doesn't matter whether I'm running XP or Vista. What really makes a difference is enabling only Administrator Approved ActiveX controls, which can be done in IE 6 (post XP SP2) as well as IE 7. Again, Vista makes no changes here either. A red bar isn't going to affect people as much as SiteAdvisor does, IMO. If the user isn't stopped from going to bad places, they'll go, they want what they think is on the other side of the rainbow no matter how bad the storm is that made it.

We haven't had a code red/blaster/slammer/sobig type event in years, and aren't likely to...they make no money! Yes, a buffer overflow in a malformed Word document may very well net the Chinese government U.S. military secrets...once! For the rest of the world the vulnerability is irrelevant, just as are 99% of all MS patches produced...when it comes to machines being compromised.

Get an ISP who scans your mail for viruses and doesn't allow 139/445 inbound and you'll see how you can put a plain vanilla W95 box bare to the net.

So memory address randomization is great when you're talking to a bunch of security geeks (of which I'm one) who are pummelling you with theoretical this and that, and PoCs that prove their point...but it doesn't have an impact on today's criminal efforts.

UAC is great, providing you don't have to pay for the huge increase in end-user support costs (and, assuming, India and like countries aren't banned from providing those services!) The problem is every consumer is going to have to pay those costs regardless how well we learn how to use our own systems (see the ATI comments about passing the costs to the cosumer in Gutmann's write up.) Consumers will also have to accept the increased loss of privacy as they turn their systems over to remote technicians for help (seen the latest Dell commercials?) And of course as this sort of support becomes more common-place, then we can expect the phishing and other scams to take that direction ("Want to get your PC optimized for free? Click here and we'll walk you through it!")...hrmph, did we increase security or decrease it?

As for IE 7, I'm not aware of how it's better on Vista than XP. In fact, as the premise of Bob MacMillan's article showed, it's a little worse right now since MS hasn't released a patch for Vista that is available for XP.

Cheers,
Russ
Posted on Reply
#9
Jimmy 2004
I am not even going to try and read all those posts... too long!!!

Alec, looks like you have competition in the longest posts contest! j/k

Keep posting detailed info, you help a lot of people and it's much better than single line replies... I just don't think I can read a thread like this much more :D
Posted on Reply
#10
Alec§taar
Jimmy 2004 said:
I am not even going to try and read all those posts... too long!!!

Alec, looks like you have competition in the longest posts contest! j/k

Keep posting detailed info, you help a lot of people and it's much better than single line replies... I just don't think I can read a thread like this much more :D
Thanks, sorry for the length, but I tend to quote others, to NOT miss replies to their points... Russ of NTBugTraq & I are having a GOOD exchange... I'd recommend reading it.

(BUT, that'd be a 'shameless plug' on my part, but he is into this area, as am I... so, good info. IS up there)

Some of the "long & detailed" exchanges we have here? Are the BEST for learning some crazy stuff imo @ least... I like having them!

APK

P.S.=> Are you from NTBugTraq, Russ? If so, I like your site... it's up there w/ Secunia & SecurityFocus.com imo, & I read them both regularly! If you have ANY corrections or notes/exceptions to the above material I put out?? Please, fire away... room to learn/grow here! apk
Posted on Reply
#11
WarEagleAU
Bird of Prey
It suxors and its expensive. Really a pain when you have to pay 600 dollars for something that does not work.
Posted on Reply
#12
Alec§taar
IE7 differences present on VISTA vs. XP & Windows Server 2003 even

Long reply, but answers your questions & some other madness-N-lunacy:

NTBugtraq said:
As for IE 7, I'm not aware of how its better on Vista than XP.
Well, see these:

http://interviews.slashdot.org/article.pl?sid=06/10/27/1549259

"In Windows Vista with Protected Mode, IE7 is the first browser to "put itself into a sandbox" and run with low privileges." - Dean Hachamovitch, (whose formal title is General Manager Internet Explorer at Microsoft Corp).

&

http://weblogs.java.net/blog/chet/archive/2006/10/index.html

"Internet Explorer 7 (IE7) takes this a step further and protects that entire process from accessing the raw system, so that even if an application inside the browser gains access to the system, it can only perform operations inside the very restricted sandbox that the browser offers."

&

http://www.nytimes.com/2006/12/25/technology/25vista.html?ei=5090&en=49a6ffcc2da87302&ex=1324702800&partner=rssuserland&emc=rss&pagewanted=print

"However, one of the principal security advances of Internet Explorer 7 is a software “sandbox” that is intended to limit damage even if a malicious program is able to subvert the operation of the browser. That should limit the ability of any attacker to reach other parts of the Vista operating system, or to overwrite files."

** Note, the last article says a Russian coder has a 'proof of concept' for this & penetrating the IE7 sandbox, but has yet to demonstrate it (@ least @ the time of the article, Dec 2006) - in fact, iirc, this turned up b.s. OR nearly unworkable when he was confronted in trying to prove it. BUT, I could be wrong here too... but, iirc, this was the "joke" one, not really a true bug, but an "April Fool's joke" iirc (there was one of those).

&

http://arstechnica.com/journals/microsoft.ars/2006/8/8/4915

"IE 7 was to be a Vista-only release, but the rising market share of Firefox made Microsoft decide to release it for Windows XP as well. But the Vista edition was to receive additional features, such as the ability to run in a low-rights sandbox for extra security."

:)

* I should REALLY bookmark a few, just in case I run into somebody asking this again, regarding security & 'sandboxing' IE! Well, that said? I have, now.

(And yes, it is possible in other forms of IE too, using batches & LOCAL commandline parameter switch on IE's commandline in batch, etc. - IF you need the process & IE commandline + batchwork for this? I believe I STILL have it here online, just ask...).

How 'perfect' is IE7's sandbox security feature on VISTA? Hopefully, moreso than the JAVA allegedly 'impenetrable' one (which proved to be ANYTHING but 'impenetrable' over time now)... Which I never trusted!

Hence, why I turn off scriptings/java/activex control use in my browsers, on the PUBLIC internet @ least (I still use it a lot on the job in intranet environs w/ ASP.NET apps though)!

Again/also: This IS why I will not put Ms-Office online anymore, especially word, since it often integrates in as your std. email reader in FULL outlook (& I use .txt only for reading email, like it or not, OR @ most, use RTF (rich text format))...

ALSO, here is a "bug/feature" in IE6 & below that Microsoft has mended in IE7 (clipboard accesses) but, iirc, this extends to ALL versions of IE7, not just the VISTA model:

http://blog.washingtonpost.com/securityfix/2006/12/clipboard_data_theft_optional.html

NTBugtraq said:
In fact, as the premise of Bob MacMillan's article showed, it's a little worse right now since MS hasn't released a patch for Vista that is available for XP.

Cheers,
Russ
That was regarding the "Phishing Filter" lag in it, but even for Windows Server 2003, this seems to have been fixed (yes, I use the anti-phishing filter MS provides in IE7 for Windows Server 2003 here, no lag)... on VISTA, a patch is due out THIS month, according to the article you refer to (the one shown in this thread's first post). EDIT PART: That's ONLY 3 days away now, mind you.

If it's done & there for Windows Server 2003 SP #1 fully current hotfix patched here? It should be out this month for VISTA is my guess - Windows Server 2003 IS the initial codebase/core of VISTA, afaik, & the direct OS it was based on.

:)

NTBugtraq said:
Well, I'll go out on a limb here and pick a number out of the air...;-]

IMO, <5% of system compromises occur because of buffer overflows. Heck, let's make that <1%!
The same could be said of ROOTKIT based attacks... but, more & more of this is appearing to hide 'malware' of various sorts... they are on the rise.

(This measure by MS could help stop the buffer-overflow based ones being a factor @ all (nearly)).

NTBugtraq said:
If I'm getting a bot or trojan, it's likely that I double-clicked on an attachment. No need to overflow buffers if the victim is perfectly willing to execute the code. And the vast majority of those run in the user's security context...no need for Administrator (although most home users are) cause I ain't going to do anything a user can't do anyway. Nothing's changed here in Vista.
I don't pity the person that does that though... they bring it on themselves. More & more folks are becoming aware of this though, "don't click on data & programs sent you by folks strange to you" (or, even ones you know, who may not be very "security-conscious").

NTBugtraq said:
If I'm getting a drive-by download, doesn't matter whether I'm running XP or Vista. What really makes a difference is enabling only Administrator Approved ActiveX controls, which can be done in IE 6 (post XP SP2) as well as IE 7. Again, Vista makes no changes here either.
On XP? Possibly so, albeit done manually in the IE options for IE6...

However, IE6 & IE7 in Windows Server 2003, by default, run w/ an "enhanced security mode"!

That disallows using ActiveX controls, Java, Java/Active scripting, automagically/by default... you don't even have a SHOT @ running them, unless you turn them on for various sites.

This CAN be done in 2000/XP too, but you have to 'manually' set it in the IE options for IE6 etc. & below.

NTBugtraq said:
We haven't had a code red/blaster/slammer/sobig type event in years, and aren't likely to...they make no money!
That's what folks said in the Win32 world about ROOTKITS, & the past 2-3 years now? You see them on Win32 as well... And, as far as NOT making money? I could see even using a DOS or DDOS as a form of blackmail, holding a site hostage for example... not easing it up, until the threatened party pays up, etc., but I am not a criminal of this nature... but, I could see it being used thus.

NTBugtraq said:
Yes, a buffer overflow in a malformed Word document may very well net the Chinese government U.S. military secrets...once! For the rest of the world the vulnerability is irrelevent, just as are 99% of all MS patches produced...when it comes to machines being compromised.
I don't discount ANY vulnerability, & this is part of WHY I quit putting Ms-Office 2003 online here, & keep scriptings (java & activex) + Java & ActiveX Controls turned off period, @ LEAST ON THE PUBLIC INTERNET (zones usage in IE can help here)... & keep up w/ OS patches (as well as compiler patches).

If it can hit something else, server OR user level?? It's a VALID threat imo.

NTBugtraq said:
Get an ISP who scans your mail for viruses and doesn't allow 139/445 inbound and you'll see how you can put a plain vanilla W95 box bare to the net.
I don't doubt it... & turning off active or java scripting, ActiveX control usage on the public internet as well as Java usage? You can be safe.

I also recommend NOT using Ms-Word as your email editor & switch to plain text (as well as NOT opening attachments sent by strangers especially, or pals you KNOW are not very "security-conscious", again).

NTBugtraq said:
So memory address randomization is great when you're talking to a bunch of security geeks (of which I'm one) who are pummelling you with theoretical this and that, and PoCs that prove their point...but it doesn't have an impact on today's criminal efforts.
I wouldn't say that... if an attack vector exists, such as ASR usage stopping buffer overflows, & also ROOTKITS (another 'classic' that is theoretically unstoppable afaik)?? Again, it's a valid threat I want @ least SOME protection against.

NTBugtraq said:
UAC is great
Agreed: Protect an "ignorant" user from themselves... not a put-down - it's just that not everyone is a 'computer security guru'...

APK

P.S.=> Again: Are you from NTBugTraq, Russ? If so, I like your site... it's up there w/ Secunia & SecurityFocus.com imo, & I read them both regularly! If you have ANY corrections or notes/exceptions to the above material I put out?? Please, fire away... room to learn/grow here! apk
Posted on Reply
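The zone settings the exchange above keeps returning to (ActiveX, active scripting and Java in the Internet zone, which on 2000/XP you "manually set in the IE options") live as DWORD action values under the per-user IE zone registry key, so they can be audited rather than eyeballed in the Internet Options dialog. The following is an added example, not code from any poster here: it reads the current user's Internet zone (zone 3) and reports whether each of the discussed actions is at a locked-down value. The action IDs and their 0/1/3 meanings follow Microsoft's documented IE zone layout; the "hardened" expectations are this example's own policy choice, and the key path is assumed to be the standard HKCU location (a machine-wide policy under HKLM may override it).

```powershell
# Added example: audit the Internet zone (zone 3) of the current user's IE
# security settings for the actions discussed in this thread.
# Assumed location: standard per-user zone key (HKLM policy keys can override it).
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Action IDs (DWORD value names under the zone key) and what they govern.
# Common action values: 0 = Enable, 1 = Prompt, 3 = Disable.
# For 1200, 0x10000 means "Administrator approved" controls only.
# For 1C00 (Java permissions) 0 means "Disable Java".
$Actions = @{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1400' = 'Active scripting'
    '1C00' = 'Java permissions'
}

# Policy choice for this audit (the example's own, not Microsoft's default):
# everything off on the public Internet zone, with "Administrator approved"
# accepted for 1200 because that is the setting the thread describes as
# making the real difference for drive-by downloads.
function Test-ZoneActionHardened {
    param([string]$Action, [int]$Value)
    switch ($Action) {
        '1200'  { return ($Value -eq 3 -or $Value -eq 0x10000) }
        '1C00'  { return ($Value -eq 0) }
        default { return ($Value -eq 3) }
    }
}

function Get-IEZoneAudit {
    param([string]$Path = $ZonePath)
    if (-not (Test-Path $Path)) {
        throw "Zone key not found: $Path"
    }
    $key = Get-Item -Path $Path
    foreach ($action in ($Actions.Keys | Sort-Object)) {
        # GetValue returns $null when the value is absent; IE then applies its
        # built-in default for the zone, which for the Internet zone is not
        # locked down, so an absent value is reported as not hardened.
        $raw = $key.GetValue($action)
        if ($null -eq $raw) {
            $display  = 'not set (IE default applies)'
            $hardened = $false
        } else {
            $display  = '0x{0:X}' -f [int]$raw
            $hardened = Test-ZoneActionHardened -Action $action -Value ([int]$raw)
        }
        [pscustomobject]@{
            Action   = $action
            Setting  = $Actions[$action]
            Value    = $display
            Hardened = $hardened
        }
    }
}

# Print the audit; any row with Hardened = False is a zone setting to revisit.
Get-IEZoneAudit | Format-Table -AutoSize
```

Run it in the user's own session, since the key is per-user; a Server 2003 box with Enhanced Security Configuration enabled should show the ActiveX and scripting actions already at 3.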
#13
zekrahminator
McLovin
Wow Russ Cooper, I think you're the first person I've quoted in the news I write to actually respond, welcome to the forums :). And I suppose that I summarized a little bit on the points you never said, based on the rest of the article. That story was all presented in a form that made it look like you agreed with all of it. Oh well, at least you voiced your real opinion.

Edit: Fixed original newspost to show that the list I had after your quote did not express your true views, sorry for the misunderstanding.
Posted on Reply
#14
Grings
buggy driver support, resource hog, flash new interface, and about 1 worthwhile new feature that could have been implemented into the previous system - sound familiar?

and just when xp had got nice and stable!
Posted on Reply
#15
NTBugtraq
In response to Alec§taar's numerous responses...;-]

>"In Windows Vista with Protected Mode…

When the ActiveX concept was first publicly discussed (I was part of the Design Review a long time before it ever got public mention) there were raging debates over whether there should be some sort of sandbox. At that time Java was seen as the holy grail for security, hence the strong desire of a sandbox.

Firstly, thanks for pointing out Protected Mode, it is something I overlooked about IE7 on Vista. I found a bit better reference to what PM on Vista means to IE in the IEBlog:

http://blogs.msdn.com/ie/archive/2006/02/09/528963.aspx

Frankly, as the Java sandbox has shown, a sandbox is neat, but not assured. The concept of Trust Zones in IE was always intended to inhibit what rendered script could do on the hosting system…and as we know, it’s never been assured. For the most part, it works, then someone discovers a way through the zones and it gets patched. Should we trust it? If not Trust Zones, then why PM? Why the Java sandbox? They are all designed to limit what can be done…albeit in different ways and to different extents, but none have been perfect or resistant to attack. I’ve no reason to believe that PM in IE on Vista is going to be perfect either. Once someone publishes a flaw, the smoke will dissipate and our ability to tout it as a huge step forward will be undermined…forever.

Also, there will be controls that will leak or provide cross-“zone” facilities. Think in terms of the number of controls that got released which were marked “Safe for Scripting” but shouldn’t have been…this will happen in Vista too. Consider how many controls MS has had to set killbits for in IE. Maybe we’ll actually get CRLs eventually, but until then we’re stuck with finding workarounds.

But the real bottom line is that, even on Vista, IE hands off tasks to objects that run outside of the sandbox after asking the user whether it should do so. This is akin to saying “We’ll keep the matches in some safe place so Junior doesn’t get them…Now Junior, would you please put these matches somewhere safe?”

We are still stuck with the problem of the user having the choice whether to shoot themselves in the foot or not. As I’ve said previously, I believe the vast majority of infected systems get that way with user involvement, and PM in IE on Vista still allows for user involvement.

>Rootkits are on the rise

I’m sorry, but I would disagree, at least using the way I look at things. For example, if we ask the question; “Has the number of systems with criminal rootkit components installed on them risen in the last 12 months?” I would have to answer, unequivocally, NO! The main reason is that such systems are being detected more frequently, whether it’s by the victim’s ISP, a victim of the victim, the AV on the victim system, or simply because the system failed and was rebuilt without the rootkit. All of these things are happening more often than in the past, so it only stands to reason they’re finding more than before. Meanwhile, the ways rootkits get onto systems hasn’t really changed or improved.

Now if we ask the question; “Have there been more individual pieces of malware found in the wild in 2006 that contain rootkit components?” then I would answer Yes! So what, there has been a considerable jump in the number of individually identifiable pieces of malware in 2006 as criminals have attempted to subvert detection by making minor changes (adding/removing garbage bytes, or re-packing, whatever). Compare 2006 to 2005 in this way and you’re not comparing oranges to oranges.

If you look at the statistics MS put out on what their Malicious Software Removal Tool is finding, you’ll see that the number of infected machines is actually reducing over time, regardless of what it is infected with.

>more folks are becoming aware (of security issues)

I don’t really think they are. There’s an “all or nothing” stratification I’m seeing in the home user community…they either always pass on jokes and chain letters (even after being told to stop sending them) or they never do. We’ll just have to wait for those who do pass on chain letters to die, I’m afraid.

>IE Enhanced Security Mode in W2K3 disables ActiveX…

You suggest I can enable a control by site. I can’t, only by Zone. In fact, the Enhanced Security Configuration can be established on XP via Group Policy, so automated, not manual, if you really want it…but disabling all ActiveX controls and scripting just isn’t realistic in a corporate environment. Besides, I’m not going to install W2K3 on all of my desktops, am I…;-]

>I don't discount ANY vulnerability

This is the biggest obstacle I face daily…people who don’t discount ANY vulnerability. If nobody is attacking, why are you worrying? Do you have a bomb shelter at home? Do you drive? Do you breathe? We all accept risk in myriad ways every day, why can’t we do the same thing with computers?

My risk doesn’t increase just because I’ve got a vulnerability. I can’t stay under water as long as a fish can (my vulnerability) but I still swim. The threat doesn’t increase either just because there’s a vulnerability. If I’m not going to get more people using vulnerability #1 than I already get using vulnerability #2, why bother trying to exploit vulnerability #1? Finally, the 3rd factor, cost/impact, also doesn’t change just because of vulnerability. Will there really be an increased cost to resolve an RPC-overflow worm versus a file-share spreading worm? Not necessarily.

Bottom line is you’re wasting a lot of your time and resources worrying about every vulnerability.

>Are you from NTBugTraq, Russ?

Yup, that’s me!...;-]

Cheers,
Russ
Posted on Reply
#16
NTBugtraq
zekrahminator said:
Wow Russ Cooper, I think you're the first person I've quoted in the news I write to actually respond, welcome to the forums :). And I suppose that I summarized a little bit on the points you never said, based on the rest of the article. That story was all presented in a form that made it look like you agreed with all of it. Oh well, at least you voiced your real opinion.

Edit: Fixed original newspost to show that the list I had after your quote did not express your true views, sorry for the misunderstanding.
Hey zekrahminator, no problems. I didn't mean to sound like I was offended or anything like it. It just happened that one of my co-workers asked me about the quote from CNet and I had forgotten giving it (hey, it was Christmas :ohwell: and I was on holidays when I spoke with Bob :toast: ) When I asked where he'd read it, he sent me your link.

Hope you don't mind my really long posts...I tend to be overly verbose all too often...:banghead:

FWIW, being misquoted or quoted out of context is what the majority of many people's reputation is based on. For a 2 line quote like the one Bob had of me, I spend usually an hour with the reporter on the phone. One could then spend the rest of their waking hours explaining what was said during the hour, versus what got in an article. :confused:

Cheers,
Russ
Posted on Reply
#17
Jimmy 2004
NTBugtraq said:
Hope you don't mind my really long posts...I tend to be overly verbose all too often...:banghead:
Long posts are not a problem, my post was only as a joke to Alec - messages that are more detailed are generally very appreciated on this forum.

I agree with zek and think that it's good to see someone included in a news story actually post a response to it to build on the story directly. Admittedly there wouldn't be any easy way to tell if you're genuine, so we'll have to assume you really are who you say you are! :D
Posted on Reply
#18
Alec§taar
Russ/NTBugTraq: Some more "FYI" for you...

NTBugtraq said:
Firstly, thanks for pointing out Protected Mode, it is something I overlooked about IE7 on Vista.
Well, then now you are aware of how IE7, on VISTA specifically, is better than it is on XP, & even over Windows Server 2003 (possibly, but its 'enhanced security mode' of operation 'cuts off' avenues to attack, totally), where you were not before is all.

And, IF you would like the LOCAL commandline switch + batchfile work for doing IE7 in 'a sandbox' on XP? I can provide it to you as well... it works.

You now know @ this point, though, how IE7 on VISTA is truly superior to how it is on Windows XP/Server 2003 even (w/ its "enhanced security mode", which CAN be emulated/setup-the-same on XP as well, IF you take the time to do it manually, yourself, for the most part).

See? Even a 'security guru', like yourself, can learn a thing or two in the arena of security... forums are great this way.

NTBugtraq said:
I found a bit better reference to what PM on Vista means to IE in the IEBlog;

http://blogs.msdn.com/ie/archive/2006/02/09/528963.aspx
I DID take a read of that as well, & it actually COUNTERS your next point below in fact, take a read:

NTBugtraq said:
But the real bottom line is that, even on Vista, IE hands off tasks to objects that run outside of the sandbox after asking the user whether it should do so.
VISTA & its version of IE7, per the URL you cited? Does counter for THIS, here:

"Mandatory Integrity Control (MIC), a model in which data can be configured to prevent lower-integrity applications from accessing it. The primary integrity levels are Low, Medium, High, and System. Processes are assigned an integrity level in their access token. Securable objects such as files and registry keys have a new mandatory access control entry (ACE) in the System Access Control List (ACL)."


&

User Interface Privilege Isolation (UIPI) blocks lower-integrity processes from accessing higher-integrity processes. For example, a lower-integrity process cannot send window messages or hook or attach to higher priority processes. This helps protect against "shatter attacks." A shatter attack is when one process tries to elevate privileges by injecting code into another process using windows messages.

Some more FYI for you, & counters your argument on that account...

VISTA's IE7 mechanisms above (in collusion w/ UAC on VISTA as well) would even counter imo, for this "false positive" I ran into, regarding IE & SpyBot findings, noted example:

SpyBot, in its latest version as of the date of this post, mistook an IE helper (tools menu) I embed myself, that used the SAME "GUID" I did for a browser extension, that some malware uses!

I knew mine wasn't: It summoned an .exe I wrote (an enhanced pinger I wrote in Delphi & TOTALLY by hand, no 3rd party VCL used or ActiveX controls) via the IE tools menu, so I had the sourcecode to the app & know it's NOT 'malware', period.

NTBugtraq said:
This is akin to saying “We’ll keep the matches in some safe place so Junior doesn’t get them…Now Junior, would you please put these matches somewhere safe?”
The entire "object-oriented" (object broker in Win32 actually) based form of operation, & the "document-centric" Ms universe functions on this... handing off or making calls to external libraries & USUALLY, this is done in the SAME process space as the calling process if DLL's/libs are used (in process calls)...

& if diff. exe's used (as in the case of the false positive I note I found a while back did), & thus, diff. process spaces?

Then, typically, mechanisms like Windows Messages (apps sending one another messages in their numerous multiple message queues they have), via mailslots, RPC, Shared Memory (RAM &/or diskbound files), Winsock, NetBIOS, DDE, clipboard access, named pipes & even the latest from MS (single messaging scope paradigm lately introduced to replace those & more I noted), are also controlled THIS way too.

VISTA is better on many levels, ones end-users don't see, & this is yet another evidence thereof.

This is NOT exclusive to MS either. Other OS' oem's designed this way as well, using shared libs & functions external to program executables & having dependencies on other external libraries (like DLL's in Win32).

NTBugtraq said:
>Rootkits are on the rise - I’m sorry, but I would disagree, at least using the way I look at things.
I disagree w/ that: From having NO rootkits (@ least known ones) around 1-2 years ago tops in Win32, to having them now out there?

BIG increase... & rising.

NTBugtraq said:
For example, if we ask the question; “Has the number of systems with criminal rootkit components installed on them risen in the last 12 months?” I would have to answer, unequivocally, NO! The main reason is that such systems are being detected more frequently, whether its by the victim’s ISP, a victim of the victim, the AV on the victim system, or simply because the system failed and was rebuilt without the rootkit. All of these things are happening more often than in the past, so it only stands to reason they’re finding more than before. Meanwhile, the ways rootkits get onto systems hasn’t really changed or improved.
Maybe the ways haven't changed, but the number of rootkits surely is & has gone up... from ZERO a few years ago on Win32 systems, up to whatever the presently found amounts are... increases, definitely.

NTBugtraq said:
Now if we ask the question; “Have there been more individual pieces of malware found in the wild in 2006 that contain rootkit components?” then I would answer Yes!
And, then, you'd be right as rain...

NTBugtraq said:
So what, there has been a considerable jump in the number of individually identifiable pieces of malware in 2006 as criminals have attempted to subvert detection by making minor changes (adding/removing garbage bytes, or re-packing, whatever). Compare 2006 to 2005 in this way and you’re not comparing oranges to oranges.
Compare this to 2003-2004, to today? You have a HUGE "order of magnitude" level of increase... from ZERO, to whatever numbers of malware out there today that uses rootkits to avoid detection/removal.

Typically? IF you are found as bearing a rootkit?? Most folks/experts in this area tell you 1 thing: REPAVE!

(Even MS admits currently that once you have one of these things? Redo your rig... removal/disinfection is BEST done via "nuking your setup from orbit" @ this point nowadays @ least!)

NTBugtraq said:
If you look at the statistics MS put out on what their Malicious Software Removal Tool is finding, you’ll see that the number of infected machines is actually reducing over time, regardless what is infected with.
This is a direct result of folks being more "proactive" on using tools like AntiVirus, Firewalls, & just overall better regarding opening email attachments & such... & also measures implemented by the end-user's ISP/BSP which you mentioned above, also.

NTBugtraq said:
>I don't discount ANY vulnerability

This is the biggest obstacle I face daily…people who don’t discount ANY vulnerability. If nobody is attacking, why are you worrying?
What is the typical statistic? Once a Windows machine is set up, it is typically infected/attacked w/in 12 minutes of being online??

I set up a pal's machine on XP 2 days ago, we got nearly INSTANTLY "hit" w/ a "Messenger Service" 'attack' (not really an attack, but it was trying to lure him & me into going to some website, & this doubtless was where the REAL attack would be coming from... a mal-scripted website attack most likely too).


NTBugtraq said:
Do you have a bomb shelter at home? Do you drive? Do you breath? We all accept risk in myriad ways every day, why can’t we do the same thing with computers?
I don't take risks I shouldn't, TYPICALLY... it's like being sexually promiscuous nowadays... not worth the risk.

NTBugtraq said:
My risk doesn’t increase just because I’ve got a vulnerability.
I disagree... you are TOTALLY increasing your chances of being hit, just by being vulnerable & NOT taking active measures or workarounds (provided they exist) to not get infected.

Bad business if you don't, imo... using Firewalls (hardware &/or software), AntiVirus, AntiSpyware, & performing scheduled rootkit checks weekly @ least, & doing OS + app patching is a must nowadays.

NTBugtraq said:
The threat doesn’t increase either just because there’s a vulnerability.
OH, I beg to differ here: If I am immune to plague due to taking vaccination? I can walk thru a party full of plague bearers & be safe... someone who is NOT 'vaccinated' (takes active measures for prevention) is not nearly as safe.

Heck, that party of plague bearers, from my example above? Is the INTERNET itself...

NTBugtraq said:
Bottom line is your wasting a lot of your time and resources worrying about every vulnerability.
Oh, I have to say otherwise: Mainly because since I have been cutting off ActiveX/ActiveScripting &-or Java/JavaScript usage on public internet based zones @ home in ALL of my browsers?

I rarely, if EVER, suck in virus &/or malwares (had a false positive 3 months ago, but turned up fine, but have not had a virus or other bad thing on my system in roughly a decade or more because of this behaviour on my end)...

IF you'd like the mechanics/specifics on HOW I know it was a 'false positive', one detected by SpyBot? I provided it above earlier for your reference.

NTBugtraq said:
>more folks are becoming aware (of security issues) I don’t really think they are.
OH, I do... I have listened & watched @ the CompUSA in my area when 'absolutely newbie' type folks buy computers, & when they do? They usually DID opt for tools in softwares like Norton AntiVirus when purchasing their systems... nearly every time, if not every time.

NTBugtraq said:
There’s an “all or nothing” stratification I’m seeing in the home user community…they either always pass on jokes and chain letters (even after being told to stop sending them) or they never do. We’ll just have to wait for those who do pass on chain letters to die, I’m afraid.
There are those folks, but the ones that choose to do the opening are not necessarily ALWAYS 'unaware' of the threat, it's more that they don't give a hoot imo.

I see this in relatives of mine & friends in fact... they know they are taking a risk, but do it anyhow.

NTBugtraq said:
Frankly, as the Java sandbox has shown, a sandbox is neat, but not assured.
Right - which is why I never fully trusted the "Java sandbox" in the first place & turn it off on my browsers when they face the 'public internet'... but, do use Java & JavaScript (as well as ActiveX & ActiveScripting) in INTRANET environs.

NTBugtraq said:
The concept of Trust Zones in IE was always intended to inhibit what rendered script could do on the hosting system…and as we know, it’s never been assured. For the most part, it works, then someone discovers a way through the zones and it gets patched. Should we trust it? If not Trust Zones, then why PM? Why the Java sandbox? They are all designed to limit what can be done…albeit in different ways and to different extents, but none have been perfect or resistant to attack. I’ve no reason to believe that PM in IE on Vista is going to be perfect either. Once someone publishes a flaw, the smoke will dissipate and our ability to tout it as a huge step forward will be undermined…forever.
Zone use IS "better than nothing", absolutely.

Plus, oh, I don't know about "forever" as you said, but I would trust VISTA's IE7 "protected mode" over that of non-protected mode on Windows Server 2003 &/or XP though for IE7...

Yes, simply because it IS that much better than IE7 on Windows XP, & even over that on IE7 on Windows Server 2003, w/ its 'automatic enhanced security mode'...

NTBugtraq said:
Also, there will be controls that will leak or provide cross-“zone” facilities. Think in terms of the number of controls that got released which were marked “Safe for Scripting” but shouldn’t have been…this will happen in Vista too. Consider how many controls MS has had to set killbits for in IE.
I am not aware of how many that is, but apparently it's more than I am aware of, as far as IE & MS setting up killbits for various ActiveX controls being unsafe... but, this is a good thing to do, when they are spotted as faulty.

NTBugtraq said:
Maybe we’ll actually get CRLs eventually, but until then we’re stuck with finding workarounds.
Define "CRL" for us please... I am not aware of this term/acronym's meaning... thanks. Did you mean "Common Runtime Library" by this? Not sure, have to ask.

NTBugtraq said:
We are still stuck with the problem of the user having the choice whether to shoot themselves in the foot or not. As I’ve said previously, I believe the vast majority of infected systems get that way with user involvement, and PM in IE on Vista still allows for user involvement.
Most folks cause 90% of their own problems, computer or other things in life... but, trick is, learn by your mistakes.

NTBugtraq said:
>IE Enhanced Security Mode in W2K3 disables ActiveX…

You suggest I can enable a control by site. I can’t, only by Zone.
No, it was about using zones... & you hit on that correctly, per what I was trying to say: you run that site in a zone & let it go from there (& set a zone up properly). I redo ALL of my zones on home machines to be like it is on Windows Server 2003 'enhanced security mode' anyhow.

NTBugtraq said:
In fact, the Enhanced Security Configuration can be established on XP via Group Policy, so automated no manual, if you really want it…
You COULD do it that way, I agree, but you STILL have to set up the policy manually & THEN, you can extend it to other machines on your LAN in a workgroup/domain.

NTBugtraq said:
but disabling all ActiveX controls and scripting just isn’t realistic in a corporate environment.
I don't & mention that above... for INTRANET work, on the job? I use both scripts of both types AND ActiveX controls (like Crystal Reports has) extensively during ASP.NET work I do for a living in the MIS/IS/IT environs.

NTBugtraq said:
Besides, I’m not going to install W2K3 on all of my desktops, am I…;-]
Well, this is the whole argument/issue now, isn't it? Whether VISTA provides enough motivation for folks (or corporate bodies) to install it right away... they won't.

Most don't in fact, right away... they wait out new machines coming w/ it & experiment using them seeing how they mix w/ their existing setup both apps & OS setup-wise, plus, they wait out "bugs shaking out"... takes 2-3 years typically, if not more.

This is just what I have seen as a network engineer/admin - coder over 15 years time or so, in numerous companies/sites/jobs I have been on professionally in that timeframe.

A decent sample-set to base my statements on, & really, the only 1 I have, but a GOOD one.

:)

NTBugtraq said:
>"In Windows Vista with Protected Mode…

When the ActiveX concept was first publicly discussed (I was part of the Design Review a long time before it ever got public mention) there were raging debates over whether there should be some sort of sandbox. At that time Java was seen as the holy grail for security, hence the strong desire of a sandbox.
It was a bad move then, that they were NOT put into a "protected mode" environs imo as well... I would have 'pushed harder' on your end were you one of those stating this to the MS folks...

* Good discussion...

APK

P.S.=>
NTBugtraq said:
In response to Alec§taar's numerous responses...;-]
Ha, right back @ ya!

See my subject-line/title above for this reply back to you, first, & then, this, "in response to your numerous responses", lol (continuing our discussion & sorry for delay, busy @ work & @ home last nite)... apk
Posted on Reply
#19
Wile E
Power User
Alex, I think you just bested your previous longest post. lol Seriously tho, I'm learning a lot from this, keep em comin.
Posted on Reply
#20
NTBugtraq
>Admittedly there wouldn't be any easy way to tell if you're genuine, so we'll have to assume you really are who you say you are!

Actually, you can just go to the NTBugtraq home page (ntbugtraq.com) and either email me at the address listed there, or call my phone...;-]

>VISTA & its version of IE7, per the URL you cited? Does counter for THIS, here:

I think my point was missed here a little. PM relies on the technologies you cited (MIC and UIPI) to provide enforcement within IE. These technologies govern what a process does. However, when IE prompts the user asking whether they want to install an ActiveX control (providing they’re a member of the Local Administrator’s group) PM then branches to objects that are outside of the PM. The tasks passed can then do anything the user can do, with Administrative privilege.

If this were not true it would be impossible for a user to install an ActiveX control, or modify registry/file settings that may need to be done from time to time (e.g. update an existing ActiveX control.)

This is the “hole” in the PM. I’m not suggesting it’s flawed; only that it is present. And its presence does mean the PM is not truly a sandbox (and I’m not sure I’ve seen MS refer to it as such, to their credit.)

Most malware that ends up on people’s systems gets there by the user double-clicking on something (not via Browser exploits), so as long as IE prompts people to take an action, they will. PM stops drive-by downloads and exploitation of some browser vulnerabilities (not XSS, for example), but if you consider the percentage of people who’ve been infected via IE versus other ways, it is, IMO, solving a very small problem.

I’ll come back to this.

>Rootkits are on the rise. Zero 1-2 years ago.

I have to assume we’re having a problem with the term “rootkits.” My definition is some code which is completely invisible to the user through normal inspection. So it has to be covert enough to not show up in Task Manager and/or Explorer and be invisible to AV. Otherwise, it’s not a rootkit in my book.

The term has become overly used to refer to anything that does backdoors, and/or covert command and control channels. Have a look at http://www.rootkit.com/ for a list. NT Rootkit, by Greg Hoglund, was released initially in 1999. So saying there were ZERO in 2003 is just wrong.

Even before that there were discussions and Proof-of-Concept (PoC) code that exploited Alternate Data Streams (ADS) to hide themselves on disk (albeit not being able to hide the running process.) So we’ve had rootkits for a long time.

I will, again, say IMO that the number of machines infected with completely undetectable malware components is not a significantly higher percentage than it was in 2003. FWIW, my employer (Cybertrust/ICSA Labs) manages the WildList.org site, which tracks In-the-Wild malware. You can have a look at the October 2006 data (latest posted) and get an idea of what’s out there. You can then lookup the names of the malware to see what it does.

http://www.wildlist.org/WildList/200610.htm

This doesn’t mean that you can rely on AV to completely remove an infection. I agree that rebuilding after an infection is discovered is the Best Practice.

But again we have to stop looking at infections as a binary object, the same way we have to stop looking at vulnerability as being binary.

Let me take your example of walking through a party full of plague’d people. Yes, if you do that, and you’re vaccinated, you are more protected than if you’re not vaccinated.

However, why is it that we all don’t get vaccinated for the plague? It’s simple, it’s because the vast majority of us will never come into contact with anyone who has an active case that can infect us. Is it impossible for me to become infected? No! But the threat of me being infected is near zero, hence we don’t vaccinate against it. Yet the cost of being infected could be death…still we don’t get vaccinated.

So, in the case of the plague and people in, say, North America:

Vulnerability Prevalence = 100%
Cost of Infection = Death (let’s call it 100%)
Threat Rate = 100 people with active infections within the U.S. (~300m people)

Risk = Vulnerability Prevalence * Cost of Infection * Threat Rate
Risk = 100% * 100% * 0.000000333

This is your risk if you do nothing. Now consider what happens when you travel outside of the U.S., to a country where plague is present. The Threat Rate increases, possibly dramatically.

CountryX where plague is known to be present. Let’s say 1% of their population has plague, and the country has 100m people

Threat Rate = 1m/100m = 1%
Risk = 1% * 100% * 1%

Wow, now that’s a HUGE increase in risk, 3m% increase in fact! But it doesn’t consider all of the facts:

- What’s the chance I am going to meet one of those people?
- What’s the chance they’ll have an active infection when I do meet them?
- What’s the chance I’ll have no indications I might be getting near plague victims?
- What’s the chance my contact will actually lead to plague?

Each of these (and more) affect the final risk value, and any that are less than 100% cause that initial 1% risk to reduce.

Now apply this thinking to computer security and vulnerabilities:

Adobe PDFs can be used to cause Cross Site Scripting (XSS) in Firefox.

Vulnerability Prevalence = 35%?? (whatever market share value you want to give to Firefox is fine by me.)
Cost of Exploitation = Let’s say 100% again, as in being exploited means you lose all of your bank balance??
Threat Rate = 0% (We’ve had no reports of any sites hosting exploits)

Risk = 35% * 100% * 0%

Anything times 0% is 0, right?

Ok, so let’s revise the Threat Rate. Let us assume that some 10,000 sites are currently hosting PDF/XSS attacks today.

Threat Rate = 0.000093567 (10,000/106,875,138 – number of sites reported by Netcraft in January 2007)

Risk = 35% * 100% * 0.000093567 = 0.00327485%

Now this is from a world perspective. This is how we look at the risk in the world as a result of some new thing. If you ran Firefox, the number would be different:

Risk = 100% * 100% * 0.000093567 = 0.0093567%

We’re still less than 1/100 of a percent.

So how much of your time should you spend on something that carries that much risk? And don’t forget, we haven’t even applied mitigators to this yet:

- Chances the malicious site is still up by the time I get there
- Chances the criminals actually succeed in getting all of my money, despite having my credentials
- Chances the bank isn’t going to give me all my money back

Etc…

Vulnerability-based thinking is binary. You are, or you’re not. You either have something to do, or you don’t. It’s very easy, however it’s enormously time consuming and wastes ridiculous amounts of resources world-wide every day.

It happens because, for most people, it’s impossible to do the risk calculation to the extent they think they should. In the above example most people would be stumped on the Threat Rate. “How do I know how many criminal sites are out there exploiting the vulnerability?” But if you look at it reasonably, before I even have a 1% risk, there’d have to be a million sites exploiting the vulnerability. For that to be true that would be 1 out of every 100 web sites exploiting this vulnerability.

I would argue that it would be impossible to imagine that 1 out of every 100 web sites is criminal and exploiting anything. That’s just way more criminal activity than has ever been seen before. So take any other browser-exploiting vulnerability you can think of and apply the above math and you’ll see that browser exploits just aren’t worth worrying about.

Now don’t get me wrong, it’s not as if we say “Oh just go anywhere you want with your browser and do nothing to it” to be secure. It’s a question of resources, and how you should spend them.

Do you give up what Active Scripting and ActiveX provides to the average person on a site (usually a better experience) because we fear such a small risk? Or, do we do a better job of educating our users to ensure they don’t end up at 1 of the 10,000, or 100,000, criminal sites?

Do we take the time and resource we put into patching and apply it to better Group Policy Object definition, or better proxy/IDS (Intrusion Detection System)/IPS (Intrusion Prevention System) filters? Do we instead focus on the few people in a company who, typically, repeatedly get infected versus the balance who never do?

There are so many ways to lower that Risk number without ever having to patch anything…honestly.

Hopefully this sheds some light on why being vulnerable is not equal to having a risk, or why an increased threat doesn’t necessarily translate to increased risk either.

The concepts above are not really difficult to understand, but I do know that they are hard to believe and/or accept. But in my 30 years experience in the business they are the most effective at reducing and/or eliminating risk.

>I set up a pal's machine on XP 2 days ago; we got nearly INSTANTLY "hit" w/ a "Messenger Service" 'attack'

Well, you must have done something wrong as XP SP2 installs by default with the Windows Firewall enabled, meaning Messenger shouldn’t have been exposed!

Alternatively, had you installed attached to any of the $50 routers, Wireless Access Points (WAP) or Cable Modems, you’d have what we call “Default Deny” enabled and it wouldn’t have got past it.

>Killbits in Internet Explorer 6.0

http://support.microsoft.com/kb/240797/en-us provides detailed instructions on how to set them. Basically, IE checks in the registry to see whether it should or should not run a given control. You can take any given control and set it such that IE will not run it, but it will run in other applications. As long as the control is registered (and virtually every DLL is) you merely have to figure out its Class ID (CLSID) and then add it to the IE list and it cannot be invoked from within IE 6.0.

>CRLs

Certificate Revocation Lists. When a Digital Certificate is produced, it is signed by a Root Trust Authority. It has parameters that state how long it should be valid for, amongst other things. Once a certificate has expired, it should be, and is, no longer trusted. However, what if you need to make a certificate not trustworthy for some other reason?

Imagine that your private key, the key you use for signing your software, is stolen. Since you don’t know where it is, you don’t know if someone else is going to use it to try and leverage the trust someone else might have in you (via your cert.) So you need to revoke the cert. You can’t simply alter the expiration date.

This is where CRLs come in. The concept of PKI (Public Key Infrastructure) always included the ability to revoke a cert. When you are presented with a certificate, your system was supposed to check with a trusted authority to find out whether the cert had been revoked. For myriad reasons, this was rarely implemented (including not being supported at all in Windows.)

CRLs are now supported in Vista…and now we just have to wait and see if the Certificate Issuers are going to deliver them (FWIW, we, Cybertrust, are a Trusted Root Certificate Authority – GTE Cybertrust Root.)

Cheers,
Russ
Posted on Reply
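The kill-bit mechanism described above, as an added PowerShell example (this is not code from KB240797 or from Russ's post). It writes the `Compatibility Flags` value that KB240797 documents (REG_DWORD, bit 0x400) under the `ActiveX Compatibility` key for a CLSID, handles the Wow6432Node copy that 32-bit IE reads on 64-bit Windows, and first looks the CLSID up under HKCR so you can see whether the control is registered as an in-process DLL (`InprocServer32`) or an out-of-process EXE (`LocalServer32`). The all-zero CLSID in the usage lines is a placeholder, not a real control; writing to HKLM needs an elevated session.

```powershell
# Added example: set, check and inspect IE kill bits from PowerShell (needs an elevated session).
# Kill bits live at HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID},
# value "Compatibility Flags" (REG_DWORD); 0x400 = "do not instantiate this control in IE".
$KillBitFlag = 0x400
$CompatKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'  # 32-bit IE on x64
)

function Get-ControlRegistration {
    # Reports what the CLSID maps to under HKCR: an in-process DLL (InprocServer32),
    # an out-of-process EXE (LocalServer32), or nothing at all (not registered).
    param([Parameter(Mandatory)][string]$Clsid)
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    if (-not (Test-Path $key)) { return $null }
    [pscustomobject]@{
        Clsid  = $Clsid
        Name   = (Get-ItemProperty $key -ErrorAction SilentlyContinue).'(default)'
        Inproc = (Get-ItemProperty "$key\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        Local  = (Get-ItemProperty "$key\LocalServer32"  -ErrorAction SilentlyContinue).'(default)'
    }
}

function Test-KillBit {
    # True only if every ActiveX Compatibility hive that exists on this machine has bit 0x400 set.
    param([Parameter(Mandatory)][string]$Clsid)
    $results = foreach ($root in $CompatKeys) {
        if (-not (Test-Path $root)) { continue }   # no Wow6432Node hive on 32-bit Windows
        $flags = (Get-ItemProperty "$root\$Clsid" -Name 'Compatibility Flags' `
                  -ErrorAction SilentlyContinue).'Compatibility Flags'
        [bool]($flags -band $KillBitFlag)
    }
    return ($results.Count -gt 0) -and ($results -notcontains $false)
}

function Set-KillBit {
    # OR the kill bit into the existing flags so other compatibility bits are preserved.
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($root in $CompatKeys) {
        if (-not (Test-Path $root)) { continue }
        $key = "$root\$Clsid"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $current = (Get-ItemProperty $key -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue).'Compatibility Flags'
        New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
            -Value ([int]$current -bor $KillBitFlag) -Force | Out-Null
    }
    return (Test-KillBit -Clsid $Clsid)
}

# Usage. The CLSID below is a placeholder; substitute the control you want IE to refuse.
$clsid = '{00000000-0000-0000-0000-000000000000}'
Get-ControlRegistration -Clsid $clsid     # $null if the CLSID is not registered at all
Set-KillBit -Clsid $clsid                 # True once the bit is present in every applicable hive
Test-KillBit -Clsid $clsid
```

The kill bit only governs IE's `ActiveX Compatibility` lookup, which is the point Russ makes: the DLL stays registered and other COM hosts can still load it, so check `Get-ControlRegistration` output if you need the control gone from the machine rather than just from the browser.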
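The revocation check Russ describes, as an added PowerShell example (not code from the post or from Cybertrust). It uses the .NET `X509Chain` class that ships with Windows PowerShell to build the chain with online revocation checking for the entire chain, reads the CRL distribution point URLs out of the certificate's 2.5.29.31 extension, and treats an unknown or offline revocation status as a failure unless the caller explicitly allows it. The certificate file path is an assumption for illustration.

```powershell
# Added example: ask the Windows chain engine to consult CRLs for a signing certificate,
# and fail closed when it cannot reach them. Uses only built-in .NET X509 classes.

function Get-CrlDistributionPoints {
    # Extension 2.5.29.31 (CRL Distribution Points) lists where the issuer publishes its CRL.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    # Format($true) renders the ASN.1 as multi-line text; pull the URLs out of it.
    [regex]::Matches($ext.Format($true), '(https?|ldap)://\S+') | ForEach-Object { $_.Value }
}

function Test-CertificateRevocation {
    param(
        [Parameter(Mandatory)][string]$Path,   # DER or base64 .cer file (assumed path)
        [switch]$AllowOffline                  # by default "status unknown" counts as a failure
    )
    $F     = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

    # Online = fetch CRLs (and OCSP where available); EntireChain = check every cert, not just the leaf.
    $chain.ChainPolicy.RevocationMode     = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag     = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)

    $built = $chain.Build($cert)

    # Fold every chain element's status flags into one value.
    $flags = $F::NoError
    foreach ($s in $chain.ChainStatus) { $flags = $flags -bor $s.Status }

    $revoked = (($flags -band $F::Revoked) -ne 0)
    $unknown = (($flags -band ($F::RevocationStatusUnknown -bor $F::OfflineRevocation)) -ne 0)

    $verdict = if ($revoked)                        { 'REJECT: certificate revoked' }
               elseif ($unknown -and -not $AllowOffline) { 'REJECT: revocation status unknown (failing closed)' }
               elseif ($built)                      { 'ACCEPT' }
               else                                 { 'REJECT: chain does not validate' }

    [pscustomobject]@{
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        CrlUrls    = (Get-CrlDistributionPoints -Cert $cert) -join '; '
        ChainBuilt = $built
        Flags      = "$flags"
        Verdict    = $verdict
    }
}

# Usage (the path is an assumption):
Test-CertificateRevocation -Path 'C:\certs\signer.cer' | Format-List
```

`X509Chain.Build` returns true for a chain whose revocation status it simply could not determine only when the policy tolerates that, so the explicit `RevocationStatusUnknown`/`OfflineRevocation` test is what turns "the CRL server was unreachable" into a rejection instead of a silent pass.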
#21
Steevo
I still stand by that the user is the biggest security threat. I opened up NetBIOS broadcasts and set our remote location server (my old PC) to announce Master Browser. Guess how many hits an hour I got on our IP?

200+ unique IPs.

Talk about loading a gun and aiming it? Now what would happen if the standard home user bought a PC from someplace and it happened to be set up incorrectly? DSL modems or encapsulating programs are a way through or around.

Vista or no, the biggest threat is still users. Independent process control, execution control, but no user control. And once in, most will write it off as a minor slow down.
Posted on Reply
#22
Alec§taar
NTBugtraq said:
Have a look at http://www.rootkit.com/ for a list. NT Rootkit, by Greg Hoglund, was released initially in 1999. So saying there were ZERO in 2003 is just wrong.
Oh, they were around FAR before 1999 in the UNIX world, first of all & iirc, I stated that early on...

For Win32? You could be right there, because I hit that site also (rootkit.com) quite a bit...

There were proofs of concept code blocks for that there...

Still, the point was ARE THEY ON THE RISE AS FAR AS USAGE BY MALWARE AUTHORS?, as far as rootkit use being more prevalent than before & rising??

See this 2006 article (as just 1 example of agreement w/ my point):

Rootkits on the rise says McAfee

http://www.cbronline.com/article_news.asp?guid=8C8CB070-F7E6-4062-8081-EC4F596C717E

I tend to agree. They've been around for a while on NT-based OS', but they are more widely used now & rising in their usage by the "malware crowd"...

NTBugtraq said:
I think my point was missed here a little. PM relies on the technologies you cited (MIC and UIPI) to provide enforcement within IE. These technologies govern what a process does.
Exactly! In fact, the very article URL you put up states it, & the bolded portion above notes the 'salient' portion regarding what IE7 can do, or NOT do, regarding addons (Tools menu, separate executables OR libs w/ GUI interfaces, & yes, DLL's can have them too) & WHAT they can do when called from IE.

Again:

VISTA & its version of IE7, per the URL you cited? Does counter for THIS, here:

http://blogs.msdn.com/ie/archive/2006/02/09/528963.aspx

"Mandatory Integrity Control (MIC), a model in which data can be configured to prevent lower-integrity applications from accessing it. The primary integrity levels are Low, Medium, High, and System. Processes are assigned an integrity level in their access token. Securable objects such as files and registry keys have a new mandatory access control entry (ACE) in the System Access Control List (ACL)."

&

User Interface Privilege Isolation (UIPI) blocks lower-integrity from accessing higher-integrity processes. For example, a lower-integrity process cannot send window messages or hook or attach to higher priority processes. This helps protect against "shatter attacks." A shatter attack is when one process tries to elevate privileges by injecting code into another process using windows messages.


NTBugtraq said:
However, when IE prompts the user asking whether they want to install an ActiveX control (providing they’re a member of the Local Administrator’s group) PM then branches to objects that are outside of the PM.
For installation? Yes, but ONLY afaik for "in-process" libs/dlls (activeX controls/OLEServers)... ActiveX executables though, out of process ones? Self-register first time they are run!

For usage?? No... not typically when speaking of in process ones & especially NOT for out of process ones, as they 'self register' first time they are run (see "in process" vs. "out of process" & ActiveX controls online, or just read the following).

http://support.microsoft.com/kb/297279

NTBugtraq said:
The tasks passed can then do anything the user can do, with Administrative privilege.
For installation? Again - yes.

For usage??? No... see, as far as ActiveX controls???

You're NOT 'branching outside' of the IE process, TYPICALLY, when using ActiveX controls in a browser OR applications...

Usually, they are written as "In-Process calls", running in the same memory space as the browser (IE), or Application that uses them, & w/ reasons for performance (no "cross-process" messaging is why afaik/iirc).

Are there "out-of-process" calls to ActiveX/OLEServers possible? Yes... but w/ that comes overheads via passing messages across process boundaries in memory.

Would it help to STOP this from being a security problem, by using "out of process" COM/DCOM/OLEServer/ActiveX controls?

Yes, & it is used to NOT violate the calling process' memory space, but it has message passing overheads.

NTBugtraq said:
If this were not true it would be impossible for a user to install an ActiveX control, or modify registry/file settings that may need to be done from time to time (e.g. update an existing ActiveX control.)
Not "impossible", & especially for an ADMIN level user (this is why UAC is SO valued really, to limit what the logged on interactive user CAN do & we are in agreement there)... he can raise anyone's rights, including his own, to "SYSTEM ENTITY" privileges (almost).

Heck - you CAN elevate any user's rights really, to levels beyond std. "Administrator" even using secpol.msc's LOCAL POLICIES section, & once that is set, you can alter registry hives ACL's too & NTFS filesystem ones as well...

NTBugtraq said:
This is the “hole” in the PM. I’m not suggesting it’s flawed; only that it is present. And its presence does mean the PM is not truly a sandbox (and I’m not sure I’ve seen MS refer to it as such, to their credit.)
Could be, it wouldn't surprise me... this is new tech, & usually w/ new stuff, you get "holes" of some sort discovered.

NTBugtraq said:
Most malware that ends up on people’s systems gets there by the user double-clicking on something (not via Browser exploits), so as long as IE prompts people to take an action, they will. PM stops drive-by downloads and exploitation of some browser vulnerabilities (not XSS, for example), but if you consider the percentage of people who’ve been infected via IE versus other ways, it is, IMO, solving a very small problem.
Well, like Steevo stated? The user IS the weakest link... & I agree.

NTBugtraq said:
I have to assume we’re having a problem with the term “rootkits.” My definition is some code which is completely invisible to the user through normal inspection. So it has to be covert enough to not show up in Task Manager and/or Explorer and be invisible to AV. Otherwise, it's not a rootkit in my book. The term has become overly used to refer to anything that does backdoors, and/or covert command and control channels.
No, I never had a problem understanding what you meant by "rootkit" @ all, AND, thus, we are agreed on that note:

A rootkit is INVISIBLE typically, to the Win32 API afaik...

& as far as NTRootkit.com? Hehe, I've been taking "peeks" @ that site for a couple years now... amazing stuff.

NTBugtraq said:
Even before that there were discussions and Proof-of-Concept (PoC) code that exploited Alternate Data Streams (ADS) to hide themselves on disk (albeit not being able to hide the running process.)
Alternate Data Streams only survive on local drives though... they do not "stream" across the net... it isn't something to worry about as long as you don't haul in files that create them.

NTBugtraq said:
So we’ve had rootkits for a long time.
Not nearly as long as the UNIX world has had them though, was my point. They are a relatively "new" concept for attack vector on Win32 OS'...

NTBugtraq said:
I will, again, say IMO that the number of machines infected with completely undetectable malware components is not a significantly higher percentage than it was in 2003.
McAfee feels otherwise, as do I, per the article above.

NTBugtraq said:
FWIW, my employer (Cybertrust/ICSA Labs) manages the WildList.org site, which tracks In-the-Wild malware. You can have a look at the October 2006 data (latest posted) and get an idea of what’s out there. You can then lookup the names of the malware to see what it does.

http://www.wildlist.org/WildList/200610.htm
Decent reference, & I will take a peek @ it... never hurts to do so, to be aware of symptoms & just in general what is what.

NTBugtraq said:
This doesn’t mean that you can rely on AV to completely remove an infection. I agree that rebuilding after an infection is discovered is the Best Practice.
Agreed, unfortunately... lol!

NTBugtraq said:
Do you give up what Active Scripting and ActiveX provides to the average person on a site (usually a better experience) because we fear such a small risk? Or, do we do a better job of educating our users to ensure they don’t end up at 1 of the 10,000, or 100,000, criminal sites? Do we take the time and resource we put into patching and apply it to better Group Policy Object definition, or better proxy/IDS (Intrusion Detection System)/IPS (Intrusion Prevention System) filters? Do we instead focus on the few people in a company who, typically, repeatedly get infected versus the balance who never do?
A bit of both...

NTBugtraq said:
There are so many ways to lower that Risk number without ever having to patch anything…honestly.
Agreed: "An ounce of prevention is worth a pound of cure"... & I agree: By NOT using Java/JavaScript & ActiveX controls or Active Scripting alone on the PUBLIC internet? I never suck any bad stuff in really.

Other stuff too... by not allowing adbanners in here I save myself that as well, and practicing using ONLY RichText or Text as my default email read format & FAR more.

(Done via HOSTS files blocking of known adbanner servers, using IE restricted sites, & also special cascading style sheets used as my "user style" here, I filter them out also as my proxy... why? They've been shown to harbor malware, believe-it-or-not... typically, they don't, but they have been shown to!)

NTBugtraq said:
>I set up a pal's machine on XP 2 days ago; we got nearly INSTANTLY "hit" w/ a "Messenger Service" 'attack'

Well, you must have done something wrong as XP SP2 installs by default with the Windows Firewall enabled, meaning Messenger shouldn’t have been exposed!
This wasn't SP #2... it was an original XP disk...

(He's in school, & not for comp. sci.... he just needs to write papers, & WordPad is enough for that).

NTBugtraq said:
Alternatively, had you installed attached to any of the $50 routers, Wireless Access Points (WAP) or Cable Modems, you’d have what we call “Default Deny” enabled and it wouldn’t have got past it.
No router/NAT "Firewalling" router... just std. connection. He's LITERALLY a "poor student", albeit one looking to better his life.

APK

P.S.=> GOOD discussion, & good review... apk
Posted on Reply
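The MIC and UIPI description quoted in the post above, exercised as an added PowerShell example (not code from the MSDN article or from either poster). It runs on Vista or later using only built-in tools (`icacls.exe`, `whoami.exe`, `cmd.exe`): it labels a directory Low, starts a Low-integrity process by running a copy of `cmd.exe` whose image carries a Low label (the child token gets the lower of the parent's and the image's level), and shows the No-Write-Up policy: the Low process cannot create a file in an implicitly Medium directory but can in the Low one, while the Medium PowerShell session writes to both. The paths under `$env:TEMP` are assumptions for illustration.

```powershell
# Added example: Mandatory Integrity Control labels and No-Write-Up, Vista and later.
# Uses icacls.exe, whoami.exe and cmd.exe only; test paths under $env:TEMP are assumed.

function Get-IntegrityLabel {
    # icacls prints the mandatory label ACE as "Mandatory Label\<Level> Mandatory Level:(NW)".
    # Objects with no explicit label are treated as Medium, so that is the fallback.
    param([Parameter(Mandatory)][string]$Path)
    $out = & icacls.exe $Path 2>&1 | Out-String
    if ($out -match 'Mandatory Label\\(\w+) Mandatory Level') { return $Matches[1] }
    return 'Medium'
}

function Set-IntegrityLabel {
    # Writes the SYSTEM_MANDATORY_LABEL ACE into the object's SACL; the policy icacls sets
    # is the default No-Write-Up, i.e. callers below the label cannot modify the object.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][ValidateSet('L', 'M', 'H')][string]$Level   # Low / Medium / High
    )
    $null = & icacls.exe $Path /setintegritylevel $Level 2>&1
    return (Get-IntegrityLabel -Path $Path)
}

# 1. One directory labelled Low, one left at the implicit Medium.
$lowDir = Join-Path $env:TEMP 'mic_low'
$medDir = Join-Path $env:TEMP 'mic_med'
New-Item -ItemType Directory -Force -Path $lowDir, $medDir | Out-Null
Set-IntegrityLabel -Path $lowDir -Level L | Out-Null
"low dir label : $(Get-IntegrityLabel -Path $lowDir)"   # Low
"med dir label : $(Get-IntegrityLabel -Path $medDir)"   # Medium (no explicit ACE)

# 2. A Low-integrity process: a copy of cmd.exe whose image is labelled Low.
#    CreateProcess gives the child the lower of the parent token's level and the image's level.
$lowCmd = Join-Path $env:TEMP 'cmd_low.exe'
Copy-Item "$env:SystemRoot\System32\cmd.exe" $lowCmd -Force
Set-IntegrityLabel -Path $lowCmd -Level L | Out-Null
& $lowCmd /c 'whoami /groups | findstr /i Mandatory'       # ... Mandatory Label\Low Mandatory Level

# 3. No-Write-Up: the Low process cannot create a file in the Medium directory, but can in the Low one.
& $lowCmd /c copy NUL "$medDir\probe.txt" 2>&1 | Out-Null
"Low process -> Medium dir : $(if (Test-Path "$medDir\probe.txt") { 'ALLOWED' } else { 'DENIED' })"
& $lowCmd /c copy NUL "$lowDir\probe.txt" 2>&1 | Out-Null
"Low process -> Low dir    : $(if (Test-Path "$lowDir\probe.txt") { 'ALLOWED' } else { 'DENIED' })"

# 4. The policy is one-directional: this (Medium) session still writes into the Low directory.
Set-Content -Path "$lowDir\from_medium.txt" -Value 'ok'
"Medium session -> Low dir : $(if (Test-Path "$lowDir\from_medium.txt") { 'ALLOWED' } else { 'DENIED' })"

Remove-Item -Path $lowDir, $medDir, $lowCmd -Recurse -Force
```

This is exactly the boundary Protected Mode IE sits inside: the Low-labelled browser process can read Medium objects but cannot write them, and UIPI separately stops it from sending window messages up to Medium windows. It is also why the boundary has the "hole" Russ points at: anything that runs after the user clicks through an install prompt runs at the user's own level, outside the label.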
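The Alternate Data Streams exchange above (NTBugtraq's PoC remark and the reply that follows), as an added PowerShell example that is not code from either poster. It hides a second stream behind an innocuous text file, shows that the file's reported size does not include it, and provides a scan that walks a directory tree and reports files carrying streams other than the unnamed `:$DATA` stream and the benign `Zone.Identifier` marker. It needs PowerShell 3 or later for `-Stream`; the paths under `$env:TEMP` are assumptions.

```powershell
# Added example: creating, listing and hunting NTFS Alternate Data Streams (PowerShell 3+).
# Paths under $env:TEMP are assumed; the hidden content is constructed for the demo.

function Get-ExtraStreams {
    # Every named stream on a file except the unnamed ':$DATA' one. Zone.Identifier is the
    # mark-of-the-web stream Explorer/IE write on downloads, so it is reported but flagged benign.
    param([Parameter(Mandatory)][string]$Path)
    Get-Item -LiteralPath $Path -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            [pscustomobject]@{
                File   = $Path
                Stream = $_.Stream
                Bytes  = $_.Length
                Benign = ($_.Stream -eq 'Zone.Identifier')
            }
        }
}

function Find-HiddenStreams {
    # Walks a tree and reports files with a stream that is neither :$DATA nor Zone.Identifier,
    # which is how a payload stashed behind a harmless-looking file shows up on disk.
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ExtraStreams -Path $_.FullName } |
        Where-Object { -not $_.Benign }
}

# Demo: an innocuous text file with 4 KiB hidden in a second stream.
$dir  = Join-Path $env:TEMP 'ads_demo'
$file = Join-Path $dir 'readme.txt'
New-Item -ItemType Directory -Force -Path $dir | Out-Null
Set-Content -LiteralPath $file -Value 'nothing to see here'
Set-Content -LiteralPath $file -Stream 'payload' -Value ('X' * 4096)   # constructed hidden content

# Explorer, dir and Get-ChildItem report only the main stream; the hidden bytes are not counted.
"visible size : $((Get-Item -LiteralPath $file).Length) bytes"
Get-ExtraStreams  -Path $file | Format-Table -AutoSize     # :$DATA filtered out, 'payload' listed
Find-HiddenStreams -Root $dir | Format-Table -AutoSize     # readme.txt : payload

# Reading the stream back by name; 'dir /r' in cmd.exe shows the same thing.
(Get-Content -LiteralPath $file -Stream 'payload').Length   # 4096

# Streams are an NTFS attribute: copying to a non-NTFS volume or through a transfer that only
# carries the main stream drops them, so a copy taken elsewhere may look clean.
Remove-Item -LiteralPath $dir -Recurse -Force
```

Running `Find-HiddenStreams` against a user profile or web root is a cheap periodic check; on a clean box the hits are almost all `Zone.Identifier`, which is why the scan filters it out rather than treating every extra stream as suspicious.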
#23
Ketxxx
Heedless Psychic
Let's not forget, as M$ are trying to badge Vista as THE gaming OS, that OGL isn't supported, making games like Q4 look like crap. I don't remember the exact details but hardware sound or something along those lines has been ditched as well - meaning your very expensive X-fi card or X-Meridian, or Prodigy 192 or the like is no better than your standard AC97 CODEC.

Vista can go to hell in a nutshell. I have some coder buddies who are hacking DX10 apart as I type intending to make it work with XP.

Vista isn't a step forward, it's several steps back.
Posted on Reply
#24
Alec§taar
Ketxxx said:
Let's not forget, as M$ are trying to badge Vista as THE gaming OS, that OGL isn't supported, making games like Q4 look like crap.
Yup, "Z" showed us an example of that, iirc... & it is what is holding me back from using VISTA here period.

I like OpenGL...

:)

* BUT, iirc as well, I think MS is 'backpedaling' now in regard to this & has a method of making OpenGL display 'natively' as it does in NT/2000/XP/Server 2003 as well, but you have to MANUALLY install it again...

(Correct me here if I am wrong, but I remember we had discussions about that here @ some point earlier on)

APK
Posted on Reply
#25
Ketxxx
Heedless Psychic
Indeed we have. Would be nice to dig up more info on this Vista sound thing too. It's a rather important point, but has been somewhat hidden. Don't know about the masses of Prodigy, X-Meridian and X-Fi owners, but I know I'd be PISSED if I got Vista, then realised none of my VERY EXPENSIVE soundcard hardware features would actually be utilised via hardware.
Posted on Reply