31 posts • joined 10 Aug 2007
Re: The retail license changed, too
ASLR is supported in Vista and later (in Windows). But that doesn't mean all software necessarily opts into that capability, unless you force the issue with something akin to Microsoft EMET.
Further reading on the subject: the U.S. CERT's security shootout between various versions of Microsoft Office and OpenOffice: http://www.cert.org/blogs/certcc/2011/04/office_shootout_microsoft_offi.html The third graph on the page delivers the message pretty clearly. They also cover some other aspects, such as the updating mechanisms. I could remark on some other security aspects, like the ability to specify and enforce MS Office security configurations using Group Policy and Security Configuration Editor, but it would make for a long reply ;)
As for Java security, if a JRE is installed as part of the package, then I see the risk for it to end up enabled in web browsers, which has proven to be a prime attack vector in real life (Flashback botnet on Macs, exploit kit attacks on Windows, etc). I'm not comfortable with having it installed, period.
The retail license changed, too
The perpetual license has become less perpetual. Now it's only valid for the first computer it's activated on. It can't be transferred. Period. And unlike previous retail versions, one 2013 license cannot be installed on the same user's desktop and laptop. That would require buying a second license. Ouch. I'm not one to obsess about the up-front cost, but that's a bitter pill to swallow. Someone at Microsoft is doing their very best to discourage the traditional perpetual license scheme.
To the people touting OpenOffice or LibreOffice, you might be surprised if you audited how much of the code is not taking advantage of ASLR and other security features. And last I checked, OpenOffice will try to cram Java down your throat. Nice try, but given Java's security record, that's a non-starter.
1. You can format the hard drive during the installation of an Upgrade if you wish. Obviously this fixes the unstable-upgrade scenario at the cost of having to reinstall and reconfigure software.
2. You can get the Personal Use license if you want the full version, with transfer rights. I believe this will be revealed after launch, and be available directly from teh Microsoft.
Re: So I shell out for the full version of the OS...
They have a version coming just for you. The System Builder license with the Personal Use license. Apparently Microsoft will sell this directly. Transfer to your heart's content.
Re: But system builder licenses
Until now. See yonder article: http://www.zdnet.com/microsoft-radically-overhauls-license-agreements-for-windows-8-7000002866/
Re: windows 8 hum
Security advancements. High-entropy ASLR, AppContainer, Safeboot (on supporting hardware, anyway)... when preparing to be besieged by the bad guys for the next 5-10 years in an increasingly digital world, I'd prefer to have Win8.
Re: That pretty much screws people who build their own PCs.
Wny not? The new security advancements? The cloud features? The SSD performance tweaks? The system-builder license that can be transferred to my new computers legitimately? Yeah, I'd hate to have any of that nonsense.
If you don't like the new UI, smack Classic Shell or Start8 onto it. Tada! A reasonable approximation of ________ (your favorite Windows version's interface) with the latest security enhancements under the hood.
The article here is incorrect, if they're right at ZDNet:
System Builder licenses can be transferred.
Re: Physical Access
I think an important case is being overlooked here: EFS-encrypted files. If an attacker has the laptop in their posession, they need the user's password in order to log in as that user and see that user's EFS-encrypted files. If the attacker changes the account's password from a different account, those EFS-encrypted files can no longer be opened, since the certificate went *POOF* when the password was changed from "outside" the account. For example, starting the system in Safe Mode and using the built-in Administrator account to reset or remove the user's password would permanently lock down that user's EFS-protected files.
But if an attacker can exploit AuthenTec's feeble encryption, they can get the user's password, log in as that user, and access that user's EFS-encrypted stuff. If you don't use EFS, then no harm, no foul. If you do, there's probably a good reason for doing so, and you don't want to be leaving easy workarounds laying about.
They do have some good security advancements under the hood that Win7 isn't likely to get. High-entropy ASLR and declarative permissions for apps, for example. Enhanced Protected Mode on IE also looks promising.
I don't like the new I-can't-make-up-my-mind UI, but if I can use one of the utilities mentioned in the article to get a fair approximation of the traditional Windows UI, then I'm interested. I think Microsoft will eventually recognize their two-faced UI as the Mother Of All Goof-ups, and trot out an option pack that basically does what these third-party fixes do: let the customer decide for themselves.
Re: Hold on there...
To be more succinct, in that scenario, the attacker needs the user's encryption certificate that was used to encrypt the EFS-protected files. And that certificate is unique to that user account, and will be invalid if the account's password is forcibly changed.
So let's say I find your lost laptop, start it in Safe Mode, log in as the system's built-in Administrator (blank password by default), and change your user account's password to something I know. Now I can log on as you, but I've lost access to your EFS-protected files forever, because I changed your password from another account.
This is where the attacker would see "OH, it has a fingerprint scanner... let me try that no-brainer UPEK workaround I read about," and could then access your password, log in as you, and have the keys to the kingdom including your encrypted files.
I have a half-dozen systems using the affected software myself. I'm not lying awake at night about this, but I look forward to a fix in due course.
...plus Sandboxie. Then you'd be getting somewhere. Remember that one of your trusted sites can become compromised, and there goes your NoScript protection. Statistically, more than half the malicious websites out there are legit sites that got compromised.
FireFox's lack of sandboxing or Low-integrity operation is hard to excuse.
" Enterprises aren't going to go anywhere near it without any sort of LTS version. "
That, and central manageability / enforcability / patching / auditing. I think Mozilla is on the record as being Officially NOT INTERESTED in the enterprise market, though. So it's IE and Chrome's game for now (on Windows).
...but will they get on the Low-integrity/sandbox bandwagon?
I think they should prioritize mitigation features. As it is, they're still running the browser with the user's Integrity level (on Windows Vista/7), so they're right up there with... uh... Internet Explorer 5 & 6.
If you need Java to do your job, then 1) make sure it's up-to-date, and 2) make sure it's only permitted to run on the sites where it's needed. If you use IE and have Admin privileges available, you can do this by arbitrarily disabling Java in the Internet Zone. Then set the Trusted Zone security to Medium-High and add the necessary sites to it. Now test your config using a Java-driven site like www.time.gov (click a time zone).
I'll also add 3) use Microsoft's EMET to add mitigations to Java.exe, as well as your web browsers, media players, PDF software, and other Internet-facing software.
Java-free and glad of it
"All it takes is one bad website to get Flash or Java open, and all your carefully crafted privacy defences are wiped out."
In regards to the browser's privacy/security-zones settings, they're enforced by GPO.
Regarding Java, part of the reason it's such a pariah was illustrated nicely by Dino Dai Zovi in slide #10 of his "Attacker Math 101" presentation. It's an easy way to leapfrog the mitigations of the browser, escape the sandbox and integrity restrictions in the case of Chrome or IE, and move right on with the attack. You can get the PDF from here if interested: http://trailofbits.com/2011/08/09/attacker-math-101/ I'm glad to report my small fleet is Java-free.
Regarding NoScript, or the equivalent use of Zones in IE, the fatal flaw is that over 50% of the malicious websites in the world at any given time, are normally safe. If The Reg is on my "approved" list and they get hacked... game over.
@ Keith T re: SRP
You noted that "Restricting by path or zone won't work since an administrator could easily approve or install trojan infected approved software by mistake, and if an admin didn't, then an admin ID could." This is technically true, but if you refer to the 10 Immutable Laws Of Computer Security, laws #1 and #6 apply. If the Admin rights are in the hands of untrustworthy users, then the game is over regardless.
So I personally use the Catch-22 of path rules: only allow non-Admins to execute from the Windows and Program Files directories, where they cannot put new files (malicious or otherwise). They (or exploits acting on their behalf) cannot save trojans to locations they can execute them from, unless a privilege escalation to Admin or System privileges is part of the plot. So your average user stumbling into poisoned search results, or being bullied into executing a fake "Flash Player update," is protected by a very strong safety net that doesn't depend on signature updates or even heuristics. Arbitrary, simple, elegant, and paid for.
A layered defense is always best, but this is a very potent last line of defense, and one I'm not sure is given much recognition.
I use SRP
My approach to whitelisting on Windows boxes is to use Software Restriction Policy. Set it to "disallowed by default" and apply it to non-Admins, and the net result is that the users (being non-Admins) can use what the Admin installed, but can't execute anything else. Trojans, exploit payloads, AutoPlay attacks, all go right out the window.
There are some gotchas; for example, Adobe Reader's auto-update mechanism errors out unless a custom hash rule or path rule allows its update file to be executed from its non-approved path (which could be done via GPO if necessary). The LNK filetype must be allowed or desktop links break. Elevating stuff to run as Administrator with a right-click will allow the Admin to do most stuff from the non-Admin's account, but .MSI and .MSP files must be launched from a command prompt since their right-click doesn't have a run-as-Admin option. Another gotcha is that the Home versions of XP/7/Vista don't have a Local Group Policy and therefore don't have the SRP option.
Overall, for the game-changing improvement in security, these are prices I can afford to pay in our small-time operation. No additional licensing, updates, approximately zero performance impact, and difficult-to-impossible for the average user to bypass or disable.
Vista support ends 4/11/2017
Based on the author's inane speculation that Vista support will end before WinXP support does, I suggest a different line of work. Namely, one where it's safe to make wild speculations in place of two minutes of research.
To wit: http://support.microsoft.com/lifecycle/?LN=en-us&p1=11707&x=6&y=12
Software Restriction Policy would make an excellent first (or last) line of defense. I have some info on that at mechbgon.com/srp showing how you'd set up the Catch-22 of SRP + LUA.
Schedule updates as you please
You can set up a scheduled task to run MpCmdRun.exe -SignatureUpdate to update the definitions at startup (or whenever you like). Use the SYSTEM account (blank password).
I guess it's a good thing...
...that I configure Protected Mode to be enabled for all the Zones, including the Local Intranet Zone.
Every computer has an Admin
I use SRP at home as well as at work. The average Reg reader should be able to handle it, it's not that tough.
Use SRP already!
Software Restriction Policy would arbitrarily shut that attack vector down. Available since WinXP. I think it must be the best-kept security secret evar.
Not their first epic fail, either
I remember when VirusScan Enterprise false-positived on excel.exe back in 2006, and deleted everyone's Excel executables on our fleet. Fortunately, Office had been installed from an Administrative Installation Point, so it repaired itself on-the-fly.
Aero versus Aero Glass
Quote: "It [presumably Vista Home Basic] doesn't even have the Aero interface of the others, a fact that has landed Microsoft in legal hot water with customers who feel cheated."
Actually, Vista Home Basic uses the Aero interface by default, just not Aero Glass.
"Serious free security software," eh?
Quote: "If you need MS O/S for games, then install the cheapest version you can afford and remove all the pretend crud they put in it, then install some serious free security software, written by people who do genuinely care about their users!"
Ironically, you can do more to secure Windows by using the built-in features of Windows, than by installing layer upon layer of free security software. If you want to build a security solution, that's the bedrock to build upon. If you'd like a suggested plan, see http://www.mechbgon.com/security . I have considerable malware-hunting experience, as well as sysadmin experience, and these suggestions have passed extensive "live-fire testing," so... horse, meet water.
Quote: "I'm a software engineer (albeit Linux) and even I don't understand this straight off. What's Joe Public gonna make of it?"
I agree that most people are not very good at following printed instructions. Would a YouTube video help? http://www.youtube.com/watch?v=kzj8_n8uMGg
No catchy name, but...
...controlling active scripting in Internet Explorer (and their potential abuse & consequences) has been available for about ten years now, starting with IE 5.01 if I recall correctly. It just requires about 30 seconds of adjusting your Zones settings to your preferences. That holds true for ActiveX and Java as well.
Those who'd like to do so can simply set the Trusted Zone to Medium-High security (the same baseline as the Internet Zone's default setting in IE7) and disable the HTTPS requirement for Trusted Zone sites. Next, change the Internet Zone to disallow Java applets, active scripting, ActiveX and whatever else. Add trusted sites to the Trusted Sites zone as desired.
Is it maintenance-free? Certainly not, but neither is NoScript, so pick your poison. The kicker is, you can set this for hundreds or thousands of computers at once with a Group Policy setting if you wish, and make it stick whether the users like it or not.
As usual, the pundits forget about manageability :)
Internet Explorer offers central configuration & enforcement of settings and preferences using Group Policy. The "competition": sorry, you're at the mercy of your users. Want to lock out a particular browser add-on RIGHT NOW due to the emergence of a major security risk? With IE and Group Policy, that's possible.
IE offers central patching using WSUS (among other methods). The "competition": your team gets to go visit every desktop in person, unless you want to leave the work to your users.
IE is easy to audit, fleet-wide, using Microsoft Baseline Security Analyzer to identify systems with insecure browser settings or unpatched browsers. Competition... "uh, no, who do you think we are, Microsoft or someone?"
If this weren't The Reg, maybe the overwhelming home-user perspective would be more understandable. When it comes to the I.T. arena, I think efficient manageability and auditing is extremely important, and I see no viable competitors to Internet Explorer in that realm, even after all these years. If the competition wants to be taken seriously in the I.T. space, waking up to the need for efficient manageability would really help their case.
You have my sympathies. I relish the thought of those developers finally being forced to face reality someday (or fired). If you haven't already done so, you might see if Software Restriction Policy has something to offer you on WinXP and Vista clients:
Zlob is not DNSChanger, and furthermore...
The EULA shown here is not the one that an end user would see if he were suckered into installing running the hotelcodec Trojan from an actual affiliate site. It's just the EULA you see if for some reason you go straight to hotelcodec.com and download the dummy file like a newbie. ;)
The "real" hotelcodec.com Trojans are DNSChanger. Zlob is not "aka DNSChanger"; they are different families, although the tactic used to get users to run them is the same.
As for hotelcodec.com being blacklisted, it is already more than halfway through its lifecycle (the Zlob and DNSChanger gangs typically rotate the hosting domains out after just a few days), and SiteAdvisor's glacial 2-4 week reaction time is far too slow to be much use against current "live" Zlob and DNSChanger domains. Too little, too late. I specialize in doing SiteAdvisor reviews on Zlob and DNSChanger, so this is a bit frustrating ;)
The best blanket defense against these Trojans, aside from user education, is the one that's free, doesn't need definiton updates, and is already sitting there waiting to be put into effect: non-Administrator user accounts. http://www.mechbgon.com/security2.html
- Analysis Oh no, Joe: WinPhone users already griping over 8.1 mega-update
- Opportunity selfie: Martian winds have given the spunky ol' rover a spring cleaning
- OK, we get the message, Microsoft: Windows Defender splats 1000s of WinXP, Server 2k3 PCs
- Spanish village called 'Kill the Jews' mulls rebranding exercise
- NASA finds first Earth-sized planet in a habitable zone around star