Showing posts with label microsoft. Show all posts

Microsoft updates in Excel format

Someone asked me about this today, so I thought I'd add a link. For a while now Microsoft have regularly published an Excel spreadsheet with all the details on their patches. It is quite useful as a quick reference!

It's available here under "Download Detailed Bulletin Information", or the direct link is here.


autopwn

Microsoft have recently released an advisory, "Microsoft Security Advisory (2286198): Vulnerability in Windows Shell Could Allow Remote Code Execution", for a new 0-day that is currently being exploited.

While it can be exploited via network or WebDAV shares, removable drives are the most likely vector for exploitation. A big part of that is our old friend AutoRun, which has caused problems before.

If you haven't yet disabled AutoRun in your organization, I strongly suggest you look into it. Microsoft have some details on how to accomplish this here.

Also, I recently stumbled across this little gem from ex-MS (now Amazon) security guru Steve Riley:

Well, it turns out that Windows will override this setting if you insert a USB drive that your computer has already seen. I received an email from Susan Bradley that links to an article on Nick Brown's blog, "Memory stick worms." Nick mentions the MountPoints2 registry key, which keeps track of all USB drives your computer has ever seen. I'll admit, I didn't know this existed! I'm glad Nick wrote about it, though.

Nick also includes a little hack that effectively disables all files named "autorun.inf." Interesting, but something in me prefers to make Windows just plain forget about all the drives it's seen. So now I will amend my instructions. In addition to what I wrote earlier, you should also write a small script, and execute it through group policy, that deletes the following key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

I hadn't seen that registry key mentioned before, but it looks well worth investigating...
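Putting the quoted advice into a script (an added example, not code from Steve Riley's or Nick Brown's posts): a per-user logon script, deployable through Group Policy, that forgets every remembered drive by removing MountPoints2 and sets Microsoft's documented NoDriveTypeAutoRun policy value to 0xFF. The function names are my own; the registry paths and the value name are real.

```powershell
# Added example: per-user AutoRun hardening, intended to run as a Group Policy
# logon script (it touches HKCU, so it must run in the user's context).
# Function names are mine; the registry paths and NoDriveTypeAutoRun are real.

$MountPoints2 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
$PolicyKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Clear-RememberedDrives {
    # Explorer caches per-drive state here, and a cached entry can let an
    # already-seen USB stick bypass a later AutoRun change. Remove the lot and
    # return how many entries were forgotten. Explorer recreates the key as new
    # drives appear, which is why this should run at every logon.
    if (-not (Test-Path $MountPoints2)) { return 0 }
    $count = @(Get-ChildItem -Path $MountPoints2).Count
    Remove-Item -Path $MountPoints2 -Recurse -Force
    return $count
}

function Set-AutoRunDisabled {
    # 0xFF disables AutoRun for every drive type (Microsoft's documented value).
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name 'NoDriveTypeAutoRun' -PropertyType DWord `
                     -Value 0xFF -Force | Out-Null
}

function Test-AutoRunHardened {
    # $true only when the policy value reads 0xFF and no drive cache remains.
    $p = Get-ItemProperty -Path $PolicyKey -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue
    $policyOk = ($p -ne $null) -and ($p.NoDriveTypeAutoRun -eq 0xFF)
    return ($policyOk -and -not (Test-Path $MountPoints2))
}

$forgotten = Clear-RememberedDrives
Set-AutoRunDisabled
Write-Output ('Forgot {0} remembered drive(s); AutoRun hardened: {1}' -f $forgotten, (Test-AutoRunHardened))
```

A machine-wide value of the same name under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer takes precedence over the per-user one; this script covers the per-user drive cache the quote is concerned with.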

Last Accessed Timestamps

I was speaking with Microsoft Tech Support recently about some disk performance issues and an interesting point came up. On large NTFS volumes, Enhanced Write Filter performance can be sped up by a registry change that disables the last access date/time stamps. This stops the last access information being written to each file as it is accessed, resulting in faster disk read access:

In the Registry, create HKLM\System\CurrentControlSet\Control\FileSystem\Disablelastaccess and set to 1.

(You can also run an fsutil command on Windows 7/2008: fsutil behavior set disablelastaccess 1.)

Microsoft like this idea so much that the default setting in Windows 7 and Windows Server 2008 is to have last access disabled (something I have verified on my Windows 7 laptop and in a Windows Server 2008 Standard VM).

This has interesting repercussions for security and computer forensics personnel. If nothing else, when left at the default settings, it removes a tool from the investigation arsenal.
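As an added check (not from the original post) for an examiner who wants to know, before relying on access times, whether a host records them: the script reads the value that fsutil behavior set disablelastaccess writes, NtfsDisableLastAccessUpdate under the FileSystem key, reports what it means, and can switch updates back on for forensic readiness. The function names are my own.

```powershell
# Added example: audit (and optionally restore) NTFS last-access updates.
# Assumes the value name NtfsDisableLastAccessUpdate, which is what
# "fsutil behavior set disablelastaccess" writes; function names are mine.

$FsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'

function Get-LastAccessState {
    $p = Get-ItemProperty -Path $FsKey -Name 'NtfsDisableLastAccessUpdate' -ErrorAction SilentlyContinue
    if ($p -eq $null) {
        # Value absent: NTFS then updates access times (the pre-Vista default).
        return New-Object PSObject -Property @{ Raw = 'absent'; Disabled = $false; Managed = 'user' }
    }
    # Keep the DWORD as-is (it may read negative if the high bit is set);
    # bit 0 is the on/off switch: 1 = updates disabled. Newer Windows 10
    # builds add values 2/3 meaning "system managed"; bit 0 keeps its meaning.
    $raw = $p.NtfsDisableLastAccessUpdate
    $managed = 'user'
    if ($raw -band 2) { $managed = 'system' }
    return New-Object PSObject -Property @{
        Raw      = ('0x{0:X}' -f $raw)
        Disabled = (($raw -band 1) -eq 1)
        Managed  = $managed
    }
}

function Set-LastAccessUpdates([bool]$Enable) {
    # Same command as the post, flipped by the switch. Must run elevated;
    # confirm afterwards with: fsutil behavior query disablelastaccess
    $value = '1'
    if ($Enable) { $value = '0' }
    & fsutil behavior set disablelastaccess $value | Out-Null
    return Get-LastAccessState
}

$state = Get-LastAccessState
if ($state.Disabled) {
    $msg = 'Last-access updates are OFF (raw {0}, {1} managed): access times on this host cannot show recent use.'
    Write-Warning ($msg -f $state.Raw, $state.Managed)
} else {
    Write-Output 'Last-access updates are ON; NTFS still flushes them to disk lazily (up to an hour), so on-disk values may lag.'
}
# Forensic readiness: uncomment to turn updates back on before an investigation.
# Set-LastAccessUpdates -Enable $true
```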

Windows Computer Investigation Guide

During my current Digital Forensics study I recently stumbled across a guide from Microsoft entitled the "Fundamental Computer Investigation Guide for Windows", which is a download containing the basic Microsoft guide, a sample Internal Investigation Report, a sample Chain of Custody document and a sample Impact Analysis document.

Although at 55 pages the guide isn't going to make you a forensics guru, as a free starter's guide it hits all the main points we've learnt so far: initially assessing the situation, obtaining authorization, reviewing any policies or legal restrictions, being thorough and methodical in the assessment, acquisition of data, analysis of the data and reporting on the findings. It also contains an applied scenario to tie together all the points previously discussed (set at Woodgrove Bank, an organization that, along with Tailspin Toys and Contoso, will be all too familiar to those who've done a few Microsoft exams).

The tools referenced in the guide are generally all included in the OS or are free Sysinternals tools, such as Filemon, Portmon, Process Explorer, etc., although EnCase and FTK are mentioned for performing a bit-wise acquisition.

While Microsoft do get bashed about a lot of things (and security in particular), I am always surprised at the sheer amount of material they generate and freely distribute. If you deal with Windows and aren't familiar with the Sysinternals tools, I recommend checking them out.

COFEE vs DECAF

I'm currently studying Digital Forensics and a recent bit of Google-inspired research led me to one of the big stories of late last year (which I vaguely remembered), where a Microsoft forensic tool designed for use by law enforcement called COFEE (Computer Online Forensic Evidence Extractor) was leaked on the internet.

Given the prevalence of computer-based crime and the level of skill required to perform proper forensic analysis, it makes sense for Microsoft (or someone else) to develop a simple-to-use wrapper for what apparently was a number of common forensic tools available elsewhere on the internet.

The reaction to the leak seems to have been mixed, ranging from Microsoft claiming they weren't bothered by the release of the software (although noting it is licensed for use by law enforcement only) to someone developing a counter-forensic tool called (of course...) DECAF. What was the thinking in creating this counter to COFEE? One of the developers said:

"We saw Microsoft released COFEE and that it got leaked, and we checked it out," the man said. "And just like any kid's first day at the fair, when you walk up to that cotton-candy machine and it smells so good and you see it, it's all fluffy – just so good. You get up there and you grab it and you bite into it, it's nothing in your mouth.

"That's the same thing we did with COFEE. So, knowing that and knowing that forensics is a pretty important factor, and that a lot of other pretty good forensic tools are getting overlooked, we decided to put a stop to COFEE."

This argument seems fairly disingenuous, as COFEE hardly seems to have been aimed at replacing any existing tools, but simply at making them easier for a less well trained law enforcement operator to use in order to gather crucial forensic evidence. The fact the tool was released by Microsoft probably had more to do with creating a counter-tool than noble thoughts of 'better tools being overlooked'.

No matter what the task, there is almost always a 'better tool', whose use might not be desirable because of cost, complexity or the expert knowledge required to operate it. Much of the history of software innovation has been about making complex tasks easier so more people can perform them, Windows being the prime example, as it took desktop computers from the realm of geeky hobbyists to mainstream use in businesses and in homes. While simplifying (or, as some may call it, 'dumbing down') tasks may grate on the nerves of some, it is an inevitable and, in many ways, desirable end goal.

IE? Nein! Nein!

No, Microsoft haven't released a successor to Internet Explorer 8 (yet!).

The Australian is reporting that the French and German governments have warned people against using Internet Explorer due to the (as yet unpatched) security vulnerabilities that were allegedly exploited by the Chinese Government in cyberattacks against Google.

While I applaud any government effort to help ensure their citizens are provided with information on how to stay safe online, how to detect and avoid phishing attacks, etc., I'm not sure I can agree with a government picking out (or picking on) a particular piece of software.

Microsoft certainly has had a number of long-running legal battles with the European Union, the most recent over their alleged browser monopoly, which was dropped after Microsoft agreed to include up to 12 other browser choices in European versions of Windows. Have this recent case and previous legal entanglements coloured the judgement of certain European government officials?

Microsoft are always the bad guys, the evil empire, the 800-pound gorilla, the easy target. It's something that comes with the territory of being so dominant in an industry. Windows and Internet Explorer have a less than stellar security record, but one that has been improving greatly since the start of their major 'Trustworthy Computing' security initiatives back in 2002.

Are they perfect? No. But no software vendor is (or is even close!), as every major vendor regularly releases security patches. Will these same governments recommend users stop using Acrobat next time Adobe faces a 0-day vulnerability? Or stop using Safari? Or Firefox?

The high-profile nature of the Google-China standoff (and I don't know what's worse: Google withdraws and the Chinese people are punished, or China backs down to Google...) has thrust browsers and vulnerabilities back into the limelight for 5 minutes, and I think some politicians want to have their soundbite heard. I think their time and effort would be better used in continuing education for their end users and letting them decide for themselves what software they want to use once they understand all of the risks involved.

The danger in pointing the finger at Microsoft and Internet Explorer is that it doesn't address the fact that these sorts of attacks are out there and all software has flaws. It may give those people who do swap to Firefox or Safari a false sense of security 'because they're not using IE' (in much the same way I am critical of Apple's security attacks on Microsoft that paint OS X/Safari as being free of security problems). It seems to me to be a pretty shortsighted approach (but we are dealing with politicians, right?).

Or maybe it's an EU thing and they want everyone using Opera instead?

*EDIT*
While there seem to have been plenty of hysterical articles about dropping IE and changing over to (insert favourite browser) NOW!, this one is much more balanced and sensible.
