windows

On Roger's Information Security Blog, Roger posted an article about the challenges in getting his company to remove local admin rights from their users. It got me thinking about the issue, and how problems with administrative rights extend beyond just Information Security. Here is a list of arguments for using limited user accounts that I came up with:

Benefits:

• Limits the impact of viruses, worms, and other malicious software

Search for "Vista UAC" and you'll find a number of sites which tell you how to disable UAC prompting in Vista - within the top ten results.  What if it was possible to get the advantages of UAC without the explicit (and in some cases, excessive) prompting?  In at least some cases, it may be.

[Note that I'm going to be revising this article in the near future, as it doesn't reflect the whole picture] 

Inevitably when discussing the merits of Open Source Software (OSS) vs. propritary software, the (in)security of Microsoft products is brought up.  I've gathered vulnerability numbers from Secunia, and did some non-scientific analysis on them.

I compared vulnerabilities in 2005 for operating systems (RedHat Advanced Server vs. Windows 2003),  web browsers (Firefox 1.x vs. Internet Explorer 6), e-mail products (Thunderbird vs. Outlook 2003), databases (PostgreSQL 8 vs SQL Server 2000), and office products (OpenOffice.org 1.1 vs. Office 2003).

One of the most forgotten security tools is one most of us already have on our networks: Microsoft Windows

Most people are not using a fraction of Window's security features in companies.  Small and medium businesses can especially benefit from using the full functionality of the products they already have in place.

The following are a just a few of the many free features your company may not already be using.

Today Microsoft has released two security patches for Microsoft Windows as follows:

[Update 12-01: There's now a Trojan in the wild that exploits this vulnerability.  Information on Delf.DH can be found at Microsoft's site.  SANS ISC handler Scott Fendley suggests that we might see an out of cycle patch for this.]

[Update 11-29: Some AV vendors have updated their definitions to protect against this.  In order to be protected, the AV engine must scan the content before it is executed by the browser, otherwise it's just a warning that you were 0wn3d.] 

Microsoft has released a security advisory about yesterday's 0-day exploit.  The advisory can be found here.

In the advisory the only technical workaround presented involves disabling active scripting or causing the browser to prompt on active scripting.  As most web pages use Javascript, this doesn't really seem like a workable solution.  Checking Microsoft Update for security patches, for example, prompts 11 times about running active content. 

SANS InfoCon has been raised to yellow today and for good reason; A  security researcher working for the UK company Computer Terrorism has published a 0-day remote code execution PoC exploit.  This uses an older vulnerability in Internet Explorer versions 5.5 and 6.0 thought to cause a DoS only.  More information is available in the FrSIRT advisory.  Currently the only available countermeasures that I am aware of are:

1. Disable all "active content" (i.e. Javascript and VBScript) in untrusted security zones
2. Use another web browser, at least for the time being (you might not want to switch back)
3. Detect or Block based on signature (there's a Bleeding-edge Snort signature available here)

Be careful out there.

There are Proof of Concept exploits in the wild for three of the Microsoft Tuesday patches.  They are: