October 09, 2006
SP2 overflow - setslice
This month we looked at some malware alerts from both the recent past and today. Then we had a round table discussion about overall security and risk analysis. The spyware from a month ago was a variation of one from July. It seems that while Microsoft blocked remote execution (running) of files with a “pif” extension, they made the check case sensitive. So simply giving a file a name ending in “.PIF” or “.Pif” will allow that file to be executed, which can be used to install spyware on the remote (your) computer.

We looked at the SANS blog and found the risk level elevated to yellow because of a buffer overflow in SP2 (CVE-2006-3730 or "setslice") that was based on some spyware from July. SANS gave a few recommendations, ranging from the technical (setting certain kill bits) to the simple (using something other than IE). SANS has some tools that set the necessary kill bits so you don't have to edit the registry by hand. A kill bit is a setting in the registry that specifies that a specific ActiveX script cannot be run. Since the program SPYWAREBLASTER from JavaCool already sets the kill bit for several other malicious ActiveX scripts, I would expect that this control will be added soon. My thoughts are also that if the site with the nefarious ActiveX script were in the restricted zone then it wouldn’t run.

This just highlights how much safer both the Firefox extension NOSCRIPT and Eric Howe’s ENOUGH-IS-ENOUGH are. NOSCRIPT does the same thing as MS’s zones but runs in Firefox. It is safer because instead of allowing everything except what you specify as bad, NOSCRIPT will not allow anything until you define it as acceptable. So even if Firefox ran ActiveX scripts, the NOSCRIPT extension would still make Firefox safer. ‘Enough Is Enough’ reverses the way Windows decides whether to run something or not. It restricts the ‘Internet zone’ and makes it easy to put a site in a different zone.
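As an added illustration of the kill bit mentioned above (this is not code from the post, from SANS, or from SPYWAREBLASTER), the PowerShell below reads and sets the kill bit for one ActiveX control. The CLSID is a placeholder, since the post does not give one; take the real value from the advisory for the control you are blocking.

```powershell
# Added example: inspect and set the Internet Explorer kill bit for one ActiveX control.
# The kill bit lives under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
# in the DWORD value "Compatibility Flags"; bit 0x400 tells IE never to instantiate the control.
# PLACEHOLDER CLSID: replace with the CLSID from the advisory for the control in question.
$Clsid    = '{00000000-0000-0000-0000-000000000000}'
$KillBit  = 0x400
$BasePath = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-KillBitState {
    # Returns the current flags and whether the kill bit is set for the given CLSID.
    param([Parameter(Mandatory)][string]$Clsid)
    $key   = Join-Path $BasePath $Clsid
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { $flags = 0 }   # no key or no value: control is not kill-bitted
    [pscustomobject]@{
        Clsid     = $Clsid
        Flags     = ('0x{0:X}' -f $flags)
        KillBitOn = (($flags -band $KillBit) -ne 0)
    }
}

function Set-KillBit {
    # Sets bit 0x400 while preserving any other compatibility flags already present.
    # Writing under HKLM requires an elevated (administrator) PowerShell session.
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $BasePath $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ($current -bor $KillBit) -Type DWord
}

# Show the state before, apply the kill bit, then confirm it took effect.
Get-KillBitState -Clsid $Clsid
Set-KillBit -Clsid $Clsid
Get-KillBitState -Clsid $Clsid
```

Running Get-KillBitState alone (no elevation needed) is enough to audit a machine after a tool like the SANS one or SPYWAREBLASTER has been run.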
The ‘Internet zone’ is where everything on the Internet is run if it isn't in the restricted zone. While many think MS should have these settings by default, at least there is a simple way to do it. I also want to point out that the claims about the safety of SP2 fly in the face of this problem. There is no silver bullet when it comes to security. Everything is open to some kind of attack, and trying to say otherwise only gives a false impression of security that will hurt later on when people think it’s ok to slack off a little. I’ve also learned that those same claims about VISTA being immune to security threats are not completely true. While VISTA is more secure in many ways than anything MS has done in the past, there are still problems that will need to be addressed. We may even end up with the same patching schedule we have with XP.

Links:
The SANS blog mentioned above: http://isc.sans.org/diary.php?storyid=1742
ENOUGH-IS-ENOUGH: http://www.spywarewarrior.com/uiuc/main.htm
NOSCRIPT extension: http://www.noscript.net
SPYWAREBLASTER: http://www.javacoolsoftware.com/sbdownload.html
SECSIG meets in the Science building 203 at 11:15 am.
By attending the SECSIG you can ask questions and open discussions about troubling situations you are having now.
The RSS feed address is http://ocsecsig.blogspot.com/atom.xml
Dave Keays, SIG leader