February MS patchs

Microsoft Security Bulletin Summary for February, 2006

Critical: 2

Cumulative Security Update for Internet Explorer (910620): Only applies to Win2K users with IE 5.01, the WMF exploit fix for an older browser. Shouldn't have this running anywhere, will check with SMS.

Vulnerability in Windows Media Player Could Allow Remote Code Execution (911565): Bitmap exploit, unchecked buffer! Who looks at bitmaps in Windows Media Player? Oh yeah - skins. "Significant user interaction is required to exploit this vulnerability". Which, once again is defined as "an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site. It could also be possible to display malicious Web content by using banner advertisements." I can't believe they actually say that visiting a website or viewing an email is "significant user interaction"

- Back up and remove the WMZ registry key: that's interesting, we recently had an issue with .wmz files being blocked by either our Spam-Filter or Exchange from some vendor.

Important: 5

I'll just note one of them - "A vulnerability exists in the Windows and Office Korean Input Method Editor that could allow an attacker to take complete control of an affected system. For an attack to be successful an attacker must be able to interactively log on to the affected system." I won't be able to sleep unti this patch is rolled out 100%...


Microsoft promises "no passwords"

Microsoft Wants No Passwords

Bill Gates: “We need a continuum of authentication systems that will take into account the risk of the individual and entity,” he said. “Most of us are honest in our transactions in the real world and I don't see a reason why it will be otherwise in the digital world.”

True, most people don't engage in fraud. Most people don't write spyware. Most people don't write viruses. Most people don't send spam. Most people don't launch DDOS attacks from botnets. Most people don't poison DNS. I guess "it won't be otherwise" in the future, so evaluate risk based on the individual and entity. Yeah - that makes a lot of sense. I'm sure there's a lot more behind that comment...at least I hope so.

Gates tries to win over skeptics on security

InfoCard is part of a broader push by Gates to move away from passwords, which he said are "very quickly becoming the weak link" in online systems.

Password cracking is a very minor 'Internet' problem compared to the issues brought about from Microsoft's browser and OS. The average MS user doesn't have a prayer to protect their identity online; the only thing preserving it is strength in numbers. Identity thieves can only steal so many accounts of the tens of millions of average users out there.

I don't see what the revolution over this InfoCard is, Microsoft already sells their biometric fingerprint identifier, which does the exact same things and is presumably more secure.

Home users: what happens if you lose your InfoCard? You can't lose your fingerprint. Well you can take your InfoCard anywhere and use it on your friend's PC - but wait, you shouldn't be logging into anything on an untrusted computer.

Corporate users: administrative nightmare. We have ID / door / access cards at work. When we forget it at home, we get a temporary ID to use from the receptionist, the entire process takes less than a minute. You leave your InfoCard at home? Oh, there's no passwords anymore, so what then? The help desk just pumps you out a new card from the InfoCard machine? What about remote users who lose a card? International? The guy in Moscow who it takes a minimum of 2 weeks to get a package to? Looks like we'll be using passwords after all.


Today's Security Threats

MS to release Black Tuesday details today.

New Bagle Worm variation out, haven't seen it in my Spam filter. Or maybe this is what I saw earlier in the week, hundreds of .zip file attachments with the subject "Price". Subjects: Delivery by mail, Delivery service mail, Is delivered mail, Price, Registration is accepted, You are made active.

Islamist hackers attacking Danish sites because of the Mohammed comics. Religion is a beautiful thing.

2 Neutrino Realtime Operating System vulnerabilities (ROTS).


Just finished the series. Initial thoughts: very disappointing. Somewhat provocative but very slow with a lot of down time. More to come.


OfficeScan Part II

I can't solve the IIS error issue. It seems the error comes about from IIS being unable to see the physical path the virtual folder tries to redirect to. System has permissions, IUSR has permissions, administrators have permissions to the physical path, so I'm at a loss. There's not a lot of documentation online about the w3svc 101 "unable to add the virtual root" error.

The issue doesn't seem to be the download, anyways. The pattern files are downloaded fine into the OfficeScan\PCCSRV\Download\Pattern folder, using the Updates / Server Update / Manual Update from the management console. It seems there might be a problem moving the pattern files from Download\Patter to the PCCSRV folder. I gave "Everyone" full permissions to PCCSRV, but it still doesn't solve the problem...

One thing I noticed that's different from my other 13 OfficeScan servers is the BITS Service (Background Intelligent Transfer Service) is installed and integrated on this one. It looked like it was turned off, so I went ahead and turned it on for testing, with the settings "Allow clients to transfer data to this virtual directory" with default settings. It didn't seem to help matters much. I guess I can look into BITS some more, I'd also like to understand why it's uniquely installed on the server having problems.

One more thing I noticed on this server in the Event Logs was that ServerProtect was skipping large zip files. I added the PCCSRV directory to the ServerProtect exclusion list just in case, but it didn't make a difference.

TrendMicro OfficeScan issues

ActiveUpdate was unable to merge the incremental patch file. The incremental file is corrupted. Please try again.

I have an OfficeScan server that won't download new pattern files to distribute to the clients. Had a webex with TrendMicro to solve the issue...it worked when they did a manual update that day, but that night, the Scheduled update did not work. Assumption was it's a problem with the OfficeScan application which was upgraded from 5.5 to 5.58 to 7.0, something got corrupted along the way.

Reinstalled OSCE 7.0 on top of the existing 7.0 app, but I had the same problem with pattern files. I uninstalled OSCE 7 according to Trend's manual uninstallation instructions and tried to reinstall fresh, but services were not written to the registry, several directories under PCCSRV/web were not created and the install failed. I added full NTFS permissions to SYSTEM so that IIS (which runs under the Local System account) could do whatever it wanted in the install directory. I then had another webex with Trend to try to get the install to work, and it did. Pattern files updated fine! I figured all was well.

The day after the fresh install I come in and check the OfficeScan update logs, and I get the same error up top. I noticed that in IIS, OfficeScan virtual directory (which was installed under Default Website) has error status (the "error stop sign" deal), and the description reads "access is denied". Just some screwy permissions stuff going on. The problem isn't with OfficeScan, but permissions. It seems as if the OSCE app intermittently has permission issues writing the new pattern files.

Also, the event log has an error which is probably the key to the problem - Event ID 101, Source w3svc:

The server was unable to add the virtual root '/officescan' for the directory 'G:\Apps\OfficeScan\PCCSRV\WEB' due to the following error: Access is denied. The data is the error code.

This error follows for all the other directories in pccsrv/web. I spent some time looking for a solution, but all I could find was stuff helpful for Exchange which just needs a manual restart of the IIS Admin / WWWP services. During class tonight, I'll research the error some more.

Email posting

From the Blackberry? Edit - yes.

So I thought what I'd do was, I'd enter the blogosphere.

Computer/Network Security
Final Fantasy XI