Dec 30, 2009

Microsoft Response to Holiday IIS Zero Day

Here is the response from Microsoft. Looks like they are blaming it on configuration errors.

Results of Investigation into Holiday IIS Claim:
We’ve completed our investigation into the claims that came up over the holiday of a possible vulnerability in IIS and found that there is no vulnerability in IIS.
What we have seen is that there is an inconsistency in IIS 6 only in how it handles semicolons in URLs. It’s this inconsistency that the claims have focused on, saying this enables an attacker to bypass content filtering software to upload and execute code on an IIS server.
The key in this is the last point: for the scenario to work, the IIS server must already be configured to allow both “write” and “execute” privileges on the same directory. This is not the default configuration for IIS and is contrary to all of our published best practices. Quite simply, an IIS server configured in this manner is inherently vulnerable to attack.
However, customers who are using IIS 6.0 in the default configuration or following our recommended best practices don’t need to worry about this issue. If, however, you are running IIS in a configuration that allows both “write” and “execute” privileges on the same directory like this scenario requires, you should review our best practices and make changes to better secure your system from the threats that configuration can enable. Once again, here’s a list of best practices resources:



The IIS folks are evaluating a change to bring the behavior of IIS 6.0 in line with the other versions. In the meantime, they’ve put more information up about this on their weblog.
I hope this helps answer any questions.
Happy Holidays and Happy New Year.
Christopher
*This posting is provided 'AS IS' with no warranties, and confers no rights*

Dec 29, 2009

Possible IIS 6 0-day

News from SANS


Microsoft responds to possible IIS 6 0-day, (Tue, Dec 29th): "Following up to recent diaries 7816 and 7810 and numerous other sources regarding a possible IIS&nbs ...(more)..."

Dec 15, 2009

Adobe Warns of Reader, Acrobat Attack

Adobe Warns of Reader, Acrobat Attack: "itwbennett writes "Monday afternoon, Adobe 'received reports of a vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions being exploited in the wild,' the company said in a post to the company's Product Security Incident Response Team blog. According to malware tracking group Shadowserver, the vulnerability is due to a bug in the way Reader processes JavaScript code. Several 'tests have confirmed this is a 0-day vulnerability affecting several versions of Adobe Acrobat [Reader] to include the most recent versions of 8.x and 9.x. We have not tested on 7.x, but it may also be vulnerable,' Shadowserver said in a post on its Web site. The group recommends that concerned users disable JavaScript within Adobe's software as a work-around for this problem. (This can be done by un-checking the 'Enable Acrobat JavaScript' in the Edit -> Preferences -> JavaScript window). 'This is legit and is very bad,' Shadowserver added."
Read more of this story at Slashdot.

Windows Share Refresher

I had a rights issue at work recently and it made me read up on Windows rights.

Here is a nice refresher on best practices for Windows Share rights assignments. Believe it or not it's really pretty simple. I think the key is to remember that it's the sum of both the security (NTFS) rights and the share rights that matters. I had an issue with RDP rights vs. share rights that I had to iron out and this answered the question.

Just make sure to tighten up the inherited rights if you use his suggestion on giving Authenticated Users full access to the Share.

Dec 11, 2009

Launching a Virtualbox Guest from OS X as an App

I've been using Virtualbox quite a bit lately now that I have my new MacBook Pro for work.  I have the disk space and I need access to Windows for a variety of things.

Anyway, I quickly tired of opening the Virtualbox Application just to launch the machine I needed (it's nearly always the same one even though I have many). So, I poked around in Google and found this great bit of instruction from Mark Bockenstedt.

Basically, you just have to create a script in Script Editor and save it as an Application. Then change the icon (if you want) and drag it to the dock. Here is all the code for the script.

  do shell script "vboxmanage startvm Ubuntu"

Very simple, very easy.