Security Watch

Vista -- How Secure?

Microsoft likes to think its OS is locked down. It's true to a point. Plus: Skype flaw not that dangerous; social hacking; more.

• By Russ Cooper
• 03/10/2008

Microsoft has once again jumped on its band wagon attempting to paint Windows Vista as being far more secure than older Windows versions. This statement alone is true, be it because of User Access Controls or any of the other numerous security improvements. But Microsoft uses its security bulletin statistics to give weight to its claim. Such an attempt will always fail, and is made worse when comparing to Linux or Mac OS X.

There truly is little benefit to this sort of vulnerability comparison, regardless how well it is done. Microsoft has never been able to do such comparisons well. I made such a comparison in 2004, delving deep into each vulnerability and establishing profiles that represented common configurations so that patches for non-OS products were considered as well. Do you care only about the number of OS patches for your SMTP (Exchange) server, or should Exchange and IIS patches count too? Further, with so many companies employing products in addition to the OS to protect themselves, these statistics do little to highlight Vista's true security benefits. For whatever reason, if malware gets to a Vista desktop, the simple fact is that it will more than likely not function. If malware does reach the desktop, it will operate with significantly lower rights, capabilities and mechanisms to do harm. That is Vista's true forte.

Skype Phones Can Kill
A Skype software design flaw is being hyped with less than plausible attack scenarios. Skype uses IE's mhtml object to perform its HTML rendering. The object is set to function in the "Local Computer Zone," which permits the object to do many things it would likely be restricted from doing in other zones, such as reading and writing files to disk. This is likely required in order to make Skype work properly. The problem is that dynamic content could be processed by a Skype call, and if it were criminally crafted, could do far more than anyone would want to allow by virtue of the zone its processing the content in.

Skype should be treating untrusted content with the security it requires and handling it in another zone, using the Local Computer Zone only when required to do so. This should be achievable in code. As far as the attack scenarios that are being presented, you basically have to choose to shoot yourself in the foot for an actual exploit to occur. You would have to choose to host the criminally crafted object (such as a video with scripting in it) within a call you're currently making. Of course prior to doing so, you'd likely have viewed the video yourself, and if you had, you'd have noticed that it was attempting things that would be blocked by IE in the Internet Zone. Ergo, you will have seen warnings and failures when viewing the video outside of Skype. Why, then, would you want to include it in a Skype call?

Reddit Exposes RIAA's Weaknesses
Reddit usually doesn't have much interaction between its members, but Richard Stiennon of ZDnet writes in a blog post that the social network has been used in an attempt to DDoS the RIAA's Web site.

One Reddit member posted a link to a SQL injection attack that the author claimed was a "slow SQL query." The intent was to overwhelm the site with laborious queries. Unfortunately for RIAA, the attack pointed out a weakness in the RIAA database that allowed a more determined criminal to simply wipe the the database clean. Several hours later the RIAA was back on line and defending itself against the attacks.

What bothers us most about the post is the claim that such actions were "enforcing the Web's ethos via DDoS." Nobody should attempt to claim that the Web is being represented by criminal acts, regardless his motivation. Correlate the Reddit logs with the IP addresses on the queries and the RIAA may very well be able to determine which of the 659 Reddit members gave a thumbs up to the query and clicked on it and, in doing so, performed an illegal act against the RIAA. One should always remember who has more lawyers.

Virginia Schools Snowed In by Online Storm
We're not in Kansas any more, Toto ... A 17-year-old student, unhappy that his school had not been closed due to snow (but already at school, so he made it despite the snow storm) decided he wanted to find out why the school wasn't closed. He called a city official at work, but got no answer. So, he called the official at home. Getting no answer, the student left a message. The official's wife picked up the message and called the student back, leaving him a message. That message was basically "Who do you think you are calling our home?" The Washington Post writes that message went to Facebook, then to YouTube, and by the next day it was with local TV and 9,000 people had listened to it. The student said the misunderstanding was due to a "generation gap," while the city said it was due to a "civility gap."

There has always been a problem teaching kids the difference between perceived rights and actual rights, but this issue takes on ridiculous proportions when you throw in sites like Facebook or YouTube. What might have been dealt with by a PTA group, or even a smaller group of friends, now might get aired on TV and turn into a regional or national issue. Everyone needs to realize what they say via e-mail or on the phone may well be recorded and broadcast to the world. Take a deep breath and think twice!

Heathrow Kiosks Wide Open
Spectrum Interactive is still questioning whether or not its public Internet access terminals in Heathrow Airport are secure. It acknowledged that one of its terminals was insecure and appeared to be vulnerable to having keylogging software installed, among other risks. It said, however, that the problem may be something other than the security of its desktops. (Read the story from The Register here.)

Talk about hiding your head in the sand! Does it matter how the system became compromised or vulnerable, as long as it's possible to install such malware the system is poorly secured, period! The company claims it's the first of its systems in seven years to have been compromised, but it might mean that this is the first incident that made public news reports. Who knows how many the company has discovered and quietly fixed?