[97481] in North American Network Operators' Group
Re: FBI tells the public to call their ISP for help
daemon@ATHENA.MIT.EDU (Douglas Otis)
Sat Jun 16 15:57:11 2007
In-Reply-To: <20070615.163146.16628.2@webmail33.lax.untd.com>
Cc: fw@deneb.enyo.de, nanog@nanog.org
From: Douglas Otis <dotis@mail-abuse.org>
Date: Sat, 16 Jun 2007 12:56:27 -0700
To: Fergie <fergdawg@netzero.net>
Errors-To: owner-nanog@merit.edu
On Jun 15, 2007, at 11:31 PM, Fergie wrote:
> -- Florian Weimer <fw@deneb.enyo.de> wrote:
>
>> In most parts of the world, the Microsoft EULA is not enforceable.
>> Most users don't buy their software from Microsoft, either. It's
>> preinstalled on their PC, and Microsoft disclaims any support.
>
> NOTE: This has nothing to do with ISPs.
>
> Also, there is somewhere in the neighborhood of > 65M MS hosts "out
> there" that are either illegally or improperly licensed, and which
> cannot use Microsoft Update (due to the Genuine Advantage
> verification knobs).
>
> While they can download each patch individually through a series of
> acrobatic exercises, this sorta contributes to the whole end-system
> compromise problem.
>
> Again, not that this has much real bearing on the discussion, but
> figured I'd toss that into the mix.
At the prior ISOS conference in Redmond, Microsoft made assurances
even systems failing Genuine Advantage verification can enable
automatic updates to obtain critical updates. One of the attendees
remarked privately this automation works only for English versions of
XP. :(
With vulnerabilities created by Microsoft, such as:
- cloaking files and processes
- cloaking shell script extensions (even when show enabled)
- requiring scripts for basic browser functionality
- preventing removal of their exploitable browser
- Word
- .Net
- inadequate provisions for temporary privilege escalation
- unfortunate network defaults
- reliance upon perimeter security
- etc.
It seems such negligence might make Micros0ft vulnerable to class
actions, especially from ISPs bearing the brunt of related support.
With the FBI recommendation, another very deep pocket might be added.
The paper provided by Google should give anyone cause.
http://www.usenix.org/events/hotbots07/tech/full_papers/provos/provos.pdf
"A popular exploit we encountered takes advantage of a
vulnerability in Microsoft's Data Access Components that
allows arbitrary code execution on a user's computer [6].
The following example illustrates the steps taken by an
adversary to leverage this vulnerability into remote code
execution:
• The exploit is delivered to a user's browser via an
iframe on a compromised web page.
• The iframe contains Javascript to instantiate an
ActiveX object that is not normally safe for scripting.
• The Javascript makes an XMLHTTP request to
retrieve an executable.
• Adodb.stream is used to write the executable to disk.
• A Shell.Application is used to launch the newly written
executable."
-Doug
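A defender-side check for the chain quoted in the excerpt above, added to this archive entry as an example and not taken from the paper or from anyone in the thread: it scans page markup for the object names the excerpt lists and treats XMLHTTP on its own as ordinary (it was the usual AJAX object in IE at the time). The two sample pages are constructed and carry only the object names, not a working payload.

```python
import re

# Heuristic indicator patterns for the MDAC drive-by chain quoted in the paper
# excerpt (added here as a defender-side example; the names are the page's own).
INDICATORS = {
    "activex_object":    re.compile(r"new\s+ActiveXObject\s*\(", re.I),
    "xmlhttp":           re.compile(r"XMLHTTP", re.I),
    "adodb_stream":      re.compile(r"ADODB\.Stream", re.I),
    "shell_application": re.compile(r"Shell\.Application", re.I),
}
# Zero-sized or hidden iframe, the delivery vehicle named in the excerpt.
HIDDEN_IFRAME = re.compile(
    r"<iframe[^>]*(?:\b(?:width|height)\s*=\s*[\"']?0\b|display\s*:\s*none)", re.I)

def scan_page(html: str) -> dict:
    """Report which indicators appear and whether the full
    fetch -> write-to-disk -> launch chain is present."""
    found = {name for name, rx in INDICATORS.items() if rx.search(html)}
    # XMLHTTP alone was ordinary AJAX in IE; only the combination with a
    # disk-writing object and a launcher matches the described exploit.
    full_chain = {"adodb_stream", "shell_application"} <= found and "xmlhttp" in found
    return {
        "indicators": sorted(found),
        "hidden_iframe": bool(HIDDEN_IFRAME.search(html)),
        "full_chain": full_chain,
    }

# Constructed sample: carries only the object names, no working payload.
SUSPICIOUS_PAGE = """<html><body>
<iframe src="http://example.invalid/ad.html" width="0" height="0"></iframe>
<script>
  var x = new ActiveXObject("Microsoft.XMLHTTP");
  var s = new ActiveXObject("ADODB.Stream");
  var a = new ActiveXObject("Shell.Application");
</script>
</body></html>"""

# Constructed benign sample: a plain 2007-era AJAX call, no file write or launch.
BENIGN_PAGE = """<html><body>
<script>
  var x = new ActiveXObject("Microsoft.XMLHTTP");
  x.open("GET", "/news.xml", true);
</script>
</body></html>"""

if __name__ == "__main__":
    for label, page in (("suspicious", SUSPICIOUS_PAGE), ("benign", BENIGN_PAGE)):
        print(label, scan_page(page))
```

Scoring on the combination rather than on any single object name is what keeps ordinary XMLHTTP-based pages from being flagged.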