Re: New IE flaw and exploit sites/migration to non-MS browser



www.threatcode.com

If an application is written for TODAY's Windows XP logo, it will run as a non-administrator.

Everyone, right now... go click on your time and date... go... okay... can you change the date and time?

That is the quick and dirty test to see if you have admin rights...

You have administrator rights to your machine. Now go over to the absolutely stupid-est user in the office. (If that's you... that's fine ;-) Do they have admin rights just like you? The one that will click and download anything? That means not only can "you" install anything you darn well please, so can they.

And if you do and they do... so do all those lovely drive-by browser 'sploits and stuff. Please go back and review the security bulletins and see all the ones these days that say "will gain access in the rights of the user context"... that means if you are LUA (non-admin), so are the nasties... and studies have shown that if you run as non-admin (which... hello people... Vista is doing this along with 'nix and Macs, so get used to it before Vista's admin isn't admin anymore) you get less malware.

So why aren't we doing what we can to lower the attack surface of what we have... especially when we can't rip out IE as our... yeah, you guessed it... crappy line-of-business applications depend on it? Why is it that, according to stats, about 80% of us are running as admin? Yeah, I know it's 'cause it's easy and it's the way we've always done it with Windows... but why are we still doing it this way?

Does the stupid-est user in the office really need to be able to download malware-du-jour?
</gra_replace>

<gr_replace lines="23" cat="clarify" orig="Log into that">
Log into that system, add another user as a 'normal' user, and log in with those 'normal user' rights.

So how do you run as non admin?

Log into that system, add another user as a 'normal' user and log in with those 'normal user' rights.

Okay, how many of your applications won't work?

Lemme guess... beancounter ones (accounting software)... along with many line-of-business applications.

So how do you deal with applications that won't 'do LUA'?

Aaron's blog has some suggestions...

Aaron Margosis' WebLog : Fixing "LUA bugs", Part I:
http://blogs.msdn.com/aaron_margosis/archive/2006/02/16/533077.aspx

Aaron Margosis' WebLog : Fixing "LUA Bugs", Part II:
http://blogs.msdn.com/aaron_margosis/archive/2006/03/27/562091.aspx

Jesper's Blog : Malware and administrative rights:
http://blogs.technet.com/jesper_johansson/archive/2005/11/30/415328.aspx

Use Filemon/Sysmon to figure out the ACL issues...

Use RunAs.

http://www.microsoft.com/emea/itsshowtime/sessionh.aspx?videoid=102

Want to really fix it, though? Yell. Yell at those vendors to fix it. And make sure your folks that are making the purchasing decisions know that this needs to be a requirement... because in this day and age of computer technology there is NO EXCUSE for a vendor to code like we are running Windows 98 around this place.

As to restricting ActiveX to only those you need... harness the power of Group Policy on that one...
Outlook Web Access and Small Business Server Remote Web Workplace do not function if XP Service Pack 2 Add-on Blocking is enabled via group policy:
http://support.microsoft.com/kb/555235/en-us
How to manage Internet Explorer add-ons in Windows XP Service Pack 2:
http://support.microsoft.com/?id=883256

How's that, Milos?

Milos Puchta wrote:

Susan,

Please give more info instead of a clipped-style letter.
It would be nice if you could give it a little more time
to educate those who can accept it. (For those who
feel lost without being administrator, there are at
least two tools that change the rights....)

TIA
Rgds
Milos



----- Original Message ----- From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@xxxxxxxxxxx>
To: "bkfsec" <bkfsec@xxxxxxxxxxxxxxxx>
Cc: "Murad Talukdar" <talukdar_m@xxxxxxxxxx>; <focus-ms@xxxxxxxxxxxxxxxxx>
Sent: Saturday, April 01, 2006 1:07 AM
Subject: Re: New IE flaw and exploit sites/migration to non-MS browser


How many of you are running as non-admin? Used Group Policy to adjust and allow approved ActiveX?

Now I'm no coder... but from threads I've seen... Firefox's extensions are ripe for fun and excitement.

Is it IE that's insecure? Or how the workstations are set up in the first place?


bkfsec wrote:

Murad Talukdar wrote:

On a related note--how many people have initiated a move away from IE to Firefox/Opera etc. in a corporate environment, due to the perception (is it JUST a perception or reality-based?) that IE is less secure/more prone to exploits?


We have in certain areas. It's very much reality-based that IE is less secure and more prone to exploit than other browsers, for a number of reasons, not the least of which is IE's architectural tie-in with the MS Windows operating system.

-bkfsec


--
Letting your vendors set your risk analysis these days? http://www.threatcode.com
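Susan's "can you change the clock?" test, and her question about who in the office has admin rights, can be answered more precisely from a script. The following is an added example for readers of the thread, not code from any poster; it assumes Windows PowerShell 5.1 or later (for Get-LocalGroupMember) and that it is run on the workstation being checked.

```powershell
# Added example (not part of the original thread).
# Two checks an admin can run on a workstation:
#   1. Is this session running with administrator rights?
#   2. Who is in the local Administrators group on this machine?

function Test-IsAdmin {
    # Returns $true when the current token is in the built-in Administrators role.
    # Caveat: on Vista and later with UAC, an admin who is not elevated has a
    # split token, and this returns $false until the process is elevated.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LocalAdminReport {
    # Lists every member of the local Administrators group, so ordinary
    # user accounts that should not be there stand out.
    # Assumes the Microsoft.PowerShell.LocalAccounts module (PowerShell 5.1+).
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

if (Test-IsAdmin) {
    Write-Warning 'This session has administrator rights; day-to-day work (browsing, mail) should not.'
} else {
    Write-Host 'Running as a standard (LUA) user.'
}

Write-Host 'Members of the local Administrators group:'
Get-LocalAdminReport | Format-Table -AutoSize

# For the rare task that genuinely needs admin rights, use RunAs from a
# standard-user session instead of logging in as an administrator, e.g.
#   runas /user:.\LocalAdmin "mmc.exe compmgmt.msc"
# (.\LocalAdmin is a placeholder for your machine's admin account.)
```

Run this once as yourself and once from the "normal user" account Susan suggests creating; the first check should flip from a warning to the LUA message, and the Administrators list shows whether the users who "click and download anything" still hold admin rights on their machines.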