Microsoft security: Something old, something new

A peek into Windows Vista and IE 7 betas shows some welcome security upgrades

Windows administrators are busy this week analyzing Microsoft’s most recent Patch Tuesday releases. Of the eight patches released on Oct. 11, at least four of them have already resulted in publicly available exploit code. FrSIRT has three of the exploits and is sure to get the others as they become known.

Although there are several critical vulnerabilities in the Patch Tuesday grouping, the consensus among several observers is that MS05-051 (MSDTC and COM+ vulnerabilities) is the most critical of the bunch. MS05-051 contains several fixes. The COM+ hole, in particular, would allow an exploit to execute malicious code remotely on previously fully patched Windows 2000, XP, and Server 2003 computers. MS05-052 is a cumulative patch update for Internet Explorer 5.5 and 6.x and deserves special consideration as well. No word on whether these vulnerabilities affect Windows Vista and IE 7.

I’ve been beta testing Windows Vista and Internet Explorer 7 this week. Both are still really rough betas, but have enough features and functionality for any user to get the gist of what they can do. One of the biggest new features of Windows Vista is its UAP (User Account Protection), and it's a great and welcome change.

The UAP addition means that by default, even if you are logged in as Administrator, most programs, including Internet browsers, will run in non-admin mode. To run a program in admin mode, the user must right-click the program icon or executable and choose to Run Elevated (Run Elevated replaces the RunAs syntax).

There are many other new Vista security features, but I don’t want to report on them until I know they are going to be included in the final release.

Internet Explorer 7’s best new security feature is its anti-phishing filter. If enabled, it works like this: Whenever a user visits a new Web page, the link is sent to a Microsoft server, which checks if the link was previously reported and verified as a known phishing site. If so, the user is given a screen indicating this. And if users get this screen, they should not continue on the Web page, but Microsoft allows the user to bypass the warning if they so desire. Let's hope the bypass option can be disabled by group policy.

Users can report phishing sites they find to Microsoft. Microsoft requires that reporting users successfully pass one of those crummy OCR validation-graphic tests, but I guess this will prevent phishers from trying to overwhelm Microsoft with invalid reports. Even if the Web site hasn’t been reported, IE 7 will occasionally recognize phishing-like behavior and put up a cautionary warning.

In my beta testing, the new feature only worked about 10 percent of the time, but I’m sure accuracy will increase significantly once it is in general release.

I’ve always supported this type of user-reported methodology, but only as long as humans (or very intelligent software) validate the suspected sites and there is an easy way for false-positive Web sites to get removed quickly. Anti-spam blacklists sometimes drive me and my clients crazy. It might only take two minutes to find and close the open relay, but it takes days to weeks to get removed from all the blacklists.

In Other News …

MessageLabs tells me that there is a new Trojan masquerading as the new Skype client. Be sure, as always, to download all software directly from the vendor or a reputable download site.

And here's a new one: Last week one of my clients asked me if I would take a look at his son’s college computer because it was behaving slowly. Hey, I never care about the type of system as long as I’m being paid the same rate.

The son is an avid online Texas hold'em player. I found an interesting Trojan called 1.exe in the root directory, which alerted other online players when my client’s son was online. It then recorded his cards during the different hands of poker and sent that information to the monitoring users. My boss’ son said that early on he was winning all the time, but lately he consistently lost his biggest hands -- not that it stopped him from playing, unfortunately.

I collected the Trojan and sent it to the online poker company. Now, a devious mind might have reverse-engineered the Trojan and sent back the wrong cards to the cheating players and … oh, that’s right, I’m one of the good guys.