thorfinn: <user name="seedy_girl"> and <user name="thorfinn"> (Default)

Microsoft .NET Remote Code Execution exploit

Similar class of problem as last time with the TCP/IP thing:


             AUSCERT External Security Bulletin Redistribution

           Vulnerabilities in the Microsoft .NET Common Language
                 Runtime Could Allow Remote Code Execution
                              15 October 2009


        AusCERT Security Bulletin Summary

Product:           Microsoft .NET Framework
                   Microsoft Silverlight
Publisher:         Microsoft
Operating System:  Windows 2000
                   Windows XP
                   Windows Server 2003
                   Windows Vista
                   Windows Server 2008
                   Windows 7
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2009-2497 CVE-2009-0091 CVE-2009-0090

Original Bulletin:

That list of Operating System: entries? That's every single supported version of Windows, from XP (which should be end-of-life but isn't), to Windows 7 (the supposedly new "much more secure" shiny thing). They forgot to put Mac OS in the list - if you have Silverlight installed on a Mac somehow (I don't know who uses it), then it's vulnerable too.

Seriously, if you are a normal person, or even a small business with no ability to pay serious tech-support (and I'm talking about a real network and systems administrator, worth at absolute minimum AUD90k p/a, or a regular contractor worth at least AUD90 per hour for at least a day every week) to make sure you're safe and securely firewalled and patched 100% of the time, don't run Windows, and don't run any Microsoft products if you can help it.

Unless, of course, you don't value your personal information, anyone else's personal information you might have, your bandwidth, your sales data, your netbanking, and anything else that you might use your computer to access. No worries, have fun with that.

Microsoft Danger Sidekick: All your data are belong to bitbucket

For more fun in that space, late last week, Microsoft managed to blow away all the storage for all Sidekick mobile customers. As in, boom, gone, no backups, kiss all your contacts and anything else supposedly securely backed on their "cloud service" goodbye, unless you were sensible and had your own offline backup (which isn't an officially supported thing on that platform).

T-Mobile Sidekick Disaster: Danger's Servers Crashed, And They Don't Have A Backup. There's a rumour today that Microsoft May Be Able To Restore All Of The Lost Sidekick Data, After All, but so far it's a rumour.

Even if they manage to recover some of the lost data, that's going to be due to heroic manual data recovery of the SAN disks, rather than routine backup restoration. And when I say "routine", I mean - everyone involved in Systems Administration at any serious level knows full well that you have to have a full backup of all data with a regularly tested and validated restore process before you commence any kind of important upgrade.

That is industry standard procedure, and has been industry standard procedure for many decades. Which Microsoft Danger obviously wasn't following. Of course you can play the "blame the subsidiary" card - but they've been a M$ owned company for long enough, with a high profile M$ exec moved in to be in charge for long enough, that basic disaster recovery processes should be in place. There isn't any valid excuse for that kind of data loss by a corporation. None.

ETA: Looks like there has been successful data recovery. Microsoft Confirms Data Recovery for Sidekick Users.
Amongst a swathe of other "[Win]" security alerts from AusCERT, this one stands out:

AusCERT Security Bulletin: ESB-2009.1267 - ALERT [Win] Windows TCP/IP: Multiple vulnerabilities

Product: Windows TCP/IP
Operating System: Windows 2000, Windows Server 2003, Windows Vista, Windows Server 2008
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Original Bulletin:

Why does this particular instance stand out to me? Because TCP/IP is the fundamental core of Internet communications - if your device does Internet, it does TCP/IP. The code to do it has been around for a few decades now, and pretty much everyone knows how to do it securely. Except, apparently, Microsoft.

This sort of security vulnerability can theoretically exist on other OS platforms, yes. That said, the only competing OS family these days is Unix - there are no extant OS platforms in common use that are not some type of Unix. Even Mac OS X is a version of Unix with a very shiny graphics layer on top.

Unix is designed from the ground up with a highly layered security approach, and in the layers where security is critical (i.e., the "kernel" - the part of the OS that deals with the computer hardware, and therefore can do things like snoop passwords, steal data from anyone on the machine, etc), the programmers tend to be very very careful, and most of the code is not actually new, and has been inspected heavily by many many people over the long decades that the technology has existed for, and tested by lots and lots of people who are pretty crazy about security, and think about it a lot.

Microsoft, fairly clearly, don't organise their code and their programmers to work that way. Every time they release a new OS version, they say "now more secure!" Every time they say that, they're proven wrong. Again. With several different hacks that break into the kernel layer, not just surface compromises. A Linux blogger describes the experience best: Windows Users - The Charlie Browns of Computing. Go on, kick the football. We promise it's secure this time. Really.

Don't get me wrong: You absolutely need to take security measures on other computers too. If you've got a Mac, you should still be purchasing anti-virus software, and if you've got Linux, or FreeBSD, or Solaris, or any other UNIX, you still need to be securing your computer in a variety of ways.

But on Windows - none of that matters. You can run all the anti-virus software you like, but if the Windows TCP/IP stack is open to a remote hacker, the remote hack will disable your anti-virus software, and install a bunch of stuff that will keep your computer broken and hacked, permanently.

If that happens to you, you can expect your computer to use all your bandwidth sending out spam email, attempt to crash and hack other computers on the Internet, send all your banking details to people who might be interested in stealing your money, send anything resembling personal data to the same people, and so on. Not good, not fun.

So, if you care about having a secure computer, don't use Windows. Ever. Really.

If you really do have to use Windows, then don't connect it directly to the Internet. Ever. Put that computer behind a secure firewall of some kind. If you don't know how to do that, find out from a tech-savvy friend. For your own sake.
