Velocity Reviews - Computer Hardware Reviews

Button up and keep your head down, zero day exploits becoming the norm....

 
 
thingy
      10-09-2006
http://computerworld.co.nz/news.nsf/...25720100308517

regards

Thing
 
Lawrence D'Oliveiro
      10-09-2006
In message <3hgov3->, thingy wrote:

> http://computerworld.co.nz/news.nsf/...25720100308517


This caught my eye:

SetSlice chews through a hole in the WebViewFolderIcon ActiveX control
by overflowing an integer with a large negative number, and it’s being
remotely exploited on a large scale at the moment. It works on Windows
2000, XP and Server 2004 — all Service Pack Levels.

A patch from Microsoft is expected out on October 10, but the SetSlice
exploit was made public in July already. Over two months later, and
Microsoft still hasn’t plugged a serious, remotely exploitable security
hole that can be triggered by simply visiting the wrong website. This
begs the question: is Microsoft able to keep up with the malware writers
despite its commitment to security?

Contrast this with the speed with which Microsoft was able to rush out the
patch to plug the DRM hole in Windows Media Player
<http://www.wired.com/news/columns/0,71738-0.html> -- just three days. And
you can see where Microsoft's priorities lie--with the security of itself
and its biggest business/revenue partners, not with most of its customers.
 
thingy
      10-09-2006
Lawrence D'Oliveiro wrote:
> In message <3hgov3->, thingy wrote:
>
>> http://computerworld.co.nz/news.nsf/...25720100308517

>
> This caught my eye:
>
> SetSlice chews through a hole in the WebViewFolderIcon ActiveX control
> by overflowing an integer with a large negative number, and it’s being
> remotely exploited on a large scale at the moment. It works on Windows
> 2000, XP and Server 2004 — all Service Pack Levels.
>
> A patch from Microsoft is expected out on October 10, but the SetSlice
> exploit was made public in July already. Over two months later, and
> Microsoft still hasn’t plugged a serious, remotely exploitable security
> hole that can be triggered by simply visiting the wrong website. This
> begs the question: is Microsoft able to keep up with the malware writers
> despite its commitment to security?
>
> Contrast this with the speed with which Microsoft was able to rush out the
> patch to plug the DRM hole in Windows Media Player
> <http://www.wired.com/news/columns/0,71738-0.html> -- just three days. And
> you can see where Microsoft's priorities lie--with the security of itself
> and its biggest business/revenue partners, not with most of its customers.


Why are we not surprised.....I just wish it was possible to show MS etc
as liable for hacked PCs.....something like patching DRM in 3 days yet
taking 2 weeks for setslice is just pathetic....and they should be held
accountable IMHO.....then we would see a whole new ball game.....

regards

Thing
 
dilberts_left_nut
      10-09-2006

"thingy" <> wrote in message
news:4529d751$...
> Lawrence D'Oliveiro wrote:
>> In message <3hgov3->, thingy wrote:


--snip--

> Why are we not surprised.....I just wish it was possible to show MS etc as
> liable for hacked PCs.....something like patching DRM in 3 days yet taking
> 2 weeks for setslice is just pathetic....and they should be held
> accountable IMHO.....then we would see a whole new ball game.....
>
> regards
>
> Thing


If you got hit by a truck speeding through a red light would your car
manufacturer be liable for not protecting you from this accident?


 
cobs
      10-09-2006
Lawrence D'Oliveiro wrote:
> In message <3hgov3->, thingy wrote:
>
>> http://computerworld.co.nz/news.nsf/...25720100308517

>
> This caught my eye:
>
> SetSlice chews through a hole in the WebViewFolderIcon ActiveX control


[...]


> Contrast this with the speed with which Microsoft was able to rush out the
> patch to plug the DRM hole in Windows Media Player
> <http://www.wired.com/news/columns/0,71738-0.html> -- just three days. And
> you can see where Microsoft's priorities lie--with the security of itself
> and its biggest business/revenue partners, not with most of its customers.



No particular barrow to push, but the SetSlice PoC 2 months ago crashed
IE - didn't allow for remote code execution.
http://www.avertlabs.com/research/blog/?p=98
Remote code execution appeared at the end of Sept ..though that doesn't
lessen the risk now for unmanaged WinX hosts.

Managed Win2k sp4+ hosts have no infection excuse.
# AD / ieak / your script language of choice lets you disable all / some
or when activex controls run (if IE is needed).
That helps you at day 0.5 when the bug appears as a faint radar trace.

# To reduce the '0day' exposure - no user on a managed desktop should
run with admin rights (well, any, but that's another discussion).
Bad app only works as admin? don't be lazy - track where it breaks. If
the vendor is a useless noddy, only then do you push elevated rights to
required reg keys / specific files to that app user group via gpo.
In a perfect world, this would occur at the evaluation stage before
purchase. In the real world, it can be time consuming and frustrating.
It is definitely worth doing.

# Safer(MS) - even with restricted users, you can run specific apps with
lower privs at start. That would be at least IE, WMP and MS Office main
executables

# XPsp2 (possibly sp1a?) - use the firewall in domain mode to limit the
spread of network-aware nasties. Use software dep (with your exceptions)
- or h/w dep if supported.
Track your apps, feed port requirements into fw rules. Partition the
network - fw / vlan / etc.

Usual stuff about best practice layered defence et al - regardless of
whether the environment is heterogeneous or homogeneous.

For all the (sometimes misplaced) huff & puff in the article, there's
very little new in principle.

Doesn't matter what's being run - end point security has always been
important - and we've been familiar with rapidly spreading nasties using
low visibility exploits since the Morris worm.

My 10c - apparently I can't use the 5c piece any more.

/C
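
Added example, not part of the post above: one way to check the "disable ActiveX controls" measure across managed hosts is to audit each host's `reg export` of the Internet Explorer ActiveX Compatibility key for the kill bit (0x400 in the `Compatibility Flags` value). The CLSIDs, sample export and function names are constructed placeholders; the real CLSIDs for a given control come from the vendor advisory.

```python
import re

# The IE "kill bit" is bit 0x400 of the Compatibility Flags DWORD in a per-CLSID subkey of:
KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KILL_BIT = 0x400
SECTION = re.compile(r"^\[(.+)\]$")
FLAGS = re.compile(r'^"Compatibility Flags"=dword:([0-9a-fA-F]{8})$')

# Constructed sample in `reg export` text form; the CLSIDs are placeholders, not real controls.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000000a}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000000B}]
"Compatibility Flags"=dword:00000020
"""

def parse_compat_flags(reg_text):
    """Map upper-cased CLSID -> Compatibility Flags value found in the export text."""
    flags, clsid = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            parent, _, leaf = m.group(1).rpartition("\\")
            clsid = leaf.upper() if parent.upper() == KEY.upper() else None
            if clsid:
                flags.setdefault(clsid, 0)  # subkey exists; the value may still be absent
            continue
        m = FLAGS.match(line)
        if m and clsid:
            flags[clsid] = int(m.group(1), 16)
    return flags

def audit_kill_bits(reg_text, required_clsids):
    """Return {clsid: 'killed' | 'flag-missing' | 'no-entry'} for each CLSID policy requires."""
    flags = parse_compat_flags(reg_text)
    return {c: "no-entry" if c.upper() not in flags
            else "killed" if flags[c.upper()] & KILL_BIT else "flag-missing"
            for c in required_clsids}

if __name__ == "__main__":
    wanted = ["{00000000-0000-0000-0000-00000000000A}", "{00000000-0000-0000-0000-00000000000C}"]
    print(audit_kill_bits(SAMPLE, wanted))
```

`reg export` writes UTF-16 files, so decode them to text before passing the contents to `audit_kill_bits`.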


 
Lawrence D'Oliveiro
      10-10-2006
In message <>, dilberts_left_nut wrote:

> "thingy" <> wrote in message
> news:4529d751$...
>
>> .....I just wish it was possible to show MS etc
>> as liable for hacked PCs.....something like patching DRM in 3 days yet
>> taking 2 weeks for setslice is just pathetic....and they should be held
>> accountable IMHO.....then we would see a whole new ball game.....

>
> If you got hit by a truck speeding through a red light would your car
> manufacturer be liable for not protecting you from this accident?


Are we playing random pointless hypotheticals today? OK, how about this: if
you get a static electric shock from your seat cushion while reading
USENET while wearing nylon clothing, will that invalidate the terrorism
insurance on your house-plants?
 
dilberts_left_nut
      10-10-2006

"Lawrence D'Oliveiro" <_zealand> wrote in message
news:egfqa8$i7$...
>
> Are we playing random pointless hypotheticals today? OK, how about this:
> if you get a static electric shock from your seat cushion while reading
> USENET while wearing nylon clothing, will that invalidate the terrorism
> insurance on your house-plants?


Congratulations, that is pretty random and pointless.

I agree that the OP article says a lot about MS priorities re patches,
however I take issue with the MS anti-fanboy attitude that says they are
responsible for all the bad things that can happen when you use their
product in an uncontrolled environment.


 