So it wasn't out then? So what?  Do it now.  That was then, this is now.

In small shops they can hire Small Business Specialists who are starting to drink the LUA koolaid themselves...it's a matter of education..both to the consultants and to the buyers of technology. These days we recommend that you outsource and find an IT pro that specializes in small businesses. The small firms you are talking about are typically the less than 10 user/peer to peer/got the college friend of the son to help them set up the network. Those firms in the 10-50 range are hiring IT consulting firms to set up their networks.

Regarding your argument that it's harder in a small shop, I'd argue that it's easier in a small shop because all we have to do is convince the boss.. one boss..not a committee.... and typically it's after just one incident. We don't have all the customized just built for us ASP web applications.. we just bought Quickbooks at Costco and run Word and Excel and a few other crappy line of business apps, but they are all off the shelf.

As far as being too hard... www.threatcode.com has the instructions to do Quickbooks... and we have the info on how to do it via group policy these days... if this blonde can do it... anyone can. In SBSland we do screen shots. And how did I figure out the proper registry keys? By finding someone else who figured it out first on a Quickbooks bulletin board and finally the vendor stepped up to the plate and made it official. We ask our fellow geeks to help.. we don't do this all by ourselves.

And why did they make it official now?  Because enough of us yelled is why.

And that's the key right there. WE in the marketplace have to yell at all of these vendors that demonstrate bad security practices. Both in the form of non admin requirements...and in the application vendors that recommend not patching. And I honestly see it the other way around... it's harder for large firms to do it... those of us whose bosses have downed the LUA Koolaid in SBSland are doing it. There's not a tipping point yet... but man.. come out to my SBS community and more and more IT consultants are asking about LUA and/or doing it.

As far as the home/consumer market... yes... we're losing the war there and we really need the help there. That's the area that LUA is really hard to do. In our small biz community, we are recommending that families buy 'throw away' systems, give them to the teenagers and nuke and pave every so many months. To me, I can protect and defend my firm... I have a hard time protecting and defending the teenagers' machines. Between peer pressure of downloads and the "free download" mentality..that's the one I'm worried about. Add to that ...that Vista is going to annoy the heck out of folks with its "are you sure"... it's the home market that I'm more worried about.

Remember down here in the home/small biz arena there is one tool that we don't have that you big guys have... and that's the Windows PE... we're using Bart's PE as an equivalent to boot on that disk and deal with the critters.

Devin Ganger wrote:

Hi, Kurt! Good to see you're alive and well!

At Tuesday, April 04, 2006 10:44 AM:, Kurt Dillard wrote:

I agree with Susan that logging into Windows without administrator
privileges is doable today, especially for well-managed networks.

Note that I haven't ever disagreed; I have acknowledged that it is
doable.

but it's not
overwhelmingly difficult for most organizations today if you plan
ahead and properly test your applications.

The way you phrased this ties back to one of the points I was making,
which is that it's not hard *today*. A few years ago, when XP was
released, was a different story.

It only becomes impossible
on networks with thousands of applications, but organizations with
that many unique apps deployed tend to not have any kind of
centralized management going.

It's also much more difficult in small shops where the person doing the
management of the network doesn't know much more than their users, or
only gets to do network management part-time, or whose owners don't
understand the value of LUA and thus don't allow their admins to take
the time to set it up (or who cave in after the bookkeeper complains the
first time QuickBooks won't start up). The time required to research
applications, test them out, and make sure they work under LUA doesn't
scale well for smaller companies. So for them, it *is* "too hard" -- not
because of the technical difficulty involved, but because the process is
involved and appears to take away too much productive time.

Devin, you compare the level of awareness about LUA in the Windows
community with that in the Linux and Unix communities. It's not a
reasonable comparison to make because the percentage of users who are
not computer professionals in the Linux and Unix communities is
minuscule

<thinks back to own experiences as a UNIX admin>

Oh, if only that were true!

Okay, okay, you have a point there that the ratio of professionals is
higher in the *nix community. However, I wasn't directly comparing the
communities so much as I was comparing *installation processes*. There
are some flavors of *nix (Solaris, I'm looking at you) that assume the
box is part of a larger directory service such as NIS, NIS+, or LDAP and
thus don't prompt you to create additional user accounts during the
first installation -- but many of the free *nix distributions I've used
do precisely that.

Let's compare that with Windows XP. If you're using Home, or Pro without
joining a domain, you get asked to input your name. The account that XP
creates is given local admin privileges by default even though there is
still a separate Administrator account. (If you're using Pro and join a
domain, then it does what Solaris does -- ask for the password to give
the local Administrator account and not worry about users. I stipulate
that this is the most useful route to take in the presence of some sort
of directory service.)

Last time I checked
Linux that was being marketed to home users was configured to logon
as root by default too.

Depends on the distro. The ones that do tend to get a lot of abuse,
precisely because they're teaching bad habits to the people who use
them.

Devin, you switched the discussion to home users.

Not exactly. First, I wasn't aware that the original discussion was
limited to just business users, so home users are valid cases of Windows
users. With so many home machines compromised by malware (in many cases
installed because the user was running with admin privs even when
they have anti-spam, anti-virus, and anti-spyware applications
installed) they constitute a significant source of threat. I spend a lot
of personal time helping people with their home machines, and in the
last couple of years, I don't think I've even seen an XP machine where
people didn't have anti-malware utilities installed. Most of them, to my
surprise, were actively updating through Windows Update instead of
relying passively on default Windows Update behavior.
However, you could make the same statement of many business users on
laptops. A lot of companies buy laptops pre-configured with Windows and
don't ever bother to join them to a domain. Many of them allow the end
user to run through the initial installation process. Boom -- the user
now has local admin privs. And we're back to where we started.

Sue asked a question that kicked this part of the discussion off:

"Is it IE that's insecure?  Or how the workstations are setup in the
first place?"

My point all along -- which is one that apparently Sue isn't happy with
-- is while LUA does dramatically reduce the number of vulnerabilities
(in most user-space applications) that can actually hurt your machine
when they get through, IE is a special case. It has a history of having
far more vulnerabilities than other browsers, and because a lot of the
code in IE is so tied in with the rest of Windows, you cannot guarantee
(like I can with Firefox, etc.) that only non-admin code will ever be
affected by those vulnerabilities.

The rest of this was just rat holing.

Technology can only do so much, users who make bad decisions will be
exploited regardless of what browser (or email client, or P2P app,
etc) they are using.

Absolutely.


--
Letting your vendors set your risk analysis these days? http://www.threatcode.com
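A check a small-shop admin can run to see whether the "first user ends up a local admin" default Devin describes still holds on a given box, added here as an example; it is not code from this thread or its authors. It assumes the LocalAccounts cmdlets (Windows 10 / Server 2016 or later), and the function names are my own.

```powershell
# Added example (not from the thread): audit a Windows machine for LUA
# violations, i.e. local user accounts sitting in the local
# Administrators group, and report whether the current shell itself is
# running with an admin token. Run elevated for full group enumeration.
# Function names and the output layout are assumptions for illustration.

function Get-LuaViolations {
    param([string]$GroupName = 'Administrators')

    $members = Get-LocalGroupMember -Group $GroupName -ErrorAction Stop
    $violations = foreach ($m in $members) {
        # Skip the built-in Administrator account (well-known RID 500);
        # it is expected to be in the group and should simply stay unused.
        if ($m.SID.Value -match '-500$') { continue }
        # Domain users/groups placed in local Administrators are usually a
        # deliberate management decision; flag only local user accounts,
        # which is what the XP first-run wizard creates.
        if ($m.ObjectClass -eq 'User' -and $m.PrincipalSource -eq 'Local') {
            $u = Get-LocalUser -SID $m.SID
            [pscustomobject]@{
                Name      = $u.Name
                Enabled   = $u.Enabled
                LastLogon = $u.LastLogon
                Reason    = 'Local user account is a member of Administrators'
            }
        }
    }
    return $violations
}

# Does the current session carry an administrator token? If so, the
# person typing is not running as a limited user, whatever the audit says.
function Test-CurrentSessionIsAdmin {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

if (Test-CurrentSessionIsAdmin) {
    Write-Warning 'This shell runs with administrator privileges: not LUA.'
}
Get-LuaViolations | Format-Table -AutoSize
```

Any local account listed is a candidate for demotion to Users (with a separate admin account kept for the rare tasks that need it), which is the setup the thread is arguing for.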