Re: [Full-disclosure] Useless tidbit (MS AntiSpyware)

2005-05-12 Thread Des Ward
I'd also recommend learning to use RIS and SUS servers, GPOs and slipstreaming 
to keep patches up to date. True there are still unpatched vulnerabilities out 
there, but actually patching components such as MSIE is at least as important.

I disagree that malicious code spreads purely due to bad admins. Standard 
builds deployed by a combination of RIS and GPOs could allow greater control 
over the environment; the balance between usability and security is often a 
fine one.

Actually putting some thought into builds would be helpful, with basic builds 
having everything unused switched off. Choosing between similar applications 
based on their lack of insecure features would help too.

The main problem IMHO is that people don't know what's on their network. It's 
kinda hard then to apply any advice you get. There's no excuse for this if you 
have a 1918 network, as you can use the basic version of NeWT to scan your 
network for vulnerabilities and to find out what you actually have.

Technology isn't a panacea, but slating people for using AV/Spyware products 
shows a lack of understanding of business. Or maybe certain people feel you 
don't need either if you've configured your network properly? (Airgap instead 
of the 'net anyone?) Sure the technology isn't perfect, but if it helps prevent 
further botnet activities on those systems controlled by less experienced 
people I'm certainly not going to make them feel bad for it.
-Original Message-
From: [EMAIL PROTECTED]
Date: Thu, 12 May 2005 02:05:23 
To:[EMAIL PROTECTED]
Cc:[EMAIL PROTECTED], Full Disclosure 
Subject: Re: [Full-disclosure] Useless tidbit (MS AntiSpyware)

On Wed, 11 May 2005 11:30:46 PDT, Kurt Buff said:
> > If one [or more] of you on the list could be so kind to indicate a
> > [many] resource[s] that lame hamstrung admins would be wise to follow
> > as guidelines to secure Windows systems.. it would be so much more
> > productive. especially for those lazy a$$ admins who may overlook the
> > single [or multiple] missed step that lets them become owned, hacked,
> > infected, unpatched, bugged, spewing, spamming, bots, rooted  [I
> > am sure to have skipped a few important ones] ;-P
> > 
> > steve
> 
> Google is your friend - start with 'NSA security guidelines windows'.

I'll add in the Center for Internet Security benchmarks:

http://www.cisecurity.org

It covers a lot of the same stuff as the NSA guidelines (which were used as
one of the inputs). Benefits: (1) I don't know if the NSA stuff has been updated
for XP, and (2) the CIS stuff includes a scoring tool which will let you know
which things you've not tightened down.

XP SP2, current patches, and either/both of the NSA/CIS kits - I will *not*
guarantee that it's bulletproof secure, but at least the box won't be sitting
there with a 'HAX0R ME N0W' sign on it.

(No, I didn't work on the CIS Windows stuff, but I'll take at least partial
blame for the Solaris/Linux/AIX ones)

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Kind regards,

Des Ward


Re: [Full-disclosure] Useless tidbit (MS AntiSpyware)

2005-05-11 Thread Valdis . Kletnieks
On Wed, 11 May 2005 11:30:46 PDT, Kurt Buff said:
> > If one [or more] of you on the list could be so kind to indicate a
> > [many] resource[s] that lame hamstrung admins would be wise to follow
> > as guidelines to secure Windows systems.. it would be so much more
> > productive. especially for those lazy a$$ admins who may overlook the
> > single [or multiple] missed step that lets them become owned, hacked,
> > infected, unpatched, bugged, spewing, spamming, bots, rooted  [I
> > am sure to have skipped a few important ones] ;-P
> > 
> > steve
> 
> Google is your friend - start with 'NSA security guidelines windows'.

I'll add in the Center for Internet Security benchmarks:

http://www.cisecurity.org

It covers a lot of the same stuff as the NSA guidelines (which were used as
one of the inputs). Benefits: (1) I don't know if the NSA stuff has been updated
for XP, and (2) the CIS stuff includes a scoring tool which will let you know
which things you've not tightened down.

XP SP2, current patches, and either/both of the NSA/CIS kits - I will *not*
guarantee that it's bulletproof secure, but at least the box won't be sitting
there with a 'HAX0R ME N0W' sign on it.

(No, I didn't work on the CIS Windows stuff, but I'll take at least partial
blame for the Solaris/Linux/AIX ones)



Re: [Full-disclosure] Useless tidbit (MS AntiSpyware)

2005-05-11 Thread Kurt Buff
> If one [or more] of you on the list could be so kind to indicate a
> [many] resource[s] that lame hamstrung admins would be wise to follow
> as guidelines to secure Windows systems.. it would be so much more
> productive. especially for those lazy a$$ admins who may overlook the
> single [or multiple] missed step that lets them become owned, hacked,
> infected, unpatched, bugged, spewing, spamming, bots, rooted  [I
> am sure to have skipped a few important ones] ;-P
> 
> steve

Google is your friend - start with 'NSA security guidelines windows'.


Re: [Full-disclosure] Useless tidbit (MS AntiSpyware)

2005-05-11 Thread byte busters
On 5/11/05, Randall M <[EMAIL PROTECTED]> wrote:
> 
> 
> :-Original Message-
> :From: [EMAIL PROTECTED]
> :[mailto:[EMAIL PROTECTED] On Behalf
> :Of Nick FitzGerald
> :Sent: Tuesday, May 10, 2005 6:17 PM
> :To: full-disclosure@lists.grok.org.uk
> :Subject: RE: [Full-disclosure] Useless tidbit (MS AntiSpyware)
> :
> :
> :_THAT_ is a far larger problem you should have considered long
> :before you discovered that one (or more) of the many
> :"band-aid" programs (like MS AntiSpyware, most other
> :anti-spywares, known virus scanning "antivirus" programs,
> :software firewalls, and so on) so commonly advocated by lame
> :(or hamstrung) system admins has this (and dozens of
> :other) trivial, stupid holes.
> :
> :
> :Regards,
> :
> :Nick FitzGerald
> :
> 
> Nick,
> Would you please elaborate further on this? I read it to say we should have
> cleaned out the machines first by hand and we are lame or hamstrung for
> relying on anti-virus, anti-spyware programs to find them.
> 
> RandallM
> 

If one [or more] of you on the list could be so kind to indicate a
[many] resource[s] that lame hamstrung admins would be wise to follow
as guidelines to secure Windows systems.. it would be so much more
productive. especially for those lazy a$$ admins who may overlook the
single [or multiple] missed step that lets them become owned, hacked,
infected, unpatched, bugged, spewing, spamming, bots, rooted  [I
am sure to have skipped a few important ones] ;-P

steve


RE: [Full-disclosure] Useless tidbit (MS AntiSpyware)

2005-05-11 Thread Randall M


:-Original Message-
:From: [EMAIL PROTECTED] 
:[mailto:[EMAIL PROTECTED] On Behalf 
:Of Nick FitzGerald
:Sent: Tuesday, May 10, 2005 6:17 PM
:To: full-disclosure@lists.grok.org.uk
:Subject: RE: [Full-disclosure] Useless tidbit (MS AntiSpyware)
:
:
:_THAT_ is a far larger problem you should have considered long 
:before you discovered that one (or more) of the many 
:"band-aid" programs (like MS AntiSpyware, most other 
:anti-spywares, known virus scanning "antivirus" programs, 
:software firewalls, and so on) so commonly advocated by lame 
:(or hamstrung) system admins has this (and dozens of
:other) trivial, stupid holes.
:
:
:Regards,
:
:Nick FitzGerald
:

Nick,
Would you please elaborate further on this? I read it to say we should have
cleaned out the machines first by hand and we are lame or hamstrung for
relying on anti-virus, anti-spyware programs to find them.

RandallM



Re: [Full-disclosure] Useless tidbit (MS AntiSpyware)

2005-05-10 Thread James Tucker
May I ask what web browser you use, if any?
What about mail client?
Do you read rich text and html mails in code?
Do you never have to update your software?
Can you reliably justify rolling out new software versions to
massively time-dependent and business critical systems, potentially
causing as much damage as an infection?

These are the issues from the other side.

On 5/11/05, Nick FitzGerald <[EMAIL PROTECTED]> wrote:
> Steven Rakick wrote:
> 
> > Interesting. Has this always been that way? While it's not a huge gaping
> > hole, it's definitely concerning. At least to me.
> 
> Well, yes, of course it's concerning...
> 
> If you have some unknown/unwanted/etc program running on one of your
> machines you darn well should be concerned, regardless of whether it's
> called program.exe and located in the root directory of your Windows
> install drive or not.
> 
> Of course, (assuming you are an IT admin) your boss should be even more
> concerned in how in the heck you've allowed your IT system to be rolled
> out such that arbitrary executables can actually get onto the machines
> and be run so easily.
> 
> _THAT_ is a far larger problem you should have considered long before
> you discovered that one (or more) of the many "band-aid" programs (like
> MS AntiSpyware, most other anti-spywares, known virus scanning
> "antivirus" programs, software firewalls, and so on) so commonly
> advocated by lame (or hamstrung) system admins has this (and dozens of
> other) trivial, stupid holes.
> 
> Regards,
> 
> Nick FitzGerald
> 


RE: [Full-disclosure] Useless tidbit (MS AntiSpyware)

2005-05-10 Thread Nick FitzGerald
Steven Rakick wrote:

> Interesting. Has this always been that way? While it's not a huge gaping
> hole, it's definitely concerning. At least to me.

Well, yes, of course it's concerning...

If you have some unknown/unwanted/etc program running on one of your 
machines you darn well should be concerned, regardless of whether it's 
called program.exe and located in the root directory of your Windows 
install drive or not.

Of course, (assuming you are an IT admin) your boss should be even more 
concerned in how in the heck you've allowed your IT system to be rolled 
out such that arbitrary executables can actually get onto the machines 
and be run so easily.

_THAT_ is a far larger problem you should have considered long before 
you discovered that one (or more) of the many "band-aid" programs (like 
MS AntiSpyware, most other anti-spywares, known virus scanning 
"antivirus" programs, software firewalls, and so on) so commonly 
advocated by lame (or hamstrung) system admins has this (and dozens of 
other) trivial, stupid holes.


Regards,

Nick FitzGerald



RE: [Full-disclosure] Useless tidbit (MS AntiSpyware)

2005-05-10 Thread Steven Rakick

Interesting. Has this always been that way? While it's not a huge gaping hole, it's definitely concerning. At least to me.
Steve
 
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of pretty vacant
Sent: Tuesday, May 10, 2005 9:53 AM
To: James Tucker
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Useless tidbit
You may or may not know that Windows applications often use the registry to store information about where to find applications within their file system. Due to the way in which Windows handles filenames, situations where this information is stored in an unquoted fashion can leave the application open to an attack commonly referred to as the "Program.exe trick".
As you know, it's quite common to have files and/or directories with spaces in the name (e.g. C:\Program Files). Windows is unique in that it essentially doesn't exactly know what it's doing if the command isn't quoted and contains spaces. For example look at the following command:
c:\program files\windows media player\wmplayer
If unquoted, Windows tries the following:
1st try
Execute: c:\program.exe
Arg1: files\windows
Arg2: media
Arg3: player\wmplayer
2nd try
Execute: "c:\program files\windows.exe"
Arg1: media
Arg2: player\wmplayer
3rd try
Execute: "c:\program files\windows media"
Arg1: player\wmplayer
4th try
Execute: "c:\program files\windows media player\wmplayer.exe"
Well, in the case of MS AntiSpyware (and hundreds of other applications), it starts up by executing "AntiSpywareMain.exe", which in turn displays a nice splash screen and performs some other misc activities before calling gsasDtServ.exe. The problem is that the execution of gsasDtServ.exe is unquoted: while the app tries to execute c:\program files\microsoft antispyware\gsasDtServ.exe, if c:\program.exe exists, it will be executed instead and MS AntiSpyware never actually gets loaded.
With XPSP2, the OS will actually warn you about files like c:\Program.bat, or c:\Program.exe, but not of c:\program files\internet.exe.
Sadly, this isn't uncommon and when I tested this on my system the first time, 7 applications were executed over a 48 hour period. Try it for yourself. My Program.exe logs the executing user and command args to c:\program.log.
 
 
On Tue, 10 May 2005, James Tucker wrote:
> It appears this was a "trick" that I missed, can you provide more info?
>
> thanks.
>
> On 5/9/05, pretty vacant <[EMAIL PROTECTED]> wrote:
> > Interesting tidbit. The old c:\program.exe trick prevents MS 
> > Anti-Spyware from loading at login. :) 
>
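The resolution order pretty vacant walks through above, as an added example (not code from the post or from Microsoft): a small Python audit that enumerates the module names Windows would try for an unquoted path, following the post's pattern and the documented CreateProcess behaviour of appending .exe to a candidate without an extension, and lists the ones tried before the intended executable. The registry entries are constructed sample values; a real check would read them from Run keys or service ImagePath values.

```python
import re

# Constructed sample entries, modelled on the post's wmplayer and gsasDtServ
# cases; illustrative values, not read from a real registry.
SAMPLE_ENTRIES = {
    "MediaPlayer": r"c:\program files\windows media player\wmplayer",
    "gsasDtServ": r"c:\program files\microsoft antispyware\gsasDtServ.exe",
    "Safe": r'"c:\program files\microsoft antispyware\gsasDtServ.exe"',
    "NoSpaces": r"c:\tools\agent.exe",
}

# True when the last path component already carries an extension.
_HAS_EXT = re.compile(r"\.[^\\\s.]+$")


def candidates(path):
    """Module names Windows tries, in order, for a bare path (no arguments).
    Quoted paths resolve to exactly one name; unquoted paths are split at
    every space and .exe is appended when the prefix has no extension."""
    if path.startswith('"'):
        end = path.find('"', 1)
        return [path[1:end]] if end > 0 else []
    tokens = path.split(" ")
    result = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        result.append(prefix if _HAS_EXT.search(prefix) else prefix + ".exe")
    return result


def hijack_candidates(path):
    """Everything tried before the intended executable. The XP SP2 warning
    the post mentions only covers c:\\Program.*, so all prefixes are listed;
    any one whose directory is writable by an ordinary user is a risk."""
    return candidates(path)[:-1]


def audit(entries):
    """Map each at-risk entry name to its hijack candidates and the quoted
    form of the path that closes the hole."""
    findings = {}
    for name, path in entries.items():
        risky = hijack_candidates(path)
        if risky:
            findings[name] = {"candidates": risky, "fix": f'"{path}"'}
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_ENTRIES).items():
        print(name, finding["candidates"], "->", finding["fix"])
```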