RE: Most vulnerable apps of 2008

2008-12-16 Thread Webster
From: James Rankin [mailto:kz2...@googlemail.com] 
Subject: Re: Most vulnerable apps of 2008

 

Adobe kit has to be top

The fact that our application servers still use version 7.07 of Adobe Reader
because of compatibility with some POS finance application gives me
nightmares. I have just penned another inflammatory email to the vendor of
said POS.

You use Point of Sale software on your servers? 

Webster


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

Re: Most vulnerable apps of 2008

2008-12-16 Thread James Rankin
I definitely don't think it is OK for users to install stuff. In the
environment I run, nothing gets installed unless it comes through us.

-Original Message-
> From: Ben Scott [mailto:mailvor...@gmail.com]
> Sent: Monday, December 15, 2008 8:35 PM
> To: NT System Admin Issues
> Subject: Re: Most vulnerable apps of 2008
>
> On Mon, Dec 15, 2008 at 5:49 PM, Andy Ognenoff wrote:
> > One of their criteria is that the apps on the list can't be managed with
> > WSUS.  Isn't that a reason to use another tool besides (or in addition to)
> > WSUS rather than not use the application in question?
>
>  I was more surprised to find out that Microsoft Systems Management
> Server is now a "free Enterprise tool".  (Page 1, "Criteria" list,
> item #6.)
>
>  More seriously: Several of their identified "worsts" come with their
> own self-update tools.  Since this list seems to assume it is okay for
> lusers to install and manage their own software (aside: WTF?!?), why
> isn't it okay to use those self-update tools?
>
>  The strange thing is, this company (Bit9) doesn't appear to sell
> update management tools.  Their chief -- if not only -- product is an
> "Application Whitelisting" tool.  (Kind of like the Software
> Restrictions Policies built-in to MS Windows, but with more
> capabilities and a pre-loaded list of signatures.)
>
>  I'm guessing they set out to craft a situation where you couldn't
> use Software Restriction Policies (due to allowing lusers running all
> sorts of arbitrary random crap; see above) but still wanted
> centralized management of the applications they can run.  Of course, I
> have to ask, why not just solve the real problem rather than bolting
> on a solution that a determined luser could prolly bypass anyway (they
> have admin rights, remember).
>
>  Also interesting is the fact that a stack smash with code injection
> isn't necessarily going to show up on the radar of their product
> anyway.  That doesn't tamper with the files on disk; it just modifies
> the in-memory image.  So the bad guys can still do bad nasty things in
> the unpatched application.
>
>  I'm not impressed.
>
> -- Ben

RE: Most vulnerable apps of 2008

2008-12-16 Thread Ziots, Edward
Actually with Bit9 Parity even if they have Admin rights, I believe they
can't run the software if it's not on the whitelist. Therefore the
(l)user can't bypass. At least in our demo they couldn't. 

Z

Edward E. Ziots
Network Engineer
Lifespan Organization
Email: ezi...@lifespan.org
Phone: 401-639-3505
MCSE, MCP+I, ME, CCA, Security +, Network +

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Monday, December 15, 2008 8:35 PM
To: NT System Admin Issues
Subject: Re: Most vulnerable apps of 2008

On Mon, Dec 15, 2008 at 5:49 PM, Andy Ognenoff wrote:
> One of their criteria is that the apps on the list can't be managed with
> WSUS.  Isn't that a reason to use another tool besides (or in addition to)
> WSUS rather than not use the application in question?

  I was more surprised to find out that Microsoft Systems Management
Server is now a "free Enterprise tool".  (Page 1, "Criteria" list,
item #6.)

  More seriously: Several of their identified "worsts" come with their
own self-update tools.  Since this list seems to assume it is okay for
lusers to install and manage their own software (aside: WTF?!?), why
isn't it okay to use those self-update tools?

  The strange thing is, this company (Bit9) doesn't appear to sell
update management tools.  Their chief -- if not only -- product is an
"Application Whitelisting" tool.  (Kind of like the Software
Restrictions Policies built-in to MS Windows, but with more
capabilities and a pre-loaded list of signatures.)

  I'm guessing they set out to craft a situation where you couldn't
use Software Restriction Policies (due to allowing lusers running all
sorts of arbitrary random crap; see above) but still wanted
centralized management of the applications they can run.  Of course, I
have to ask, why not just solve the real problem rather than bolting
on a solution that a determined luser could prolly bypass anyway (they
have admin rights, remember).

  Also interesting is the fact that a stack smash with code injection
isn't necessarily going to show up on the radar of their product
anyway.  That doesn't tamper with the files on disk; it just modifies
the in-memory image.  So the bad guys can still do bad nasty things in
the unpatched application.

  I'm not impressed.

-- Ben


RE: Most vulnerable apps of 2008

2008-12-16 Thread Ziots, Edward
Plenty of POS Software out there, no getting away from that. It's usually
the 3rd party integration with applications that adds all the
vulnerabilities into it.

Trust me, try Apache Tomcat, or Apache Period, and you will find out what
I have known for a while.

Z

Edward E. Ziots
Network Engineer
Lifespan Organization
Email: ezi...@lifespan.org
Phone: 401-639-3505
MCSE, MCP+I, ME, CCA, Security +, Network +


From: James Rankin [mailto:kz2...@googlemail.com] 
Sent: Tuesday, December 16, 2008 6:25 AM
To: NT System Admin Issues
Subject: Re: Most vulnerable apps of 2008

 

 

 


Re: Most vulnerable apps of 2008

2008-12-16 Thread James Rankin
Adobe kit has to be top

The fact that our application servers still use version 7.07 of Adobe Reader
because of compatibility with some POS finance application gives me
nightmares. I have just penned another inflammatory email to the vendor of
said POS.

2008/12/16 Ziots, Edward 

> Don't discount our friend the Swiss-Cheese exploitable browser called
> Internet Explorer (Exploder, Destroyer, Malware Infester, etc etc)
>
> Besides that it's Adobe that has been getting a lot of the Hacking play
> lately.
>
> Z
>
> Edward E. Ziots
> Network Engineer
> Lifespan Organization
> Email: ezi...@lifespan.org
> Phone: 401-639-3505
> MCSE, MCP+I, ME, CCA, Security +, Network +
> -Original Message-
> From: Andy Ognenoff [mailto:andyognen...@gmail.com]
> Sent: Monday, December 15, 2008 10:24 PM
> To: NT System Admin Issues
> Subject: Re: Most vulnerable apps of 2008
>
> I also like that they say ESXi 3.5 or earlier is an application that
> installs on Windows, is commonly known in the consumer market and
> installed by the user with no way for central administration via WSUS.
> It's like they looked up a bunch of applications that execs might
> recognize by name only and threw them all out on a piece of collateral
> for their marketing dept.
>
> But I agree with Ben S. - get to the root of the problem: least
> privilege.
>
> - Andy O.
>
> Micheal Espinola Jr wrote:
> > I still don't see a rationale for Firefox being at the top of the list.
> > I would THINK that Adobe Flash and Adobe Acrobat would be a greater
> > risk exposure, but I don't have stats for that - but neither do they it
> > seems.
> >
> > Or did I miss something?

RE: Most vulnerable apps of 2008

2008-12-16 Thread Ziots, Edward
Don't discount our friend the Swiss-Cheese exploitable browser called
Internet Explorer (Exploder, Destroyer, Malware Infester, etc etc) 

Besides that it's Adobe that has been getting a lot of the Hacking play
lately. 

Z

Edward E. Ziots
Network Engineer
Lifespan Organization
Email: ezi...@lifespan.org
Phone: 401-639-3505
MCSE, MCP+I, ME, CCA, Security +, Network +
-Original Message-
From: Andy Ognenoff [mailto:andyognen...@gmail.com] 
Sent: Monday, December 15, 2008 10:24 PM
To: NT System Admin Issues
Subject: Re: Most vulnerable apps of 2008

I also like that they say ESXi 3.5 or earlier is an application that 
installs on Windows, is commonly known in the consumer market and 
installed by the user with no way for central administration via WSUS. 
It's like they looked up a bunch of applications that execs might 
recognize by name only and threw them all out on a piece of collateral 
for their marketing dept.

But I agree with Ben S. - get to the root of the problem: least
privilege.

- Andy O.

Micheal Espinola Jr wrote:
> I still don't see a rationale for Firefox being at the top of the list.
> I would THINK that Adobe Flash and Adobe Acrobat would be a greater
> risk exposure, but I don't have stats for that - but neither do they it
> seems.
> 
> Or did I miss something?


Re: Most vulnerable apps of 2008

2008-12-15 Thread Andy Ognenoff
I also like that they say ESXi 3.5 or earlier is an application that 
installs on Windows, is commonly known in the consumer market and 
installed by the user with no way for central administration via WSUS. 
It's like they looked up a bunch of applications that execs might 
recognize by name only and threw them all out on a piece of collateral 
for their marketing dept.


But I agree with Ben S. - get to the root of the problem: least privilege.

- Andy O.

Micheal Espinola Jr wrote:
> I still don't see a rationale for Firefox being at the top of the list.
> I would THINK that Adobe Flash and Adobe Acrobat would be a greater
> risk exposure, but I don't have stats for that - but neither do they it
> seems.
>
> Or did I miss something?




Re: Most vulnerable apps of 2008

2008-12-15 Thread Ben Scott
On Mon, Dec 15, 2008 at 5:49 PM, Andy Ognenoff  wrote:
> One of their criteria is that the apps on the list can't be managed with
> WSUS.  Isn't that a reason to use another tool besides (or in addition to)
> WSUS rather than not use the application in question?

  I was more surprised to find out that Microsoft Systems Management
Server is now a "free Enterprise tool".  (Page 1, "Criteria" list,
item #6.)

  More seriously: Several of their identified "worsts" come with their
own self-update tools.  Since this list seems to assume it is okay for
lusers to install and manage their own software (aside: WTF?!?), why
isn't it okay to use those self-update tools?

  The strange thing is, this company (Bit9) doesn't appear to sell
update management tools.  Their chief -- if not only -- product is an
"Application Whitelisting" tool.  (Kind of like the Software
Restrictions Policies built-in to MS Windows, but with more
capabilities and a pre-loaded list of signatures.)

  I'm guessing they set out to craft a situation where you couldn't
use Software Restriction Policies (due to allowing lusers running all
sorts of arbitrary random crap; see above) but still wanted
centralized management of the applications they can run.  Of course, I
have to ask, why not just solve the real problem rather than bolting
on a solution that a determined luser could prolly bypass anyway (they
have admin rights, remember).

  Also interesting is the fact that a stack smash with code injection
isn't necessarily going to show up on the radar of their product
anyway.  That doesn't tamper with the files on disk; it just modifies
the in-memory image.  So the bad guys can still do bad nasty things in
the unpatched application.

  I'm not impressed.

-- Ben



Re: Most vulnerable apps of 2008

2008-12-15 Thread Micheal Espinola Jr
I still don't see a rationale for Firefox being at the top of the list.
I would THINK that Adobe Flash and Adobe Acrobat would be a greater
risk exposure, but I don't have stats for that - but neither do they it
seems.

Or did I miss something?

--
ME2



On Mon, Dec 15, 2008 at 5:49 PM, Andy Ognenoff  wrote:
> "Firefox tops list of 12 most vulnerable apps"
> http://blogs.zdnet.com/security/?p=2304
>
> One of their criteria is that the apps on the list can't be managed with
> WSUS.  Isn't that a reason to use another tool besides (or in addition to)
> WSUS rather than not use the application in question?
>
> Read the full report for the criteria used to compile the list:
> http://www.bit9.com/files/Vulnerable_Apps_DEC_08.pdf
>
> Wow...
>
>  - Andy O.
>