Thread: Re: FBI tells the public to call their ISP for help




Re: FBI tells the public to call their ISP for help
United States
2007-06-15 18:31:46
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -- Florian Weimer <fwdeneb.enyo.de> wrote:

>In most parts of the world, the Microsoft EULA is not enforceable.
>Most users don't buy their software from Microsoft, either.  It's
>preinstalled on their PC, and Microsoft disclaims any support.

NOTE: This has nothing to do with ISPs.

Also, there is somewhere in the neighborhood of > 65M MS hosts
"out there" that are either illegally or improperly licensed, and
which cannot use Microsoft Update (due to the Genuine Advantage
verification knobs).

While they can download each patch individually through a series
of acrobatic exercises, this sorta contributes to the whole
end-system compromise problem.

Again, not that this has much real bearing on the discussion, but
figured I toss that into the mix.

- - ferg

p.s. I forget exactly where the >65M figure came from, but I'm pretty
sure it was Microsoft a few months back...

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.1 (Build 1012)

wj8DBQFGcyFWq1pz9mNUZTMRAhjMAKDMA6Zwy8ZPeatoQPKQiwQLiLod2QCg
+pHO
3EUiDw6OXUp9DdjXM62p9qM=
=izS9
-----END PGP SIGNATURE-----


--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/




Re: FBI tells the public to call their ISP for help
United States
2007-06-16 14:56:27

On Jun 15, 2007, at 11:31 PM, Fergie wrote:
> - -- Florian Weimer <fwdeneb.enyo.de> wrote:
>
>> In most parts of the world, the Microsoft EULA is not enforceable.
>> Most users don't buy their software from Microsoft, either.  It's
>> preinstalled on their PC, and Microsoft disclaims any support.
>
> NOTE: This has nothing to do with ISPs.
>
> Also, there is somewhere in the neighborhood of > 65M MS hosts "out
> there" that are either illegally or improperly licensed, and which
> cannot use Microsoft Update (due to the Genuine Advantage
> verification knobs).
>
> While they can download each patch individually through a series of
> acrobatic exercises, this sorta contributes to the whole end-system
> compromise problem.
>
> Again, not that this has much real bearing on the discussion, but
> figured I toss that into the mix.

At the prior ISOS conference in Redmond, Microsoft made assurances
even systems failing Genuine Advantage verification can enable
automatic updates to obtain critical updates.  One of the attendees
remarked privately this automation works only for English versions of
XP. : (

With vulnerabilities created by Microsoft, such as:
   - cloaking files and processes
   - cloaking shell script extensions (even when show enabled)
   - requiring scripts for basic browser functionality
   - preventing removal of their exploitable browser
   - Word
   - .Net
   - inadequate provisions for temporary privilege escalation
   - unfortunate network defaults
   - reliance upon perimeter security
   - etc.

It seems such negligence might make Microsoft vulnerable to class
actions, especially from ISPs bearing the brunt of related support.
With the FBI recommendation, another very deep pocket might be added.

The paper provided by Google should give anyone cause.
http://www.usenix.org/events/hotbots07/tech/full_papers/provos/provos.pdf

"A popular exploit we encountered takes advantage of a
  vulnerability in Microsoft’s Data Access Components that
  allows arbitrary code execution on a user’s computer [6].
  The following example illustrates the steps taken by an
  adversary to leverage this vulnerability into remote code
  execution:
  • The exploit is delivered to a user’s browser via an
    iframe on a compromised web page.
  • The iframe contains Javascript to instantiate an
    ActiveX object that is not normally safe for scripting.
  • The Javascript makes an XMLHTTP request to
    retrieve an executable.
  • Adodb.stream is used to write the executable to disk.
  • A Shell.Application is used to launch the newly written
    executable."

-Doug
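
[Added example, not part of the original thread or of the cited paper: each step in the passage quoted above leaves a static marker in page source, and this Python check maps a page to those stages for triage. The stage names, verdict labels and sample pages are assumptions constructed for this example.]

```python
import re

# One pattern per step of the quoted passage; stage names are this example's own.
STAGES = {
    "iframe":   re.compile(r"<iframe\b", re.I),
    "activex":  re.compile(r"\bActiveXObject\s*\(|\bCreateObject\s*\(|\bclassid\s*=", re.I),
    "download": re.compile(r"\b(?:Microsoft|Msxml2)\.XMLHTTP", re.I),
    "write":    re.compile(r"\bAdodb\.Stream\b", re.I),
    "launch":   re.compile(r"\bShell\.Application\b", re.I),
}
# Adjacent string literals ("Ado" + "db.Stream") are joined before matching,
# so a ProgID split across a concatenation is still seen.
_CONCAT = re.compile(r"""["']\s*\+\s*["']""")

def stages_present(html):
    """Return the stage names found in the page source, in chain order."""
    text = _CONCAT.sub("", html)
    return [name for name, rx in STAGES.items() if rx.search(text)]

def verdict(html):
    """Classify a page by which of download/write/launch appear together."""
    found = set(stages_present(html))
    if {"download", "write", "launch"} <= found:
        return "drive-by-chain"
    # XMLHTTP alone is ordinary legacy AJAX; file-write or process-launch
    # objects in web content are treated here as worth a manual look.
    if found & {"write", "launch"}:
        return "suspicious"
    return "clean"

# Constructed sample pages (not taken from the paper or any real site).
SAMPLE_BENIGN = '<iframe src="https://example.com/widget"></iframe>' \
                '<script>var r = new XMLHttpRequest();</script>'
SAMPLE_LEGACY_AJAX = '<script>var r = new ActiveXObject("Msxml2.XMLHTTP");</script>'
SAMPLE_FLAGGED = """<iframe src="about:blank" width="0" height="0"></iframe>
<script>
var req = new ActiveXObject("Microsoft.XMLHTTP");
var out = new ActiveXObject("Ado" + "db.Str" + "eam");
var run = new ActiveXObject("Shell.Appli" + 'cation');
</script>"""

if __name__ == "__main__":
    for name, page in [("benign", SAMPLE_BENIGN), ("legacy", SAMPLE_LEGACY_AJAX),
                       ("flagged", SAMPLE_FLAGGED)]:
        print(name, stages_present(page), verdict(page))
```

[A static match like this misses script that builds the names at run time, so it complements rather than replaces rendering the page in an instrumented browser.]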



Re: FBI tells the public to call their ISP for help
Germany
2007-06-16 15:14:15
* Douglas Otis:

> At the prior ISOS conference in Redmond, Microsoft made assurances
> even systems failing Genuine Advantage verification can enable
> automatic updates to obtain critical updates.  One of the attendees
> remarked privately this automation works only for English versions of
> XP. : (

Yeah, I couldn't install the latest security update today; I was
forced to run WGA first.  I have to admit that I didn't try very hard
to bypass it since WGA was already installed on that machine.

Microsoft has been quite successful in associating security updates
with piracy.  Perhaps not at a technical level, but definitely in
people's minds. 8-(
