Tag Archive for Internet Explorer

Limit Admin Rights to Close Microsoft Holes

It’s been best practice for a very long time: all users and processes should run with the fewest privileges necessary. That means no Admin rights for users. This limits the damage that can be done by an attacker if the user or process is compromised.

ZDNet says that running users without admin rights on Microsoft (MSFT) Windows XP was generally impractical. It is a much more reasonable and manageable approach on Windows Vista, Windows 7, and Windows 8, but many organizations still run users as administrators because it makes things easier in the short term.

Impact of running with “least privilege”

ZDNet cites a new study from UK software company Avecto which demonstrates the real-world impact of running with “least privilege”. In 2013, Microsoft released 106 security bulletins and updates to address the 333 vulnerabilities identified in them. 200 of the 333 total vulnerabilities would be mitigated if the user were not running as administrator. 147 of the vulnerabilities were designated critical; 92 percent (135) of these would be mitigated.

Dark Reading says that the Avecto results also revealed that removing admin rights would mitigate:

  • 91% of critical vulnerabilities affecting Microsoft Office,
  • 96% of critical vulnerabilities affecting Windows operating systems,
  • 100% of vulnerabilities in Internet Explorer and
  • 100% of critical remote code execution vulnerabilities.

[Chart: Breakdown of Microsoft Vulnerability Impact in 2013]

Avecto told ZDNet that non-administrator users can still be compromised, but it’s much less likely that they would be and, if they were, the impact would likely be greatly limited. Least privilege is most effective as part of a more comprehensive security architecture including the prompt application of updates to patch vulnerabilities.

Paul Kenyon, co-founder and EVP of Avecto, told Dark Reading, “This analysis focuses purely on known vulnerabilities, and cybercriminals will be quick to take advantage of bugs that are unknown to vendors. Defending against these unknown threats is difficult, but removing admin rights is the most effective way to do so.”

rb-

Employees with admin rights can install, modify and delete software and files as well as change system settings, making more work for the help desk folks. The report demonstrates that many companies are still not fully aware of how many admin users they have and consequently face an unknown and unquantified security threat. It is also conceivable that privilege management would have made high-profile attacks such as the recent one on Target, if not impossible, then much harder, by reducing the potential for the abuse of partner access, believed to have been at the heart of the breach.
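A practical first step toward the least-privilege posture the Avecto numbers argue for is simply finding out who holds local admin rights today. The script below is an added example, not part of the post or the Avecto study; it assumes Windows PowerShell 5.1 or later (which ships Get-LocalGroupMember), and the account names in $Allowed are placeholders you would replace with the accounts your organisation has actually approved.

```powershell
# Added example, not part of the post or the Avecto study: audit who actually holds
# local admin rights on this machine. Assumes Windows PowerShell 5.1 or later, which
# ships the Microsoft.PowerShell.LocalAccounts module (Get-LocalGroupMember).

# Is the current session itself elevated? A quick sanity check on a workstation that
# is supposed to run its user without admin rights.
function Test-RunningAsAdmin {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# List every member of the local Administrators group and flag the ones that are
# not on the expected list. The names in $Allowed are assumptions for the example.
function Get-LocalAdminReport {
    param(
        [string[]]$Allowed = @('Administrator', 'Domain Admins')
    )
    # Resolve the group by its well-known SID (S-1-5-32-544) so the check still
    # works when the group has been renamed or the OS is not in English.
    $members = Get-LocalGroupMember -SID 'S-1-5-32-544'
    foreach ($m in $members) {
        # Names come back as COMPUTER\name or DOMAIN\name; keep the part after the slash.
        $short = ($m.Name -split '\\')[-1]
        [pscustomobject]@{
            Name       = $m.Name
            Type       = $m.ObjectClass       # User or Group
            Source     = $m.PrincipalSource   # Local, ActiveDirectory, MicrosoftAccount, ...
            Unexpected = ($Allowed -notcontains $short)
        }
    }
}

"Session elevated: $(Test-RunningAsAdmin)"
$report = Get-LocalAdminReport
$report | Sort-Object Unexpected -Descending | Format-Table -AutoSize
"Unexpected admin entries: $(@($report | Where-Object Unexpected).Count)"
```

Run it from a normal (non-elevated) session to confirm that the session itself is not an admin, then review the Unexpected column; a plain user account listed there is exactly the configuration the study says exposes the machine to the bulk of the 2013 bulletins. Running the same function over a fleet with Invoke-Command gives the count of admin users the report says many companies do not know.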


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Attackers Attack Emerging Technologies

Help Net Security reports that attackers continue to focus on social engineering attacks and circumventing legacy enterprise security systems according to a recent report by Zscaler. The Sunnyvale, CA-based firm reported shifts in the sources of enterprise web traffic, and that some popular sites attempt to improve user security. Here are some of the top findings detailed in the report:

  • Local apps are generating more direct HTTP and HTTPS traffic
  • Not all web traffic comes from browsers, and as this traffic shifts, web threats have a new attack vector
  • Internet Explorer 6 is on the decline in the enterprise. While this mitigates the security risks of the old browser platform, it could lead to a shift in attacks.
  • Google (GOOG) is actively attempting to thwart search engine optimization (SEO) spam and fake AV attacks, the topmost Internet threats today. However, most users remain exposed to these threats.
  • More sites, like Facebook (FB) and Gmail, are moving to HTTPS delivery. This is good for preventing sidejacking, but it allows savvy attackers a way to bypass traditional network-based security controls like IDS/IPS, which cannot decrypt traffic for inspection.

“Attackers know the limits of traditional security solutions,” says Michael Sutton, VP of Security Research at Zscaler. “But they are also very good at taking advantage of emerging technologies and new vectors for attack. Standalone user applications, social engineering attacks, and the move to HTTPS all have the potential to introduce new threats. Now more than ever, enterprise security solutions must inspect traffic in real-time, all the time, regardless of source, to provide true protection.”

RB-

I have covered IoT for a while here and here. I wrote about the big sites moving to HTTPS a while ago here and even wrote about HTTPS Everywhere here. And I am sure I don’t cost as much as an engagement with these firms.


A New Problem Caused by IE

The Microsoft Security Response Center (MSRC) Engineering team is reporting a vulnerability involving VBScript and Windows Help files. In Microsoft Security Advisory 981169, the MSRC says that hitting the F1 Help key can activate a vulnerability in VBScript enabling Remote Code Execution. The new Microsoft threat involves any version of Internet Explorer (IE) on Windows 2000 and Windows XP.

The US-CERT Vulnerability Note VU#612021 says that any file displayed by the Internet Explorer (IE) engine can trigger an attack. IE’s engine is often used to render HTML for other applications, even if you don’t see the usual IE program window.

Trigger the execution of arbitrary code

This issue makes it possible for a malicious web page, an HTML e-mail or an e-mail attachment, or any file to display a dialog box that will trigger the execution of arbitrary code when the user presses the F1 key. The prompt can reappear when dismissed, nagging the user to press the F1 key. MSFT calls the Windows Help file format “inherently unsafe”. That means these files can run arbitrary code, so the browser must prevent remote Windows Help files from executing automatically.

MSFT suggests that as an interim workaround, users avoid pressing F1 on dialogs presented from web pages or other Internet content. If a dialog box repeatedly appears trying to convince the user to press F1, users should log off the system or use Task Manager to kill the Internet Explorer process.

It is possible to mitigate the threat from the command line by locking down the legacy Windows Help system. Type:
cacls "%windir%\winhlp32.exe" /E /P everyone:N
and to undo the change, type:
cacls "%windir%\winhlp32.exe" /E /R everyone

Windows Server 2003 is affected as well, but the default IE configuration mitigates the threat. Windows Vista, Server 2008, and Windows 7 are not affected.


The MSRC post also describes how to change IE’s Internet and Local intranet security zone settings to “High” so that IE prompts before running ActiveX Controls and Active Scripting in these zones, a move that can also help protect against potential attacks.
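Once either workaround has been applied, it is worth verifying it rather than trusting that the command ran. The script below is an added example, not from the advisory or the post; it checks for the Deny entry the cacls command places on winhlp32.exe and reads the per-user IE zone settings that the “High” template changes. It assumes Windows PowerShell 2.0 or later and that IE zone configuration lives under HKCU (the default); the registry action codes 1200 and 1400 and the CurrentLevel value 0x12000 for “High” are the standard Internet Settings values, not something the post itself spells out.

```powershell
# Added example, not from the advisory or the post: confirm the two mitigations
# described above are in place on the local machine. Assumes Windows PowerShell 2.0+
# (Get-Acl, Get-ItemProperty) and per-user IE zone settings under HKCU.

# 1. winhlp32.exe lockdown. The cacls command above adds a Deny entry for Everyone;
#    find it by the well-known SID S-1-1-0 rather than by name, so a non-English
#    "Everyone" does not slip past the check.
function Test-WinHlp32Locked {
    $path = Join-Path $env:windir 'winhlp32.exe'
    if (-not (Test-Path $path)) { return $false }   # nothing to lock on this system
    $acl  = Get-Acl -Path $path
    $deny = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Translate([Security.Principal.SecurityIdentifier]).Value -eq 'S-1-1-0'
    }
    return [bool]$deny
}

# 2. IE zone settings. Action codes: 1200 = "Run ActiveX controls and plug-ins",
#    1400 = "Active scripting"; values 0 = Enable, 1 = Prompt, 3 = Disable.
#    CurrentLevel 0x12000 is the "High" template the MSRC post recommends.
function Get-IEZoneScriptingPolicy {
    $base    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    $zones   = @{ 1 = 'Local intranet'; 3 = 'Internet' }
    $actions = @{ 1200 = 'Run ActiveX controls and plug-ins'; 1400 = 'Active scripting' }
    $labels  = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
    foreach ($z in $zones.Keys) {
        $key = Get-ItemProperty -Path (Join-Path $base $z) -ErrorAction SilentlyContinue
        $level = if ($key -and $key.CurrentLevel -eq 0x12000) { 'High' } else { 'not High' }
        foreach ($a in $actions.Keys) {
            # Value names in the registry are the decimal action codes as strings.
            $raw = if ($key) { $key.($a.ToString()) } else { $null }
            $label = 'missing'
            if ($raw -ne $null) {
                $label = if ($labels.ContainsKey([int]$raw)) { $labels[[int]$raw] } else { "unknown ($raw)" }
            }
            [pscustomobject]@{
                Zone     = $zones[$z]
                Level    = $level
                Setting  = $actions[$a]
                Value    = $label
                # Anything other than Enable means the user is prompted or the feature is off.
                Hardened = ($raw -ne $null -and [int]$raw -ne 0)
            }
        }
    }
}

"winhlp32.exe locked down: $(Test-WinHlp32Locked)"
Get-IEZoneScriptingPolicy | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind: the ACL check only proves the Deny entry exists, not that the F1 prompt has stopped appearing, and on machines where Group Policy forces machine-wide zone settings (the Security_HKLM_only policy) the effective values live under HKLM rather than HKCU, so the zone check should be pointed there instead.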
