Robert Hensing's Blog

Bluehat V8: Mitigations Unplugged

2008-12-02T18:15:00Z

I first got to see Matt Miller speak in person a few Bluehat's ago when he was talking about 'Temporal return addresses' . . . ah yes - the talk was entitled "Temporal Chronomancy" according to Mr. Shostack's blog and it was all the way back in 2005. The basic premise behind the talk was that there are various counters / timers etc. that reside in a processes memory space that at specific dates and times become interesting 'op-codes' that can be used by exploit writers to do interesting things . . . IF they performed their exploit at exactly the right time . . . the talk freaking blew my mind . . . it was perhaps the best / most memorable Bluehat talk I've ever seen.

Anyways - I told you that story to set some precedent for this one. Matt Miller works at Microsoft now - on my extended team and he recently spoke again at Bluehat v8 (didn't get to attend sadly) and he delivered a talk on Mitigations Unplugged where he goes into GS / DEP / ASLR etc. etc. You'll have to trust me that these are topics that he's more than qualified to speak about. :) I haven't watched the video yet (it's 45 minutes) but I plan on making some time this week - if you have more free time than me - you should definitely check it out: http://technet.microsoft.com/en-us/security/dd285253.aspx

TIP: Be on the lookout for future blog posts from Matt over on the SVRD blog . . .

Interesting stuff and the end is near (for my blog)

2008-11-19T19:17:00Z

First off - OneCare is dead - long live . . . OneCare . . . err Morro?
http://news.cnet.com/8301-1009_3-10101582-83.html?tag=newsLeadStoriesArea.1

Next up - Zune 3.1 is out - download it - love it.
http://www.engadget.com/2008/11/18/zune-3-1-update-out-today-now-featuring-sudoku/
Also - the flash memory based Zunes are getting price chopped from $10 - $30 in time for Christmas:
http://www.engadget.com/2008/11/18/microsoft-ratchets-down-pricing-on-flash-based-zunes/

Things I loved about the 3.1 update are the new games (Checkers, etc.) and the ability to play with other players wirelessly. My 8 year old kicked my ass in Checkers last night playing wirelessly from his Zune 30. I was both proud and embarassed at being outsmarted by an 8 year old. :) I was too scared to try my luck at NLHE against him (yes he already knows how to play Poker - I'm not proud of that b.t.w.)

Also came across a new commerical I hadn't seen yet for the 360 today: http://www.xbox.com/NR/rdonlyres/79EB42A4-BB6F-4CDE-9DA1-1759D3EE8A18/0/vidxboxtvadgh3hi.asx

Finally - all good things must come to an end - and my blog is no exception. :)

I'll probably be done blogging real soon now . . . security (which unfortunately is one of my favorite topics) is a topic full of blog-landmines . . . only they move around frequently . . . and after stepping on them - they reset so you can step on them again, and again if you have short term memory problems and a learning problem. :) Not to mention it's time consuming when done properly and I've been busy as hell lately working on work - and overclocking my car (installed a piggyback EMU and self-tuned it a bit, installing some stage 2 cams this weekend - wish me luck - you may find a used overclocked 2001 IS300 on eBay Monday in need of a new engine with a low low reserve!).

So that said - my farewell post will probably be an explanation of why I have 'El Conquistador' in my display name since it's probably the most frequently asked question I get. :)

This week's Fail Open Goat Award goes to - Credit Card Processing

2008-11-02T16:43:00Z

http://www.veracode.com/blog/2008/10/credit-cards-failing-open/

Microsoft SideSight?

2008-10-29T18:53:00Z

Looks cool: http://www.gearlog.com/2008/10/microsofts_sidesight_something.php

SmoothHD

2008-10-29T18:44:00Z

Akamai / IIS7 / SilverLight 2.0 / VC-1 == HD over broadband happiness. It's sort of cool - the video started off a tad blurry and then got sharper after a few seconds and I didn't have a single glitch.
Pretty impressive stuff: http://www.smoothhd.com/
Also see: http://www.akamai.com/smoothhd

Mass SQL Injection : The Chinese Way

2008-10-23T16:20:00Z

The blog pretty much speaks for itself: http://www.circleid.com/posts/20081022_sql_injection_attacks_chinese_way/

Client-side browser vulns are of little use without an effective way of spreading them to the victims - unfortunately - it's still relatively easy for the miscreants to spread them around using tools like this.
Interesting the comment about SQL injection via cookies . . .

Out of band security update planned for today (MS08-067)

2008-10-23T15:28:00Z

Updated 10/23/2008 @ 1:17pm EST
We have pushed the update live - here's the direct link to the bulletin:http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx (if it doesn't work for you - keep trying - it will be live real soon now).
Also note that the Microsoft Malware Protection Center also has generic detection for the malware dropped in the targeted attacks!
You can read more about it at the MMPC blog: http://blogs.technet.com/mmpc/archive/2008/10/23/get-protected-now.aspx
Finally my team has released a blog post with an interesting .C file linked at the end - for those who like to compile stuff and play around with ACLs: http://blogs.technet.com/swi/archive/2008/10/23/More-detail-about-MS08-067.aspx
---------------------------------------------

The MSRC, SWI and some Windows product team folks have been working really hard to get a critical security update out the door this week and they just pushed the advanced notification thing live early this morning (EST).

http://blogs.technet.com/msrc/archive/2008/10/22/advance-notification-for-out-of-band-release.aspx

http://www.microsoft.com/technet/security/bulletin/ms08-oct.mspx

It's likely that by the time many of you read this - the update will already be available for download via WU/MU/WSUS etc.
Be sure to go out and grab it - especially if you are running Windows XP or lower operating systems (as you can tell by the severity ratings in the advance notification thinger - it's critical on that platform).

As always we apologize in advance if this ruins anyone's weekend plans - I personally blame the miscreants. :)

P.S. Keep an eye on my team's blog later today for more technical information: http://blogs.technet.com/swi

Flash 10 & IE8b2 Per Site ActiveX

2008-10-22T22:28:00Z

So I've got IE8b2 installed on all of my machines and I've noticed that since installing Flash 10 that all web sites now prompt me before running Flash 10! The new gold bar experience users will see when they install Flash 10 on IE8 is described here (thanks to Eric Lawrence for the URL: http://blogs.msdn.com/ie/archive/2008/05/07/ie8-security-part-ii-activex-improvements.aspx).

Some people may hate this - I actually like that I can now selectively control which sites get to use Flash and that it defaults to OFF for all web sites. As long as you don't select to allow ALL web sites to run the ActiveX control - it will continue to be blocked behind a gold bar for every web site that wants to instantiate the control. You'll find that within hours of installing Flash 10 on IE8b2 that pretty much EVERY site on the entire Interwebs wants to instantiate Flash (mostly for supporting annoying ads) and you'll also find that having it blocked behind a gold bar really isn't so annoying. I personally plan on leaving the Flash 10 AX configured to run on a per-site basis (i.e. I won't be configure it to run on all web sites) since this makes me feel a bit more warm and fuzzy only allowing certain sites to run the control. I imagine the vast majority of users will choose to allow all web sites to run the control and that's fine with me - as long as *I* don't have to allow all web sites to run the control - I'm a happy camper.

Flash 10 is out - install it like . . . yesterday.

2008-10-18T02:50:00Z

If I were a bad guy and I wanted to pwn lots of people via the web - I'd probably focus my efforts on ubiquitous software guaranteed to give me a lot of bang for my buck (like Flash and Acrobat). Software like Flash would seem like a good target given that it's installed on just about everything these days. Adobe released Flash 10 recently and I'm just guessing it's got some security bug fixes in it that would probably be good to have. I'd install it ASAP.

Oh and has anyone else noticed that Acrobat 9 still:

Opens PDFs by default in a browser *without prompting* the user
Runs JavaScript by default (I'm sure it's 'sandboxed' - whatever - i still disable this by default on all my boxes).

And does this remind anyone of Office circa 2000 when we let VBA macros run by default and didn't prompt users before opening documents via the web? How is it possible that in 2008 this still happens with our competitors?

Win7 to officially be called . . . Win7?

2008-10-14T23:59:00Z

I actually for once - LOVE that we are keeping the name of the OS simple and leaving it at Win7. I will admit - I was somewhat disappointed when XP's name was announced internally (internally it was known as Whistler) and I was downright horrified when we decided to call Longhorn "Vista" (my friends call it "Veesta"). Longhorn sounds cool . . . manly . . . Vista is pretty much the exact opposite in my mind . . . it sounds serene and 'pretty'.

Anyhoo - we seem to be doing all the right things with Win7 (you'll know why I'm saying that soon enough <G>): http://windowsvistablog.com/blogs/windowsvista/archive/2008/10/14/why-7.aspx

Wish I could tell you more about it - but I can't. All I can say is that it freaking rocks. I already use it as my daily driver OS at work and can't wait until it's out in the public for testing (which it will be very soon at PDC / WinHec next week).

MAPP + Exploitability Index == Protected Customers, Better Security Update Prioritization

2008-10-14T23:28:00Z

Today we officially launched our MAPP program (http://www.microsoft.com/security/msrc/mapp/partners.mspx) and at the same time we also started providing exploitability information about our vulnerabilities to the world. These two things are pretty huge. The idea behind the exploitability index is to help customers understand which updates they should deploy immediately vs. which ones we don't think are as likely to be epxloited or exploited reliably (trivia: Did you know that only about 30% of all of our vulns ever have exploit code written for them?).

You can see the exploitability index for the October release here: http://www.microsoft.com/technet/security/bulletin/ms08-oct.mspx

Here's the breakout of the numbering system used for the exploitability index - it uses 3 numbers - simple - like me: http://technet.microsoft.com/en-us/security/cc998259.aspx

Code monkey very simple man.

DayCon II / OSU Security Day / SafeCode

2008-10-13T23:17:00Z

Welp - just got back from speaking at a couple of events in Dayton, OH. First up was THE Ohio State University security day . . . I delivered my 'targeted attacks' presentation which I've been doing for over 2 years now (everything's the same - only the malware changes. :). I got to take a tour of the OSU campus (freaking huge) and meet some of the defenders of the OSU network which was nice. Next up was my presentation at DayCon II on Friday night at the Crowne Plaza in downtown Dayton. I met some real interesting people there (most seemed to be reverse engineers working at the base, and random other security people) and only ONE academic type in the crowd tried to bust my chops at the end with the typical anti-Microsoft rants - first it was Open XML and the fact that it still supports 'binary parts' and then after I addressed those concerns it was "Microsoft is so far behind the Unix world with respect to security - why weren't you programming securely 10-15 years ago?" type arguments. I believe he mentioned he was a professor with a PhD (possibly from Wright State - a college I dropped out of when I joined Microsoft and was forced to move) . . . I pointed out that we do the vast majority of our hiring (if not all of our hiring) for developers from accredited universities and institutions of higher learning and that if there was bad code being written by our folks - it certainly wasn't "below the standard" of what was being taught at universities 10 or 15 years ago - because we like every other company - hired those universities graduates!! I also pointed out that I had recently attended a C++ refresher course at CPCC (local community college) and was none to surprised to find that the PhD professor I had teaching the class was not at all familiar with buffer overruns (well that's not true - he knew what they were just not that they could lead to code execution!!) or heap overruns, or fuzzing, or any other interesting aspects of secure coding (but he knew his sorting algorithms and could talk in depth about compilers!). In fact he had me at one point lecture the class for him with respect to things like our own SDL, banned APIs, why they are banned, fuzzing, etc. It was surreal. This was in 2006. I was really glad I went back to school to see how things had changed since I had last taken a programming class (they hadn't!!).

And having said all of that, it's a nice segue into this: http://blogs.msdn.com/michael_howard/archive/2008/10/08/safecode-releases-fundamental-practices-for-secure-software-development-document.aspx

Shostack on "Threat Modeling"

2008-10-13T23:01:00Z

Adam Shostack is incredibly smart - and he also happens to be responsible for managing the threat modeling aspect of the SDL these days. Here's got a nice 10 page paper here on threat modeling - very much worth the read if you're into that sort of thing. http://blogs.msdn.com/sdl/archive/2008/10/08/experiences-threat-modeling-at-microsoft.aspx

iPhone running WM 6.1?

2008-10-13T22:57:00Z

Okay - I'm not sure if this is real or not - but the interview itself is hilarious - the questions the woman asks at the end and the kid's responses are hysterical: http://wmpoweruser.com/?p=1330

SkyFire?!?!?!

2008-09-30T19:52:00Z

OMG - how is it possible that I JUST today found out about this?

http://www.skyfire.com

What is it? It's a new FREE (for now) browser for WM phones . . . that doesn't absolutely positively suck. I just installed it on my Q9 smartphone and it rendered www.microsoft.com perfectly and it even rendered the flash animations?! So to test that theory out I went to Youtube and it played a Youtube video!! This is freaking insane . . . I finally have a full fledged browser for my phone that doesn't suck. I encourage all WM users to go check it out if you have iPhone / Safari / Android / Chrome envy!!