- I'm a PC and I fight for the users . . .
-
Tron Guy makes a cameo in our "I'm a PC" video wall: http://media.lifewithoutwalls.com/ugc/t/r/o/tronguy/tronguy_336_252.wmv
Here's the algorithm for finding direct links to videos based on user name: http://media.lifewithoutwalls.com/ugc/[1st letter of username]/[2nd letter of username]/[3rd letter of username]/[username]/[username]_336_252.wmv (thanks for the tip Jiri)
I sort of like the video wall (and no, the irony of having a video wall for a 'Life without walls' campaign has not escaped me) . . . it's fun watching some of the videos and it reminds me a bit of DeepLOL (zoom in with the mouse wheel or by clicking with the mouse on the pic)
- Extreme Ad Makeover - We are now entering "the 2nd phase"?
-
You know, I have one simple request. And that is if we are to have an ad campaign with sharks, that we have sharks with frickin’ laser beams attached to their heads!
http://www.nytimes.com/2008/09/18/business/media/18adco.html?pagewanted=1&_r=1&ei=5040&partner=MOREOVERFEATURES
- Zune 3.0 - Using wifi to download songs right from the ZMP (speed test)
-
Today a friend asked me how fast downloading songs / albums from the ZMP was and I had to admit - I wasn't sure. The day the firmware came out I immediately hooked up my Zune to my wifi network at home and then connected to the marketplace and then started playing a newly released song and it started playing nearly instantly - there was maybe a 3-4s delay between the time I clicked and the time it started playing on my Zune - but it seemed very reasonable and the song played without a single hiccup or buffering issues.
But the cool thing about the ability to access the ZMP wirelessly is that you don't have to stream the songs - you can add them to your 'cart' on the Zune and then this downloads them locally to the Zune vs. simply streaming them (when you stream I don't believe they are left behind when the song is over). Theoretically if I was at a friend's house and wanted to download random songs that I didn't already have on my Zune for later playback on his 360 - this is what I'd have to do - I'd have to find the songs / albums, add them to the cart on the Zune and then once they were done downloading - plug my Zune into the 360 and start playing them (if you are downloading content or streaming when you plug the Zune into the 360 it stops).
So I decided to do a speed test - tonight I found a newly released album - it was a Buckcherry album that showed up right on the main 'New Releases' part of the marketplace on the Zune. I clicked to add it to the cart and it started downloading . . . and it was slow. The Zune gives you a % complete number - but not a throughput number . . . but the throughput didn't seem all that great. In fact as I have typed this blog post I've only gotten to 95% complete with the album - and I've been downloading it for at least 10 minutes. So I wanted to know what my average download speed was so I logged into my DD-WRT router and pulled up the bandwidth monitoring interface in FireFox (it uses VML - this is the ONLY reason I have FF3.0 installed) and looked at my wifi (since my Zune is the only wifi device on it right now - these are fairly accurate numbers).
Welp - a picture is worth a thousand words - it looks like at around 7pm EST on 9/17/2008 my Zune 80 could only achieve an average of about 650kbps download speeds from the ZMP which is slower than the ~2-3Mbps I have clocked it at when doing a wireless sync to my PC.

After the download was over though - I noticed that my wifi utilization was still bouncing between 100kbps and 200kbps . . . but I had nothing queued up and nothing was downloading . . . I disabled the wifi on the Zune and the utilization immediately dropped back down to 0%. I then fired up the wifi on the Zune again and logged in to the marketplace again and the utilization hovered near 0 (the thumbnails and stuff that it downloads are barely enough to register). So then I decided to time one song to see how long that would take to download (and to see if the utilization would stay at 100kbps to 200kbps after the download finished). I chose the artist 'Gym Class Heroes' and the song was a rather amusingly named 'Drnk Txt Rmeo' ('cause who HASN'T txt'd while drnk? :) . . . it's a 3:25s song - fairly representative . . . I started that song downloading and it was done approx 50 seconds later (give or take 2-3s) and here's what the bandwidth graph looked like for that download - notice that I hit peaks of up to 1.5mbps but the average is about the same, probably between 600-700kbps

Welp - those are my numbers - YMMV . . .
UPDATE: So after I published this I started downloading that whole Gym Class Heroes album and I had a very different network utilization graph from this download - I averaged closer to 1.5Mbps with bursts of up to 3Mbps. I also noticed that you can use the back arrow to do other things while a song / album is downloading in the background (i.e. you can listen to music while downloading from the ZMP - but you don't seem to be able to play a game - games seem to disconnect you - BUT - it will resume downloading where it left off after you re-connect to the ZMP after you're done with the game - you don't have to start all over)

So then I decided to see if the Zune would be smart enough to push the content that I downloaded directly to the Zune back up to my PC and I decided to do that wirelessly as well to see how fast the wireless sync is with the new firmware (since I haven't tested it in a while).
Well - I'm pleased to report that not only did it push the downloaded content back to my PC (as one would expect) - but it also averaged about 5Mbps while doing it!
That's up about 50% faster than the last time I tested (with the last version of the firmware I averaged about 2 - 2.5Mbps).

So it looks like what we've learned is:
- The Zune 3.0 firmware can download / upload at about 5mbps - and this is much faster than the Zune 2.0 and older firmwares
- Download speeds from the ZMP range from 600kbps to 3Mbps depending on time of day, color of shirt, album downloaded etc.
- Zune 3.0 - Insanely great creamy goodness from the Zune team
-
So I have a Zune 80 (black) and I freaking love it. The Zune software kicks the living crap out of anything Apple has ever released in terms of quality and functionality and ease of use. The software just works, the Zune just works - it's probably the best entertainment device we make that no one knows about or has (sigh). Well, yesterday we released the Zune 3.0 software and firmware for all the Zunes (yes even if you have the first gen brown Zune-brick you get the updated firmware). So what's cool with the new software/firmware? Well at long last you can connect up to ANY wifi network via your Zune's wifi capability and you can use that Internet access to connect up to the Zune Market Place (ZMP). It even works on WPA2 networks with passphrases (I connected up to mine yesterday) - but that only works on the Zune80's and newer (Zune30's support WPA1 and WEP though).
Okay so what's the big deal with being able to connect to any Wifi network? Well imagine that you have a Zunepass (as I do) for $15/month . . . you can download as much music as you want to your PC or your Zune . . . well imagine that I'm heading to a friend's house to play poker and we want to play some music while we play - but he doesn't have a Zune or a Zune pass. I can bring my Zune, plug it into say his Xbox 360 which is connected to his home entertainment system and then I can connect to the Zune marketplace via his wifi network to download / stream *any* music that I want . . . so the Zune is on wifi downloading content from the ZMP while plugged into his 360 via USB playing the songs through his home audio system.
Basically I have access to the entire ZMP anywhere I go that has wifi now . . . so even if I haven't downloaded the songs to my Zune from the PC, that doesn't matter - I can still get them . . . anywhere. This is insanely cool (for me) because I can't tell you how many times I've been on a trip with my Zune sans my home PC with the Zune software installed and I've wanted to grab some new content from the ZMP but can't until I get home (you can only pair the Zune to so many PCs).
Also there is FM tagging which I will probably never use - but basically the Zune will use RDS info (if it's present - un-surprisingly many of the radio stations here in the south have yet to opt-in to this exciting technology of the last century) to figure out what song you're listening to and it allows you to tag it so that you can download it later from the ZMP if you like.
What else is cool? Well games - I now have Hexic and NLHE poker on my Zune (two of my favorite games - what are the odds?).
I dunno man . . . the Zune is finally a seriously, "insanely great" entertainment device . . . the fact that we give the new hotness to even the original Zune 30 owners is IMHO very impressive - you don't see our competition doing anything like that.
Welcome to the social.
- GOVCERT.NL and German authorities recommend against installing Chrome!?
-
It was only a matter of time - the first few days worth of bugs were so bad I gave up covering them / reading them and one *has* to question Google's commitment and ability to write secure code: http://www.computerworld.co.ke/articles/2008/09/09/security-agencies-rally-against-google-chrome After reading their security architecture whitepaper - it really is pretty unbelievable how many vulns were found in such a short period of time and how bad they were.
Shrugs - definitely using IE8b2 on all my machines now. :)
- 6 on 6? (Hot IE on WM action)
-
Whoa . . . a full fledged browser on my Smartphone! Yes please!
http://news.cnet.com/8301-13860_3-10039152-56.html?tag=newsLeadStoriesArea.0
Don't get me wrong - the browser on WM6.1 is nice . . . but it's still not all that great - lots of pages with complex script cause my browser to hang, other pages still don't render properly etc. It's a hit-or-miss affair surfing the web on my phone which is disappointing because the 3G speed is there and makes it doable. Oh and being able to watch Flash videos on my phone? Can't wait . . .
- New Microsoft Ad with Bill and Jerry - it's actually sorta FUNNY!
-
And holy crap - it's 4.5 minutes long!!!
You can watch the ad in better definition than you can on Youtube by going here (and it looks like down on the timeline we'll have them all up there soon): http://www.microsoft.com/windows/
Okay - I have to admit - I officially think this ad campaign is sort of cool now . . . I see where they're going with it and well . . . it's not bad. ;)
- Why I'm not running Chrome anymore (back to IE8 beta 2 for me)
-
http://www.milw0rm.com/exploits/6367
Long strings leading to stack overruns? Really Google? Srsly? I guess I have the answer to my questions about whether they have an SDL / or the notion of banned APIs / or automated code scanning stuff . . . I mean long strings in an HTML tag is like . . . silly fuzzing 101 type stuff . . . the vulns we're fixing in IE these days are pretty insane and are usually pretty complicated / obscure . . . like usually they are some really complicated DOM manipulation stuff that is waaaaaayyyyy beyond simple 'overly long strings in a tag' type stuff. I can't *wait* to see what happens when people start doing really advanced DOM fuzzing against Chrome. :)
Another interesting read is how they implemented some of their 'enhanced' BIBA security model stuff to prevent the read-up (from Low to Medium or higher) stuff that Low IL on Vista still allows: http://gynvael.coldwind.pl/?id=49
Function patching? Really? Wow. Just . . . wow.
It's pretty obvious that the code quality just isn't there . . . this browser is not ready for prime time on anyone's machine IMHO.
- It begins . . .
-
UPDATE: Go here and watch the video - it's higher resolution and better: http://www.microsoft.com/windows/
Our $300MM ad campaign featuring Seinfeld: http://www.techcrunch.com/2008/09/04/first-bill-gatesjerry-seinfeld-advertisement-wheres-the-microsoft/
I was left wanting so much more . . . Apple's probably breathing a collective sigh of relief right about now . . .
- Breaking out of the Chrome sandbox - 2 interesting vulns in 24 hours? Got IE8? :)
-
So it hasn't even been out 24 hours yet but Chrome is, as predicted, getting scrutinized heavily and well . . . it's falling down at a pretty alarming rate (compared to, say, IE8 beta 2 which has been out longer :))
So yesterday Aviv Raff discovered that Chrome is vulnerable to the Safari carpet bomb issue as reported here: http://blogs.zdnet.com/security/?p=1843. This is actually a download and execute / remote code execution bug which is about as bad as it gets! I verified that the PoC downloads a .JAR file to my IE downloads folder and then attempts to execute it (I got a file open dialog since I don't have Java installed).
Then this morning we have a new, more interesting (IMHO) crash that was posted here: http://evilfingers.com/advisory/google_chrome_poc.php
So, I slapped WinDBG on both processes to see what's going on - and I visited the PoC site from my Vista++ machine and this is what I observed in the debugger attached to the medium IL kernel process:
0:022> g
(1078.fe4): Break instruction exception - code 80000003 (first chance)
eax=553a2ff0 ebx=0024e238 ecx=553a2ff0 edx=775cea74 esi=0024e238 edi=00000002
eip=553a2ff3 esp=0024e180 ebp=0024e180 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
*** ERROR: Symbol file could not be found. Defaulted to export symbols for D:\Users\rhensing\AppData\Local\Google\Chrome\Application\0.2.149.27\chrome.dll -
chrome_553a0000+0x2ff3:
553a2ff3 cc int 3
0:000> ub eip
chrome_553a0000+0x2fe3:
553a2fe3 56 push esi
553a2fe4 e8d5dc5d00 call chrome_553a0000!ChromeMain+0x5ddb99 (55980cbe)
553a2fe9 59 pop ecx
553a2fea 8bc6 mov eax,esi
553a2fec 5e pop esi
553a2fed c20400 ret 4
553a2ff0 55 push ebp
553a2ff1 8bec mov ebp,esp
Why is this crash interesting? Because it crashes the medium IL 'kernel' process and not the low IL 'sandbox / rendering engine' process (though that process does exit when the parent process dies)!! Why is that interesting? Because it points to protocol handler abuse as a potential way to bypass the protection measures of the low IL rendering engine sandboxes!
Overall - I have to admit - I am in love with Chrome - the UI is fantastic, the rendering is pretty fast, and it's very intuitive and clutter free . . . that said - I'm very concerned about the code quality given that in less than 24 hours we've got one confirmed remote code execution vuln (one that was already patched by Apple in the same source code weeks ago!) and one 'interesting' discovery / crash - that is certainly going to draw attention to fuzzing protocol handlers and maybe lead to the discovery of something even more interesting.
Welp - the ball has been resoundingly slammed back over the net at Google - and it will be interesting to see how they respond. Will they release a blog detailing what's going on with the protocol handler debug break above? Will they release an update soon that corrects these two issues? Will they talk about how these issues were missed and what they're doing to ensure there aren't variations all over the place?
- On Chromium and Practical Windows Sandboxing
-
UPDATE 9/13/2008: The authors of the Chromium whitepaper linked to below wrote to me the day after I wrote this post thanking me for the links to Dave's blog and they insisted that they had not seen his presentation at Blackhat nor were they aware of his blogs on sandboxing so it must be a coincidence that the two groups used the same approach for MOICE and Chrome. They also mentioned that they have subsequently updated the whitepaper to cite his work at the end in the references section which was nice. It has also been pointed out to me that Google bought GreenBorder however I do not believe that this is the technology described in the whitepaper on the Stanford web site and used by Chrome that I link to below - but I could be wrong - I know pretty much nothing about GreenBorder.
------------------------------------------
So tonight a friend sent me this URL which offers a bit more technical detail on how Google's new 'Chrome' browser implements its 'sandbox' for the rendering engine processes: http://crypto.stanford.edu/websec/chromium/chromium-security-architecture.pdf
If you read up on the sandbox you will discover that Google is doing essentially the following things:
- Using the CreateRestrictedToken API and AdjustTokenPrivileges to lock down the token the rendering process is running with.
- Using a Job object to place limitations on what the rendering process can do
- Running the rendering process on a separate desktop to prevent window message abuse.
Hmmm . . . this all sounds familiar . . . where have I read about this type of sandbox before? Oh that's RIGHT . . . on David LeBlanc's blog:
http://blogs.msdn.com/david_leblanc/archive/2007/07/27/practical-windows-sandboxing-part-1.aspx <-- CreateRestrictedToken
http://blogs.msdn.com/david_leblanc/archive/2007/07/27/practical-windows-sandboxing-part-2.aspx <-- Job Object
http://blogs.msdn.com/david_leblanc/archive/2007/07/27/practical-windows-sandboxing-part-3.aspx <-- Locking down a process on a different desktop to prevent WM abuse.
Now obviously his blog posts are over a year old . . . Chrome just released today along with the whitepaper I linked to above (the create date on the PDF was 9/2/2008 so this doesn't appear to be something old that I'm just now reading) - but in the "references" section - I didn't see any acknowledgement of Dave's work on building the MOICE sandbox (which clearly seems to have given the Google Chrome team some inspiration? Or perhaps great minds just think alike). Dave also presented this at Blackhat last year I believe.
Having said all of that - this does appear on the surface to be a rather well thought out browser / sandbox . . . what I find interesting is how . . . "quaint" the new Chrome browser makes FireFox 3.0 look! :) I mean FireFox 3.0 was touted for its "security" and is heavily hyped as being the most secure browser by people not grounded in reality. In reality that browser offers even less protection / mitigation against web exploits than IE7 on Vista and of course it has had quite a few vulns in its short lifetime (9 CVEs so far?). Now we have Chrome which seems to be over the top with respect to protection technology that Windows can offer - possibly even going above and beyond what we have planned for IE8?
All I can say is - "dang". :)
So the only concerns I have left are:
- Does Google have an SDL? Are they using any banned / dangerous Windows APIs? Do they have any sort of automated code analysis that is occurring looking for defects as it's checked in? Are they compiling with the latest C compiler and opt-ing in to things like /GS, /SafeSEH, /NXCOMPAT, /DYNAMICBASE etc.? Clearly they are open sourcing this - but are qualified eyeballs being paid to review the code and look for weakness or are they just assuming that someone will . . . for free? They clearly seem to have threat modeled and pen-tested which is important - but at the same time they seem to have started from an older version of WebKit which Apple has already patched in a recent Safari build . . . this causes some concern.
- How strong is the sandbox? Will catastrophic jail breaks be discovered that are challenging or architecturally impossible to fix rendering them useless against some future Metasploit module? :)
I for one don't run FireFox 3.0 . . . I don't consider it even a worthy challenger (though it sure is fast) to IE7 let alone IE8 (due to lack of protection / mitigation technologies, the vuln counts etc.), but I AM going to install Chrome and give props to the folks over at Google for impressing me - this is definitely no "Google Safari 3" or "Google FireFox 3" like I was expecting. :)
- Google Chrome coming today? Launch early and iterate? srsly?
-
UPDATE: Reading the Google chrome comic that I received offline - man, I have to admit, this does sound pretty hot. Lots of interesting things - but first and foremost the one that security geeks will care about most - they have in some way ACL'd the tab processes to make them like a 'jail' or 'sandbox'. They seem to have not only disabled write access to the file system ala low rights IE (no write-up policy) but seem to have taken the low IL concept a step farther even! In the comic they explicitly call out our BIBA-like implementation of integrity levels and talk about how low IL processes can read up to a higher IL, but they can't write-up (i.e. low IL can't write to Medium IL but it CAN read medium IL data which may still be sensitive) . . . in their model they are claiming that low rights processes can't even read up unless some action is explicitly taken by the user. If true, that's huge and a compelling win over FireFox right there in and of itself . . . and may even give them an edge over IE8 on Vista? We'll have to see how strong that sandbox is . . . Whoa . . . I also like the Task Manager for Chrome that lets you track CPU usage / memory consumption by tab. The updated JVM sounds interesting as well . . . looks like they have written their own JVM from the ground up and focused on speed and making garbage collection work right. Also it appears you'll be able to move tabs from the main UI to their own separate window - so you could have one tab on one LCD and another tab on another . . . also what they are calling the 'Omnibox' (the URL bar) is described in a downright Steve Jobs like fashion as being "perfectly, aesthetically, non-distracting", and heh - they also have a 'porn mode' where nothing gets saved locally just like IE8 . . . man . . . I have to admit - I'm probably going to have to install this and play with it (though not because of porn mode. :)). 
Finally - the comic also does call out that they have at least done fuzzing (cute picture of presumably infinite monkeys hammering away at infinite keyboards) and they even go into some of the automated testing they do with the daily builds to make sure they can render the most popular pages right etc. All very interesting stuff!
-----------------------------------------------------------------------------------------
Man - between vacation and working on special projects - I've been pretty busy for the last month and haven't had any time to blog about stuff. Probably won't be any reprieve in the near future but here's a quickie.
Sooo . . . last night I heard about Google Chrome from a friend . . . which I believe is being released for Windows today?
http://blogoscoped.com/archive/2008-09-01-n47.html
http://googleblog.blogspot.com/2008/09/fresh-take-on-browser.html <-- Official blog
At first glance - this seems cool - they have adopted the tab per process model like we have with IE8 to help isolate web apps running in tabs . . . but then they have added a new feature that will let web pages be launched without "chrome" (well - what we used to call chrome heh) . . . that would be the address bar and toolbar etc. If you remember we actually worked hard to *prevent* web sites from being able to do this sort of stuff in IE6 on XPSP2 after realizing it was a bad idea (go here: http://www.microsoft.com/technet/prodtechnol/ie/reskit/6/appendix.mspx?mfr=true click on 'Window Restrictions') due to phishing attacks and other nefarious things that malicious web sites could do to try and trick users. Here's hoping Google has thought of this and is not re-living the mistakes of the past like Apple seems to be with Safari. :)
I'm actually pretty excited about this . . . I know the IE team has been working super hard on making IE8 not only fast - but extremely secure. We've already seen FireFox 3 getting beat up pretty badly with the first vulns appearing just hours after its release - and Safari is pretty bad from a security PoV it would seem based on all of the vuln reports and stupid old-school "too many chars in a tag" type bugs that were present at launch. So I'm excited to not only have yet more browser competition but I'm also excited to see how seriously the Google developers actually take secure coding (I'm sure we'll find out soon if they launch Chrome today). From their blog, their mantra of "launch early and iterate" (if I understand the meaning properly) seems a bit dangerous in this day and age . . . hmm - speaking of iterating - I wonder how well their auto-update mechanism will work for Chrome . . . and whether it will be MITM'able like other 3rd party vendors or whether it will work on Vista as a standard user . . .
It will also be interesting to see whose market share Chrome eats into . . . I bet it hurts FireFox more than IE. :)
- RedHat Package Signing Server - Pwnd
-
EDIT: Holy crap: http://rhn.redhat.com/errata/RHSA-2008-0855.html
"In connection with the incident, the intruder was able to sign a small number of OpenSSH packages relating only to Red Hat Enterprise Linux 4 (i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64 architecture only). As a precautionary measure, we are releasing an updated version of these packages, and have published a list of the tampered packages and how to detect them at http://www.redhat.com/security/data/openssh-blacklist.html"
Original blurb which sort of contradicts the above blurb . . . wow . . . just . . . wow:
Oh . . . My . . . God: https://www.redhat.com/archives/fedora-announce-list/2008-August/msg00012.html
Will anyone pay attention to this? Does anyone care? Probably not . . . I can't imagine what the fallout would be if our WU / MU / AU servers got pwnd like this. It's like . . . the package signing server and stuff. At least they seem to be doing the right thing and are going to issue new signing keys etc. and will hopefully revoke the old ones. Wow.
Been a busy two weeks - been on the road - working till 2am - thus the lack of blog material. I heard from someone very clueful that I should give Microsoft a FOGA for the .NET stuff Dowd and Sotirov found and demo'd at Blackhat . . . still haven't read that paper . . . I swear I will on the plane home. :(
- The truth about the Dowd / Sotirov Vista memory protection bypass stuff
-
Good short interview with Sotirov who clarifies what actually happened at Blackhat for some folks: http://blogs.zdnet.com/Bott/?p=513
He mentions some interesting stuff - like how they worked with us, we gave them feedback, worked with the other vendors etc. I haven't had time to read their whitepaper yet (though I will this weekend). :(
- Happy Patch Tuesday - Random thoughts
-
The SnapShot Viewer 0-day that has seen limited exploitation in the wild is now patched - here's an interesting write-up with some things you may not have known about it. Here's the deal - IE Protected Mode, while not a true defendable security boundary - is awesome and this particular vulnerability proves its worth. This vuln allowed a bad guy to write an arbitrary file to an arbitrary location on disk without having to run shellcode or perform heap spray. That's about as bad as it gets vuln-wise because there's little or no risk of crashing the browser and the victim may not even realize what's happened. On Windows XP with IE6 this is all fail, all the time - because your mom running IE6 on Windows XP is likely running with admin rights - which means not only is she NOT going to get a gold bar prompt blocking the instantiation of the buggy AX (we introduced that in IE7), but since she's also running as admin - the AX can write the malware anywhere it wants (like any of the known auto-start entry points (ASEPs) that are available to admins). On Vista the exploit would be full of fail. Why? Well for starters if the AX control has never been used by IE before - it will be blocked from being loaded behind a gold bar vs. just running silently. If the user decided to trust the AX and allow it to run (it is after all a Microsoft AX) the bad guys would probably assume they could write their malware to say the Windows directory or if they were more sophisticated the user's startup folder (which would work for non-admins) - but on Vista - even THAT would be full of fail due to Protected Mode IE. PMIE is on by default (along with UAC which is what makes it possible) and it means that IEXPLORE.EXE is running at "Low" integrity. This means that the only folders that the IEXPLORE.EXE process can write to are ones that have a Low IL label. How do you know which folders have a "Low" integrity label allowing processes running at Low IL to write to them? Let me show you:
C:\Users\rhensing\AppData>dir
Volume in drive C has no label.
Volume Serial Number is 3E4D-4005
Directory of C:\Users\rhensing\AppData
08/12/2008 04:51 PM <DIR> Local
08/01/2008 06:10 PM <DIR> LocalLow
06/23/2008 09:19 AM <DIR> Roaming
0 File(s) 0 bytes
3 Dir(s) 5,155,340,288 bytes free
C:\Users\rhensing\AppData>icacls LocalLow
LocalLow NORTHAMERICA\rhensing:(F)
NORTHAMERICA\rhensing:(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
BUILTIN\Administrators:(F)
BUILTIN\Administrators:(OI)(CI)(IO)(F)
Mandatory Label\Low Mandatory Level:(OI)(CI)(NW) <---- Lookie here!
Successfully processed 1 files; Failed processing 0 files
The AppData\LocalLow folder is, I believe, the only folder that's writeable by a Low IL process. And it's not an ASEP so assuming the bad guys adjusted their exploits to start dropping their malware in that folder - they'd have to still find a way to get it to execute (i.e. chain this vulnerability with some other one that allows you to run a program from a known location).
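Added here as an example (not code from the original post): a PowerShell 3.0+ script that turns the icacls check above into an audit, parsing the "Mandatory Label" line for every folder under a profile and reporting those labelled Low, while flagging whether any of them is the user's Startup folder, the ASEP the post mentions. The profile root, the use of icacls.exe as the label source and the treatment of unlabelled objects as implicit Medium are assumptions.

```powershell
# Added example, not part of the original post: audit which folders under a
# profile carry a "Low Mandatory Level" label, i.e. the places a Low IL process
# such as Protected Mode IE can write, and flag whether any is an ASEP.
# Assumes PowerShell 3.0+ and a Vista/Windows 7-style profile layout.

function Get-MandatoryLabel {
    # Extract the integrity label from icacls output. Objects with no explicit
    # label are implicitly Medium, which a Low IL process cannot write to.
    param([string[]]$IcaclsOutput)

    foreach ($line in $IcaclsOutput) {
        # Example line: Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)
        if ($line -match 'Mandatory Label\\(\w+) Mandatory Level:(\S*)') {
            return [pscustomobject]@{
                Level     = $Matches[1]            # Low / Medium / High
                # (NW) = No Write-Up: only processes BELOW the object's level are
                # blocked, so a Low label still lets Low IL processes write.
                NoWriteUp = ($Matches[2] -like '*(NW)*')
            }
        }
    }
    return [pscustomobject]@{ Level = 'Medium (implicit)'; NoWriteUp = $true }
}

function Get-LowILWritableFolders {
    param(
        [string]$Root = $env:USERPROFILE,   # assumption: audit the current user's profile
        [switch]$Recurse
    )

    # The per-user Startup folder is an auto-start entry point (ASEP). A Low
    # label on it would turn an arbitrary-file-write bug into code execution
    # at next logon, so it deserves an explicit flag in the report.
    $startup = [Environment]::GetFolderPath('Startup')

    $folders  = @(Get-Item -LiteralPath $Root)
    $folders += Get-ChildItem -LiteralPath $Root -Directory -Force -Recurse:$Recurse -ErrorAction SilentlyContinue

    foreach ($f in $folders) {
        $label = Get-MandatoryLabel (& icacls.exe $f.FullName 2>$null)
        if ($label.Level -eq 'Low') {
            [pscustomobject]@{
                Path          = $f.FullName
                Label         = $label.Level
                NoWriteUp     = $label.NoWriteUp
                IsStartupASEP = ($f.FullName -ieq $startup)
            }
        }
    }
}

# Usage: report every Low-labelled folder under the profile, then check the two
# locations the post discusses (LocalLow should be Low, Startup implicit Medium).
Get-LowILWritableFolders -Recurse | Format-Table -AutoSize
Get-MandatoryLabel (& icacls.exe "$env:USERPROFILE\AppData\LocalLow")
Get-MandatoryLabel (& icacls.exe ([Environment]::GetFolderPath('Startup')))
```

Any row with IsStartupASEP set to True would mean a Low IL process could plant an auto-start entry, which is exactly the write-path the post says Protected Mode IE is supposed to close off.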
Let's see, what else is interesting this month . . . OH we released a blog on how we can use the programmable 010 hex editor from Sweetscape to detect malicious Word documents that attempt to exploit vulnerabilities. If you're interested in the gory details of that you can read about it here. Essentially if you know the binary file format - you can teach this hex editor how to parse the file and then you can inspect the various bytes of data you read from the various meaningful offsets in the file to determine whether they represent an attempt to exploit a known vulnerability - it's pretty cool stuff.