MacBook Pro Biometrics
This guy retrofitted his MacBook Pro with a biometric scanner. It has to be the world's first. Very neat way to add a layer of security to a notebook.
The upcoming Patch Tuesday from Microsoft will offer seven security patches to fix vulnerabilities found in their widely used software.
Although Microsoft does not disclose in advance what flaws are to be patched, two vulnerabilities in Excel are likely to be among the fixes. One issue relates to maliciously crafted spreadsheet files that could lead to a full system compromise, while the other relates to hyperlinks in Excel documents.
Two security flaws affecting Internet Explorer were also reported last week, including a cross-site scripting issue in which a browser window visiting a malicious site could read information from another open browser window.
As usual, Internet Explorer is being fixed yet again. For the second month straight Excel will receive some patch love among a few others that we are not yet aware of. If you are a corporate system administrator then ensure you test these patches on a closed network before deploying throughout your enterprise.
Sorry for the absence over the course of the last week. I halted posting while updating the site theme to something more personal, easier on the eyes and just all around better. Enjoy the new theme and look forward to a slew of new posts.
Once again, Microsoft is bowing to pressure from businesses rather than thinking of possible security ramifications of the features they add to Windows Vista. This time Windows Vista gets an ActiveX installer service so that the controls can be installed on client workstations regardless of the permissions of the user logged in.
The new feature, called ActiveX Installer Service, will be fitted into the next public release of Vista to provide a way for enterprises to cope with the UAC (User Account Control) security mechanism.
UAC, formerly known as LUA (Limited User Account), is enabled by default in Vista to separate Standard User privileges from those that require admin rights to harden the operating system against malware and malicious hacker attacks.
However, because UAC will block the installation of ActiveX controls on Standard User systems, enterprise applications that use the technology will encounter breakages. ActiveX controls are objects used to enhance a user’s interaction with an application.
This sounds like a feature that many attackers will be salivating over. While it remains to be seen just how vulnerable this “feature” is, the base description certainly leaves a lot to be desired. How long before a privilege escalation exploit is released?
The Catawba County Schools is playing the blame game rather than owning up to operator error by its own employees. The school district somehow convinced a judge to issue an injunction against Google for allegedly posting names, social security numbers and grades of 619 students.
The school district claims that Google somehow trespassed on their server and made information publicly available. Very little information about this incident has been released publicly; however, the following statement really caught my attention:
“One of the students on the list had a presence on the Web,” she said. “In Google’s effort to get information on her, one of its spiders latched onto her name in this document. We were not aware that password-protected sites are set up like that. To our knowledge, Google could only cache unsecure information that did not require a password or username.”
Based on reading the statement by the district I can only surmise that they have incompetent system administrators working on their web server. It is common knowledge among those in the industry that if information is posted on a publicly accessible web site then it can be spidered and indexed by Google. If the information is properly protected, meaning the server refuses to serve it without a valid login, then there is no way for Google’s spider to crawl the documents, and therefore they will not be included in its index.
Sadly, it appears that nobody is willing to own up and tell the school district that they made a mistake. Taxpayer dollars will be wasted on a baseless lawsuit that could have been avoided if 1) the district hired competent system administrators and 2) the employees properly briefed their supervisors on their own mistakes.
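To make the point concrete, here is an added example (my own demo code, not anything from the district, Google or the original post): a throwaway local web server with one public page that links to a “private” grades page, plus an unauthenticated fetcher that follows links the way a search-engine spider does. The site paths, the login and the grades content are all constructed for the demo. The spider ends up with only the pages the server hands out without credentials; the page behind HTTP Basic authentication answers 401 and never reaches the index. The same fetch-without-credentials check is what an administrator should run against any document they believe is protected.

```python
"""Added demo: a public page, a password-protected page, and a spider that
crawls without credentials.  Everything here (paths, login, content) is
constructed for the example."""
import base64
import http.server
import threading
import urllib.error
import urllib.request
from html.parser import HTMLParser

# Constructed site: the public index links to a document under /private/.
PAGES = {
    "/public/index.html": '<a href="/private/grades.html">grades</a> '
                          '<a href="/public/about.html">about</a>',
    "/public/about.html": "<p>About the school</p>",
    "/private/grades.html": "<p>student A: 91</p>",  # must require a login
}
# Constructed staff credentials (user "staff", password "correct horse").
CREDENTIALS = base64.b64encode(b"staff:correct horse").decode()


class Handler(http.server.BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo server quiet
        pass

    def do_GET(self):
        body = PAGES.get(self.path)
        if body is None:
            self.send_error(404)
            return
        # Anything under /private/ is served only with valid Basic credentials.
        if self.path.startswith("/private/"):
            if self.headers.get("Authorization") != "Basic " + CREDENTIALS:
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Basic realm="staff"')
                self.end_headers()
                return
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


class LinkExtractor(HTMLParser):
    """Collect href targets from <a> tags, as a crawler would."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def start_server():
    """Start the demo server on a free localhost port; returns (base_url, server)."""
    server = http.server.HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % server.server_address[1], server


def crawl(base_url, start_path="/public/index.html"):
    """Follow links from start_path with no credentials, like a spider.
    Returns (indexed, blocked): paths whose content was served, and paths
    that answered 401/403 and therefore cannot end up in an index."""
    indexed, blocked, queue = {}, [], [start_path]
    while queue:
        path = queue.pop()
        if path in indexed or path in blocked:
            continue
        try:
            with urllib.request.urlopen(base_url + path, timeout=5) as resp:
                html = resp.read().decode()
        except urllib.error.HTTPError as err:
            if err.code in (401, 403):
                blocked.append(path)
            continue  # 404s and other errors are simply not indexed
        indexed[path] = html
        parser = LinkExtractor()
        parser.feed(html)
        queue.extend(parser.links)
    return indexed, sorted(blocked)


def audit_exposure(base_url):
    """Report which documents an unauthenticated crawler could actually read."""
    indexed, blocked = crawl(base_url)
    return {"indexed": sorted(indexed), "blocked": blocked}


def fetch_as_staff(base_url, path):
    """Fetch a path with the constructed staff credentials; returns the HTTP status."""
    req = urllib.request.Request(
        base_url + path, headers={"Authorization": "Basic " + CREDENTIALS})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status


if __name__ == "__main__":
    url, srv = start_server()
    print(audit_exposure(url))  # grades page lands in "blocked", not "indexed"
    srv.shutdown()
```

The useful habit here is the audit, not the server: for every document that is supposed to be private, fetch it from outside with no cookies and no credentials and confirm you get a 401 or 403 rather than content. A document that comes back with a 200 is already public, whether or not anything links to it.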
Microsoft issued a security advisory for an Excel vulnerability that I recently wrote about. The company acknowledged reports of the exploit but has not yet determined the cause or any fix.
Microsoft is investigating new public reports of limited “zero-day” attacks using a vulnerability in Microsoft Excel 2003, Excel Viewer 2003, Excel 2002, Excel 2000, Microsoft Excel 2004 for Mac, and Microsoft Excel v. X for Mac. In order for this attack to be carried out, a user must first open a malicious Excel file attached to an e-mail or otherwise provided to them by an attacker.
To avoid being compromised by this vulnerability, simply do not open attachments from untrusted or unreliable authors. This is a best practice that should be followed daily. If you are already wary of opening attachments from unknown senders, then you are on the right track.
Cracking OS X Passwords is far easier than you might have thought. But how often does a system administrator really need to do something like this?
It’s interesting how most papers on the subject state that it is useful knowledge for Sysadmins to know how to crack passwords; come on, let’s be honest, a Systems Administrator will most likely reset the password or, if he can’t, he will simply reinstall the Operating System. I’ve worked as a Sysadmin for several years and not once have I had to “crack” a password.
Nonetheless, while not exactly the most necessary piece of information around, know that it is available in the event that you need it. Or, if you just desire to play around then you now know that capability exists.
A day after Microsoft released 12 patches that fixed 21 vulnerabilities, including an actively exploited Word flaw, reports of a new vulnerability in Microsoft Excel are surfacing.
Here’s what we know: in order for this attack to be carried out, a user must first open a malicious Excel document that is sent as an email attachment or otherwise provided to them by an attacker. (Note that opening it from your email client will prompt you with a warning about the attachment.) So remember to be very careful opening unsolicited attachments from both known and unknown sources.
There probably will not be a patch until the next Patch Tuesday so be on the lookout for any malicious activity that may attempt to exploit this vulnerability.
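Since the Excel issues above (this one, the earlier advisory and the expected Patch Tuesday fixes) all arrive the same way, as an attachment somebody is talked into opening, here is an added example of the kind of triage a mail gateway or helpdesk script can do while a patch is still outstanding. This is my own demo code, not Microsoft's or anyone else's; the sender domains, recipient, and attachment bytes are constructed, and the “internal domain” list is an assumption you would replace with your own. The one real value in it is the OLE2 magic number, the first eight bytes of every legacy binary Office file (.xls, .doc, .ppt), which lets the script recognise a spreadsheet even when it has been renamed.

```python
"""Added demo: find legacy Office attachments in a message and decide what to
do with them based on where the mail came from.  Addresses, domains and the
attachment payloads are constructed for the example."""
import email
import email.policy
from email.message import EmailMessage

# Real signature: header of the OLE2 compound document used by binary Office files.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
OFFICE_EXTENSIONS = {".xls", ".xla", ".xlt", ".doc", ".dot", ".ppt"}
INTERNAL_DOMAINS = {"example.org"}  # assumption: your organisation's own mail domain


def build_sample_message(sender, filename, payload):
    """Construct a demo e-mail carrying a single attachment (constructed data)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "helpdesk@example.org"
    msg["Subject"] = "Q2 figures"
    msg.set_content("Please review the attached spreadsheet.")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


def sender_domain(msg):
    """Domain part of the first From: address, lower-cased ('' if absent)."""
    header = msg["From"]
    if not header or not header.addresses:
        return ""
    return header.addresses[0].addr_spec.rpartition("@")[2].lower()


def triage(raw):
    """Return one finding per attachment that looks like a legacy Office file.

    A file is flagged if its name has an Office extension OR its bytes start
    with the OLE2 header; the two tests disagreeing means the file was renamed
    (e.g. a .xls posing as .pdf), which is worth its own flag."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    external = sender_domain(msg) not in INTERNAL_DOMAINS
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        ext = name[name.rfind("."):].lower() if "." in name else ""
        by_name = ext in OFFICE_EXTENSIONS
        by_magic = data.startswith(OLE2_MAGIC)
        if by_name or by_magic:
            findings.append({
                "filename": name,
                "office_by_extension": by_name,
                "office_by_magic": by_magic,
                "mismatch": by_name != by_magic,
                "external_sender": external,
                # Policy (an assumption for the demo): hold outside mail while
                # the vulnerability is unpatched; internal mail passes with a notice.
                "action": "quarantine" if external else "allow_with_notice",
            })
    return findings


if __name__ == "__main__":
    sample = build_sample_message("finance@partner.example", "figures.xls",
                                  OLE2_MAGIC + b"\x00" * 64)
    for finding in triage(sample):
        print(finding)
```

The point of checking both the name and the header is that either one alone is easy to get wrong: a renamed spreadsheet slips past an extension filter, and a .xls extension on a non-OLE file is itself a signal worth a second look.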
If you have ever forgotten your Windows administrator password then you probably panicked, and ultimately ended up wiping your hard drive and performing a clean install of Windows. I bet you did not know that was completely unnecessary, as there is a pretty simple method for resetting an administrator password on just about every version of Windows.
ERD is an excellent multi-purpose product, but you should know it is not a necessary one if you have a healthy system and your sole problem is the inability to log on to Windows due to a forgotten password. Not necessary because you can easily change or wipe out your Administrator password for free during a Windows XP Repair. Here’s how, with a step-by-step description of the initial Repair process included for newbies.
The main reason I bring this up is because it is an attack vector onto a workstation and, ultimately, the network. If the system administrators have not properly locked down a computer, then the chances that this simple “attack” succeeds are fairly significant.
The second largest Patch Tuesday has arrived, with Microsoft issuing fixes for eight critical security flaws, and a host of non-critical ones, in a number of their products. Today’s set of patches is the largest since February 2005, and the second largest overall.
Out of the eight critical fixes, two resolve Internet Explorer vulnerabilities, one is for Windows Media Player, two are for the Windows operating system itself, one is for Word and one is for PowerPoint. The Word patch resolves a major security issue regarding a highly publicized zero-day exploit, which has already been used in a number of attacks. The vulnerability can be exploited after a user opens a specially crafted Word file with a malformed object pointer, allowing code execution.
There is also a cumulative patch for Internet Explorer, which fixes five code execution vulnerabilities, a spoofing flaw, and an issue that could pose either an information disclosure or a spoofing risk. Modifications to the way that Internet Explorer handles ActiveX controls are also included in the IE cumulative update.
It is highly recommended that all organizations take the necessary steps required in order to install these patches, especially considering the critical exploits that they resolve.