Thursday, August 31, 2006

Deep Roots

When I have a new plant to add to my yard, I dig a hole deeper and wider than the rootball then back-fill a bit. The reason for that is to have nice loose soil to make it easier for the roots to get a firm hold.

That procedure is good for working in the garden, but not when it comes to security. Loose soil, that is, an unpatched, improperly protected computer, can allow a rootkit into the system. When a rootkit does infiltrate, it digs deep down through that "loose soil" and hides itself. As a result, detection and removal are frequently nearly impossible. In fact, when a computer is infiltrated by a rootkit, the first recommendation usually given to the "victim" is to consider formatting it.

Here's a simple definition of a rootkit from PC Magazine:
A type of Trojan that keeps itself, other files, registry keys and network connections hidden from detection. It enables an attacker to have "root" access to the computer, which means it runs at the lowest level of the machine. A rootkit typically intercepts common API calls. For example, it can intercept requests to a file manager such as Explorer and cause it to keep certain files hidden from display, even reporting false file counts and sizes to the user. Rootkits came from the Unix world and started out as a set of altered utilities such as the ls command, which is used to list file names in the directory (folder).
As I mentioned above, an unpatched computer can result in a rootkit infiltration. If you have visited the Security Garden previously, you may have seen several posts regarding MS06-040 in which I stressed the highly critical nature of that update. In his blog post, Harry Waldron provided detailed information from McAfee on a new variant of the Spybot family that includes a MS06-040 exploit as well as an extra goodie -- a rootkit.
The worm opens a backdoor at TCP port 443 and tries to connect to an IRC server and waits for commands. One of the ways this worm can spread is by exploiting MS06-040 vulnerability. TCP port 443 is normally used for https protocol but this worm uses it for IRC. W32/Spybot.worm.gen.p is a worm that also drops a rootkit component to hide its files and processes. This rootkit component is detected as NTRootKit-J.

Actions that the worm may perform on receiving appropriate commands include:
  • Enumerate active process and threads on infected computer
  • Start, stop and hide processes and threads
  • Modify Microsoft Internet Explorer's start page
  • Open a local web server
  • Port scan IP addresses in a specified subnet to identify possible targets for infection
  • Open backdoor at a specified port
  • Transfer files
  • Spread via MIRC
  • Update itself
  • Restart infected machine
  • Flush ARP and DNS caches
  • Sniff network traffic
  • Create, delete and try to spread via network shares
  • Spread via AOL Instant Messenger
  • Download files from a specified URL
The Gromozon Rootkit, a particularly nasty one, is discussed at Wilders Security Forums, including the original link to Marco Giuliani's "My pdf report", which includes an analysis of the Gromozon Rootkit.

So, what do you do if you suspect you have a rootkit on your computer? The following short list will get you started.
  • First, keep the infected machine off the internet.
  • Next, if you do online banking, shopping or bill paying, contact your bank and credit companies.
  • Change your passwords. However, do NOT change your passwords on the infected machine; rather, use a neighbor, friend or family member's computer or a computer at the local public library.
  • Finally, seek help at a security forum or from a local computer repair shop.

ASAP member sites have experts who can help with rootkit removal. Particularly experienced analysts can be found at Malware Removal, Spyware Info, Spyware Warrior as well as non-ASAP sites, Bleeping Computer, Castle Cops and Geeks to Go.

Resources:

Monday, August 28, 2006

To "My Girl"


Happy Birthday "Yorky"

A special person in my life is officially a teenager today!
Happy Birthday, Sweetheart!



Earlier this summer her Mom assigned her a project to research the dangers on the internet. She learned a lot with that project. For parents who don't have the time to do the research, the list below is a collection of Parental Control and Child Safety sites compiled by the local "computer guru", Nick Francesco of Sound Bytes (on the air for 17 years!).

The above listings are not to be construed as an endorsement by either Nick or myself.

Saturday, August 26, 2006

I Met "Scotty" Today!

It seems that every time I wear my WinPatrol Plus shirt, someone asks me if I have a "Scotty" dog. Of course, my response is something to the effect that I have WinPatrol Plus with "Scotty on Patrol". The conversation will then generally lead to questions about WinPatrol.

The conversation went a bit differently this morning. As I was loading the produce I had just purchased in my car outside the local farm market, the person getting in the neighboring car asked me if I have a Scotty dog. I explained that I have two Borders and that my shirt is for WinPatrol. I don't believe the young man heard a word I said. His face lit up and he quickly informed me that he has a Scotty and asked if I wanted to meet him. By that time he was climbing into the front seat of his car and I had finished loading my purchases. Before I could say a word, he reached across the passenger seat and opened the car door. Sure enough, there was a full-grown Scotty, looking just like Bill Pytlovany's WinPatrol Scotty! Gotta love it.

Wednesday, August 23, 2006

Java Update

Those of us in the security community will be enjoying our "Java" just a bit more these days. It isn't that the vulnerability issue with prior versions of Java no longer exists. Rather, it is that Sun Java has finally acknowledged the problem.

For a bit of history, Microsoft MVP CalamityJane detailed at Broadband Reports that fellow Microsoft MVP Steve Wechsler wrote to Sun about this issue in February, 2005:
Fellow MS MVP Steve Wechsler (aka MowGreen) wrote to Sun Microsystems (makers of Sun Java) to express the concerns raised in the Security Community that autoupdaters of Sun Java do not uninstall previous (vulnerable) versions of the program. He asked for clarification that if a User utilizes the automatic update mechanism of the JRE the previous vulnerable version is left on the system, and that those previous vulnerable versions can still be called by malware. The folks at Sun Microsystems wrote back confirming this is true and they would be investigating updating the java.com pages and the auto update uninstallation issue.
I wonder how many thousands of computers have been needlessly infected merely because there was no warning to uninstall prior versions of this software for 18 months after Sun Microsystems acknowledged the problem. Coincidentally, after seeing that there was still a lot of confusion both in updating and in knowing which Java components to remove, I provided instructions just the other day in Java.

Below is a partial copy of Sun Alert ID 102557. Please keep in mind that this is merely an acknowledgement of the problem. It is still necessary to follow the instructions to remove prior versions of Java to avoid the Winfixer/Vundo/Virtumundo infection.


Java Plug-in and Java Web Start May Allow Applets and Applications to Run With Unpatched JRE
1. Impact

The Java Plug-in and Java Web Start both allow applets and applications to specify the version of the Java Runtime Environment (JRE) to run with. However, the versions of Java Web Start and the Java Plug-in listed in Section 2 below may allow applets or applications to run with a specified version of the JRE that does not have the latest security fixes.
2. Contributing Factors

This issue can occur in the following releases (for Solaris, Linux and Windows platforms):

* Java Plug-in included with J2SE 5.0 Update 5 and earlier, 1.4.x, 1.3.1, and 1.3.0_02 and later
* Java Web Start included with J2SE 5.0 Update 5 and earlier, and 1.4.2
* Java Web Start 1.2, 1.0.2, 1.0.1, and 1.0

{snip}
Java Web Start:

* Java Web Start 5.0 Update 6 and later for Windows, Solaris, and Linux

Note: Prior to 5.0 Update 6, an application could specify the version of the JRE on which it would run. With 5.0 Update 6 and later installed, unsigned Java Web Start applications that specify a version other than the latest installed will trigger a warning, requiring explicit user permission before the application will run. Signed Java Web Start applications are not affected.

{snip}

Note: It is recommended that affected versions be removed from your system. For more information, see the installation notes on the respective java.sun.com download pages.

Tuesday, August 22, 2006

My Garden Vista

As indicated at Bartleby.com, the American Heritage Dictionary defines "vista" as

"A distant view or prospect, especially one seen through an opening, as between rows of buildings or trees."

Above is the view or "vista" from my back patio. Many, many years ago, glaciers formed the area where I live. Beyond the trees on the right, there is a steep hill leading down to a fresh water creek. In the back is another hill sloping down and then back up where the top of the hill meets my neighbors' back yards.

Perhaps another occasion will be a fitting time to provide a view of another part of my garden vista. This time, however, I really want to start thoughts in the direction of another vista entirely; that is, Microsoft's Windows Vista. As reported by Paul Thurrott for Windows IT Pro, in his August 15, 2006, exclusive, Microsoft Still Plans October 2006 Vista:
"Although I'm not at liberty to divulge the full contents of the message, Microsoft has placed build 5520 into escrow as the RC1 of Vista. This build will be released to testers and the public after the Labor Day holiday in the United States, which falls this year on September 4. Currently, Microsoft expects to ship RC1 on or after September 7."
With Release Candidate 1 right around the corner, you may want to start watching the progress of Vista more closely. Two sources of information from Microsoft are the Microsoft Windows Vista Security Blog and the Windows Vista Team Blog. On the other hand, MaryJo Foley of Microsoft Watch often provides a slightly less biased viewpoint.

As much as I like the Microsoft operating system and Office software, for some reason IE does not play well with my dialup connection. I discovered Firefox doesn't have a problem loading pages quickly with dialup. Also, with the volunteer help I provide on various security forums, great extensions like BBCode by Jed Brown certainly simplify formatting the post replies. What am I leading up to? Just this -- thanks to a post by Marsden11 at Scot's Newsletter Forum, I learned that Sam Ramji, Director, Open Source Software Lab for Microsoft, has invited Mozilla developers to Redmond to work on compatibility problems between Vista and Mozilla's open source software, Firefox and Thunderbird:
"As part of my mission as an advocate for open source applications on Windows, I've gotten spaces set aside at the Windows Vista Readiness ISV Lab. In the past the company has only invited commercial software developers to these labs. I'm committed to evolving our thinking beyond commercial companies to include open source projects, so I went to the non-trivial effort of getting slots for non-commercial open source projects."
Sam Ramji Invitation

In the link Marsden11 provided to the Beta News Forum, I learned that Opera has been to Redmond already and is Preparing Opera for Vista.

As time goes on, I may provide more on my garden vista. But, for now, I'm glad to see that Microsoft is also expanding their Vista.

Monday, August 21, 2006

Java

Ah, that first cup of coffee in the morning always seems to taste better while sitting outside in the garden. Except I'm not here to talk about the joys of early morning outside. No, this is neither about that morning wake-up cup of java nor the island located south of Borneo in Indonesia. Remember, this is the "Security" Garden. This topic is about the Java "language".

What is special about Java? Simply stated, Java is a language that allows coded web pages to be viewed on the browser. Do you need Java on your computer? No. It just makes the internet experience more fun. As indicated at Java.com:
Java technology is everywhere

From the Mars Rover all the way to your mobile phone, Java technology is changing the world around us, and beyond. It's used in practically every major industry, from education, government, and space exploration to transportation, finance, telecommunications, and more. It enables applications and products of all kinds to do something unique and incredible: Communicate. Integrate. Animate. Interact. Protect.
The problem, as discussed in a very long topic at Broadband Reports entitled "Winfixer/ Vundo / Virtumonde Victims : Please Read", started by Microsoft MVP CalamityJane, is that computers with older versions of Sun Java are vulnerable to the "Vundo" infection. It doesn't matter if the latest update was applied. If the older versions are still resident on the machine, the vulnerability is definitely there. So, what do we recommend? Definitely uninstall all prior versions of Java. The instructions that seem to work best follow. The current version is Java Runtime Environment (JRE) 5.0, Update 8.

Sun Java Installation/Update Instructions

The following procedure is strongly encouraged to remove older version Java components:
  1. Close any open programs you may have running, especially your web browser
  2. Click Start > Control Panel (Depending on your OS or configuration, you may have to click Start > Settings > Control Panel)
  3. Open Add or Remove Programs (If you have Windows 98 or Windows 2000, open Add/Remove Programs)
  4. Click once on any item listing J2SE, Java Runtime Environment or Java WebStart in the name. (Not every version of Java will begin with "Java" so be sure to read each entry in the list)
  5. Click the Remove or Change/Remove button
  6. Follow steps 4 and 5 as many times as necessary to remove all versions of Java
  7. Search 'Programs' and 'Application Data' and remove old version files manually.
    1. C:\Program Files\
    2. C:\Documents and Settings\USERNAME\Application Data\
  8. Restart your PC once all Java components have been removed
  9. Proceed with reinstalling Java by going to http://java.sun.com/javase/downloads/index.jsp
  10. Click the "Download" button to the right of
    Java Runtime Environment (JRE) 5.0 Update 8
    The J2SE Runtime Environment (JRE) allows end-users to run Java applications.
    Installation Instructions | ReadMe | ReleaseNotes | Sun License | Third Party Licenses
  11. Accept the agreement at the page that opens:
    Required: You must accept the license agreement to download the product.
  12. Click: Accept License Agreement
  13. The page will refresh to Windows Platform - J2SE™ Runtime Environment 5.0 Update 8
  14. It is recommended that you select:
    Windows Offline Installation, Multi-language jre-1_5_0_08-windows-i586-p.exe 15.74 MB
  15. After installing the downloaded file, restart your system again to finalize the process.
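Step 4 is the one people get wrong, because the old entries do not all start with "Java" and their version numbers are written two different ways. As an added example that is not part of this post, the following Python script takes the names as they appear in Add or Remove Programs, normalizes both the "5.0 Update 8" style and the "v1.4.2_03" style to one comparable number, and flags anything older than JRE 5.0 Update 8 for removal. The sample entries are constructed; the wording of real entries varies by release, so treat the regular expressions as assumptions to adjust if an entry on your machine is not recognized.

```python
import re

# Current release named in the post: JRE 5.0 Update 8, internally 1.5.0_08.
CURRENT = (1, 5, 0, 8)

# Constructed Add or Remove Programs entries (assumed wording, not copied from a real PC).
SAMPLE_ENTRIES = [
    "J2SE Runtime Environment 5.0 Update 8",
    "J2SE Runtime Environment 5.0 Update 6",
    "Java 2 Runtime Environment, SE v1.4.2_03",
    "Java Web Start",
    "Mozilla Firefox (1.5.0.6)",
]

# Words that mark an entry as a Java component even when it does not start with "Java".
JAVA_HINT = re.compile(r"\b(J2SE|Java|JRE|Web ?Start)\b", re.IGNORECASE)
# "5.0 Update 6" style: the marketing number shown for J2SE 5.0 releases.
UPDATE_STYLE = re.compile(r"\b(\d+)\.(\d+)\s+Update\s+(\d+)\b", re.IGNORECASE)
# "v1.4.2_03" or "1.3.1_02" style: the internal number used by older releases.
DOTTED_STYLE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)(?:_(\d+))?\b")


def parse_version(name):
    """Return a comparable (1, major, minor, update) tuple, or None if no version is found."""
    m = UPDATE_STYLE.search(name)
    if m:
        major, minor, update = (int(x) for x in m.groups())
        # "5.0 Update 8" is the marketing name for internal version 1.5.0_08.
        return (1, major, minor, update)
    m = DOTTED_STYLE.search(name)
    if m:
        a, b, c, update = m.groups()
        return (int(a), int(b), int(c), int(update or 0))
    return None


def classify(name, current=CURRENT):
    """Say whether an entry is not Java, current Java, older Java, or Java of unknown version."""
    if not JAVA_HINT.search(name):
        return "not java"
    version = parse_version(name)
    if version is None:
        return "java, version unknown: check manually"
    if version < current:
        return "older java: remove"
    return "current java: keep"


def triage(entries, current=CURRENT):
    """Classify every entry; the result is a dict of entry name -> verdict."""
    return {name: classify(name, current) for name in entries}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_ENTRIES).items():
        print(f"{verdict:40} {name}")
```

Anything reported as "version unknown" (Java Web Start, for instance, carries no version in its name) still needs the manual look the post describes in step 4.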


23Aug06: See Java Update for information on Sun Alert ID 102557.

Saturday, August 19, 2006

When Do You Update?

A regularly maintained garden provides a brilliant show year round. Gardeners have charts available for when to fertilize, how short the grass should be clipped, how to trim the shrubs, which plants do best in the sun and what selections are better for a shade garden.

To maintain your computer, you need to keep the security software updated.
How do you know when it is time to update the security software programs on your computer? Is this a daily, weekly or rather an . . . oops. . . project? Unlike gardens, there are no charts, graphs or the like for this task. I have a work-around though.

I happen to frequent many of the online security forums where updates are posted on the popular security software programs. Helping at the security forums happens to be my hobby, but most likely is not something everyone else does regularly. There is a solution for avoiding the "oops" problem for those who do not frequent the forums on a regular basis. First, register at one of the sites that maintains a security update forum. (Rest assured, no personal information is needed -- just an email address and a "user name".) Next, locate the software update forum. Scroll down the page to the update information for the software on your computer and "subscribe" to the thread. Repeat for each software you need to remember to update.

Subscribing is easy.
Some time ago, I prepared instructions for subscribing to the updates at LandzDown Forum, a computer help site using SMF software. Rather than repeat the instructions here, see the illustrated instructions at "Stay Current -- Subscribe to the Update Topics for your system software!"

IPB is a popular forum software. Subscribing with IPB is about the same as with SMF. Click the "Options" button at the top of the thread for each software you want to receive an update notification for, and then select "Track this topic":

You will be redirected to your profile where you can elect your preferred notification method as illustrated here:

Please choose your notification method.
Forum subscriptions will notify when new topics have been made and topic subscriptions notify when a reply has been made.
No Email Notification
This option will not send out any email notification but will retain the topic or forum in your subscriptions panel.
Delayed Emailed Notification
This option will send out a notification if a new topic or reply has been made and you're not active on the board.
Immediate Email Notification
This option will send out a notification immediately after a new topic or reply has been made regardless of your activity.
Daily Email Digest
This option will send out a daily digest showing all new replies or topics for that day
Weekly Email Digest
This option will send out a weekly digest showing all new replies or topics for that week

Subscribing to other forum software is similar to IPB. With phpBB, look for the link at the bottom of the page to "Watch this topic for replies". To unsubscribe, return to the thread and click "Stop watching this topic".

When an update is posted to a topic you are subscribed to, you will receive an email notification. Follow the link in the email to read the updated information.

Another option, other than manually checking each software for updates, is to review the listings at Calendar of Updates. You can select multiple views, including A to Z View, Month View, or Week View. While you're at "COU", check out the site. It is jam-packed with information!

Staying up to date is easy if you take a few minutes to organize. So, no more "oops"! If you are not a member of a security forum, try an ASAP Member site.

Tuesday, August 15, 2006

Security Garden "Landscape Maintenance"

Just like working in your garden, you cannot have tunnel vision when it comes to maintaining your computer. If you only maintain one section of your garden, the rest will become overgrown and/or weed infested. The same principle applies to computer maintenance. Having a firewall and updated antivirus are both essential. However, all the parts are only as good as the whole. That was why one of the first topics I addressed when starting this blog was Windows Automatic Updates in "Maintaining the Security Landscape".

Last week's Microsoft Updates continue to draw a lot of attention, particularly with regard to MS06-040. It took the malware writers only days to act on the vulnerability in systems not patched with MS06-040 and roll out the Win32/Graweg IRC-Mocot, which exploits the Server service buffer overflow vulnerability. What's worse about this worm is that it registers itself as the "Windows Genuine Advantage" service and renders the system unstable when you attempt to stop or disable the service. (What infected systems will most likely show is wgareg.exe or wgavm.exe in the Windows System Directory.)

The "good news" (if you can call it that) is that, as indicated in updated Microsoft Security Advisory 922437, as far as Microsoft is aware, Win32/Graweg only affects Windows 2000 machines that have not been patched or had the appropriate ports blocked. Harry Waldron has compiled a thorough synopsis of security information and warnings as well as anti-virus information, in his blog entry on "MS06-040 -- New IRCBot attacks unpatched W/2000 systems".

So, you ask, what does all that business about MS06-040 and W32/Graweg have to do with maintaining your computer? It is like this. How do you know that you received all of the updates? If you use Automatic Updates and leave the driving to Microsoft, were all of the updates installed last Tuesday? This question came up in a forum discussion at LandzDown Forum, "Confirming your Windows Updates". To tie that discussion back to MS06-040, the same topic was addressed in the "Microsoft Security Response Center Blog" entry, "Monday Update on Graweg":
Speaking of downloading updates I also want to clarify some questions I have heard lately regarding why some customers have seen MS06-040 downloaded or installed while some of the other updates have not appeared yet during the same interval. With Windows Update we have the ability to prioritize updates in order to ensure that we are providing the broadest customer distribution possible for a particular update or set of updates given the relative threat. Prioritizing of the updates is done taking into account the threats identified with each individual release. As we have seen and has been identified by others the threat presented by the vulnerability addressed in MS06-040 prompted us to do everything possible to ensure that customers received the update with the highest possible priority. This is a normal behavior and if you have not seen the rest of this month's updates yet on your computer rest assured they are coming and this is perfectly normal.

As stated in Windows Update, Microsoft Update, and Automatic Updates for IT Professionals:

Windows Update provides high-priority and optional updates for all supported versions of the Windows operating system. Windows Update may be accessed at http://update.microsoft.com. It can also be found via the Windows Start Menu.

Microsoft Update provides all the updates offered by Windows Update, plus high-priority updates for Office and other Microsoft applications. Microsoft Update requires a one-time opt-in process and may be accessed at http://update.microsoft.com/microsoftupdate.

When it comes to critical updates, I like to do a quick check that they have installed on my PC. The fastest way is to look for the KB number of the update in Add/Remove Programs. That number is easily available from the monthly Microsoft Security Bulletin at the TechNet Security Center (or from blogs like this one). Another option is to open C:\WINDOWS\WindowsUpdate.log with Notepad and search for the KB number. You should also be able to locate a log for the specific update, e.g., C:\Windows\KB921883.log. One final option is to go to Windows Update or Microsoft Update and scan your PC for updates. If any of the updates didn't "take", the scan should pick that up.

Although all of those steps are not necessary, sometimes a touch of paranoia isn't such a bad thing when it comes to updates that have been identified as highly critical.
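For anyone who would rather not search Add/Remove Programs and WindowsUpdate.log by hand every month, here is an added example (my own illustration, not a Microsoft tool) in Python that does the cross-check described above. It reads the month's bulletin list in the shape used in the "Patch Time!" post below, the program names shown in Add/Remove Programs, and lines from WindowsUpdate.log, and reports each bulletin as installed, failed, pending or missing. All three inputs here are constructed samples, and the WindowsUpdate.log line format is an assumption; on a real machine you would paste in the actual entries.

```python
import re

# Bulletin list in the shape used in this blog's "Patch Time!" post (bulletin, title, KB).
BULLETINS = """\
MS06-040 - Vulnerability in Server Service Could Allow Remote Code Execution (921883) (Note: Addresses a critical security problem)
MS06-041 - Vulnerability in DNS Resolution Could Allow Remote Code Execution (920683)
MS06-042 - Cumulative Security Update for Internet Explorer (918899)
MS06-044 - Vulnerability in Microsoft Management Console Could Allow Remote Code Execution (917008)
MS06-049 - Vulnerability in Windows Kernel Could Result in Elevation of Privilege (920958)
"""

# Constructed Add/Remove Programs names; real wording varies by product.
INSTALLED_PROGRAMS = [
    "Security Update for Windows XP (KB921883)",
    "Security Update for Windows XP (KB920683)",
    "Hotfix for Windows XP (KB915800)",
    "Windows Internet Explorer 6 Cumulative Update (KB918899)",
]

# Constructed excerpt in the style of WindowsUpdate.log; the exact format is an assumption.
UPDATE_LOG = """\
2006-08-09 10:12:33 1234 a1c Agent  * Title = Security Update for Windows XP (KB921883)
2006-08-09 10:13:02 1234 a1c Agent  * Title = Security Update for Windows XP (KB920958)
2006-08-09 10:13:05 1234 a1c Agent  Installation failed for KB920958, error 0x80070643
"""

# Bulletin id at the start of the line, KB number as the last parenthesized 5-7 digit group.
BULLETIN_RE = re.compile(r"^(MS\d{2}-\d{3})\b.*\((\d{5,7})\)")
KB_RE = re.compile(r"KB(\d+)", re.IGNORECASE)


def parse_bulletins(text):
    """Map bulletin id -> 'KBnnnnnn' from the bulletin list."""
    expected = {}
    for line in text.splitlines():
        m = BULLETIN_RE.search(line.strip())
        if m:
            expected[m.group(1)] = "KB" + m.group(2)
    return expected


def installed_kbs(program_names):
    """Every KB number mentioned in the Add/Remove Programs names."""
    return {"KB" + m.group(1) for name in program_names for m in KB_RE.finditer(name)}


def kbs_in_log(log_text):
    """KB numbers mentioned anywhere in the log, and those mentioned on a failure line."""
    seen, failed = set(), set()
    for line in log_text.splitlines():
        kbs = {"KB" + m.group(1) for m in KB_RE.finditer(line)}
        seen |= kbs
        if "fail" in line.lower() or "error" in line.lower():
            failed |= kbs
    return seen, failed


def audit(bulletin_text, program_names, log_text):
    """Return {bulletin: (KB, status)} with status installed / failed / pending / missing."""
    expected = parse_bulletins(bulletin_text)
    installed = installed_kbs(program_names)
    seen, failed = kbs_in_log(log_text)
    report = {}
    for bulletin, kb in sorted(expected.items()):
        if kb in installed:
            status = "installed"
        elif kb in failed:
            status = "failed"      # the log shows an error: rerun the update
        elif kb in seen:
            status = "pending"     # downloaded or offered, not yet in Add/Remove Programs
        else:
            status = "missing"     # never seen: may still be on its way (see the MSRC note)
        report[bulletin] = (kb, status)
    return report


if __name__ == "__main__":
    for bulletin, (kb, status) in audit(BULLETINS, INSTALLED_PROGRAMS, UPDATE_LOG).items():
        print(f"{bulletin}  {kb}  {status}")
```

A "missing" result is not necessarily a problem on the day after Patch Tuesday, since, as the MSRC entry quoted above explains, Windows Update delivers the highest-priority update first and the rest follow; a "failed" result is the one to act on, either by rerunning Windows Update or by opening the per-update log (C:\Windows\KB921883.log for MS06-040) to see why it did not take.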

Friday, August 11, 2006

MS06-040 Pops Up Again - "Microsoft Security Advisory 922437"

The importance of installing MS06-040 cannot be stressed strongly enough. If you are having problems with the update, Microsoft has a toll-free number available. It is available 24 hours a day for the U.S. and Canada. Call: 1-866-PCSAFETY (1-866-727-2338)

For support outside the United States and Canada, please contact Microsoft Help and Support worldwide. Go to Microsoft Security Home and choose your region from the box in the upper right corner.


There are steps you can take in the meantime if unable to get the update. First and foremost, have a firewall on your PC. Next, block TCP ports 139 and 445, inbound and outbound. (Microsoft has additional information on TCP/IP filtering here.) To test your firewall, go to GRC.com and run Shields UP!
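As an added example that is not from this post, here is a Python script that checks, from the machine itself, whether anything is accepting connections on TCP 139 and 445 (or any ports you pass in). It includes a self-check that opens a throw-away listener on the loopback interface to show the difference between a listening and a closed port. A check run on the same machine does not pass through the firewall's inbound rules, so it tells you whether the services are listening, not whether anyone outside can reach them; that outside view is what Shields UP! gives you.

```python
import socket


def port_accepts_connections(host, port, timeout=1.0):
    """True if something on host accepts a TCP connection on port within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, timed out, or unreachable
        return False


def audit_ports(host="127.0.0.1", ports=(139, 445)):
    """Report which of the given ports accept a connection from this machine."""
    return {port: port_accepts_connections(host, port) for port in ports}


def selfcheck():
    """Show that the checker tells a listening port from a closed one, using a
    throw-away listener on loopback (a constructed test, not ports 139/445)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = port_accepts_connections("127.0.0.1", port)
    listener.close()
    after_close = port_accepts_connections("127.0.0.1", port)
    return while_open, after_close           # expected (True, False)


if __name__ == "__main__":
    print("self-check (listening, closed):", selfcheck())
    for port, open_ in audit_ports().items():
        print(f"TCP {port}: {'accepting connections' if open_ else 'closed'}")
```

Run it again from another PC on your home network with that PC's address as host to see what the firewall actually lets through; if 139 or 445 still answer from a second machine after you have blocked them, the rule is not doing its job.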

For complete information, see Microsoft Security Advisory 922437, "Exploit Code Published Affecting the Server Service", published 11 August 2006:
Microsoft is aware that detailed exploit code has been published on the Internet for the vulnerability that is addressed by Microsoft security bulletin MS06-040. Microsoft has verified the published exploit code to work on Windows 2000 and Windows XP Service Pack 1 only; this code does not affect Windows XP Service Pack 2, Windows Server 2003, or Windows Server 2003 Service Pack 1. At this time our investigation of this exploit code has verified that it does not affect customers who have installed the update detailed in MS06-040.

{Snip}

Customers who believe they have been attacked should contact their local FBI office or report their situation to www.ic3.gov. Customers outside the U.S. should contact the national law enforcement agency in their country.

Mitigating Factors:

Customers who have installed the MS06-040 security update are not affected by this vulnerability.

While installation of the update is the recommended action, customers who have applied the mitigations as identified in MS06-040 will have minimized their exposure and potential exploitability against an attack.


Thursday, August 10, 2006

Patch Update -- MS 06-040

If you haven't installed the Microsoft Updates released this past "Patch Tuesday", it's time to take action! Even the Department of Homeland Security is getting into the act:
"The Department of Homeland Security (DHS) is recommending that Windows Operating Systems users apply Microsoft security patch MS06-040 as quickly as possible. This security patch is designed to protect against a vulnerability that, if exploited, could enable an attacker to remotely take control of an affected system and install programs, view, change, or delete data, and create new accounts with full user rights."
MS06-040 and the other updates released on "Patch Tuesday" can be downloaded directly from TechNet. This update should be installed on the following affected systems:

-- Microsoft Windows 2000 Service Pack 4
-- Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
-- Microsoft Windows XP Professional x64 Edition
-- Microsoft Windows Server 2003 & Microsoft Windows Server 2003 Service Pack 1
-- Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
-- Microsoft Windows Server 2003 x64 Edition
Note: Windows 98 and ME are not included in that list. Remember, those operating systems reached the end of the life support cycle on July 11, 2006. For all systems, see Microsoft Support Lifecycle by Product.

Microsoft has a toll-free number available to call in the event you are having problems with this or any other Microsoft Update. The service is free and is for all virus and security-related support. It is available 24 hours a day for the U.S. and Canada.

Call: 1-866-PCSAFETY (1-866-727-2338)

For support outside the United States and Canada, please contact Microsoft Help and Support worldwide. Go to Microsoft Security Home and choose your region from the box in the upper right corner.

Wednesday, August 09, 2006

This Call's For You, WGA Team!

It appears that a recent call to Microsoft's Windows Genuine Advantage (WGA) has been missed.

In Ed Bott's report, "Another WGA Failure", he indicates that he was working with his Microsoft contacts to obtain a pirated Volume License Key (VLK). His purpose was to report what a user would experience with a "non-Genuine" Windows key. When the Microsoft-provided license key failed to install, Ed reports that in about fifteen minutes he located a bunch of leaked VLKs through a Google search. Reportedly, those keys have been publicly posted for almost two years!

So, with keys in hand, he figured he was golden and would achieve his goal of showing his readers the messages they would receive with pirated or illegal VLKs. The problem, however, is that the keys did NOT fail the WGA test. In fact, they passed over and over.

I am sure the WGA Team is working very hard to iron out any problems with the WGA software. In the meantime, if you run into difficulties with the WGA tool, you can learn more at the Genuine Microsoft Software website. Help is available at the Microsoft WGA help forum, "Speak to Us at Microsoft!"


Tuesday, August 08, 2006

Patch Time!


It is Patch Tuesday and Microsoft has released the security bulletins identified below. Please see Nellie2's instructions on "How to Prepare for Patch Tuesday" and update ASAP.

MS06-040 - Vulnerability in Server Service Could Allow Remote Code Execution (921883) (Note: Addresses a critical security problem)

MS06-041 - Vulnerability in DNS Resolution Could Allow Remote Code Execution (920683)

MS06-042 - Cumulative Security Update for Internet Explorer (918899)

MS06-043 - Vulnerability in Microsoft Windows Could Allow Remote Code Execution (920214)

MS06-044 - Vulnerability in Microsoft Management Console Could Allow Remote Code Execution (917008)

MS06-045 - Vulnerability in Windows Explorer Could Allow Remote Code Execution (921398)

MS06-046 - Vulnerability in HTML Help Could Allow Remote Code Execution (922616)

MS06-047 - Vulnerability in Microsoft Visual Basic for Applications Could Allow Remote Code Execution (921645)

MS06-048 - Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (922968)

MS06-049 - Vulnerability in Windows Kernel Could Result in Elevation of Privilege (920958)

MS06-050 - Vulnerabilities in Microsoft Windows Hyperlink Object Library Could Allow Remote Code Execution (920670)

MS06-051 - Vulnerability in Windows Kernel Could Result in Remote Code Execution (917422)


View the summary and all the details here

Saturday, August 05, 2006

Garden Certificate Warnings

This discussion of Certificates started with "Garden Certificate Basics", which included background information about digital certificates as well as a sample of a "domain name mismatch". In that situation, it was apparent that a site was providing bogus information.

"Garden Certificate - Microsoft MVP Site" included an illustrated examination of digital certificate information provided to a reader of this blog. The certificate was received as a result of the MS MVP link in an earlier blog post here.

I was reminded today by a respected member of Freedomlist that there are circumstances where an unsigned certificate should not be accepted.
"Anyone can create a certificate that will show mvp.support.microsoft.com or anything they want in the cname and in the hierarchy. Checking those fields doesn't tell you anything particularly useful about the certificate or the website.

I'm afraid advice to accept the certificate is likely to give people the impression that the site is what it claims to be. That's fine for a site like mvp.support.microsoft.com where you just read their pages and don't send them any information, but people should absolutely never accept an unsigned certificate for a site that needs sensitive information like online-banking or shopping, because there is no way to know whether the webserver at the other end is really their bank or store, or if it is some random person spoofing the site and trying to get their data.

A simple summary:
A certificate signed by a certificate authority (verisign, for example) protects against eavesdropping and confirms the identity of the site.

An unsigned certificate (like the one at mvp.support.microsoft.com) protects against eavesdropping, but does NOT confirm the identity of the site."

Thank you, digger, for the explanation and excellent advice!
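To put digger's summary into something you can run, here is an added example (my own illustration, not code from any browser or certificate authority) in Python. It models the two questions a browser asks about a certificate: does the name on it match the site you typed, and does its chain end at a certificate authority the browser already trusts? The certificates, the trust store and the ".test" host names are all constructed; real verification also checks the signatures and validity dates, which this model leaves to the TLS library.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Only the fields this model needs; real certificates carry much more."""
    subject: str          # the name the certificate claims (the "cname" digger mentions)
    issuer: str           # who signed it; equals subject when the certificate is self-signed
    sans: tuple = ()      # subject alternative names, if any


# Constructed trust store standing in for the CA list a browser ships with.
TRUSTED_ROOTS = {"Example Root CA"}


def hostname_matches(host, pattern):
    """Case-insensitive exact match; a leading '*.' stands for exactly one label."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern


def chains_to_trusted_root(chain, trusted_roots):
    """Leaf first, root last: each issuer must be the next certificate's subject and the
    final issuer must be a trusted root. Signatures are assumed checked by the TLS library."""
    if not chain:
        return False
    for cert, parent in zip(chain, chain[1:]):
        if cert.issuer != parent.subject:
            return False
    return chain[-1].issuer in trusted_roots


def evaluate(host, chain, trusted_roots=TRUSTED_ROOTS):
    """What the certificate buys you: encryption always, identity only with a trusted chain."""
    leaf = chain[0]
    name_ok = any(hostname_matches(host, n) for n in (leaf.subject, *leaf.sans))
    return {
        "encrypted": True,   # any certificate, signed or not, gives an encrypted session
        "identity_confirmed": name_ok and chains_to_trusted_root(chain, trusted_roots),
        "self_signed": leaf.issuer == leaf.subject,
    }


# Constructed chains for the three cases in digger's summary.
BANK_CHAIN = (
    Cert("www.example-bank.test", "Example Issuing CA", ("www.example-bank.test",)),
    Cert("Example Issuing CA", "Example Root CA"),
    Cert("Example Root CA", "Example Root CA"),
)
SELF_SIGNED = (Cert("mvp.support.microsoft.com", "mvp.support.microsoft.com"),)
# Anyone can put a convincing name in the hierarchy; this chain still ends nowhere trusted.
SPOOF_CHAIN = (
    Cert("www.example-bank.test", "Example Issuing CA"),
    Cert("Example Issuing CA", "Example Issuing CA"),
)

if __name__ == "__main__":
    print("bank, CA-signed :", evaluate("www.example-bank.test", BANK_CHAIN))
    print("mvp, self-signed:", evaluate("mvp.support.microsoft.com", SELF_SIGNED))
    print("bank, spoofed   :", evaluate("www.example-bank.test", SPOOF_CHAIN))
```

The self-signed case comes out "encrypted: True, identity_confirmed: False", which is exactly digger's point: the connection is private, but you have no idea who is on the other end. The spoof case shows why checking the names in the hierarchy is not enough; the verdict turns on whether the chain ends at a root the browser already trusted before it ever saw the site.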

Additional reference information:

VeriSign Described
VeriSign.com
Digital Certificate Defined
Public Key Certificate