Microsoft discloses new threats to Windows, IIS, and Outlook Express

In addition to the critical security threats from Microsoft that I covered in last week’s column, the Redmond software giant has also issued a flurry of medium-level security threats that Windows administrators need to be aware of.
Details

MS04-018, “Cumulative Security Update for Outlook Express,” is caused by a failure of Outlook Express to properly handle certain specifically malformed e-mail headers. This is a DoS threat; Microsoft reports having seen published exploits but has not received any reports from customers who have been compromised by them. This threat is covered by CAN-2004-0215.


MS04-019, “Vulnerability in Utility Manager Could Allow Code Execution,” is a local elevation of privilege threat that can’t be exploited remotely. MBSA (Microsoft Baseline Security Analyzer) will report if your system needs this update, and Systems Management Server (SMS) can help deploy it.

MS04-020, “Vulnerability in POSIX Could Allow Code Execution,” is an unchecked buffer vulnerability in the Portable Operating System Interface for UNIX. MBSA will report if your system needs this update, and SMS can help deploy it. This threat is covered by CAN-2004-0210.

MS04-021, “Security Update for IIS 4.0,” is a buffer overrun vulnerability in the redirect function that can allow remote code execution. MBSA will report if your system needs this update, and SMS can help deploy it. This threat is covered by CAN-2004-0205.

MS04-024, “Vulnerability in Windows Shell Could Allow Remote Code Execution,” replaces MS03-027 for Windows XP (but not for the other affected operating systems). This threat is covered by CAN-2004-0420.
Applicability

MS04-018 applies to all versions of Outlook Express from 5.5 through 6, including operating systems from NT 4.0 through Windows Server 2003.

MS04-019 affects all versions (and all Service Packs) of Windows 2000.

MS04-020 affects all versions of Windows NT 4.0 and all versions of Windows 2000 (and all its service packs).

MS04-021 affects Windows NT Workstation 4.0 Service Pack 6a and Windows NT Server 4.0 SP6a (but only with IIS installed as part of the NT 4 Option Pack).

MS04-024 affects all versions of:

* Windows NT 4.0
* Windows 2000
* Windows XP
* Windows Server 2003

Windows 98, 98 SE and ME may be affected by all of these threats, but since none of these flaws are a critical threat to those operating environments, updates are not provided by Microsoft (which limits support for discontinued operating systems to critical-only updates).
Risk level – Important to moderate

MS04-021 and MS04-024 are both remote code execution vulnerabilities that allow a remote attacker to run arbitrary programs and take complete control of the vulnerable systems. I would rate these as critical rather than the moderate rating Microsoft has given them.

MS04-020 is a local elevation of privilege threat and can’t be exploited remotely or without detailed information about the system and access to it.

Although MS04-019 can allow someone to take complete control over a system, it is rated a moderate threat because it can only be exploited locally by a legitimate user. This is not a remotely executable threat or one that could be executed by a complete stranger.

MS04-018 is considered only a moderate denial of service threat because successful execution would cause only Outlook Express to fail, not the operating system or other applications.
Fix – Apply the patches/updates provided

Please check the Microsoft bulletins before taking any action on these vulnerabilities, because several of the bulletins have been updated multiple times.

A partial workaround for MS04-018 is to disable the preview pane (View, Layout, and uncheck View Preview Pane). This doesn’t completely remove the threat, but it does make it easier to remove the offending message.

There is no workaround for MS04-024.

As mentioned above, Windows 98, 98 SE, and ME are no longer supported except for critical threats, so no patches are available for those operating systems. Windows NT Workstation 4.0 has also just passed out of normal support, but Microsoft already had a number of these patches prepared for that operating system and has included fixes for it in these updates.
Warnings

MS04-019 (Utility Manager bulletin) – In addition to fixing the vulnerability, applying this update will eliminate access to context-sensitive help from the Utility Manager.

MS04-021 (IIS 4.0) – There is apparently a problem updating with the ISAPI filters running (see knowledge base article 873401). That’s what Microsoft says. Actually the problem is a complete crash-and-burn, so I’d pay attention to this knowledge base article if I were applying this patch. The IISLockdown tool installs URLScan and will protect against this vulnerability. See the workarounds section of the Microsoft bulletin for directions on configuring the tool. Also, the workaround using URLScan will block all incoming requests larger than 16K. IIS can be disabled or stopped in IIS Manager or removed, but this will also block other Internet services, such as the IIS SMTP service.

MS04-024 (Windows Shell) – ActiveX features may be limited by some of the recent IE patches, and this patch refines some previous changes in IE 6 Service Pack 1 that may prevent other cross-domain vulnerabilities. The update can prevent attackers from moving code execution from the Internet Zone to the more permissive Local Machine security zone.
Final word

As for the problem in Outlook Express, MS04-018, I don’t believe this software belongs on any business system. In fact, I don’t even use the full version of Outlook because it is tied to, or is the source of, so many vulnerabilities. Thus, my personal best practices would have avoided this problem entirely. None of my clients use Outlook Express, and if any of them use Outlook, it is against my advice.
Also watch for …

* Secunia has released an advisory for an unspecified mod_ssl 2.x (mod-proxy) threat in Apache that the security vendor has rated as highly critical because of the widespread critical applications in which Apache is used. No further details were available but the vendor that reported the threat recommends immediate update to version 2.8.19-1.3.31.
* Beagle/Bagle is once again showing its teeth. Fast-spreading and virulent, the latest incarnation of Beagle/Bagle (the one known as Beagle.AG at Symantec) has its own SMTP mail engine and opens a backdoor on TCP port 1080. A number of Beagle removal tools are available.
* According to a CNET news.com report, the new Atak mass-mailing worm actually watches for antivirus software activity and, when it begins a scan, Atak shuts down so it won’t be discovered. It doesn’t carry a dangerous payload but Atak is part of the new generation of worms that are intended to spread spam. F-Secure’s lead virus specialist says that while many viruses and worms attempt to hide, this one is exceptionally good at it.
* In the “it had to happen someday” category, you can now place bets (they are actually a kind of futures options) on an Irish sports betting site (tradesports.com) about when the next big worm or virus attack will take place. See this ZDNet UK story for more details and get your bets down early!
* There is a Gentoo php update that is rated highly critical. It addresses two apparently unrelated vulnerabilities that can allow an attacker to completely compromise a system. See the full advisory here. Another moderately critical vulnerability in Opera for Gentoo Linux 1.x has been patched. The impact of this threat is phishing related. See this Gentoo-announce report and this Gentoo Linux Security Advisory for more details.

Microsoft’s blast from the past

A year ago, the author of the MSBlast computer worm taunted Microsoft with a message in the fast-spreading program: “billy gates why do you make this possible? Stop making money and fix your software!!”

Bill Gates and company apparently took up the challenge. On Friday, Microsoft released to PC manufacturers Windows XP Service Pack 2, an update aimed at locking down customers’ computers. SP2 took more than nine months to complete and contains significant security changes to the flagship operating system.

Microsoft’s overhaul of the software underwent a fast shift in direction–from a focus on features to an overwhelming concentration on security–after the rapid spread of MSBlast last summer threw doubt on the operating system’s protections.


The worm compromised more than 9.5 million Windows PCs by exploiting a flaw in the software that not many customers had actually patched, even though Microsoft had made a fix available.

“This time last year was a really exciting time,” said Amy Carroll, director of product management in Microsoft’s Security Business and Technology Unit. “There wasn’t a lot of sleep involved.”

The MSBlast worm hit the Internet on Aug. 11, 26 days after Microsoft published a patch for the vulnerability that the worm used to spread. But many Windows users failed to vaccinate their systems, even though there was widespread expectation that a virus would emerge from the security hole. The result: The malicious program caused enough havoc to play some part in a major power failure that affected as many as 50 million homes in the United States and Canada, though it did not cause the outage.

A year later, the release of SP2 means that Carroll and her Redmond cohorts may get at least a few hours more winks. Through changes to the Windows XP code and configuration, the update adds better security to the operating system’s handling of network data, program memory, browsing activity and e-mail messages.

Some security companies are tentatively hopeful that the XP software fix will bolster security in the average PC.

“It is probably too early to say whether SP2 will meet its promise,” said Alfred Huger, senior director of engineering at Symantec, a security company. “That said, it’s a great step in the right direction. We still have all the same fears as before, but we are in a better place to deal with them.”

Those that install the update will be better protected against MSBlast-type network worms. The security revamp has multiple layers of redundancy that would have stopped MSBlast and the more recent Sasser worm from spreading, Microsoft’s Carroll said.

For example, the flaw in the Remote Procedure Call (RPC) component in Windows that allowed MSBlast to spread has now been fixed, she said. Even if it hadn’t, SP2 has an automatic update feature that would have installed the Microsoft patch before MSBlast propagated. Then, if a user turned off that update feature, SP2’s improved firewall would have blocked the worm. And if the firewall had been turned off, Microsoft has changed the way that Windows XP interacts with such viruses, so that MSBlast’s attempts to infect computers would have failed.

“There is a whole cascade of defenses that make the operating system more resilient overall,” Carroll said.

Now Microsoft has to persuade consumers and corporate network administrators to apply the SP2 changes. The company has repeatedly learned that customers are less than assiduous about applying updates to their systems. The Slammer worm, which exploited a 6-month-old security hole in Microsoft SQL Server, spread widely because many companies failed to patch the flaw during that half-year.

“This is the most secure version of Windows that we have shipped yet,” said Carroll, who issued a plea for customers to apply the patch. “That said, it is not a ‘silver bullet,’ and we are doing a lot of other things to address security.”

Complicating matters, the update could cause problems with corporate homegrown applications, Microsoft has acknowledged. IBM, for one, has told employees to wait for the go-ahead from management before installing the update. To allow companies time to test how the update will affect their users, Microsoft has published a tool to enable businesses to block people from downloading and installing the update.

Giving companies a choice is one of the lessons learned by Microsoft. A handful of major worm and virus attacks in the past three years have taught the software giant that security is not simple. The result is that the company pushes for security on multiple fronts.

The Code Red and Nimda worms led the company to embark on its 10-year Trustworthy Computing initiative, designed to focus Microsoft employees on building better security into products and on improving customer response. The Slammer worm convinced the software giant to stress patching and to find ways to defend systems that are not patched. And the MSBlast worm helped lead Microsoft to create Service Pack 2 and to finance a reward program for informants who help pinpoint virus writers.

Although it is harder to create network worms that can penetrate Windows XP SP2’s defenses, it can be done, Symantec’s Huger warned.

“It would stop the old MSBlast. I don’t know if it would stop a new one,” he said. “This isn’t the end of the network worm, but it makes more sense (for attackers) to focus on other methods.”

Security researchers are already picking apart SP2, looking for flaws. Thor Larholm, a senior security researcher with PivX Solutions, downloaded the software last Friday and continues to analyze it. The true test for the update will likely come in the next few months, once those researchers’ efforts bear fruit.

“Give it a few weeks, or a few months, and you will see the first vulnerability announcements regarding Service Pack 2,” Larholm said.

Vim offers strong file encryption with Blowfish

2010 saw the release of version 7.3 of the Vim text editor. Vim was originally written by Bram Moolenaar in 1991. While it has not been around nearly as long as Berkeley vi — the model on which Vim was based — it is a venerable mainstay of many developers’ toolkits.


Vim has offered built-in support for file encryption for a long time, as long as it is built with the cryptv compilation option. This made working with encrypted files incredibly easy and transparent — almost entirely unnoticeable, in fact. Unfortunately, Vim file encryption suffered one major problem: it used PkZip compatible encryption, which is not the strongest encryption available.

As of Vim version 7.3, the editor now supports Blowfish encryption. Bruce Schneier created the Blowfish cipher to fill the need for a replacement for the aging and increasingly vulnerable DES cipher, releasing it in 1993 and declaring that he would never subject it to restrictions on use and implementation:

Blowfish is unpatented, and will remain so in all countries. The algorithm is hereby placed in the public domain, and can be freely used by anyone.

No truly effective cryptanalysis of the Blowfish cipher has been confirmed to date, a good sign after longer than seventeen years of heavy testing and use. It is one of the strongest ciphers available to the general public and, unlike ciphers that have been developed in part by the NSA, there is little reason to fear that it is subject to any intentionally included “backdoor” vulnerabilities.

To determine whether the Vim package you have installed on your OS of choice has been built with the cryptv option, enter the vim --version command at a shell prompt. If the string +cryptv appears in the output under “Features included (+) or not (-):”, your Vim binary has been built with support for file encryption. If your Vim version is 7.3 or later, it should use Blowfish encryption.

On a typical Unix-like system, you may want to filter for the +cryptv string:

vim --version | grep +cryptv

The result, using the grep utility, should look something like this:

+conceal +cryptv +cscope +cursorbind +cursorshape +dialog_con_gui +diff

Assuming it has been built with file encryption support, working with file encryption in Vim is so easy as to be nearly second nature to a habitual Vim user. To open a plain text file or create a new one, you might normally enter a command at the shell like this:

vim filename.txt

The exacting, complex, highly difficult and dangerous version that tells Vim you want to encrypt the file when you save it looks like this:

vim -x filename.txt

Once a file has been encrypted by Vim once, you never need to use the -x option when opening that file again; Vim will automatically recognize it as an encrypted file and Do The Right Thing. Using the -x option when opening a file that has already been encrypted by Vim should not hurt anything, though.

Because Blowfish is a symmetric key encryption system, the same key is used for both encryption and decryption. When Vim opens a file for the first time with the -x option, the first thing it will do is ask you to give it a key you can use to encrypt and decrypt the file, with this prompt:

Enter encryption key:

After entering the key, you will then be asked to confirm the key, to ensure you did not mistype it.

Enter same key again:

After that point, Vim will act exactly the way it always has, as far as the user can tell. When you save and exit the file, there will then be an encrypted file containing the secret data you put in it. When opening the file with Vim again, the editor will ask you to enter the key needed to decrypt it for you; once open, you can again edit the file just as you would any other, and when you save the file again, it will be encrypted again.

Of course, you probably want to avoid littering your hard drive with Vim’s swapfiles, since one of the benefits of using Vim directly for file encryption management is that you do not have to create a decrypted version of the file on the hard drive before editing it, then save it decrypted, and re-encrypt it. That benefit is completely obviated if your editor saves tempfiles full of unencrypted data to disk.

You can avoid that by creating a special vimrc file — though you will not want to name it .vimrc because it may then be used by Vim all the time, automatically. Call it something like .encrypted_vim_rc and you can use it with Vim’s -u option:

vim -u ~/.encrypted_vim_rc -x filename.txt

That may look like a bit of a virtual “mouthful” to type every time you want to work with encrypted files. A shell alias, such as defining the vimenc alias to execute vim with that set of command line options will help. How exactly you go about setting aliases depends on your shell. In tcsh, for instance:

alias vimenc "vim -u ~/.encrypted_vim_rc -x"

In bash, it would look more like this:

alias vimenc="vim -u ~/.encrypted_vim_rc -x"

After that, you need type no more than vimenc filename.txt to open a file (whether or not Vim has already encrypted it) and have it encrypted on save, with no unencrypted copies written to disk as Vim swapfiles while the editor is open. Of course, for this to work, you need that .encrypted_vim_rc file. It should not write unencrypted data to disk if you include the following in that configuration file:

set nobackup
set noswapfile
set nowritebackup

Note that the -u option ensures that Vim does not automatically load any other vimrc files. If you want Vim to use the complete set of configuration options normally sourced by the editor, you can use Vim’s source command in your .encrypted_vim_rc file to indicate an additional vimrc configuration file, so that the special configuration file that gets loaded when you run the vimenc command alias now contains these lines:

source ~/.vimrc
set nobackup
set noswapfile
set nowritebackup
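The version check, the rc file and the vimenc alias from the steps above, gathered into a few shell functions as an added example; this is not code from the article or from the Vim project. The ~/.encrypted_vim_rc path and the vimenc name are the article's; the function names are this example's own. It adds two things a practitioner will want: the rc file also sets cryptmethod=blowfish, because Vim 7.3's default for that option is still the older zip method (kept for compatibility with files written by earlier versions), and a check of the 12-byte VimCrypt~NN! header that Vim writes at the start of every encrypted file, so you can confirm on disk that a file really was saved encrypted and with which method.

```shell
#!/bin/sh
# Added example (not the article's or Vim's own code): helpers around Vim's
# built-in file encryption. Function names are this example's assumption.

# Report whether a "vim --version" listing, read from stdin, includes +cryptv.
# Usage: vim --version | has_cryptv && echo "encryption supported"
has_cryptv() {
    grep -q '+cryptv'
}

# Write the rc file the article describes to $1. If $2 is given, it names a
# full vimrc to source first so the usual settings are kept. The extra
# cryptmethod line is needed on 7.3, whose default is still the weak zip
# method; without it, -x would not give you Blowfish.
write_encrypted_vimrc() {
    rc="$1"
    base="${2:-}"
    {
        [ -n "$base" ] && printf 'source %s\n' "$base"
        printf 'set nobackup\n'
        printf 'set noswapfile\n'
        printf 'set nowritebackup\n'
        printf 'set cryptmethod=blowfish\n'
    } > "$rc"
}

# Identify which crypt method a saved file uses from the 12-byte header Vim
# writes at the start of every encrypted file:
#   VimCrypt~01! = zip (weak), VimCrypt~02! = blowfish (Vim 7.3),
#   VimCrypt~03! = blowfish2 (added in a later Vim release).
# Prints "none" for a file without that header, i.e. one saved unencrypted,
# which is the case you want to catch after editing a secret.
vim_crypt_method() {
    hdr=$(dd if="$1" bs=12 count=1 2>/dev/null) || hdr=""
    case "$hdr" in
        'VimCrypt~01!') echo zip ;;
        'VimCrypt~02!') echo blowfish ;;
        'VimCrypt~03!') echo blowfish2 ;;
        *)              echo none ;;
    esac
}

# The article's alias as a shell function: open the given file with the
# swap-free rc file and -x, so it is encrypted when saved.
vimenc() {
    vim -u "$HOME/.encrypted_vim_rc" -x "$@"
}
```

Run vim_crypt_method on a file after your first save with vimenc: "blowfish" is what you want to see, "zip" means the cryptmethod setting did not take, and "none" means the file went to disk in the clear.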

Unfortunately, Vim’s built-in encryption support is not entirely suitable for sharing encrypted files with others, because its only strong encryption support is the Blowfish cipher. Blowfish is great, but it is a symmetric key cipher, not a public key cipher. It is great for single-person file encryption tasks, but less so for sharing files with others. This is where external tools must be used with Vim to manage file encryption.

Secunia PSI now has Auto Update

I would like to side-step all pretenses about how and why software is flawed. And, instead, focus on what we can do to protect ourselves from the vulnerabilities caused by the flaws. Have you heard: “Make sure your software programs are up to date?” It’s becoming a tired mantra, but alludes to one of the best ways to stay safe online.


Not so simple

Keeping updated seems simple enough, but becomes complicated when put into practice. Questions occur. For example:

* How do I know if a program is up to date?
* How often do I need to check for updates?

Some software companies cover the questions by having an automated client application and scheduled updates. Microsoft, for instance, uses Windows Update to roll out patches the second Tuesday of every month. If there is a serious problem, Microsoft will issue an out-of-sequence patch.

Google is another example. The Chrome web browser automatically updates in the background without any user interface.

Unfortunately, Microsoft and Google are the exception. Other software developers tend to update at their convenience or when a major issue surfaces, which raises the question: how are we supposed to know when that is?
Secunia

One company makes it their business to know. That company is Secunia. They have developed scanners for the corporate world and a freeware version for consumers called Personal Software Inspector (PSI). It is reassuring to fire up PSI and check if programs are up to date. If not, PSI will offer suggestions on what to do. It works well, if you remember to update.

Having to manually update is the chink in PSI’s armor. By not automating, the process tends to be hit or miss.
Auto Update

That has changed with version 2.0 of PSI. Jakob Balle, VP of Product Development for Secunia, describes the new update feature:

“Secunia aims to solve this problem with Secunia PSI 2.0, featuring updates that are truly automatic. In the sense that, if the user prefers, Secunia PSI 2.0 can install most security updates without requiring the user to download, run, or otherwise perform manual actions to patch their PC.”

Secunia received a vote of confidence on PSI 2.0 from the Online Trust Alliance:

“The Online Trust Alliance applauds the launch of the Secunia PSI 2.0. OTA has been working with Secunia for over two years to develop best practices and solutions.”
Installation

Downloading (less than 2 MB) and installing PSI is painless. The installer is also one of two places where you configure the auto-update feature.

The next configuration question PSI asks is whether you want the tray icon to show all the details.

If you are a current PSI user, you will notice the user interface has changed dramatically. I asked several system admins what they thought about the new interface, and all commented that it was an improvement.

Alternative settings

Advanced users may not like having programs update automatically. Having thought of that possibility, Secunia offers the choice of only allowing updates to install with user approval.

Final thoughts

I asked the same system admins what they thought about Secunia overall. To a one, they said it was one of the few applications that has never disappointed them. I tend to agree.