Free Republic

Patch Tuesday: Microsoft raises alert for dangerous IE, Windows flaws
ZDnet ^ | 12 Jun 2012 | Ryan Naraine

Posted on 06/13/2012 9:39:00 PM PDT by OldEarlGray

To: zeugma

I agree that hardware acceleration is an excellent solution, if it is installed in a project from inception. If the system is not equipped with the hardware cards already then it usually means scaling the existing infrastructure by some multiplier. I find your observation about government inability to decipher might be interpreted more as a political constraint rather than a technical limit. That said, I would expect conservative thinkers to reject a government decryption snoop on everything we do. I admire your well thought-out post, you hit the target.


61 posted on 06/15/2012 11:14:56 AM PDT by gcraig (Freedom is not free)
[ Post Reply | Private Reply | To 58 | View Replies]

To: gcraig
Regarding the hardware cards, I absolutely agree. If you're going to use it, you need to architect it in at a project's inception, otherwise you're likely to end up with a bolted-on solution that will likely not satisfy your requirements.

I find your observation about government inability to decipher might be interpreted more as a political constraint rather than a technical limit. That said, I would expect conservative thinkers to reject a government decryption snoop on everything we do.

I've been interested in cryptography for quite a while, and I've watched a lot of the discussions that have surrounded it, especially as it concerns government agencies. The government really doesn't like crypto at all. I don't know if you're aware, but cryptography used to be heavily controlled as an export product. (still is to some degree - figures, the government doesn't think foreigners can do math). Phil Zimmermann, the guy who wrote PGP, was under threat of federal charges for quite some time because he open-sourced the code to the program. The uncertainty and roadblocks generated by FedGov were a major reason the internet didn't develop stronger privacy protections in the days before the net was noticed by the vast majority of the public. The main conclusion I took from this was that they believe in privacy that goes one way, and that is their way. Extracting information from FedGov is like pulling teeth (See Fast & Furious), but they want to be able to read anything you send on the net. You might be surprised at how much of the internet passes through points that FedGov has direct access to. Anyone who thinks they aren't snooping hasn't been paying attention.

I admire your well thought-out post, you hit the target.

Gee thanks! Doesn't happen often. Trust me. :-)

62 posted on 06/15/2012 1:57:36 PM PDT by zeugma (Those of us who work for a living are outnumbered by those who vote for a living.)
[ Post Reply | Private Reply | To 61 | View Replies]

To: FunkyZero; zeugma
>>was one of his (incorrect) "examples" of why a sandbox won't help.
 
I didn't say sandboxing in a VM wouldn't help, Wiley. I said if I wanted to sandbox, then I'd use the VM created by those who created the OS...
http://www.microsoft.com/windows/virtual-pc/download.aspx
...instead of the ACME "free"ware you (in the typical role of the flatulent god-SA) suggested -- because there is no guarantee that any such utility downloaded from the Internet isn't itself, malware.
 
In fact, as pointed out by Mark Russinovich during his TechEd session on using SysInternals tools, folks need to be careful when using the "Search Online" feature of Process Explorer because the result list itself will likely contain numerous links to sites that offer "solutions" which are, themselves, malware.
 
So how do you guarantee that ACME "we'll keep you safe for FREE" ware like Sandboxie isn't itself malware, Wiley? Sign it with something derived from the compromised Microsoft root certificate? Oops.
 
Oh, and let's review your assertion regarding home usage:
"Home users read the news, email and download music. Some, but fewer, use the PC for creating and managing files of various form. for those who meddle with pirated software.. well, they get what they deserve"
News, Email, and Music. Uhuh.
 
LOL. How many copies of Microsoft C# Express have been downloaded by "Home Users"? No gamers out there, are there? Nobody uses Facebook or the other plethora of socialware. YouTube has no content at all. Uhuh.
 
Once again, your list is pretentiously incomplete and laughable - just like this...
"Malware can be a thing of the past if you familiarize yourself with and use a program called "Sandboxie". "
--FunkyZero (Aka Wile E Coyote, Suuuper Administrator)
...is pretentious and laughable.
 
Did the ACME sandboxie pick up many registrations from your shilling of it here, Wiley?
 
NO SALE.

63 posted on 06/16/2012 6:14:47 AM PDT by OldEarlGray (The POTUS is FUBAR until the White Hut is sanitized with American Tea)
[ Post Reply | Private Reply | To 60 | View Replies]

To: zeugma
[If you're going to use it, you need to architect it in at a project's inception,]

Something like what MS is supposedly doing with Windows 8 -- where the signing cert is in hardware, and everything from bios-boot forward will (supposedly) be verified as trustable. Unless of course there's a little problem with the MS Root certificate itself being untrustable...

Horses Out. Check.
Barndoor Closed.  Check.
Security from the geniuses who thought VB Script in Email was a great idea. Check.

 

64 posted on 06/16/2012 6:23:20 AM PDT by OldEarlGray (The POTUS is FUBAR until the White Hut is sanitized with American Tea)
[ Post Reply | Private Reply | To 62 | View Replies]

To: zeugma
 [Stuxnet was an extremely targeted virus.  ]

Which of course is why... 

"This attack from an unknown source but likely related to Stuxnet, disabled one of the lists and thereby interrupted an important source of information for power plants and factories.[24]"

http://en.wikipedia.org/wiki/Stuxnet

Oops.

And then there's the more general issue of the Stuxnet / Duqu / Flame methodology being reverse engineered and COPIED, presumably by some entity operating in a framework of governance that is not constrained by our specified purpose for American governance:

"TO SECURE THESE RIGHTS, governments are instituted among men.".

http://www.google.com/#hl=en&gs_nf=1&cp=59&gs_id=7&xhr=t&q=to+secure+these+rights+governments+are+instituted+among+men


65 posted on 06/16/2012 6:42:42 AM PDT by OldEarlGray (The POTUS is FUBAR until the White Hut is sanitized with American Tea)
[ Post Reply | Private Reply | To 59 | View Replies]

To: D-fendr

[A third option would be to secure them on a different level not involving the user]

“Windows 8 PCs will ship with Microsoft’s certificate stored in UEFI (and possibly other certificates, depending on the manufacturer). UEFI will check the boot loader before launching it and ensure it’s signed by Microsoft – if a rootkit or another malware program does replace your boot loader, UEFI won’t allow it to boot. This prevents malware from hijacking your boot process and concealing itself from your operating system.”
http://www.howtogeek.com/116569/htg-explains-how-windows-8s-secure-boot-feature-works-what-it-means-for-linux/

That’s a good start.

In addition, MS needs to implement process specific claims assignment instead of the ridiculous notion of UserIDs operating in a full trust contract with the rights of whatever groups they happen to be assigned to.


66 posted on 06/16/2012 7:03:01 AM PDT by OldEarlGray (The POTUS is FUBAR until the White Hut is sanitized with American Tea)
[ Post Reply | Private Reply | To 49 | View Replies]

To: FunkyZero

[but don't ever insinuate that I participate in illegal activity again.]

I'm not the one shilling "free"ware with the idea that music should be downloaded from within a SandBoxie, Wiley.

You remind me of folks who think they're protected from AIDS because some pharmaceutical snake-oil company sold them a pill to protect them from the due penalty for their perversions.

http://www.ehealthme.com/ds/lamivudine/pseudomyxoma+peritonei

See Wiley, there's that "sa-God" complex vs the 1st commandment conflict articulated in Romans 1:20++, again.

That's a behavioral problem rooted in the calibration of the moral compass the operator's framework is booted with.

You sure you're not an apple administrator?
 
"Go ahead, take a byte, it's "free"..."


67 posted on 06/16/2012 7:42:37 AM PDT by OldEarlGray (The POTUS is FUBAR until the White Hut is sanitized with American Tea)
[ Post Reply | Private Reply | To 52 | View Replies]

To: FunkyZero

>>There are currently over 8600 windows devices on my network

8600 windoze devices on the ACME botnet ehh Wiley? {yawn}

http://www.computerworld.com/s/article/9200598/Group_used_30_000_node_botnet_in_MasterCard_PayPal_attacks

30,000 -- Well, that’s a little more impressive... for a non-government-sponsored bot-net anyhow.

“Both MasterCard and Visa also had their public websites knocked offline by a “hive” of as many as 3,000 activists who had downloaded Web-attacking software, which was then turned on different websites. “

{Sigh} Alas! If only Visa and Mastercard had worn a pair of these here ACME Sand-Boxers...

...the malware attacking them would've been a thing of the past and the organized cyber-criminals who perpetrate such mischief would've been discouraged from skimming their way out of Cyberia ever again. Alas!/s

68 posted on 06/16/2012 9:04:03 AM PDT by OldEarlGray (The POTUS is FUBAR until the White Hut is sanitized with American Tea)
[ Post Reply | Private Reply | To 52 | View Replies]

To: OldEarlGray; FunkyZero
I can't say that I understand your seemingly virulent (no pun intended) antipathy towards the sandboxing solution offered by funkyzero. If someone wants to use a sandbox, and they are smart enough to even know how to make it work, more power to them. Personally I prefer VMs, but there is a place for each solution.

As for the problem with it being freeware, my entire desktop is nothing but freeware, from the OS up. Given the utility and security it provides me I fail to find that as a charge against it. Yes, it's probably not a really good idea to take the top hit on Google for something like this, but I also figure that if you're going to take the time to implement sandboxing, it would make a wee bit of sense to also take the time to figure out if it is a good solution for you. 

As for getting the VM solution by those who created the OS, that's a pretty iffy statement. As far as security goes, Microsoft, as a vendor, doesn't exactly have a sterling history. Of the VM solutions out there, I personally like VMware better, because I like the feature set and stability. I don't have any particular animus towards virtualPC, but last time I took the time to look at it, it was several years behind VMware. That may not be true now, as Microsoft has a history of continuing to slog along with inferior products until they finally get it right.

Having choice in the marketplace for different solutions is a Good Thing IMO, because not every solution will fit every need. Sometimes it takes time and effort to even determine what your needs are, and a little trial and error to discover what fills them. I'm just glad we have options and don't have to take just whatever it is that a single vendor decides to make available. Do you recall what happened with Internet Explorer once Microsoft had driven Netscape out of business? They sat on their asses for years while the rest of the world who wanted a browser that actually worked and had things like tabs passed them by. I still think IE is a steaming pile of crap that has market space primarily because of the inertia provided by the lazy and clueless who don't even know about the alternatives. That's my own personal opinion though, given my personal experiences with it. YMMV.

HAND!

69 posted on 06/16/2012 12:50:05 PM PDT by zeugma (Those of us who work for a living are outnumbered by those who vote for a living.)
[ Post Reply | Private Reply | To 63 | View Replies]

To: OldEarlGray

"This attack from an unknown source but likely related to Stuxnet, disabled one of the lists and thereby interrupted an important source of information for power plants and factories.[24]"

Yup. Sucks to be attacked by your own government. I expect such things will happen more in the future. Not much to be done about it though, because they are willing to use their guns, and we apparently aren't.

70 posted on 06/16/2012 12:52:09 PM PDT by zeugma (Those of us who work for a living are outnumbered by those who vote for a living.)
[ Post Reply | Private Reply | To 65 | View Replies]

To: OldEarlGray

Bookmark


71 posted on 06/16/2012 1:38:36 PM PDT by dragnet2 (Diversion and evasion are tools of deceit)
[ Post Reply | Private Reply | To 50 | View Replies]

To: OldEarlGray

Ok, now you’re just creeping me out. Please stop with the messages, I’m getting off this crazy train right here.


72 posted on 06/16/2012 8:51:21 PM PDT by FunkyZero (... I've got a Grand Piano to prop up my mortal remains)
[ Post Reply | Private Reply | To 68 | View Replies]

To: FunkyZero
Eat your words, Wiley:

"Malware can be a thing of the past if you familiarize yourself with and use a program called "Sandboxie"."


FAIL.

NO SALE.

73 posted on 06/16/2012 9:32:01 PM PDT by OldEarlGray (The POTUS is FUBAR until the White Hut is sanitized with American Tea)
[ Post Reply | Private Reply | To 72 | View Replies]

To: zeugma

>>sucks to be attacked by your own government.

I wouldn’t characterize it as being attacked by our own government - but rather a probable case of unintended collateral damage.

But now that the cat is out of the bag and third parties are reverse engineering the technology, it’s only a matter of time before weapons like these are in somebody else’s arsenal.

Are we prepared?


74 posted on 06/16/2012 9:49:42 PM PDT by OldEarlGray (The POTUS is FUBAR until the White Hut is sanitized with American Tea)
[ Post Reply | Private Reply | To 70 | View Replies]

To: nnn0jeh

Ping


75 posted on 06/16/2012 9:56:42 PM PDT by kalee (The offenses we give, we write in the dust; Those we take, we engrave in marble. J Huett 1658)
[ Post Reply | Private Reply | To 74 | View Replies]

To: OldEarlGray
>>sucks to be attacked by your own government.

I wouldn’t characterize it as being attacked by our own government - but rather a probable case of unintended collateral damage.

I have never before been accused of rhetorical excess in all of my life. Never! I tell you, Never!



76 posted on 06/17/2012 12:35:47 PM PDT by zeugma (Those of us who work for a living are outnumbered by those who vote for a living.)
[ Post Reply | Private Reply | To 74 | View Replies]

To: OldEarlGray

I’m not joking. Stop with the messages. You are practically stalking me at this point as it appears you have done to others. Knock it off and leave me alone.


77 posted on 06/17/2012 8:16:14 PM PDT by FunkyZero (... I've got a Grand Piano to prop up my mortal remains)
[ Post Reply | Private Reply | To 73 | View Replies]

To: FunkyZero
Your motherboard is soiled by hamster poopie and your bootstrapper is too short of bits.



Now go away from this thread or I shall taunt you a second time.
78 posted on 06/17/2012 9:09:02 PM PDT by OldEarlGray (The POTUS is FUBAR until the White Hut is sanitized with American Tea)
[ Post Reply | Private Reply | To 77 | View Replies]

