nCircle.com >> 360 Security


June 2006 Archives

June 9, 2006

Dirty Dozen?

Patch Tuesday looms over us once again. 9 Windows patches, 2 Office, and 1 Exchange, and a wide range of severity levels. More details here:

Looks like the same functionality change that was rolled into MS06-019 is going to be in the new Exchange one. While some might read something malicious into MS' persistence in forcing admins to choose between breaking compatibility with 3rd party mobility extensions and patching their Exchange boxes, I do not. I think it would be ludicrous for them to maintain a separate stream of patches for external functionality, especially functionality that was based on what was essentially a bug. Now why does that sound so familiar?

Predictions for this Tuesday:
- MS will be late again with the release. Technically they say 10am PST, but it's often more like 10:30 before the bulletins and patches are available. This is a pet peeve of mine: why can't they release this stuff at 9am EST, so that at least half the planet has a full working day to test and patch?
- The Office vuln will branch in more ways than you could ever believe. If you have previously applied patch 9743573 download patch 22113344, but if you have not applied patch 9743573 then download patch 22113345, unless you're using the Korean version then ...

Either way, the sure thing is that we are going to be here well into Wednesday. Wish us luck.

June 13, 2006

And so it starts...

Come one... Come all... to the Wonderful World of Dis... Patch Tuesday. The time is again upon us and, as Ross had previously mentioned, we're looking at 12 advisories. We just keep telling ourselves, “It could be worse.”

For those of you keeping count, the advisories start with MS06-021 and work their way up to MS06-032 and luckily, they come with a wide variety of choices.

We kick things off with a cumulative update for Internet Explorer… this is a regular monthly occurrence and was to be expected… I’m sure, just like last month, tomorrow the mailing lists will see a flood of new vulns for IE, which will lead to another cumulative update in July.

Then we have a string of locals, or what the security community, for the most part, considers to be locals. Have you ever noticed that there are different opinions of what constitutes a local and a remote? If someone can trick you into visiting a malicious website, Microsoft considers that to be a remote. The security community in general seems to consider a remote to mean that a malicious person could run it against your computer without any interaction on your part… but that’s a discussion for another day… A quick rundown of the locals includes: ART Image Rendering, JScript, Windows Media Player, Word, Works Suite, PowerPoint, Outlook Web Access, and SMB.

There are also three remotes included in the Advisories… true remotes that require zero user interaction. They include vulns in Routing and Remote Access, TCP/IP, and RPC Mutual Authentication.

I’m going to be working with Routing and Remote Access today, so when time permits, I’ll be stopping in to let you know how that’s going and I’m sure others will join in to comment on the progress they’re making.

It’s going to be a long day and an even longer night… Even though I’m pulling an all-nighter, something I thought would end with college, I wouldn’t trade this job for anything. And on that note… back to the fun.

June 15, 2006

Example of Security Gone Horribly Wrong

The link below shows an example of security going horribly wrong. This is an example of someone going through the process of deleting a shortcut in Microsoft's new operating system, Vista.

Shortcut Link

Now, I have never done this myself, so I have no idea whether or not this is in fact the way it works. However, if this process shown is in fact valid, this is a great example of how security can go wrong.

Taking seven steps to delete a shortcut in Microsoft Vista is absolutely ludicrous. It is understood that this is in place to curb spyware from deleting things that the user does not want to delete, but what would the average user do here? Does Microsoft really believe that the average person knows what the SYSTEM owner is supposed to represent? Do they think that people will have the patience to sit through this whole process? It is similar to the restrictive IP list on the Internet Explorer version of Microsoft Windows 2003. Users have to physically add in every web site that they want to go to. Like the shortcut issue above, it is not necessarily a bad idea, but it is a bad implementation of one.

Microsoft is claiming that Vista will be the most secure operating system ever. If it takes multiple steps to perform the most mundane of tasks, then when no one is using it, it definitely will be. Microsoft runs the risk of alienating their bread and butter customers, the ones who are using it for its simplicity. Why should I give a reason to shut the operating system down?

There is no such thing as being too secure, but there is such a thing as making the system so secure that no one will be able to use it.

June 19, 2006

Responsibility and Disclosure

In his blog (which is one of the few on my "Daily Reading" list), Adam Shostack has a really interesting post entitled "The New Transparency Imperative". He makes the point that the new disclosure laws are going to do a great service.

And, while I agree with him, I think we really need to talk about the dark side of the point. Everyone's running around touting the benefits of SB-1386 and laws like it, but we're forgetting the very real damage that disclosure can cause.

We've had a "responsible disclosure" debate in the vulnerability research community for a whole lot of years - the point is simply that, while disclosure forces everyone to be responsible, sometimes, you can have too much of a good thing.

The recent VA compromise is a great example. The analyst whose laptop was stolen obviously potentially compromised a large amount of personal data. However, the average domestic laptop theft isn't a targeted act - the purpose isn't to steal data, but to steal a laptop. However, with the amount of disclosure that happened in this case, it's a safe bet that, if the thieves didn't know what they had stolen (and the value of the data on the laptop), there's no question that they do now.

We likely won't ever know if the thieves stole the laptop for the sake of the laptop, or for the sake of the data. But, if the disclosure had been a little more discreet, it's at least possible that they wouldn't have known what they stole.

I'm not suggesting that we shouldn't disclose - I'm only saying the same thing that has been said about exploits and vulnerabilities for the past 10 years: we need to find a way to be responsible about it.

Is Security Boring?

I've been doing paid security work for roughly 4 years now, and had an interest in it since my dad built our first Apple ][+. I'm starting to wonder if I've seen it all. I'm referring to archetypal scenarios of course; I fully realize you can never 'step in the same river twice'. Having said that, anyone who has enjoyed a few good Danish Christmas dinners knows that even though every rice pudding is a little different, there's not a lot of room for significant variation :)

Technology changes, there are new attacks, new defenses... but is that really true? Personally, all this stuff I'm seeing seems to be variations on a few basic themes. People implement it, other people attack it. Buffer overflows *big yawn* shellcode *yawn* crappy software *yawn* lazy users *yawn* businesses making hardware and software for money and skimping on security *yawn*. Crypto created, crypto broken *yawn* fuzzing *yawn* IPS and firewalls *yawn* automated exploit frameworks *yawn*... Viruses, worms and trojans *super big yawn*...

Sometimes I think it's like being a cop... at first you're all excited to be making a difference. You're going to save lives, make the world a safer place. Fast forward 10 years later, and you're probably well jaded after busting the same junkies 1000 times, the same person that beats his family and never learns, the same thieves that keep getting in trouble. In short, people rarely learn and they keep making the same mistakes.

Security is starting to look the same way. Sure, every now and then something comes out that sounds new and revolutionary... but there's *always* a precedent to some kind of attack in the past. There's nothing truly, radically new. Maybe with all the younger folks coming into the field, being exposed to computers and doing security stuff, it all seems new to them and so they think they're doing something incredible. And I suppose they are, but that doesn't mean it's new. Stop re-inventing the wheel, guys, and know your history or you're doomed to repeat it.

Perhaps the field is maturing and that's why we're not seeing anything truly, radically new. I will make a bet that in the next several months, no one out there will be able to produce, and show to me, anything 'truly, radically new' - I'm confident that I'll be able to show you where and when someone has touched on this before, and if I can't do that, why what you're showing me is nothing more than a variation on a theme already extant.

June 20, 2006

A study in failure: CORBA

Came across this today, don't remember where, but I found it interesting: http://www.acmqueue.com/modules.php?name=Content&pa=showpage&pid=396

If I may purloin a couple of paragraphs for the ADD afflicted folks who don't want to read the whole article:

Today, CORBA is used mostly to wire together components that run inside companies' networks, where communication is protected from the outside world by a firewall. It is also used for realtime and embedded systems development, a sector in which CORBA is actually growing. Overall, however, CORBA's use is in decline and it cannot be called anything but a niche technology now.
Given that only a few years ago, CORBA was considered the cutting edge of middleware that promised to revolutionize e-commerce, it is surprising to see how quickly the technology was marginalized, and it is instructive to examine some of the deeper reasons for the decline.

There are a few reasons I found the article interesting:

First off, we have customers that use CORBA and so I've had to deal with it... it can be challenging stuff :) Kind of like Java in that it's big and tries to do a lot, maybe too much.

Secondly, it demonstrates the downside of standards bodies. Death by committee, and how politics, economics and business motivations affect the security 'ecosphere', if I may use such a poncy term. You can be as smart, productive and visionary as Jon Postel, but it's the suits that will ultimately try to define the shape of the future; sometimes they succeed and sometimes they fail.

Thirdly, it amazes me all over again that folks like the OMG exist, to create standards and technologies. And then license them at exorbitant costs? Stupid idea. In my book, any standards bodies that exist such that the products of their efforts are designed as a revenue stream are completely retarded. It's as bad as getting your news from CNN.

Irrepressible

http://irrepressible.info/

Please show your support. Freedom is more important than security.

June 27, 2006

Congratulations are in order

By now, everyone knows that I regularly read Adam Shostack's blog. He had a great post today, and I'm posting here to simply say congratulations to Adam on his new job with Microsoft.

All of us in the security and IT industries bash Microsoft at times - one needs only to read Slashdot on a given day to know that. But they have done an amazing job of making the world a more secure place in the past 3 years, and they deserve kudos for that.

And, undoubtedly, hiring Adam continues that trend.

About June 2006

This page contains all entries posted to 360 Security in June 2006. They are listed from oldest to newest.
