Microsoft Windows

No-Hassle Way to Kill ActiveX Controls

ActiveX has always been a weak point in IE. The majority of browser plug-in vulnerabilities are ActiveX based. Microsoft realizes this and has a method to disable certain problematic ActiveX controls. But Microsoft’s method involves setting the kill bit by editing the registry and in order to discover the CLSID (Class ID) of the control you want to disable, you may have to uninstall others. In short, it’s a messy way to do things.

Errata Security to the rescue. They’ve created AxBan, a free tool to set the kill bit on known bad ActiveX controls. Errata promises that they’ll “be updating it as needed with new CLSIDs on an as needed basis.” AxBan is a single, small (45.5 KB), standalone executable that contains a list of known dangerous ActiveX controls. It highlights in red any you have installed on your system and gives you a button to set the kill bit. Be careful, though–there isn’t an “undo” button. Once you set the kill bit, if you find you’ve made a mistake, you’ll have to edit the registry to unset it.

Nevertheless, it’s a handy tool to have in your security arsenal

Windows XP SP3 Offers Enhanced Reliability and Security, But Not IE7

The long-awaited Windows XP Service Pack 3 became available as an Express Update May 6, 2008 on Windows Update, and offers enhanced reliability and security through a few new features: Network Access Protection (NAP), designed to work with Windows Server 2008; a product key-less install option; a Kernel Mode cryptographics module, and; a “black hole” router detection algorithm.

One puzzling thing, however, is that SP3 doesn’t include the more secure IE7–it ships with a fully-patched IE6 instead. As I found out, having applied SP3 to my systems, all of which are running IE7, this isn’t a problem; systems won’t be rolled back to IE6. Here’s an excerpt from the IE Blog:

XPSP3 will continue to ship with IE6 and contains a roll-up of the latest security updates for IE6. If you are still running Internet Explorer 6, then XPSP3 will be offered to you via Windows Update as a high priority update. You can safely install XPSP3 and will have an updated version of IE6 with all your personal preferences, such as home pages and favorites, still intact.

If you are currently running IE7 on XPSP2, Windows Update will offer you XPSP3 as a high priority update. If you choose to install XPSP3, Internet Explorer 7 will remain on your system after the install is complete.

If you’re still running IE6, you really should upgrade to IE7. Along with SP3, that will make your XP system as secure as it can be at this time.

Your Wallet is the Best Password Manager

Although I use them for sites that don’t require much security, password managers are something I generally stay away from. Why? Because they store the information on my hard drive or a website, both of which could be compromised by a determined hacker. Even a relatively unsophisticated hacker could exploit an unpatched vulnerability leaving my passwords open to inspection. My personal security policy is to make it as hard as possible for someone to get to my passwords.

I write them down and keep them in my wallet.

Yes, that is the most secure “password manager” there is. No one can get to your wallet from the Internet or your PC. Passwords written on a piece of paper and stored in your wallet are nearly impossible to compromise–someone would have to steal your wallet (or you’d have to lose it) to get at them. How likely is that? I’m 55 years old and have never lost my wallet or had one stolen. Just be sure not to write down your username with the passwords.

Tighten Security With Your Hosts File

Using a HOSTS file to block access to malicious or unwanted web sites is an old trick and it’s excellent protection against malware. I’ve been using the mvps.org hosts file for about five years, and I have never been infected with any malware, despite, for testing purposes, intentionally visiting sites known to host it. The thing just works. It’s a great way to add an additional layer of security to your machine. You’ll also notice that many of those annoying ads no longer display in your browser.

Today, I found a cool utility that will let you download, install, and update your HOSTS file directly from the mvps.org site: Hosts File Updater, a freeware program by FaltronSoft. This single 16K executable checks the mvps.org site for a new version of the HOSTS file. If it finds one, it asks you if you want to update. Give your permission and the program backs up your existing HOSTS file and downloads and installs the new one. It also automatically sets the file to read-only, a nice feature.

How to Prevent DNS Rebinding Attacks

There’s nothing new about the DNS rebinding attack, but it’s in the news again. Dan Kaminsky, Director of Penetration Testing for IOActive has shown a video of the attack in action at the RSA 2008 Conference. I first addressed this problem more than a year ago in a Lockergnome posting, and just recently in this Security Corner article. Both of those articles say the same thing: Change the default password on routers, switches, and any other configurable device on your network.

There’s another thing you can do: Use OpenDNS; they block known phishing and malware-infested sites, thereby making your web surfing more secure. They also just released a nifty tool called FixMyLinksys that makes it easy for anyone to change the default password and enable OpenDNS. An article at DarkReading.com had this to say about OpenDNS:

…“This will stop all the automated attacks that Dan is showing at the RSA conference today. It’s easy and is done over the Web,” says David Ulevitch, CEO of OpenDNS.

OpenDNS also launched a new type of DNS filter today that protects users from a DNS response from a malicious server. “In short, a DNS response from a malicious server that resolves to a host inside your network would get blocked,” Ulevitch says.

I’ve been using OpenDNS for some time; I’m glad to see they’ve addressed this issue directly.

You Clicked? Really? Are You Nuts?!

This has to be one of the most evergreen security topics to come along; no matter how much anyone writes about the dangers of clicking on links or opening attachments in unsolicited email, people continue to do it. SANS NewsBites, March 25, 2008, Vol. 10, Num. 24, begins with this statement:

The Excel story is number two in Top of the News this week because of the critical lesson it teaches: When you see your anti-virus package scanning a Word or Excel file, the odds are VERY high that it won’t find any of the important new vulnerabilities nation states and rich criminals are using to get past the most sophisticated defenses. Don’t open email attachments unless you were expecting them. [Emphasis added] Send a note back and ask the person to embed the text in a simple email. This matters to your career. The people who break this rule will be the reason their organization’s data are stolen and they won’t be able to hide.

(They’re referring to a months-old Excel vulnerability for which the exploit code has just been widely released. For more information on that, you can check out this ComputerWorld article.)

I remember, years ago, a client got a nasty malware infection that resulted in my finally resorting to a full wipe/reload of the OS and all her data. I had solved a couple of minor adware issues for her in the past and, as is my custom, gave her my standard admonition, “NEVER, EVER click on anything if you don’t know where it came from.”

“But I clicked on CANCEL!” she replied. She just couldn’t get her head wrapped around the idea that no means yes, yes means yes, cancel means yes, exit means yes, ANY click means yes.

I’m thankful that most of my clients now either call me or drop me an email if they see a message or pop-up they don’t understand, and malware-related emergencies are way down. But they’re not completely gone. Occasionally, I still get that one dull client who calls to say they clicked on something and now they’ve got popups all over their screen.

All I can say (think) is, “You clicked? Really? Are you nuts?”