Defense Against the Dark Ages: Your Old Web Apps Are Trying to Kill You
Aaron Margosis, Principal Consultant, Microsoft Corporation
SIA324
Session Objectives and Takeaways
After this session, I can:
- Identify risky practices in your web applications
- Persuade managers/developers of the importance of making necessary changes
- Articulate options
Scenarios:
- Windows / IE upgrade
- Fixing security issues
The Sysinternals Administrator's Reference
The official guide to the Sysinternals tools
- Covers every tool, every feature, with tips
- Written by Mark Russinovich and Aaron Margosis
- Full chapters on the major tools: Process Explorer, Process Monitor, Autoruns
- Other chapters by tool group: security, process, AD, desktop, ...
Book signings with Mark and Aaron
- Wed. and Thurs., 11:30am, TechEd bookstore
- Mark will also be signing Zero Day and Windows Internals 6th Ed. Pt. 1
Agenda
- Dumb Risk: Carrying old IE settings forward
- High Risk: Insisting on old versions of Java
- Insidious Risk: Relying on ActiveX not intended for browser use
Java's Forward Compatibility Promise
Write once, work forever:
- Multiple JRE versions installed side by side
- Older versions do not get removed
- A program can pick any version it needs
- Always uses the version it was developed/tested with
- Always works the way it did when written
Write once, hack forever:
- Multiple JRE versions installed side by side
- Vulnerabilities do not get fixed
- Malware can pick any version it needs
- Always uses the version it was developed/tested with
- Always works the way it did when written
Risks of Retaining Older Java Versions
- Many JRE updates contain Critical Patch Updates
- Cannot retain older versions and be protected
- New vulns may also apply to older, unsupported versions
- Java support lifecycle is short:
  - Public support for Java SE 5.0 (a.k.a. 1.5) ended October 2009
  - Public support for Java SE 6 (a.k.a. 1.6) ends November 2012
  - Java 7: GA July 2011, EOL July 2014
Reference: http://www.oracle.com/technetwork/java/javase/eol-135779.html
Most Widely Attacked Component on Windows
- Early 2010: Symantec reports a notable rise in Java vulns through 2009
- Late 2010: Microsoft sees a large spike in actual attempted exploits
- Latest MS SIRs see the high level continue through 2011, and increase in the second half
"Can we standardize on JRE 1.6 Update 17?"
128 separate vulnerabilities fixed since Update 17:
- March 2010, affecting Update 18 and earlier (27 fixes)
  http://www.oracle.com/technetwork/topics/security/javacpumar2010-083341.html
- October 2010, affecting Update 21 and earlier (29 fixes)
  http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html
- February 2011, affecting Update 23 and earlier (21 fixes)
  http://www.oracle.com/technetwork/topics/security/javacpufeb2011-304611.html
- June 2011, affecting Update 25 and earlier (17 fixes)
  http://www.oracle.com/technetwork/topics/security/javacpujune2011-313339.html
- October 2011, affecting Update 27 and earlier (20 fixes)
  http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html
- February 2012, affecting Update 30 and earlier (14 fixes)
  http://www.oracle.com/technetwork/topics/security/javacpufeb2012-366318.html
Plus: versions before Update 24 are incompatible with IE9
What Does Oracle Say?
We highly recommend users remove all older versions of Java from your system.
Keeping old and unsupported versions of Java on your system presents a serious security risk.
Ref: http://www.java.com/en/download/faq/remove_olderversions.xml
Updating Java Apps
- Oracle: "the latest available [Java] version is always compatible with older versions."
- Don't demand a specific version in your code
- Don't use low-level sun.misc or com.sun classes (not guaranteed to be consistent between different JRE versions)
- No "version lie" available, unlike Windows application-compatibility shims
- Ideally, updating Java should be as uneventful as applying Windows patches
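The "standardize on Update 17" slide and the advice above not to pin an exact version can be turned into a small inventory check. What follows is an added example, not code from this talk or from Oracle: it parses the version strings a Windows machine reports for each side-by-side JRE, sums the vulnerabilities from the Critical Patch Updates listed on the slide that each installed update predates, and applies a minimum-version test instead of an exact match. The CPU table and the Update 24 threshold for IE9 come from the slides; the inventory list is constructed for the example and the function names are assumptions of mine.

```python
import re

# Java SE 6 Critical Patch Updates as listed on the slide:
# (CPU, last affected 1.6.0 update, vulnerabilities fixed). The counts sum to 128.
JAVA6_CPUS = [
    ("March 2010", 18, 27),
    ("October 2010", 21, 29),
    ("February 2011", 23, 21),
    ("June 2011", 25, 17),
    ("October 2011", 27, 20),
    ("February 2012", 30, 14),
]
MIN_UPDATE_FOR_IE9 = 24  # slide: updates before 24 are incompatible with IE9

# Constructed inventory (not real data), in the form "java -version" and the
# JavaSoft registry key report it: several JREs left behind side by side.
INVENTORY = ["1.6.0_17-b04", "1.6.0_26-b03", "1.6.0_22-b04", "1.6.0_31-b05"]

# "1.6.0_17-b04" -> family 6, maintenance 0, update 17, optional build tag.
_VERSION_RE = re.compile(r"^1\.(\d+)\.(\d+)(?:_(\d+))?(?:-b\d+)?$")


def parse_version(text):
    """Return (family, maintenance, update) for a Sun/Oracle version string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised Java version string: %r" % text)
    family, maint, update = m.groups()
    return int(family), int(maint), int(update or 0)


def unpatched_vulns(update):
    """Vulnerabilities fixed by the listed CPUs that a 1.6.0 update predates."""
    return sum(fixes for _cpu, last_affected, fixes in JAVA6_CPUS
               if update <= last_affected)


def meets_minimum(installed, required):
    """The check an application should make: at least the version it was
    tested with, never exactly that version (tuples compare element-wise)."""
    return parse_version(installed) >= parse_version(required)


def audit(inventory):
    """Describe each installed JRE and say what to do with it, newest first."""
    versions = sorted({parse_version(v) for v in inventory}, reverse=True)
    newest = versions[0]
    report = []
    for fam, maint, upd in versions:
        if fam != 6:
            raise ValueError("the CPU table on the slide covers Java SE 6 only")
        vulns = unpatched_vulns(upd)
        if (fam, maint, upd) != newest:
            action = "remove: superseded on this machine"
        elif vulns:
            action = "update, then remove the older ones"
        else:
            action = "keep"
        report.append({
            "version": "1.%d.%d_%02d" % (fam, maint, upd),
            "unpatched_vulns": vulns,
            "ie9_compatible": upd >= MIN_UPDATE_FOR_IE9,
            "action": action,
        })
    return report


if __name__ == "__main__":
    for entry in audit(INVENTORY):
        print("%(version)s  unpatched=%(unpatched_vulns)3d  "
              "ie9=%(ie9_compatible)s  %(action)s" % entry)
```

Running it against the constructed inventory shows why "Update 17" is not a standard but a liability: the 1.6.0_17 entry carries all 128 unfixed vulnerabilities and cannot be used with IE9, while the only entry worth keeping is the newest one. The vulnerability counts are only as current as the table; extend JAVA6_CPUS as new CPUs ship.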
Making IE work "like it used to"
Things we have observed customers doing:
- Copying IE settings from older versions, using .reg files or Internet Explorer Maintenance
- Turning off Protected Mode (or UAC)
- Turning off Data Execution Prevention (DEP, a.k.a. NX)
Copying preserved legacy settings... importing custom registry files
regedit /s ie-settings.reg

Windows Registry Editor Version 5.00

; Zone 2 = Trusted Sites. Values: 0 = Enabled, 1 = Prompt, 3 = Disabled
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
; 1001 Download signed ActiveX controls: Enabled
"1001"=dword:00000000
; 1004 Download unsigned ActiveX controls: Prompt
"1004"=dword:00000001
; 1200 Run ActiveX controls and plug-ins: Enabled
"1200"=dword:00000000
; 1201 Initialize and script ActiveX controls not marked as safe: Prompt
"1201"=dword:00000001
"1206"=dword:00000000
"1207"=dword:00000000
; 1400 Active scripting: Enabled
"1400"=dword:00000000
"1402"=dword:00000000
; 1405 Script ActiveX controls marked safe for scripting: Enabled
"1405"=dword:00000000
; 1406 Access data sources across domains: Enabled
"1406"=dword:00000000
"1407"=dword:00000000
"1601"=dword:00000000
"1604"=dword:00000000
"1605"=dword:00000000
"1606"=dword:00000000
"1607"=dword:00000000
Copying preserved legacy settings... Internet Explorer Maintenance (IEM)
NOTE: IEM is gone in Windows 8!
Default security has improved…
IEZoneAnalyzer: http://blogs.technet.com/b/fdcc/archive/2011/09/22/iezoneanalyzer-v3-5-with-zone-map-viewer.aspx
Turning off Protected Mode to fix apps
- By default, PM is enabled in the Internet and Restricted Sites zones and disabled in Intranet and Trusted Sites
- Severely restricts the ability to write to the file system / registry
- PM can be turned on/off per security zone
- Turning off UAC turns off Protected Mode globally
- Can break apps based on mobile code (Java / ActiveX)
- These apps should be in Intranet or Trusted Sites. Make sure sites are mapped appropriately!
Do not turn off PM in the Internet zone! Do not turn off UAC!
Turning off DEP/NX to fix apps
"DEP causes apps to crash"
- Feature, not a bug
- Blocks execution from data or other non-executable memory
- Better to crash than to execute evil code
- Blocks many popular hacker techniques
Three types of DEP crash, by what the memory being executed contains:
- Malicious code (the attack was stopped)
- Non-malicious code (an add-on generated code at run time without marking the memory executable)
- Garbage (a bug that would have crashed anyway)
In IE, almost always triggered by add-ons
ActiveX
- Software re-use technology built on COM and OLE
- Scriptable interfaces ([OLE] Automation)
- IE's "plug-in" model
- Overcame the limitations of mid-1990s HTML
"Safe for Scripting"
- Assertion by the control that it can't harm the user
- Must assert, or IE won't load it... unless security is relaxed
"Initialize and script ActiveX controls not marked as safe for scripting"
- Per-zone security setting
- Disabled by default in all zones (except the My Computer zone)
- MS and government security guidance mandates disabling it only in the Internet zone
Not Safe for Scripting
- Microsoft Word
- Windows Script Host
- Scripting components (incl. FileSystemObject)
- Can't enable one without enabling all
- Can't enable it for one site in a zone without enabling it for every site in that zone
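Anyone inheriting a .reg file like the one shown earlier wants to know which of its zone settings break the two rules this talk states: "Initialize and script ActiveX controls not marked as safe" must be Disabled in every zone but My Computer (and "Prompt" counts as enabled), and Protected Mode must stay on in the Internet and Restricted Sites zones. The following is an added example, not Microsoft's code or a tool from the talk: it parses a Regedit 5.00 export and reports violations. The sample input embeds an abridged copy of the slide's Trusted Sites block plus a constructed Internet-zone key with Protected Mode (setting 2500) switched off; the zone numbers and the 0/1/3 value meanings are the documented IE zone-policy conventions, and the function names are assumptions of mine.

```python
import re

ZONES = {0: "My Computer", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}
VALUE_NAMES = {0: "Enabled", 1: "Prompt", 3: "Disabled"}

# The two rules this talk supports:
# (setting id, display name, zones it applies to, the only acceptable value)
RULES = [
    ("1201", "Initialize and script ActiveX controls not marked as safe for scripting",
     (1, 2, 3, 4), 3),                              # Disabled everywhere except My Computer
    ("2500", "Turn on Protected Mode", (3, 4), 0),  # 0 = on; must stay on in these zones
]

# Constructed sample: abridged Trusted Sites block from the slide, plus an
# Internet-zone key (not on the slide) with Protected Mode switched off.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1001"=dword:00000000
"1004"=dword:00000001
"1200"=dword:00000000
"1201"=dword:00000001
"1400"=dword:00000000
"1405"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"2500"=dword:00000003
"""

_SECTION_RE = re.compile(r"^\[HKEY_[A-Z_]+\\.*\\Zones\\(\d+)\]$", re.IGNORECASE)
_DWORD_RE = re.compile(r'^"(\d+)"=dword:([0-9A-Fa-f]{8})$')


def parse_zone_settings(reg_text):
    """Return {zone: {setting_id: int}} from a Regedit 5.00 export.

    Keys other than ...\\Zones\\N (Lockdown_Zones included), comment lines
    and non-DWORD values are ignored."""
    zone, settings = None, {}
    for raw in reg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            m = _SECTION_RE.match(line)
            zone = int(m.group(1)) if m else None
            continue
        m = _DWORD_RE.match(line)
        if zone is not None and m:
            settings.setdefault(zone, {})[m.group(1)] = int(m.group(2), 16)
    return settings


def audit_zone_settings(settings):
    """One finding per rule violation, ordered by zone and then by rule."""
    findings = []
    for zone in sorted(settings):
        for setting, name, zones, required in RULES:
            if zone not in zones or setting not in settings[zone]:
                continue
            value = settings[zone][setting]
            if value == required:
                continue
            state = VALUE_NAMES.get(value, "unknown (%d)" % value)
            why = ("'Prompt' is effectively 'Enabled'" if value == 1
                   else "must be %s" % VALUE_NAMES[required])
            findings.append({
                "zone": zone, "zone_name": ZONES.get(zone, str(zone)),
                "setting": setting, "name": name,
                "value": value, "state": state, "why": why,
            })
    return findings


def audit_reg_file(reg_text):
    """Parse, then audit."""
    return audit_zone_settings(parse_zone_settings(reg_text))


if __name__ == "__main__":
    for f in audit_reg_file(SAMPLE_REG):
        print("%(zone_name)s: %(name)s = %(state)s (%(why)s)" % f)
```

On the sample it reports two findings: the slide's own "1201"=1 in Trusted Sites (Prompt, which users click through) and the constructed Protected Mode off in the Internet zone. Run it over a file exported with "regedit /e" before importing anything a legacy app "needs"; extend RULES with further settings only where you have a baseline to justify them.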
Why Ever Relax This Setting?
- Limitations of straight HTML until recently
- Creation of Word and Excel documents
- Hasn't always been forbidden: allowed in Trusted Sites before IE7
- "Prompt" is pretty much "Yes"
Thought Experiment…
- Greedy or disgruntled in-house web developer
- Has no access to users' computers
- Just creates content for the org's internal home page
- If unsafe ActiveX disabled... can't do much
- If unsafe ActiveX enabled...
  - Change a few lines in a script file (EXTREMELY EASY)
  - Gain full control over site visitors' user accounts
  - Change it back a few days later
  - Good luck finding the root cause
“We’ve Had It Enabled With No Problems.”
- How can you be sure?
- How long until something does happen?
- Always-increasing concerns (and sophistication): insider attacks, targeted attacks, "Advanced Persistent Threats" (APTs)
OK, How Do We Fix This?
Depends on the app.
Example: "WScript.Network" UserName
- Capture it on the server (Windows authentication)
- Make the user type it once, then save it
- Custom ActiveX
Most common example: Office automation
- Create on the server with Office Open XML
- Custom ActiveX
Build a Custom ActiveX? Seriously?
- Encapsulate the logic in the web page in a custom control
- Minimal external interfaces
- Consider further lockdown: SiteLock and/or per-site ActiveX
- Minimal change to existing web app architecture
- Short-term bridge
Allowing the use of unsafe ActiveX: the page scripts the unsafe component directly.

<script language="vbscript">
Set obj = CreateObject("UnsafeActiveX")
obj.DoStuff("Fun stuff")
</script>

Web page -> Unsafe ActiveX Component

Not allowing the use of unsafe ActiveX: the page scripts a safe-for-scripting control, which in turn drives the unsafe component.

<script language="vbscript">
Set obj = CreateObject("SafeActiveX")
obj.DoStuff("Useful stuff")
</script>

Web page -> Safe-for-scripting ActiveX Component -> Unsafe ActiveX Component
How Can I Build an ActiveX Today?
- Fully supported: Visual C++; the ActiveX Template Library (ATL) helps; obvious drawbacks
- Fastest and easiest solution: Visual Basic 6 (yes, I am dead serious)
  - Most productive way to build simple ActiveX
  - Easiest way to automate Office apps
  - Lots more people know VB6 than C++
  - Support? It's not completely unsupported
In Review: Session Objectives and Takeaways
Now I can:
- Identify risky practices in web applications: Java, misconfigured IE settings, unsafe ActiveX
- Persuade others of the importance of making necessary changes
- Articulate options
References
- Alert: Java's Forward-Compatibility Promise Has Been Revised
  http://blogs.technet.com/b/fdcc/archive/2011/10/18/alert-java-s-forward-compatibility-promise-has-been-revised.aspx
- Understanding DEP/NX
  http://blogs.msdn.com/b/ieinternals/archive/2009/10/10/understanding-data-execution-prevention-crashes-in-ie8.aspx
- Enabling "Initialize and script ActiveX controls not marked as safe" in ANY zone can get you hurt, bad.
  http://blogs.technet.com/b/fdcc/archive/2011/11/03/enabling-initialize-and-script-activex-controls-not-marked-as-safe-in-any-zone-can-get-you-hurt-bad.aspx
- Security Intelligence Report
  http://www.microsoft.com/security/sir/default.aspx
Resources
- Connect. Share. Discuss. http://northamerica.msteched.com
- Learning: Microsoft Certification & Training Resources, www.microsoft.com/learning
- TechNet: Resources for IT Professionals, http://microsoft.com/technet
- MSDN: Resources for Developers, http://microsoft.com/msdn
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.