lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <optid.4760cfd6ea.58DB1B68E62B9F448DF1A276B0886DF11C6CD1C8@EX2010.hammerofgod.com>
Date: Mon, 24 May 2010 01:40:51 +0000
From: "Thor (Hammer of God)" <Thor@...merofgod.com>
To: Larry Seltzer <larry@...ryseltzer.com>,
	"full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: denial-of-service vulnerability
	in	theMicrosoft Malicious Software Removal Tool

I've been trying to get through to him Larry, but it's been hard ;)

Stu, let's try this first... 

In XP, you don't have "built in" elevation features like you do with Vista and Windows 7.  While you can certainly run as a regular user and use "runas" when you must run something the requires administrative privileges, it's not exactly the easiest thing for people to do.  As such, they just run as admin.

This is really, really bad.  It's like running as root for everything.  Whoever set up your client's systems did them a great disservice when they configured everyone to run as admin, as you are beginning to see.  While not all malware requires admin permissions, most do.  

The way your client got malware was by downloading something and installing it as admin.  You should not feel sorry for them.  *THEY* did it.  *THEY* are running as admin and THEY are getting infected.  If they choose to say with XP and not have AV properly installed, and to not run as a normal users, that is THEIR fault.  When they get infected, you bill them as you should.   

Create a normal user for them and see if their software works.  That's the simplest thing.  If it does, then have them run as that user and not admin - that's the least you can do and what I could consider "responsible" from a professional standpoint.   Other aspects of the user experience can be very easily controlled via GPO assuming they have a domain structure.   Of course, the recommendation is to move into Windows 7, which is just freaking awesome.   These are the things you need to be concentrating on.

But saying they shouldn't be using Windows because they are running software released almost 10 years ago with inadequate AV and running under admin while downloading things they shouldn't honestly makes you look like a tool.  To focus your attention on MRT *maybe* causing your system to boot improperly is ludicrous.  Focus on the malware.  Focus on the user.  

We're trying to help here, but you are going to have to do your part too.
T

p.s.  Last time you were talking about your unreleased code being 1951 bytes that gave you a drive tot, free, and % free.  I believe you said to me "to do better if you can."    Feel free to use the below code at your discretion.  I only spent about 15 minutes on it, so I apologize if it is rough.  However, it returns all local AND network drives on the system in a single command with total, free, and percentage free.   It's 886 bytes.  I'd call half the size with more than twice the capabilities "doing better."  :-p   Oh, don't mistake the "FreeBFD" part for something it's not.  That's just what I thought of it ;)

using System;
using System.Management;
namespace FreeBFD
{class Program{static void Main(string[] args){
ManagementClass drivesClass = new ManagementClass("win32_logicaldisk");
ManagementObjectCollection drives = drivesClass.GetInstances();
foreach (ManagementObject drive in drives)
{
drive.Get();
int type = Convert.ToInt32(drive["DriveType"]);
if (type == 3 | type == 4) 
{
double size = Convert.ToInt64(drive["Size"]);
double free = Convert .ToInt64(drive["FreeSpace"]);
Console.WriteLine("Drive " + drive["deviceid"] +"\nTotal:\t"+ size + "\nFree:\t " + free + "\n%Free:\t" + Convert.ToDouble((free/size)*100)+"\n");
}}}}}

>-----Original Message-----
>From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-disclosure-
>bounces@...ts.grok.org.uk] On Behalf Of Larry Seltzer
>Sent: Sunday, May 23, 2010 5:57 PM
>To: stuart@...erdelix.net; full-disclosure@...ts.grok.org.uk
>Subject: Re: [Full-disclosure] denial-of-service vulnerability in theMicrosoft
>Malicious Software Removal Tool
>
>Don't you get it? Your customers installed malware while logged in as
>administrator on XP. MSRT isn't magic. From this you tell people "Don't run
>Windows"?
>
>And if your customers' apps require admin privileges and they have to run on
>XP then they really can't be properly secured.
>
>Larry Seltzer
>Contributing Editor, PC Magazine
>larry_seltzer@...fdavis.com
>http://blogs.pcmag.com/securitywatch/
>
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ