Security

Is Oracle the new king of bugs? Unpatchable the new slogan?

I always thought that many companies (and Open Source vendors) were hiding behind Microsoft's security blunders, but themselves didn't have a transparent, security-oriented development lifecycle and just used it as marketing material. Now it's showing not only in the news, but also in statistics on sites like Secunia and SecurityFocus. In 2002/2003 Microsoft had its peak as the number one exposed vendor due to its size and pervasiveness, but since then the bug count has been slowing for MS and increasing for all others. Go and check yourself: IIS vs Apache, MSSQL vs MySQL or Oracle, ASP.NET vs PHP on those security sites.

http://news.com.com/2061-10789_3-5808928.html
http://www.eweek.com/print_article2/0,1217,a=160368,00.asp


Unsafe LAMP? Open Source LAMP software has more bugs than Microsoft's stack

After:

IIS6 has fewer bugs than Apache
SQL Server is more secure than MySQL
ASP.NET is more secure than PHP

now this at http://blogs.zdnet.com/Ou/index.php?p=103

On the Linux vs Windows front it's pretty much even without browsers, I guess; with Firefox installed a LAMP box is definitely not a safe boat.


Myth debunking: SQL Server vs MySQL security 2003-2004 (SQL Server has fewer bugs!!)

MS SQL Server (or MSDE) vs MySQL

It seems that yet again an MS product has fewer bugs than the corresponding LAMP product (here are unscientific reports for ASP.NET vs PHP and IIS6 vs Apache).

MSSQL  2003: 12
MySQL  2003: 12 + 1 "multiple" (2003-10-30: MySQL Multiple Vulnerabilities)

MSSQL  2004: 3
MySQL  2004: 8

I am sure everybody will (yet again) start splitting hairs about which is more or less secure, depending on
lines of code, number of installations, Service Packs vs latest build, etc. etc.

This is the list:

  2004-10-07:  MySQL MaxDB WebDBM Server Name Denial of Service Vulnerability
  2004-09-30:  MySQL Unspecified Insecure Temporary File Creation Vulnerability
  2004-09-27:  MySQL Bounded Parameter Statement Execution Remote Buffer Overflow Vulnerability
  2004-09-07:  MySQL Mysqlhotcopy Script Insecure Temporary File Creation Vulnerability
  2004-07-08:  MySQL Authentication Bypass Vulnerability
  2004-07-05:  MySQL Password Length Remote Buffer Overflow Vulnerability
  2004-05-25:  MySQL MYSQLD_Multi Insecure Temporary File Creation Vulnerability
  2004-05-25:  MySQL Aborted Bug Report Insecure Temporary File Creation Vulnerability
  2003-11-24:  MySQL Password Handler Buffer Overflow Vulnerability
  2003-10-30:  MySQL Multiple Vulnerabilities
  2003-09-18:  MySQL mysqld Privilege Escalation Vulnerability
  2003-09-18:  MySQL Double Free Heap Corruption Vulnerability
  2003-07-22:  MySQL AB ODBC Driver Plain Text Password Vulnerability
  2003-06-12:  MySQL libmysqlclient Library mysql_real_connect() Buffer Overrun Vulnerability
  2003-05-12:  MySQL COM_CHANGE_USER Password Memory Corruption Vulnerability
  2003-05-12:  MySQL libmysqlclient Library Read_One_Row Buffer Overflow Vulnerability
  2003-05-12:  MySQL COM_CHANGE_USER Password Length Account Compromise Vulnerability
  2003-05-12:  MySQL libmysqlclient Library Read_Rows Buffer Overflow Vulnerability
  2003-05-12:  MySQL COM_TABLE_DUMP Memory Corruption Vulnerability
  2003-05-05:  MySQL Weak Password Encryption Vulnerability
  2003-03-07:  MySQL Control Center Insecure Default File Permission Vulnerability


  2004-08-24:  Microsoft SQL Server User Authentication Remote Buffer Overflow Vulnerability
  2004-04-14:  Microsoft Remote Procedure Call Service DoS Vulnerability
  2004-04-07:  Microsoft SQL Server 2000 Resolution Service Stack Overflow Vulnerability
  2003-07-25:  Microsoft SQL Server / MSDE Named Pipes Privilege Escalation Vulnerability
  2003-07-25:  Microsoft SQL Server LPC Port Request Buffer Overflow Vulnerability
  2003-07-25:  Microsoft SQL Server / MSDE Named Pipe Denial Of Service Vulnerability
  2003-07-25:  Microsoft SQL Server / MSDE Multiple Vulnerabilities
  2003-07-15:  Microsoft SQL Server JET Database Engine 4.0 Buffer Overrun Vulnerability
  2003-06-16:  Microsoft SQL Server 2000 Resolution Service Heap Overflow Vulnerability
  2003-06-04:  Microsoft SQL MS Jet Engine Unicode Buffer Overflow Vulnerability
  2003-02-01:  Microsoft SQL Server 7.0/2000 DBCC Buffer Overflow Vulnerability
  2003-02-01:  Microsoft SQL Agent Jobs Privilege Elevation Vulnerability
  2003-02-01:  Microsoft SQL Server Extended Stored Procedure Privilege Elevation Vulnerability
  2003-01-27:  Microsoft SQL Server Web Task Stored Procedure Privilege Escalation Vulnerability
  2003-01-25:  Microsoft SQL Server 2000 Bulk Insert Procedure Buffer Overflow Vulnerability

(Figures provided by http://www.securityfocus.com/bid/vendor/)

Security should also mean "easily securable"

If the implementation of security has one major flaw, it is that it is difficult to install and configure.
Alas, Windows can be made VERY secure, it's just that there are so many knobs to turn
that it is almost easier to learn voodoo or black magic.
Therefore most people don't bother, leaving Windows in its default shipping configuration.
Alright, some install antivirus and personal firewalls.
What does securable mean? One just needs to look at how many castles were built in the Middle Ages.
The castle was built on a rock or hill, so the attackers had to put in a maximum effort to get close.
If they wanted to enter through the main gate, they had to cross a slim bridge, where they would be easily intercepted.
The defenders really needed to close the main entrance, perhaps lift the bridge, and they were safe for a while.

Secure by design, secure by default, secure by deployment and even a fourth: secure by defendability.
So there needs to be an OS that is easily defendable, by applying all the clever criteria but also by making it more defendable.

The evil of wrong Windows base configurations

After reading one of the few good articles on The Register, http://www.theregister.co.uk/2004/09/02/winxpsp2_security_review/,
I have to wholeheartedly agree with it, since I like to fiddle with my local policy settings on all machines I run. It's one of the
most underused and least understood technologies in the Windows world.

Basically it allows the following things:

setting account/password options (password strength, account lockout)
disabling legacy components (like LAN Manager authentication: LM & NTLM, used on Windows 9X)
hardware access
IPSEC filters
auditing
disabling configuration of the network, IE, scheduling and other stuff
disabling the command prompt and disallowing lists of executables
disallowing installation of programs
setting ACLs
locking down WMI
hardening TCP/IP
and more stuff

I use the Windows Security Scoring Tool from http://www.cisecurity.org to build secure baselines for standalone and networked PCs and even servers sometimes. I've read somewhere that even Dell ships some workstations with
such a baseline switched on. The CIS tool contains excellent templates which are recommended by organizations like NIST, NSA, DISA, SANS and CIS.
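As an added example (not from the original post or the CIS tool), the following PowerShell script reads a handful of the policy settings this post and the XP SP2 post below talk about (LM/NTLM authentication level, anonymous enumeration, unauthenticated RPC clients, Automatic Updates) straight from the registry and reports whether each is undefined, weak, or matches a hardened baseline. The registry paths are the standard policy locations; the thresholds are my assumptions, not CIS's exact template values.

```powershell
# Added example: audit a few Local Security Policy / Group Policy settings from the registry.
# Thresholds are assumptions for a hardened standalone PC, not a CIS template.
$checks = @(
    @{ Name  = 'LAN Manager authentication level (LM/NTLM off, NTLMv2 only)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'LmCompatibilityLevel'; Want = { param($v) $v -ge 3 } }   # 3+ = send NTLMv2 only
    @{ Name  = 'Restrict anonymous SAM account / share enumeration'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'RestrictAnonymous';    Want = { param($v) $v -ge 1 } }
    @{ Name  = 'RPC: reject unauthenticated remote clients'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'
       Value = 'RestrictRemoteClients'; Want = { param($v) $v -ge 1 } }  # 1 = authenticated only
    @{ Name  = 'Automatic Updates enabled by policy'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
       Value = 'NoAutoUpdate';         Want = { param($v) $v -eq 0 } }   # 0 = AU enabled
)

function Test-Baseline {
    foreach ($c in $checks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            # No policy value at all: the "still undefined" state, so the shipping default applies
            $status = 'UNDEFINED (default applies)'
        } elseif (& $c.Want $item.($c.Value)) {
            $status = "OK ($($item.($c.Value)))"
        } else {
            $status = "WEAK ($($item.($c.Value)))"
        }
        [pscustomobject]@{ Setting = $c.Name; Status = $status }
    }
}

Test-Baseline | Format-Table -AutoSize

# Password strength and account lockout live in the SAM, not the registry; net accounts shows them.
net accounts
```

Run it from an elevated prompt; on a machine with no Windows Update policy defined, the non-policy key under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update decides whether updates are automatic.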


PHP vs ASP.NET Oracle FUD

Bertrand Le Roy fights back against Oracle's article about ASP.NET vs PHP with a rebuttal.

On the security of Apache/PHP vs ASP.NET/IIS I have posted this:
http://dotnetjunkies.com/weblog/stefandemetz/posts/10465.aspx
http://dotnetjunkies.com/weblog/stefandemetz/posts/10388.aspx

What features does ASP.NET still need after Whidbey?

IMHO:
workflow engine
web-based job scheduler (DTS)
easier handling of stored procedures
better SQL injection / cross-site scripting protection/prevention

Why Windows update/Automatic Windows Update suck (part 3)

After seeing the latest developments and improvements I still have several issues with Automatic Windows Update and the Windows Update site.

1) distribution of patches is still not good enough.
   I think that critical patches should be BUNDLED with the latest version of Windows Media, MSN Messenger, IE or even third-party apps like Winzip and Adobe.
2) critical (remotely exploitable or currently exploited) patches are not prioritized in the automated download process, nor in the sequence, nor in download urgency with respect to other security patches
3) patches are not supported by scripts, group policies, .reg registry files, IPSEC rules or configuration files which the user installs with a simple click, in which protective features such as the firewall and automatic updates can be turned on, and features like RPC, file sharing or ports turned off.

XP SP2 RC1 issues

After playing with XP SP2 RC1 for a while I still have a few things which bother me.
I had a look at group policies typing gpedit.msc in the Run command.

I found the following issues:

RPC policies are still undefined, i.e. it still allows unauthenticated anonymous users to log in ... with the bad practices around I doubt it will be switched on

Automatic updates are not enabled -> users will b