Dailydave mailing list archives

runonce and birds.
From: "Dave Aitel" <dave.aitel () gmail com>
Date: Sat, 31 Mar 2007 11:08:07 -0400

So every time I boot up my Windows XP SP2 box for testing and it hits that
Microsoft "runonce" page in IE I feel like I should reinstall. Does anyone
else feel like that? All of the "mitigating factors" on every Microsoft
advisory say "A user would have to visit a malicious web page". And then you
have people like Gadi Evron tracking each individual domain they think is
"hot" and anti-virus companies taking in lists. But that runonce page runs
in HTTP. Now I can see someone at MS sitting there with Fes's threat
modeling book going "hmm, it makes an outbound connection", and then the
project manager, who has some sort of liberal arts degree, going "but it
only comes here to Microsoft so cleartext is ok". [2]

I'm not going to go into the legitimacy of poisoning Windows DNS with the
WPAD stuff mentioned this week, or the fact that most ISPs are run by
hackers who will happily MITM every HTTP connection and shove an ANI exploit
into www.opinionistas.com or whatever weblog your girlfriend is reading on
your computer that day as she fantasizes she never got an English degree and
went into law school. Even without all that, any hacker worth the term can
hack websites faster than they can be cleaned up.

I watched an AVI of Raven Adler's Shmoocon talk the other day. It was
completely devoid of content, except at the end, when someone stood up and
asked her "Why should we trust you to secure the Internet's infrastructure
if you can't even secure your own laptop?"[1] She responded "0day can happen
to anyone."

This is true, I guess. The important corollary is that since there are
non-public kernel bugs, and non-public client-sides and the ability to shove
them into every web page visited by almost anyone, that "0day can happen to
everyone".

Can and _does_. I think I will reinstall that XP box.

FWIW in CANVAS you have this concept of a "post-condition" which is a module
(or set of modules) that get run after an exploit is successful. So for
example after the spooler exploit is run we restart the spooler service.
I was tempted to make GDIWrite4 a post-condition for the CANVAS ANI exploit
so that it was a full unpatched path to LOCAL\SYSTEM, but I decided against
it at the last minute.

The biggest question in the ANI exploit is "Why now?" If an attacker knew
the average lifespan of an 0day, they could maximize their usage to optimize
the number of hosts they hit. I'm not sure what this curve would look like
(Dan Geer would know), but I'd predict you'd see 0day being "wasted" as it
reaches the end of its predicted usefulness. Perhaps this is what happened
to ANI.

-dave

[1] This was probably a reference to the events noted here:
http://www.theregister.co.uk/2006/02/08/apple_vulnerability/ (The unknown
researcher in this case is assumed to be Raven)
[2] This was shoddy work. It's just as bad as every bank putting their login
page on a cleartext connection, as if MITM can't rewrite a form. The SDL
should say "No default outbound non-signed and sealed connections". But it
doesn't. A while back everyone made a big hubbub over Michael Howard's
feeling that there should be LESS vulnerabilities in modern Microsoft OS's.
I got the feeling he was saying "or else we're all fired". XP SP2 is
essentially in complete collapse. If this happens to Vista, a lot of
companies might just make the decision to move their data security
requirements over to hosting on Google-farms...

Speaking of Kiwis, Justine is headed back to Wellington, NZ, for a few days
for a wedding. She took my SILICA with her, so if you want to get a quick
demo, spam her an email.