SIA324 - Margosis (Defense Against The Dark Ages - Your Old Web Apps Are Trying To Kill You)

The document discusses the security risks associated with outdated web applications, particularly focusing on older versions of Java and Internet Explorer settings. It emphasizes the importance of updating Java to mitigate vulnerabilities and the dangers of carrying over legacy settings that compromise security. Additionally, it highlights the risks of using unsafe ActiveX controls in web applications and provides guidance on how to address these issues effectively.

SIA324
Defense Against the Dark Ages: Your Old Web Apps Are Trying to Kill You
Aaron Margosis
Principal Consultant
Microsoft Corporation
Session Objectives and Takeaways
After this session, I can:
Identify risky practices in your web applications
Persuade managers/developers of the importance of making necessary changes
Articulate options
Scenarios: Windows / IE upgrade; fixing security issues
The Sysinternals Administrator’s Reference
The official guide to the Sysinternals tools
Written by Mark Russinovich and Aaron Margosis
Covers every tool, every feature, with tips
Full chapters on the major tools: Process Explorer, Process Monitor, Autoruns
Other chapters by tool group: Security, process, AD, desktop, …
Book signings with Mark and Aaron: Wed. 11:30am and Thurs., TechEd bookstore
Mark will also be signing Zero Day and Windows Internals 6th Ed. Pt. 1
Agenda
High Risk: Insisting on old versions of Java
Dumb Risk: Carrying old IE settings forward
Insidious Risk: Relying on ActiveX not intended for browser use

Topic: Java past its sell-by date
Java’s Forward Compatibility Promise
Write once, work forever (or: write once, hack forever)
Multiple JRE versions installed side by side
Older versions do not get removed
Vulnerabilities do not get fixed
Program can pick any version it needs
Malware:
  Always uses the version it was developed/tested with
  Always works the way it did when written
Risks of Retaining Older Java Versions
Many JRE updates contain Critical Patch Updates
Cannot retain older versions and be protected
New vulns may also apply to older, unsupported versions
Java support lifecycle is short
Public support for Java SE 5.0 (a.k.a. 1.5) ended October 2009
Public support for Java SE 6.0 (a.k.a. 1.6) ends November 2012
Java 7: GA July 2011, EOL July 2014
Reference: http://www.oracle.com/technetwork/java/javase/eol-135779.html
Most Widely Attacked Component on Windows
Early 2010: Symantec reports notable rise in Java vulns through 2009
Late 2010: Microsoft sees large spike in actual attempted exploits
Latest MS SIRs see the high level continued
“Can we standardize on JRE 1.6 Update 17?”
128 separate vulnerabilities:
March 2010, affecting Update 18 and earlier (27 fixes)
http://www.oracle.com/technetwork/topics/security/javacpumar2010-083341.html
October 2010, affecting Update 21 and earlier (29 fixes)
http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html
February 2011, affecting Update 23 and earlier (21 fixes)
http://www.oracle.com/technetwork/topics/security/javacpufeb2011-304611.html
June 2011, affecting Update 25 and earlier (17 fixes)
http://www.oracle.com/technetwork/topics/security/javacpujune2011-313339.html
October 2011, affecting Update 27 and earlier (20 fixes)
http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html
February 2012, affecting Update 30 and earlier (14 fixes)
http://www.oracle.com/technetwork/topics/security/javacpufeb2012-366318.html
Plus: versions before Update 24 incompatible with IE9
What Does Oracle Say?
“We highly recommend users remove all older versions of Java from your system.”
“Keeping old and unsupported versions of Java on your system presents a serious security risk.”
Ref: http://www.java.com/en/download/faq/remove_olderversions.xml
Updating Java Apps
Oracle: “the latest available [Java] version is always compatible with older versions.”
Don’t demand a specific version in your code
Don’t use low-level sun.misc or com.sun classes (not guaranteed to be consistent between different JRE versions)
No “version lie” available à la Windows shims
Ideally, updating Java should be as uneventful as applying Windows patches
Topic: Carrying old IE settings forward

Making IE work “like it used to”
Things we have observed customers doing:
Copying IE settings from older versions
  Using .reg files
  Using Internet Explorer Maintenance
Turning off Protected Mode (or UAC)
Turning off Data Execution Prevention (DEP, a.k.a. NX)
Copying preserved legacy settings…
Importing custom registry files:
regedit /s ie-settings.reg

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\Cur
"1001"=dword:00000000
"1004"=dword:00000001
"1200"=dword:00000000
"1201"=dword:00000001
"1206"=dword:00000000
"1207"=dword:00000000
"1400"=dword:00000000
"1402"=dword:00000000
"1405"=dword:00000000
"1406"=dword:00000000
"1407"=dword:00000000
"1601"=dword:00000000
"1604"=dword:00000000
"1605"=dword:00000000
"1606"=dword:00000000
"1607"=dword:00000000
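As an added example (not from the session), a small Python audit of a .reg export like the one above, flagging the zone actions the talk singles out. It assumes the standard IE URL-action IDs and values (0 = Enable, 1 = Prompt, 3 = Disable; 2500 = Protected Mode, where 3 means off) and uses a constructed sample file modelled on the slide.

```python
"""Audit an exported IE zone-settings .reg file for carried-forward values
that weaken security. Added example; not code from the session."""
import re

ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}
VALUES = {0: "Enable", 1: "Prompt", 3: "Disable"}

# URL action IDs from the slide's .reg sample plus 2500 (Protected Mode).
# For 1201, "Prompt" counts as "Enable" (as the talk argues) and it is flagged
# in every zone; the others are flagged only in Internet and Restricted sites.
RISKY = {
    "1201": ("Initialize and script ActiveX not marked safe", {0, 1}, {0, 1, 2, 3, 4}),
    "1004": ("Download unsigned ActiveX controls", {0, 1}, {3, 4}),
    "1001": ("Download signed ActiveX controls", {0}, {3, 4}),
    "2500": ("Protected Mode turned off", {3}, {3, 4}),
}

def parse_reg(text):
    """Return {zone_number: {action_id: int}} from .reg export text."""
    zones, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^\[.*\\Zones\\(\d+)\]$", line, re.IGNORECASE)
        if m:
            current = int(m.group(1))
            zones.setdefault(current, {})
            continue
        m = re.match(r'^"(\d{4})"=dword:([0-9a-fA-F]{8})$', line)
        if m and current is not None:
            zones[current][m.group(1)] = int(m.group(2), 16)
    return zones

def audit(text):
    """Return (zone, action id, description, value name) for each risky setting."""
    findings = []
    for zone, actions in sorted(parse_reg(text).items()):
        for action, (desc, bad_values, zones_checked) in RISKY.items():
            value = actions.get(action)
            if zone in zones_checked and value in bad_values:
                findings.append((ZONES.get(zone, str(zone)), action, desc,
                                 VALUES.get(value, str(value))))
    return findings

# Constructed sample: an Internet-zone (3) export with values like the slide's.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000000
"1004"=dword:00000001
"1201"=dword:00000001
"2500"=dword:00000003
"""
```

Running `audit(SAMPLE_REG)` on the constructed file reports all four settings; a clean export (nothing risky in zones 3 and 4) returns an empty list.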
Copying preserved legacy settings…
Internet Explorer Maintenance (IEM)
NOTE: IEM is gone in Windows 8!
Default security has improved…
IEZoneAnalyzer: http://blogs.technet.com/b/fdcc/archive/2011/09/22/iezoneanalyzer-v3-5-with-zone-map-viewer.aspx
Turning off Protected Mode to fix apps
PM enabled in Internet and Restricted Sites; disabled in Intranet and Trusted Sites
Severely restricts ability to write to file system / registry
PM can be turned on/off per security zone
Turning off UAC turns off Protected Mode globally
Can break apps based on mobile code (Java / ActiveX)
These apps should be in Intranet or Trusted Sites
Make sure sites are mapped appropriately!
Do not turn off PM in the Internet zone!
Turning off DEP/NX to fix apps
“DEP causes apps to crash”
Feature, not a bug
Blocks execution from data or other non-execute areas
Better to crash than to execute evil code
Blocks many popular hacker techniques
Three types – memory contains: malicious code, non-malicious code, or garbage
In IE, almost always triggered by add-ons
Topic: Using unsafe ActiveX in web apps

ActiveX
Software re-use technology built on COM and OLE
Scriptable interfaces ([OLE] Automation)
IE’s “plug-in” model
Overcome the limitations of mid-1990s HTML
“Safe for Scripting”
Assertion by the control that it can’t harm the user
Must assert or IE won’t load it… unless security is relaxed
“Initialize and script ActiveX controls not marked as safe for scripting”
Per-zone security setting
Disabled in all zones (except Computer zone)
MS and govt security guidance mandates disabling only in the Internet zone
Not Safe for Scripting
Microsoft Word
Windows Script Host
Scripting components (incl. FileSystemObject)
Can’t enable one without enabling all
Can’t enable for one site in a zone without enabling all
Why Ever Relax This Setting?
Limitations of straight HTML until recently
Creation of Word and Excel documents
Hasn’t always been forbidden: Trusted Sites before IE7
“Prompt” is pretty much “Yes”
Thought Experiment…
Greedy or disgruntled in-house web developer
Has no access to users’ computers
Just creates content for org’s internal home page
If unsafe ActiveX disabled… can’t do much
If unsafe ActiveX enabled…
Change a few lines in a script file (EXTREMELY EASY)
Gain full control over site visitors’ user accounts
Change it back a few days later
Good luck finding the root cause
“We’ve Had It Enabled With No Problems.”
How can you be sure?
How long until something does happen?
Always-increasing concerns (and sophistication):
Insider attacks
Targeted attacks
“Advanced Persistent Threats” (APTs)
OK – How Do We Fix This?
Depends on the app
Example: “WScript.Network” -> UserName
  Capture it on the server (Windows authentication)
  Make the user type it once, then save it
  Custom ActiveX
Most common example: Office automation
  Create on the server with Office Open XML
  Custom ActiveX
Build a Custom ActiveX? Seriously?
Encapsulate the logic in the web page in a custom control
Minimal external interfaces
Consider further lockdown: SiteLock and/or per-site AX
Minimal change to existing web app architecture
Short-term bridge
How Can I Build an ActiveX Today?
Fully supported: Visual C++
  ActiveX Template Library (ATL) helps
  Obvious drawbacks
Fastest and easiest solution: Visual Basic 6
  Yes, I am dead serious
  Most productive way to build simple ActiveX
  Easiest way to automate Office apps
  Lots more people know VB6 than C++
  Support? It’s not completely unsupported
Demo: Using an unsafe ActiveX in a web app… then FIXING it!

In Review – Session Objectives and Takeaways
Now I can:
Identify risky practices in web applications
  Java
  Misconfiguring IE settings
  Unsafe ActiveX
Persuade others of the importance of making necessary changes
Articulate options
References
Alert: Java’s Forward-Compatibility Promise Has Been Revised
http://blogs.technet.com/b/fdcc/archive/2011/10/18/alert-java-s-forward-compatibility-promise-has-been-revised.aspx
Understanding DEP/NX
http://blogs.msdn.com/b/ieinternals/archive/2009/10/10/understanding-data-execution-prevention-crashes-in-ie8.aspx
Enabling “Initialize and script ActiveX controls not marked as safe” in ANY zone can get you hurt, bad.
http://blogs.technet.com/b/fdcc/archive/2011/11/03/enabling-initialize-and-script-activex-controls-not-marked-as-safe-in-any-zone-can-get-you-hurt-bad.aspx
Security Intelligence Report

Track Resources
www.microsoft.com/twc
www.microsoft.com/security
www.microsoft.com/privacy
www.microsoft.com/reliability
Resources
Learning: Connect. Share. Discuss. http://northamerica.msteched.com
Microsoft Certification & Training Resources: www.microsoft.com/learning
TechNet: Resources for IT Professionals http://microsoft.com/technet
Resources for Developers: http://microsoft.com/msdn
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.