Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don't do it.
Readers respond on Deep Six spamwall
In this issue
- TOP STORY: Readers respond on Deep Six spamwall
- PATCH WATCH: I'm a little 0x80242006 today
- WOODY'S WINDOWS: How to restore with confidence
- PERIMETER SCAN: Judging third-party patch practices
- OVER THE HORIZON: Unpatched flaws threaten Windows users
Readers respond on Deep Six spamwall
By Brian Livingston
Our tests of antispam appliances in the Jan. 26 newsletter made a definite impression on our readers. The article received a reader rating of 4.15 out of a possible 5, our highest-rated article so far (well, in all two of the issues that’ve supported reader ratings to date). And several subscribers sent us their own results from testing the least-expensive appliance in our review: the Deep Six Technologies DS200 Spamwall, which we found to be highly effective.
This device, our tests showed, prevented almost all spam servers from even connecting to our test mail server. No quarantine folder of "possible spam," therefore, is needed. This means there’s no morass of junk mail to examine for misdirected legitimate messages. Quarantine folders not only waste your users’ time, but also expose them to phishing scams and all the other bad stuff that spam usually contains.
The DS200 ($999 list) produced no false positives in our tests but allowed into our inboxes only 0.09% of the thousands of unwanted messages that spammers attempted to send. This performance compares very favorably with competing SMB antispam appliances that list for $3,000 to $7,200, plus ongoing license fees. (Many of the alternatives, however, also offer antivirus and firewall protection that the Deep Six invention does not.)
Despite its low cost, simplicity, and effectiveness, the Deep Six device has never been reviewed by any major computer magazine. The DS200 uses “connection scoring,” which ranks incoming mail connections using a “decision tree” involving several dozen real-time block lists. Test labs cannot review this approach by merely sending a corpus of known spam and not-spam from one test server to another. It can only be reviewed using a live mail server and a live stream of SMTP (Simple Mail Transport Protocol) connections. I repeat my call for better-funded research labs to commit the resources necessary to really torture-test the DS200.
As a result of my article, many of our readers learned about Deep Six for the first time. To be sure, the DS200 is useful only to companies that operate their own mail servers. But this represents a large portion of our subscribers. I believe the principles at work in the Deep Six device can eventually relieve individual computer users of spam as the Spamwall’s methodologies are licensed (or imitated) by ISPs and others.
Decision tree reduces mail-server demands
Many of our readers who tested the device for themselves reported that it succeeded in its major benefit: reducing the CPU time and storage space that their mail servers previously consumed calculating spam scores for incoming messages. Reader Alex Davidson writes:
- “We currently use GFI’s Mail Essentials software installed on a server. In January 2006, it reported that we received an average of 18,662 messages a day. Of those, 99% were identified as spam by GFI.
“On Friday, Feb. 3rd, I set up our new DS200 (purchase based solely on your review), put it on the LAN, then switched the firewall to point to it (all during business hours and no problems were experienced).
“Yesterday, the number of messages hitting GFI dropped by 82% to 3,317, with 90% of those being identified as spam by GFI.
“We currently have the spam threshold on the DS200 set to 15, but plan on reducing this one point every week or so until we get to our goal of 10, unless it causes too many false positives.
“So far we’re very pleased, and hope to improve things even further.”
My own office has five mail users on a Microsoft Exchange Server. We’ve gradually reduced the permissible "spamminess" connection score from 20 to 15 to 10 (out of a possible 100) on the test DS200 unit we purchased. We still haven’t received a single report of a false positive (a legitimate sender whose message bounced). We’ve been filtering our live mail stream through the DS200 now for approximately 45 calendar days. If any newsletter readers had received bounce errors, at least one of them would have informed us through our Web comment form or voicemail service, the alternate contact methods that are specified in the error notice.
What to do when you have no spam
Other testers also noticed an immediate reduction in the load on their mail servers after installing a DS200. Reader Mike Winfrey writes:
- “I have a small IT consulting company and I have an e-mail server that was getting hammered with spam, just like everyone else. Unfortunately, I didn’t know how badly it was getting hammered.
“I installed the DS200 on Friday, Feb. 10, at about 10:30 a.m. My server breathed an immediate sigh of relief. In about 30 hours, the DS200 processed approximately 34,000 emails with a rejection rate of 82%.
“Unfortunately, I had to reboot the DS200 because of a configuration change and didn’t think to write down the statistics beforehand. So, at about 3:30 on Saturday, Feb. 11, my counters started over. Since then, the DS200 has processed 14,741 emails with a rejection rate of 86%. Now for the outstanding part. My personal inbox hasn’t received any spam.
"I’ve seen a lot of new products over the last 20 years and I don’t normally get excited about them, but I am excited about this. It’s fun to watch all those little pests die a horrible death. I sit and watch the real-time process as it reports, ‘Done blocking server.’ Yeah!!!!
“That’s outstanding. After the ‘new’ wears off, I’ll continue with the rest of my life.”
Considering its effectiveness, the Deep Six technology is surprisingly simple. It has no moving parts and, after an initial configuration period, it’s a set-it-and-forget-it device.
That leaves little for you to do but watch a scrolling window showing spam server after spam server that’s being denied an SMTP connection. This is admittedly a tempting pastime. But I strongly advise everyone who installs this little device to tear yourself away from the window and get some real work done!
Connection algorithm beats block lists alone
Subscribers who had previously depended on the binary use of yes-no block lists also found benefits from the DS200. As explained last issue, the device uses a sophisticated mathematical model to gauge the interaction between various block-list recommendations rather than defaulting to any single yes-no judgments. The device also asks some mail servers to re-send a given connection attempt. This almost always uncloaks spam servers, which value nothing but speed and are programmed to ignore such hand-shaking.
Reader Rich Wills writes:
- “Thanks for your review of the Deep Six device. Our 300-seat firm was having very mixed results using RBLs (Spamhaus and SpamCop amongst them). We got so very tired of the whining, both about the amount of spam [not] being caught and the very small amount of false positives we were experiencing.
“E-mail volume here is high (4,000-6,000 per day) and the whining was growing. We purchased the Deep Six device last week and have seen an amazing drop in spam getting through.
“Today was a milestone — not one spam e-mail upon arrival this morning. I was accustomed to over 40 per day. Great device, inexpensive, and I had to restrain myself from buying it a Valentine, I love it so much. Thanks for reviewing the device.”
One serious criticism of real-time block lists is that they sometimes ban innocent parties. The Deep Six approach, which assembles a matrix of dozens of block-list ratings, appears to work around such mistakes.
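The two passages above describe the technique in words: weigh many block-list opinions instead of trusting any one of them, ask a borderline sender to retry, and refuse the connection before any message data is accepted. The following is an added illustration written for this article, not Deep Six's algorithm or DS200 firmware. The list names, weights, the 0-100 scale, the thresholds and the lookup results are all constructed; a real deployment would issue live DNS queries against the lists it trusts.

```python
"""Added example (not Deep Six's or the DS200's code): weighted block-list
"connection scoring" with a greylist-style retry, as the article describes.

Everything below is constructed for the demonstration: the block-list zone
names and weights, the 0-100 score scale, the threshold values, and the
lookup results. A real deployment would issue DNS queries against live lists.
"""

# Constructed block lists and the weight each one contributes to the score.
# No single list can reach a typical threshold on its own, so a mistaken
# listing on one list does not by itself cause a rejection.
BLOCK_LISTS = {
    "bl-alpha.example": 30,
    "bl-beta.example": 30,
    "bl-gamma.example": 25,
    "bl-delta.example": 15,
}

# Constructed stand-in for live lookups: which zones currently list which host.
# Addresses are taken from the RFC 5737 documentation ranges.
LISTINGS = {
    "203.0.113.7": {"bl-alpha.example", "bl-beta.example", "bl-gamma.example"},
    "203.0.113.8": {"bl-delta.example"},   # one minor list only; possibly a mistake
    "198.51.100.3": set(),                 # freshly compromised host nobody lists yet
}


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the name a real DNSBL lookup resolves: reversed octets plus zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def lookup(ip: str, zone: str, listings=LISTINGS) -> bool:
    """Simulated DNS lookup; returns True when the zone lists the address.

    A live implementation would resolve dnsbl_query_name(ip, zone) and treat
    any A record in 127.0.0.0/8 as a listing."""
    return zone in listings.get(ip, set())


def connection_score(ip: str, listings=LISTINGS) -> int:
    """Sum the weights of every list that flags the host, capped at 100."""
    total = sum(weight for zone, weight in BLOCK_LISTS.items()
                if lookup(ip, zone, listings))
    return min(100, total)


class Greylist:
    """Remembers (ip, sender, recipient) triplets that were told to retry."""

    def __init__(self):
        self._seen = set()

    def is_retry(self, ip: str, sender: str, recipient: str) -> bool:
        key = (ip, sender, recipient)
        if key in self._seen:
            return True
        self._seen.add(key)
        return False


def decide(ip, sender, recipient, greylist, threshold=10, listings=LISTINGS):
    """Return (verdict, score). A lower threshold is more aggressive, as in
    the article's 20 -> 15 -> 10 tuning."""
    score = connection_score(ip, listings)
    if score >= threshold:
        return ("reject", score)     # refused before any message data is accepted
    if not greylist.is_retry(ip, sender, recipient):
        return ("tempfail", score)   # 4xx: a real mail server retries, most spamware does not
    return ("accept", score)         # hand the connection to the mail server / content filter


def demo(threshold=20):
    """Run every constructed host through a first attempt and a retry."""
    greylist = Greylist()
    results = []
    for ip in LISTINGS:
        first = decide(ip, "sender@example.org", "user@example.com", greylist, threshold)
        retry = decide(ip, "sender@example.org", "user@example.com", greylist, threshold)
        results.append((ip, first, retry))
    return results


if __name__ == "__main__":
    for ip, first, retry in demo():
        print(f"{ip:14} first={first} retry={retry}")
```

Note the third host: it scores 0 because nobody lists it yet, so it is greylisted once and then accepted. That is the same path a forwarding server with a clean reputation, or a newly compromised zombie, takes through a connection-scoring device, which is why the readers later in this article keep a content filter behind it.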
Watch out for friendly-server forwarding
I don’t want to give the impression that Deep Six’s results are perfect, by any means. One of the "gotchas" that testers found is a case in which users forward e-mail to company accounts from other addresses.
Reader Greg Shaffer describes his findings as follows:
- “The main attraction for me is that connections are dropped before the message is accepted. We run SpamAssassin on our mail server, and the resources it was taking were a growing concern for me. However, not knowing anything more than the IP address of the dropped connection and the score is a little disconcerting. I am hoping I will find the syslog reporting is a little more detailed. …
“If you have any users auto-forwarding messages from a spam-ridden account at a legitimate server, this box will score the legitimate server as clean and pass them right through. We are currently running the DS200 in front of SpamAssassin and, not surprisingly, it is filtering out these messages without any difficulty.”
If you can’t talk users out of this kind of forwarding, at least the DS200 device can substantially reduce the amount of mail on which your server has to perform CPU-intensive content filtering. Best of all would be to talk those users into changing their outside addresses that have become saturated with spam. Be sure to "spam-proof" the new addresses; my recently revised e-book on the subject explains a few easy steps to do this.
Verizon can’t configure mail servers properly
Shaffer uncovered a serious problem with the way Verizon, the large New York-based ISP and telephone conglomerate, handles its mail servers.
In my Datamation columns of Jan. 3 and Jan. 24, I explained that companies using both an antispam appliance and a mail server should direct all mail to the appliance. To do this, you set up what’s called an MX (Mail Exchanger) record. This tells outside mail servers what IP address any messages to your domain name should be sent to. Your mail server should then be configured to deny all SMTP connections, except from the appliance itself. This prevents spam servers from simply connecting to your mail server’s IP address or its subdomain name, which is a common trick of big-time spam software.
Shaffer continued his comments to me on the DS200 by explaining the error he found in Verizon’s mail servers:
- “The recommended procedure is to remove the MX record for your mail server after you have fully tested the DS200. After I did that, I started accumulating [outgoing] mail for Verizon.net in my mail queue. I eventually discovered that Verizon’s antispam measures require both an MX record for the sending server and the ability for them to make a delivery attempt for the sending address at that server. The clearest description I have found of this is in the December 2nd blog entry at this site: Jeff.Squyres.com.
“DS200 implications aside, I think the Verizon issue is very interesting. Their method of protecting their users/servers from spam costs me (a legitimate sender) extra CPU cycles and bandwidth.
“In addition to the Verizon problem, some spammers have been sending directly to our mail server, even when there wasn’t an MX record. Even the engineer at Tyrnstone reported the same problem.
“However, there seems to be a very workable solution. As you suggest, a layered approach is very effective. Since all legitimate mail should be going through the DS200, I am now able to be very aggressive with RBL checks and access control lists on our mail server. This has effectively blocked nearly all of the messages being sent directly to the mail server, is not as resource intensive as having those messages running through SpamAssassin, and doesn’t seem to cause any problems with Verizon (at least as far as I can tell right now).
“I believe the DS200 will be a welcome addition to my network. It is doing a good job of discarding a large percentage of spam before it hits our server. However, the DS200 passes more than a little spam from hosts which aren’t flagged by enough of the RBLs that the DS200 checks. I’ve been checking, and generally these hosts are getting scored as 0’s or 5’s, so this isn’t simply a tuning issue. More than likely, they are just the latest hosts being exploited by spammers and have not yet been listed.
Given that, and the need to keep port 25 open on the mail host (because of the Verizon issue), I would strongly recommend using the DS200 in conjunction with SpamAssassin or some other content-based anti-spam measure.”
Verizon.net is clearly wrong in requiring that an outbound-only mail server must also have an MX record and accept incoming messages. Most large companies, as well as many educational institutions, maintain separate outgoing and incoming mail servers to handle the load. In addition, security appliances must be located on a separate IP address from the mail servers they protect. The Internet’s mail protocols clearly state that every sending mail server must check the recipient company’s MX record to see which IP addresses are designated to receive incoming messages.
Fortunately, this kind of misconfiguration is easy to work around. As Shaffer reported, simply filtering out most messages that are sent directly to the wrong IP address (but accepting those from Verizon.net) allows legitimate mail to be transferred while avoiding the usual spammers’ tricks.
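The MX arrangement described above, together with Shaffer's workaround, amounts to two checks: the public MX record must resolve to the appliance and never to the mail server itself, and the mail server's own port 25 must treat any direct connection with suspicion apart from the appliance and the ISP's verification callbacks. The following added example, written for this article and not Deep Six's, Tyrnstone's or the reader's code, models both. The addresses, block-list names and the callback network are constructed; the real ranges Verizon.net connects from would have to come from your own logs. Matching the callback exception on the peer address rather than on MAIL FROM matters, because the envelope sender is trivially forged.

```python
"""Added example (not Deep Six's, Tyrnstone's or the reader's code): a
port-25 policy for the protected mail server plus a check that the public
MX record really points at the appliance.

Constructed assumptions: the appliance and mail-server addresses, the
block-list zone names and the placeholder callback network.
"""
import ipaddress

APPLIANCE_IP = ipaddress.ip_address("192.0.2.10")       # constructed: DS200 LAN address
MAIL_SERVER_IP = ipaddress.ip_address("192.0.2.25")     # constructed: the protected server

# PLACEHOLDER: the networks the ISP's servers connect from when they verify
# a sending address. Match on the peer address, never on MAIL FROM.
CALLBACK_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

STRICT_LISTS = ("bl-alpha.example", "bl-beta.example")  # constructed zone names


def port25_verdict(client_ip: str, rbl_hits) -> str:
    """Decide what the mail server itself does with an incoming SMTP connection.

    rbl_hits is the set of zones that list client_ip (the lookup itself is
    outside this example)."""
    ip = ipaddress.ip_address(client_ip)
    if ip == APPLIANCE_IP:
        return "accept"            # already connection-scored by the appliance
    if any(ip in net for net in CALLBACK_NETWORKS):
        return "accept-filtered"   # must succeed, or outbound mail to the ISP queues up
    if any(zone in STRICT_LISTS for zone in rbl_hits):
        return "reject"            # direct delivery bypassed the MX: one hit is enough
    return "accept-filtered"       # unknown direct sender: still goes through SpamAssassin


def mx_points_at_appliance(zone: dict, domain: str) -> bool:
    """True when every MX target for the domain resolves to the appliance and
    none of them to the mail server. `zone` is a constructed {name: records}
    dictionary standing in for DNS."""
    mx_targets = [target for _priority, target in zone.get(domain, {}).get("MX", [])]
    if not mx_targets:
        return False
    for target in mx_targets:
        addrs = {ipaddress.ip_address(a) for a in zone.get(target, {}).get("A", [])}
        # A lower-priority MX that resolves to the mail server is exactly the
        # hole spam software exploits by delivering to the backup MX.
        if APPLIANCE_IP not in addrs or MAIL_SERVER_IP in addrs:
            return False
    return True


# Constructed zones: one set up as the article recommends, one with a
# backup MX that lets senders reach the mail server directly.
GOOD_ZONE = {
    "example.com": {"MX": [(10, "spamwall.example.com")]},
    "spamwall.example.com": {"A": ["192.0.2.10"]},
    "mail.example.com": {"A": ["192.0.2.25"]},
}
BAD_ZONE = {
    "example.com": {"MX": [(10, "spamwall.example.com"), (20, "mail.example.com")]},
    "spamwall.example.com": {"A": ["192.0.2.10"]},
    "mail.example.com": {"A": ["192.0.2.25"]},
}


if __name__ == "__main__":
    print("good zone ok:", mx_points_at_appliance(GOOD_ZONE, "example.com"))
    print("bad zone ok:", mx_points_at_appliance(BAD_ZONE, "example.com"))
    for ip, hits in [("192.0.2.10", set()), ("198.51.100.7", {"bl-alpha.example"}),
                     ("203.0.113.9", {"bl-alpha.example"}), ("203.0.113.9", set())]:
        print(ip, sorted(hits), "->", port25_verdict(ip, hits))
```

The policy is deliberately harsher on the mail server than on the appliance: the appliance scores every sender and only rejects on corroborating evidence, while anything that reaches port 25 without passing through the appliance has already ignored the MX record, so a single listing is treated as sufficient.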
In my experience with the DS200, it’s true that a few pieces of spam are received each week from distant servers that boast a clean spamminess score of 0. I assume that these are newly hacked, "desktop servers," also known as zombie PCs. These zombies are likely to be added in short order to one or more of the numerous real-time block lists that Deep Six bases its algorithms on.
But it’s also important to remember that no antispam appliance can eliminate every single suspected piece of spam. Most companies consider avoiding false positives (legitimate messages that are filtered out) to be a far more important goal.
For this reason, you should always tune any antispam defense, whether it be hardware or software, to allow a little spam but eliminate false positives. Since the decision tree of the DS200 seems to reject more than 99.9% of spammy connections, it appears to be a very cost-effective way for companies to reduce the load on their incoming mail servers.
For more information on the DS200, contact the SMB marketing unit for the device, Tyrnstone Systems. For details on the patent-pending techniques that are involved, visit the Web site of Deep Six Technologies. (The name is a play on "you can deep-six your spam.")
To send us more information about antispam appliances, or to send us a tip on any other subject, visit WindowsSecrets.com/contact.
Readers Davidson, Winfrey, Wills, and Shaffer will receive gift certificates for a book, CD, or DVD of their choice for sending me comments that I printed.
Brian Livingston is editor of the Windows Secrets Newsletter and the coauthor of Windows 2000 Secrets, Windows Me Secrets, and eight other books.
I'm a little 0x80242006 today
The date on the calendar as Microsoft’s patches came out this week said St. Valentine’s Day, the day for love and romance. But if you’re a patchaholic like me, a guy who offered to patch my computers for me would be even more romantic than roses and chocolate.
Especially in a week like this, when he’d have to use some extra manual labor to get my machines fully patched.
MS06-007 (913446)
Problems arise with MS’s IGMP patch
We finally saw late on Tuesday evening the resolution to some of the problems we found when installing MS06-007 (KB913446). The Microsoft Security Resource Center blog reported mid-Tuesday that developers were working on the issues.
If you attempted to install MS06-007 that day, you probably saw it attempt to load but fail with a cryptic 0x80242006 error. This problem had no solution in the help text. In the meantime, if you wanted to ensure you were patched, you could still manually install the patch, using the links in the MS bulletin.
This patch cures an IGMP vulnerability, but exactly what is IGMP, anyway? Reading the Wikipedia.org definition doesn’t make it that much clearer. According to the bulletin, while the normal Windows firewall will protect you from "Unicast IGMP packets," it will not protect you from "Multicast" ones.
According to the definition of Multicast packets, once again from Wikipedia, multicast is used primarily for such services as IRC chat and Web and video conferencing.
The MS06-007 bulletin is replacing 05-019, which historically caused some issues for VPN connections. This and other issues are listed in KB893066. You should keep an eye on your Internet connectivity during your patch testing on this one.
MS06-004 (910620)
Update your Internet Explorer or retire Me
For those folks running Windows Me with Internet Explorer 5.5 Service Pack 2, you’re at the end of your lifecycle. While Windows 2000 will get a patch for its IE 5.01 SP4, Me’s IE 5.5 SP2 will not. You can, however, update your IE on Me to IE 6 Service Pack 1. This is now the only supported version of IE on ME, Windows 98, and Windows 98 Second Edition, according to the information in MS06-004 (KB910620).
The usual caveats for customized Web applications in your network apply, as with any Internet Explorer patch. KB 910620 documents the issues surrounding these IE patches. This patch still does not correct the 225-days-and-counting IE vulnerability that’s been privately disclosed by eEye.
MS06-008 (911927)
Web client for most will be a nonstarter
When I first read MS06-008 (KB911927), it sounded to me like this hole could be a nasty one, just because the bulletin indicated that an attacker could take complete control of a system. However, for most of us, this service isn’t running on our servers unless we turn it on. Windows XP has a limited way that this could be exploited, which is explained in security advisory 906574.
MS06-005 (911565) and MS06-006 (911564)
Windows Media patches are a double header
Our next two bulletins affect Windows Media Player and plug-ins for the player in third party browsers.
MS06-005 (KB911565), as discovered and published by eEye, closes a hole that allows several methods of attack. As the bulletin states, Windows Media player is not the default application for .bmp files. (This image file format is normally handled by the Picture and Fax Viewer on XP machines). Specially crafted .asx files, however, could be built to trick you into infecting yourself.
MS06-006 (KB911564) affects a Windows Media plug-in for third-party browsers. Folks running Firefox and Netscape who use Windows Media Player for their default multimedia playback need to take special care to patch, according to iDefense, the company that found the exploit.
MS06-010 (889167)
Death by PowerPoint hole should be closed
You know, an attacker wouldn’t have to go through all the trouble to “attack” us and gain information about our system, using the hole closed by MS06-010 (KB889167). It would be easier if they just followed the steps outlined by Dr. Jesper Johansson in his blog to perform “Death by PowerPoint” than merely retrieve information. Attackers would have to explicitly know the names of objects in the Temporary Internet Files folder by name.
MS06-009 (901190)
Korean language tools make interesting vulnerability
Our last patch that came out this Valentine’s Day fixes an obscure hole. It only affects the Korean language. Also, the attacker must have access to the system either locally or remotely over the Internet using Remote Desktop Protocol.
Microsoft points out the recommended best practice that you shouldn’t have the Terminal Service port (port 3389) open at your perimeter.
The bulletin states that Windows Small Business Server 2003 uses a feature called Remote Web Workplace. This is a Web-based portal that makes it easy and secure for small businesses to have remote access to their networks.
SBS 2003 is vulnerable, according to Microsoft, because it uses TCP port 4125 to listen for RDP connections. However, this statement is incorrect. The server only opens up port 4125 after someone authenticates on the network. This mitigates this issue over that TCP port connection.
.NET 2.0 update resets SBS Web sites
A few weeks back, I reported that I had no issues installing .NET 2.0 on my Small Business Server box. To be honest, though, I didn’t use the Microsoft Update mechanism. Instead, I went directly to the .NET 2.0 manual download and installed it from there.
I have reports of folks who’ve used Microsoft Update to install .NET 2.0 saying it resets some of the Web sites in SBS 2003. I’ve found that if you go into IIS and reset these Web sites back to the defaults, as described in my blog entry, the system works just fine.
Changing priorities for SBS 2003 POP3
KB835734, a patch that I affectionately refer to as the “Spammer” patch, fixes the old issue of SBS 2003 POP3 connectors that will relay e-mail to such a degree that it causes headlines.
While this fix has been out for a long time, it’s just been upgraded to a “high priority” patch on Microsoft Update. Now you have no excuse not to see this and patch for this issue.
Call Microsoft when patch issues arise
The very obvious failure of MS06-007 to install during most of Patch Tuesday (until corrected) raises an important point. I thought I’d end my column today by reminding folks that whenever a problem is caused by a security patch, it’s a free call to Microsoft. The number to start with is 1-866-PC-Safety. International folks can call your local Microsoft office at these numbers. In general, Microsoft often doesn’t hear about issues unless you call.
The Patch Watch column reveals problems with patches for Windows and major Windows applications. Susan Bradley is a Small Business Server and Security MVP — Most Valuable Professional — a title awarded by Microsoft to independent experts who do not work for the company. She’s known as the “SBS Diva” for her extensive command of the bundled version of Windows Server 2003 and is a partner in a CPA firm.
How to restore with confidence
Windows XP’s System Restore can save your bacon. But it wallows in disk space like a hog.
If you understand the secrets of System Restore, you can save yourself untold headaches when things inevitably go bump in the night. And you can reclaim a few zillion megabytes of pure Windows pork while you’re at it.
Scoping out the System Restore function
Windows XP includes a remarkably capable subsystem known as System Restore. You’ve probably bumped into it.
Unfortunately, there’s a lot of hogwash about System Restore floating around the Internet. The truth is that System Restore doesn’t take a snapshot of your entire system; it isn’t anything like a full backup. Instead, System Restore allows you, the programs you run, and Windows itself to store away copies of key system files, all of the Windows Registry, and various user settings.
The resulting restore point, as it’s called, consists of a bundle of files that are named and stored together. This makes it easy for you to retrieve those settings and roll Windows back to an earlier state.
System Restore doesn’t back up your files. It doesn’t store most application settings. In fact, if you create a system restore point, install a program, then roll back to the earlier restore point, the program probably won’t work. Any settings the program stuck into the Registry get obliterated by the rollback. The program may find itself floating in the Windows Primordial Ooze with no way to connect to Windows itself. Think “Lost” at 2.4 GHz.
To be a bit more precise, a restore point contains the contents of the Registry, the Windows File Protection files that are stored in dllcache, all of the COM+ add-in database, the IIS configuration files, the Windows Management Instrumentation Database, some weird system files with filename extensions from a long list of “monitored extensions,” and local user profiles.
None of your passwords make it into the restore point. Nor do any normal files, such as application programs and data files. If a file has a filename extension that isn’t on the “monitored” list, it just doesn’t make the cut.
Setting restore points
You can create your own restore point any time you like: click Start, All Programs, Accessories, System Tools, System Restore. Click the button marked Create a restore point, then click Next. The System Restore Wizard asks you to type in a name for the restore point.
Don’t bother typing the date or time — Windows always brands the restore point with that information. Instead, pick a descriptive name, like, oh, “Before Installing the HP Drivers for the 17th time.” Click Create. The Wizard creates a new restore point and files it away, so you can retrieve it any time you like. Click Close and you’re out of the Wizard, back in Windows.
Restore points are created automatically in a number of different situations. Most good applications will create a restore point before installing themselves. Windows runs a restore point before installing security patches or updates. It also creates a restore point before installing an unsigned driver. But, surprisingly, it doesn’t bother to make a restore point if you install a signed driver. (In Windows XP Timesaving Techniques For Dummies, I explain why and how you might want to set a manual restore point before installing a signed driver. Yes, signed drivers screw up.)
Windows also creates a restore point immediately before restoring to an old restore point. This is kind of like leaving a trail of crumbs behind when the forest is in flames. Windows also creates a restore point every 24 hours, automatically, by default. (It’s smart enough to wait until there hasn’t been any activity on the PC for a while.) If you start your computer and it’s been more than 24 hours since the last restore point was created, Windows makes a new restore point automatically.
Restoring your PC: back to the future
You probably know (or could guess if you’ve been following along in the System Restore Wizard) that you can restore your system to any specific restore point with a few clicks: Start, All Programs, Accessories, System Tools, System Restore. Choose the button marked Restore my computer to an earlier time, then click Next. The System Restore Wizard offers you a choice of all available restore points, neatly presented in a calendar format.
If you want to restore, simply close any running programs, click on the restore point that you like, then click Next. The Wizard creates a restore point, performs the restore, then restarts Windows. As I explain below, it’s important to note here that you get another restore point set before Windows "rolls back," whether or not you want another restore point.
As soon as Windows restarts, you can “undo” the restore by clicking Start, All Programs, Accessories, System Tools, System Restore. The Wizard sports a new button that says Undo my last restoration. It’s easy, and it’s relatively foolproof.
You might not realize that System Restore also appears in a different guise: as an alternative to Safe Mode. When you can’t get your computer to boot — or if you press the F8 key while booting — Windows shows you the Advanced Boot Options screen, which lets you choose Safe Mode. On that screen, there’s an option to boot with Last Known Good Configuration (your most recent settings that worked). Booting to your last good configuration this way, in fact, runs a System Restore using the most recent restore point.
When you boot to the Last Known Good Configuration, Windows makes a system restore point, whether you want it or not, rolls back to the last system restore point, then boots Windows. While that may seem like a very clever idea, there’s one gotcha: if you boot to the Last Known Good Configuration two times in a row, Windows “rolls back” to the system restore point that it saved during your prior boot.
This probably won’t work at all. Think of it like changing a flat tire. If a tire blows and you put on the spare, it’s cool. But if the spare blows, and you haven’t fixed the old tire, you’re in for some very bumpy times. That’s why it’s never a good idea to boot into the Last Known Good Configuration twice in a row.
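The ordering that makes the "twice in a row" gotcha bite is easy to lose in prose: every restore, including one triggered by Last Known Good Configuration, first checkpoints the state you are leaving and only then rolls back. The following is a small model of that sequence, added here for illustration and following the column's description rather than Microsoft's code; the state strings are constructed stand-ins for the registry and protected-file snapshot.

```python
"""Added example (not Microsoft's code): a model of the order in which
System Restore checkpoints and rolls back, following this column's
description of Restore, Undo and Last Known Good Configuration.
The "state" strings are constructed stand-ins for the real snapshot."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class RestorePoint:
    seq: int      # the RPxxx sequence number in the _restore folder
    name: str
    state: str    # constructed stand-in for the snapshotted registry/WFP files


class SystemRestore:
    def __init__(self, initial_state: str):
        self.state = initial_state
        self.points: List[RestorePoint] = []
        self._next_seq = 1

    def create_point(self, name: str) -> RestorePoint:
        rp = RestorePoint(self._next_seq, name, self.state)
        self.points.append(rp)
        self._next_seq += 1
        return rp

    def restore_to(self, seq: int) -> RestorePoint:
        """Windows always checkpoints the current state first, then rolls back."""
        target = next(p for p in self.points if p.seq == seq)
        self.create_point("Restore Operation")
        self.state = target.state
        return target

    def undo_last_restore(self) -> RestorePoint:
        """Undo = roll back to the checkpoint taken just before the last restore."""
        return self.restore_to(self.points[-1].seq)

    def last_known_good(self) -> RestorePoint:
        """Per the column, an LKG boot is the same mechanism applied at boot:
        checkpoint the current state (working or not), then roll back to the
        most recent point taken before it."""
        return self.restore_to(self.points[-1].seq)


def lkg_twice_scenario() -> List[str]:
    """System state after each of two consecutive Last Known Good boots."""
    sr = SystemRestore("working")
    sr.create_point("System Checkpoint")   # the nightly automatic point
    sr.state = "bad driver installed"       # something went bump in the night
    history = []
    sr.last_known_good()                    # the spare tire: back to "working"
    history.append(sr.state)
    sr.last_known_good()                    # the spare blows: back to the bad state
    history.append(sr.state)
    return history


if __name__ == "__main__":
    print(lkg_twice_scenario())   # ['working', 'bad driver installed']
```

The second call rolls back to the "Restore Operation" point that the first call created, and that point holds the broken state, which is exactly the column's flat-tire situation.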
Managing your various restore points
Restore-point data gets stored in folders named:
C:\System Volume Information\_restore{7AC41853-D197-43DD-A331-D376ADD98AC2}\RPXXX
The XXX at the end of that string is a sequential number incremented with each new restore point. Don’t bother trying to look for the files, by the way: Windows goes to great lengths to hide them from you; you can’t even get into the System Volume Information folder.
This is for good reason. There’s absolutely nothing in there that you should ever change by hand. Moreover, by blocking those files from your prying eyes, Microsoft is also keeping Trojans (and worms and viruses, oh my!) from using your privileged security level to clobber your system restore points.
(Yes, I know that it is, in fact, possible to get in there. No, you shouldn’t do it. No, I won’t show you how.)
If you really want to see a list of files that contain your restore points, navigate to C:\Windows\system32\Restore and run the program Srdiag.exe. You can then look at the SR-RP.log file to see a list of all available restore points, and SR-RstrLog.txt to see details about the files.
The fundamental problem with restore points? They can take up a whole lot of room. By default, Windows XP keeps 90 days’ worth of restore points. By my standards, that’s about 80 days too many. (C’mon, can you remember the state of your system on November 16, 2005? As opposed to November 17, 2005?) Also by default, Windows allows itself to use up to 12% of your hard drive to store restore points (if the Windows partition is greater than 4 GB). That’s outrageous.
Fortunately, it’s easy to put System Restore on a diet. Click Start, right-click My Computer, choose Properties, then click System Restore. Click your main drive, then click Settings. Drag the slider down to 3% or less and click OK twice. On my main production machine, reducing System Restore down to 3% reduced the number of system restore points so I had only six weeks’ worth. I won’t lose any sleep over it.
Oh. While you’re playing with the System Restore settings dialog box, be careful not to turn off System Restore. While it’s easy enough to turn System Restore off and back on again, every time you turn it off, you wipe out all existing restore points — and you can’t get them back.
Woody Leonhard‘s latest book is Windows XP Hacks & Mods For Dummies, published by Wiley.
Judging third-party patch practices
What does a vendor’s patch-release schedule tell you?
Have you thought much about how and when your software providers release their patches? Are patches provided in a convenient format for centralized updates? Do patches take years, months, or only weeks to deliver? If you’re paying attention, this will help your security stance in the future.
How’s patching Firefox going for you?
In the Sept. 29, 2005, newsletter, Chris Mosby wrote an extensive discussion about the relative number of vulnerabilities in Firefox versus Internet Explorer. Counting patches is probably the most popular way to measure two products for security. And, on a single-user basis, it’s probably the best.
But once you’re talking about multiple computers, Mom’s machine, small network pipes, or maybe an enterprise deployment, it’s a completely different story.
I’ve been dabbling in Firefox for a while now, and the Mozilla Suite browser before that. I find it to be generally a workable piece of software, though its stability on the OS X iBook I use for a lot of daily browsing isn’t great. For my e-mail client, I like Mozilla’s Thunderbird a lot. Again, I could do with fewer crashes. But I digress; I’m talking about patches.
So, I was originally using Firefox 0.something, and the new improved 0.something comes out. Great! I’d love to upgrade. What’s the procedure? I had to delete the old version to install the new one. And not just delete it, I had to uninstall it and then delete the files, too. Otherwise, I’d have multiple copies in my Add/Remove Programs control panel, and I might leave behind some chrome-something settings that will mess up the new version.
All right, that wasn’t quite ready for prime time, but it was beta. So, 1.0 was released to much fanfare, full-page ads, and millions of downloads. Finally, the installer/upgrade does what you expect. You download the entire 30-odd megs of 1.0.x, and it installs correctly, keeps your settings, and isn’t as much work.
Why did I have to download the entire installer to upgrade to a new version? How do I know a new version is out? Well, I guess I watch the geek news sites, read my Windows Secrets Newsletter, etc…
Now Firefox 1.5 is out, and it includes automatic updates. And lo! Shortly after that, 1.5.0.1 is released. I’m very pleased to see that my machine now informs me that there’s an update. And it only had to download about 500K to get me to the new version!
This is real, genuine improvement. You have now solved my Mom’s computer problem, and the small-network-pipe problem. Plus, if I’m not mistaken, I think I’m also seeing the first step towards quicker patches from the Mozilla guys. It was only a handful of days between those updates.
Mozilla, you have now caught up with Windows Update.
I don’t mean to discourage the Firefox team. They’re absolutely on the right path, and these things do take time. But there’s still a ways to go to help any administrator who supports hundreds or thousands of computers, isn’t there?
Any IT manager with a little experience will tell you that you don’t leave the decision to upgrade with end users. You centralize the upgrade controls, you have a reporting mechanism so you know what versions are installed, you have a process for qualifying new versions, and so on.
This means a browser needs things like the ability for an administrator to disable auto-updates and prompting. You need to first make sure your corporate Web apps all work with 1.5.0.1 before your users start clicking “yes” to upgrade. You need to make sure that you know how to internally distribute the 500KB patch, and not have to use the 30MB installer. Will there be a patch that lets your company go straight from 1.5.0.0 to 1.5.0.2? Or will I have to go 1.5.0.0 to 1.5.0.1 before I can upgrade to 1.5.0.2?
I don’t doubt that the Mozilla developers will get there. I look forward to it. I’m simply trying to point out that there is sometimes a vast difference in what works on your home machine vs. what works for thousands of corporate desktops. It looks to me like Firefox is addressing home users first. This may be unavoidable, but I wish corporate deployment of Firefox had gotten easier faster.
There’s a little more ramp-up for big-time patch management. We’ve got some learning curve yet to go with Firefox.
Fortunately, admins got some of the key tools we needed to upgrade Firefox in a corporate environment last month. And, to be fair, we’ve had several years to get used to updating IE, which now seems almost straightforward.
Firefox may have fewer vulnerabilities that need patching each month. But sometimes, our ability to effectively qualify the holes in IE and patch them in a centralized manner is more important to us than the absolute number of vulnerabilities discovered in our browsers.
Unbreakable? More like unfixable
You may recall a few years ago that Oracle started its “Unbreakable” marketing campaign. Naturally, information security people tended to scoff at this, and a few of them took it as a challenge. One of those researchers who’s known for examining the security of Oracle applications is David Litchfield of NGS Software.
Database security is an ongoing topic for David and his co-workers, a specialty area for them. I’ve mentioned David a couple of times before, in my last column as well as the one on Oct. 13, 2005.
To recap: David is a personal acquaintance, I’ve been watching his vulnerability research work for a number of years, I tend to believe what he has to say on the subject, and David has been rather vocal lately about Oracle not being very proactive with its fixes.
In my two past columns, when I brought up Oracle, it was in the context of me criticizing it for sometimes taking years to produce a fix after being notified of a problem. I feel a little bit bad about picking on Oracle. But it’s difficult for me not to when it keeps volunteering to be the example of what not to do.
So what have they done now? According to David, they have not been doing a very good job fixing a particular problem, multiple times, over several years. (Yes, years, again.)
On Jan. 25, Litchfield posted a fix for an Oracle vulnerability, a fix that Litchfield himself had developed. Some vulnerability researchers have taken this tack before in the past, feeling that they can go ahead and release details as long as they provide a workaround.
This is often met with varying levels of criticism, most frequently from the original software vendor. People sometimes complain that they can’t effectively use the workaround provided, and would rather have an official patch. A little of that even went on in this example. See Litchfield’s post about an updated version of his fix to address some problems.
However, the details of the fix probably aren’t terribly interesting to you unless you run Oracle PLSQL Gateway. What is interesting is Litchfield’s post titled The History of the Oracle PLSQL Gateway Flaw. In it, you get to see a couple of different angles of the sausage being made, though, to be fair, this is Litchfield’s version of the story.
In his post, Litchfield describes a process over a period of about 4 years when he tried to get Oracle to properly fix the PLSQL Gateway. The basic problem was that someone with a Web browser could type in a special URL, and end up with full administrative control of the database. (This also typically gives the attacker control of a shell on the operating system the database runs on, on a computer that usually has some access to the internal network inside the firewall, and so on.)
OK, so allowing this kind of takeover is a rank amateur mistake made by most people who write their first Web application. You might want a little bit more care to be taken by your database vendor to prevent this. But I’ve seen every software vendor do something like it at least once. So, you patch, you learn, you don’t do it again, right?
The short version of the story, if you didn’t read it yourself, is that over 4 years, Oracle kept trying to fix the problem, apparently with the least amount of effort each time. Each time, Litchfield would test the “fix.” He’d quickly find some variation that usually required only a few extra characters and the exploit would work again. I believe I count seven times that he went back and forth with Oracle.
The “punch line” is that Oracle should have simply provided what’s called a whitelist, instead of an ever-failing series of blacklists. Blacklists attempt to block all bad things, while whitelists will only allow a list of known good things. And when I say “punch line,” I mean that this stuff could appear in Dilbert. Scott Adams probably couldn’t write better jokes than what Oracle came up with.
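To make the blacklist-versus-whitelist point concrete, here is an added example (not Oracle’s code, and not Litchfield’s fix) of a gateway that maps a URL path segment to a stored-procedure name. The deny-list checker inspects the raw segment and is defeated by small variations such as leading whitespace or percent-encoding; the allow-list checker canonicalizes first and then requires exact membership in an approved set. The procedure names and prefixes are constructed for illustration.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Constructed deny-list: procedure-name prefixes the gateway should not expose.
BLOCKED_PREFIXES = ("sys.", "dbms_", "utl_")

# Constructed allow-list: the only procedures the gateway is meant to call.
ALLOWED_PROCEDURES = frozenset({
    "catalog.list_items",
    "catalog.show_item",
    "orders.create_order",
})

# Canonical form: schema.procedure, identifiers only, nothing else.
_NAME_RE = re.compile(r"[a-z_][a-z0-9_]*\.[a-z_][a-z0-9_]*")


def blacklist_allows(raw_segment: str) -> bool:
    """Deny-list check applied to the segment exactly as received.

    This mirrors the failing pattern in the story: it compares the raw
    text against known-bad prefixes, so any encoding or padding that the
    later decoding step strips away is not seen here.
    """
    return not raw_segment.lower().startswith(BLOCKED_PREFIXES)


def canonical_name(raw_segment: str) -> Optional[str]:
    """Decode (twice, to cover double-encoding), trim, lower-case, and
    refuse anything that is not a plain schema.procedure identifier."""
    name = unquote(unquote(raw_segment)).strip().lower()
    return name if _NAME_RE.fullmatch(name) else None


def allowlist_allows(raw_segment: str) -> bool:
    """Allow-list check: canonicalize first, then exact membership."""
    name = canonical_name(raw_segment)
    return name is not None and name in ALLOWED_PROCEDURES


def compare(raw_segment: str) -> dict:
    """Return both verdicts for one request segment."""
    return {
        "segment": raw_segment,
        "blacklist": blacklist_allows(raw_segment),
        "allowlist": allowlist_allows(raw_segment),
    }


if __name__ == "__main__":
    # Constructed request segments: a legitimate call, a blocked call,
    # and two trivially varied forms of the blocked call.
    for seg in ("catalog.list_items", "sys.some_proc",
                " sys.some_proc", "%73ys.some_proc"):
        print(compare(seg))
```

The two varied forms pass the deny-list and fail the allow-list, which is the whole difference: a deny-list has to anticipate every variation, while an allow-list only has to know the handful of names it intends to serve.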
I wish I could say that it was just Oracle that had no clue. Then I could tell you to go to any other RDBMS vendor.
Sadly, that’s not the case. Litchfield did some research on Sybase not long ago. What was the response? Timely patches? No, legal threats! They threatened to sue him under the DMCA (Digital Millennium Copyright Act) if he said anything.
Fortunately, they eventually cleaned up their act, and the usual patches and advisories proceeded. That example was particularly painful for me. A number of years ago, I used to be the corporate security guy at Sybase. I ended up leaving Sybase over what I thought were bad security decisions by management. Go figure.
If security is a big concern for you, be sure to pay attention to what your vendor’s attitude toward it is. Maybe you think Microsoft doesn’t do a great job, but they can generally get you a patch in less than a year, and it usually does really fix the problem.
The Perimeter Scan column gives you the facts you need to test your systems to prevent weaknesses. Ryan Russell is quality assurance manager at BigFix Inc., a configuration management company. He moderated the vuln-dev mailing list for three years under the alias “Blue Boar.” He was the lead author of Hack-Proofing Your Network, 2nd Ed., and the technical editor of the Stealing the Network book series.
Unpatched flaws threaten Windows users
Microsoft didn’t have a very good Valentine’s Day this week.
Even after releasing seven patches for various security vulnerabilities this month, Microsoft still has plenty of flaws that the company could profitably spend some time fixing.
IE drag-and-drop vulnerability returns
It was over a year ago that Microsoft released a couple of patches — MS05-008 and MS05-014, to be exact — that dealt with severe “drag and drop” vulnerabilities in Internet Explorer. These flaws allowed hacked Web sites to run infected programs on a user’s PC while the user was merely browsing normally, without downloading anything.
The latest drag-and-drop vulnerability was discovered by Matthew Murphy, a writer for SecuriTeam. Matthew notified Microsoft of this vulnerability on Aug. 3rd, 2005. But he wasn’t satisfied with the company’s planned response. So he made his discovery public on Feb. 13 in an advisory on SecuriTeam’s Web site. In that advisory, Matthew says:
- “Currently, the company has no plans to issue a security update to correct this vulnerability. Fixes for this issue are scheduled to be included in Service Pack 2 of Windows Server 2003 and Service Pack 3 of Windows XP. Of particular note is that Windows 2000 users will *NOT* receive an update to correct this vulnerability.”
Microsoft’s response to new drag-and-drop hole
Fortunately, this vulnerability requires somewhat precise timing on the part of the user, so it might not be as critical as the previous drag-and-drop weaknesses. Microsoft comments on this in a post to the Microsoft Security Response Center blog, which states:
- “The specific configuration consists of having two windows open: one an IE window, and the other a folder to a resource. The specific user action is the user clicking and dragging an object from the IE window over to the folder window. The timing is very exact: when this is happening the windows would flip back and forth visibly at a set interval. The user would have to time it such that they catch the windows as they’re flipping back and forth.
“We will update the behavior, but in looking at the severity of the issue and balancing the risk inherent in any fix, we believe a future service pack is the best way to address this issue. Some thoughts on fixing issues in service packs – service packs allow for additional testing, including beta testing, to reduce the risk of quality issues impacting 3rd party applications. This extra testing is especially important for complicated fixes that require extensive behavior changes. That said, we work hard to make sure that when we resolve issues found in service packs (as opposed to security updates) these are only for issues that are of a reduced severity, and we continually monitor those issues for a change in status.”
Microsoft’s response does make the new vulnerability seem minor. However, Gadi Evron, another SecuriTeam writer, brings up several specific instances where the problem could be exploited without a user suspecting anything. In a post on the SecuriTeam blogs, he writes:
- “Here are some interesting ways to exploit this using social engineering:
“Scroll-bar, ‘smack the monkey,’ moving naked girl (move mouse to make me…), web game, shopping list/wish list, ‘calibrate your mouse,’ etc.”
These examples make the exploit seem pretty easy for a typical end user to fall into. Matthew himself offers some important clarifications in a Feb. 14 advisory.
What to do: There are several workarounds suggested, with details to implement them, in the SecuriTeam advisory. However, all of these will also limit other functions of IE and may make the browser unusable, depending on how you use it.
The option, in my opinion, that is probably the least intrusive is to set a kill bit on the Shell.Explorer Control. This will, however, disable IE’s ability to show views for local directories, network file shares, FTP file directories, and Web folders. Viewing the same resources with Windows Explorer or with third-party tools (in the case of FTP sites) is not affected.
To set the kill bit on the Shell.Explorer Control, you can either use the information from the SecuriTeam advisory to do this manually, or use the tools they’ve posted. Neither method has been tested by anyone at WindowsSecrets.com, at this writing.
For more information, see Secunia, Websense, and Watchguard.
HTML Help files can hurt computers
The Microsoft HTML Help Workshop is included in the Microsoft HTML Help 1.4 SDK. It’s used to compress HTML, graphics, and other Web files into small compiled help (*.chm) files.
A hacker can use this to take over a PC by inserting a long string in a contents file. This is due to a flaw in the way the HTML Help Workshop processes *.hhp files. This could allow the attacker to execute infected files with the same privileges as the logged-on user. This problem has been tested on version 4.74.8702.0, and it’s believed that earlier versions are vulnerable as well.
It’s important to note that a PC has to have the HTML Help SDK for the machine to be at risk. The SDK is not shipped with Windows or Microsoft Office, so it’s not widely installed.
What to do: Several exploits have been released publicly for this flaw. I recommend that you avoid opening *.hhp files in the HTML Help Workshop until a patch for this problem is available.
For more information, see Bratax security advisory B008, Secunia, and eWeek.
The Over the Horizon column informs you about threats for which no patch has yet been released by a vendor. Chris Mosby is a contributor to Configuring Symantec Antivirus Corporate Edition and is the Systems Management Server administrator for a regional bank. In his spare time, he runs the SMS Admin Store.
Publisher: AskWoody LLC (woody@askwoody.com); editor: Tracey Capen (editor@askwoody.com).
Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. AskWoody, Windows Secrets Newsletter, WindowsSecrets.com, WinFind, Windows Gizmos, Security Baseline, Perimeter Scan, Wacky Web Week, the Windows Secrets Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of AskWoody LLC. All other marks are the trademarks or service marks of their respective owners.
Copyright © 2025 AskWoody LLC, All rights reserved.