Tales from the Crypto – Page 48 – Alun Jones (Security MVP Reconnect) writes about security, cryptography, SSL, PKI, and pretty much anything else that bothers him enough.

Peculiar article on "new kind of bug".

So, I’m cruising the security news feeds, and I come across this interesting little article: Microsoft to hunt for new species of Windows bug

I really don’t think the article is all that fair – maybe Kevin Kean and Debby Fry Wilson weren’t able to convince the journalist to write the whole side of the story, I don’t know.

Certainly, while I was at Microsoft, new code was run through code-review by real, intelligent people, with a keen eye to ensuring that it could not be abused; new features were run through threat-modeling by a Security PM, whose job it was to find all kinds of avenues of misuse and abuse, and rate mitigations and risk.  I don’t believe that approach was unique to IIS.

So, far from this being something that’s completely new to MS, and has never been addressed, this is something that’s looked at for new code all the time.

Old code, I’m not so sure of, and maybe the article is right in that regard, that old code is not scanned rigorously for unintended uses.

What software company out there is currently scanning through old code for such unintended uses as a regular part of their security process?

Okay, so we do it here at Texas Imperial Software, every time a new and interesting abuse is revealed against someone else’s software, but that’s a much smaller segment of code.

Statistics and the news.

News coverage gets me irritated whenever statistics are mentioned.

This morning’s example (paraphrasing): “South African gays are upset about discrimination in blood donation; their donations are being refused, despite the fact that the majority of HIV cases in the country are in heterosexual women.”

I’m not wondering if there really is or isn’t a case of discrimination going on there; what irritated me is that there’s actually no valid statistical link between the two clauses of the sentence.

That’s one example; it’s on NPR, so I’d have thought they’d take a moment to get it right. Here’s another example from New Scientist magazine, who should know better (I’m paraphrasing again):

“A survey of accident victims indicates that more of them have cellphones than the general population, demonstrating that people who have cellphones are more likely to have accidents.”

No, no, no. It demonstrates that people who have accidents are more likely to have cellphones; maybe cellphones appeal to people who drive aggressively!

Notice that neither of my examples is a case where the statistic actually disproves the claim made in the accompanying article; only that they do not lend any valid credence to the claim.

What’s your favourite example of – not a maliciously misused statistic, so much – a statistic that, to the educated reader/listener/viewer, does nothing to prove the claim being made?

A quick guide to PC SAFETY – follow up on MS06-003 / CreateItemFromTemplate

After yesterday’s post on MS06-003 interfering with my use of CreateItemFromTemplate, I figured I should take advantage of the 1-866-PCSAFETY line provided by Microsoft for resolving bugs caused by security patches.

Other than a mildly confusing list of choices, which didn’t quite cover the case I wanted, but allowed me to select “talk to a human”, I’ve found this to be a really good tech-support experience.  Hold times were less than five minutes in most cases, with the longest being eight minutes, and the questions asked were all to the point.  The bug was confirmed as being present, a workaround was offered (don’t use the second parameter, the item will be created in the drafts folder anyway), and the prospect of a quick-fix was offered once it is developed.

I found it very interesting to see that the first option in the voice-mail is a kind of “issue-of-the-day” message, offering information on resolving whatever virus or spyware infection appears to be en vogue.

Option two allows you to request a fax of information on how to protect your PC – a brief reminder that there are some people who still prefer to do business without the Internet as much as possible.

Option three – the “talk to a person” option – gives you the further option of whether you’re calling about personal software, professional software, or developer issues.

Wireless PC Lock – nice device, crummy software.

I’ve been playing lately with a little device I picked up in the local Fry’s store. It’s a “Wireless PC Lock”, and the idea is that there’s a pair of pieces – a USB stick, and what you might charitably call a fob (although when I tried to use it on my key ring, the button stayed pressed in my pocket, and I wore out the battery).

This is really a sweet little idea – a presence device so that you don’t forget to lock your PC when you walk away (you do lock your PC whenever you’re away, don’t you?)

Unfortunately, the software isn’t very well thought-out or well written. The device is capable of unlocking the PC as well as locking it, which is not good if you hang out on the other side of the wall from your PC. For me, that’s out in the corridor, but I don’t feel comfortable taking the chance that it’ll unlock as I’m standing chatting in an area where I can’t see my PC.

This is where we come to the second problem. Those sharp-eyed among you will note that you can’t programmatically unlock the PC. You have to enter a username and password to do so. The obvious way the developers on the Wireless PC Lock came up with for dealing with this was to pretend to lock the system – they put up a picture of dolphins (because dolphins and security – well, if I have to explain it…) over every one of your programs, and they do their level best to prevent you from getting to anything but the dolphins until you’ve typed in your password.

I’m a suspicious person at heart – it can’t be too tricky to get around this, and my bet is that you simply insert a CD-ROM with Autoplay (although I do have that disabled, too) that runs a tool to kill the process that locks the system. It’s not too difficult to figure out the process.

So, I’m thinking it shouldn’t be too difficult to write a program that does the right thing – if you disappear from radio sight for a few seconds, or you unplug the USB stick, the system should lock – proper LockWorkStation lock. When you come back in range… nothing. You have to unlock manually.

This is a good thing, because the radio device has only a two-byte serial code that prevents others from getting the same number device as you – but those odds just aren’t good enough to act as an authentication factor. They are sufficient to act as a “presence not detected” factor.

Plus, I want my program to run as a restricted user – I don’t need to be administrator to lock my terminal, I shouldn’t have to be administrator to work with the Wireless PC Lock. Tune in here again in a few days, and we’ll see how I’ve done with my goal of producing a simple, more secure version of the Wireless PC Lock software.
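As an added illustration of the lock policy sketched above (this is not the author’s promised program, nor the vendor’s software), here is a small Python state machine: the fob’s beacons only keep a presence timer alive, silence or an unplugged receiver locks the station, and nothing the radio does ever unlocks it. The fob serial, the five-second timeout and the timeline driven by simulate() are constructed assumptions; on Windows the lock callable would be ctypes.windll.user32.LockWorkStation, which a restricted user may call.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class PresenceLock:
    fob_serial: int               # our fob's 16-bit serial (constructed in the demo)
    lock: Callable[[], None]      # on Windows: ctypes.windll.user32.LockWorkStation
    timeout: float = 5.0          # assumed: seconds of fob silence before we lock
    last_beacon: Optional[float] = None   # time of the last beacon from *our* fob
    locked: bool = False

    def on_beacon(self, serial: int, now: float) -> None:
        # A beacon only refreshes the timer and never unlocks: a two-byte serial
        # is a "presence not detected" signal, not an authentication factor.
        if serial == self.fob_serial:
            self.last_beacon = now

    def on_unplug(self) -> bool:
        # Pulling the USB receiver is an immediate loss of presence.
        return self._do_lock()

    def tick(self, now: float) -> bool:
        # Called once a second; lock when the fob has been silent for `timeout`.
        if self.last_beacon is None or now - self.last_beacon >= self.timeout:
            return self._do_lock()
        return False

    def on_manual_unlock(self, now: float) -> None:
        # The only way back in is the real logon screen; restart the timer then.
        self.locked, self.last_beacon = False, now

    def _do_lock(self) -> bool:
        if self.locked:
            return False
        self.locked = True
        self.lock()
        return True

def simulate(beacons, unplug_at=None, unlock_at=None, horizon=20):
    # One tick per second over a constructed timeline (beacons: time -> serial heard); returns the lock ticks.
    pl = PresenceLock(fob_serial=0x1234, lock=lambda: None, last_beacon=0)
    locks = []
    for now in range(horizon + 1):
        if now in beacons:
            pl.on_beacon(beacons[now], now)
        if unlock_at == now:
            pl.on_manual_unlock(now)
        if (unplug_at == now and pl.on_unplug()) or pl.tick(now):
            locks.append(now)
    return locks
```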

Issues with MS06-003 and Outlook 2003 Scripts.

I have a script that I use at work to send out emails every few days.

Last night, we installed MS06-003 on my workstation’s copy of Outlook, and today, my script fails.

The key function appears to be either CreateItemFromTemplate creating messages into the drafts folder, or GetDefaultFolder, supplying an object to the drafts folder.

Here’s a snippet…

' olFolderDrafts is the Outlook OlDefaultFolders value 16; VBScript cannot read it from the type library
Const olFolderDrafts = 16
Set oFolder = olApp.Session.GetDefaultFolder(olFolderDrafts)
Set oMail = olApp.CreateItemFromTemplate( oTemplate, oFolder )

The failure doesn’t occur on first running through this, but on the second hit of GetDefaultFolder, where the VB drops out with the helpful message: “Z:\Script\mailout.vbs(176, 3) (null): The server threw an exception.”

The underlying error number is -2147417851 – 0x80010105, RPC_E_SERVERFAULT. [I included all forms to make it easier for this article to pop up in searches.]

I don’t currently see this listed as a “known issue” for MS06-003.  Has anyone else seen this issue?

Programmer Hubris Part 2: I’ll get you, and your little dog, too.

Apple’s QuickTime (for Mac & Windows) vulnerable to flawed images.

Great – hot on the heels of a WMF vulnerability (“why does Microsoft keep having buffer overflows when the rest of the industry doesn’t?”), we get a TGA/TIFF/QTIF/GIF/media-file overflow vulnerability in QuickTime – the warning seems almost designed to get lost in the noise surrounding Microsoft’s regular updates – but that would be a cynical view.

When I visited the page referenced above, which is at Apple’s own site, I could not find a link to the patch, or to download the current version of QuickTime for Windows.  I’ve been doing this “computer thing” for a couple of decades now, and so has my cube-neighbour, who went looking for it as well, without success.  [Hopefully Apple will read this, and edit the page so that by the time you read this, the link is prominent and obvious, but if you can’t find it, read on…]

You can find the current version of QuickTime for Windows at http://www.apple.com/quicktime/download/win.html

There are a number of disadvantages to this link, though:

  1. This is a full replacement, not a patch.
  2. The site does not say whether you are downloading the fixed 7.0.4 version, or an earlier version with the flaws still in it.
  3. The download includes iTunes, and while I can imagine QT to be necessary to view, say, presentations from vendors, iTunes is definitely not necessary for our corporate use. Nor do I want it for my personal use.
  4. The download file is called ‘iTunesSetup.exe’, and its version information declares it to be the setup program for iTunes – no mention of QuickTime is made here.
  5. Even after downloading the setup executable, you cannot tell what version you have downloaded without running it first. The version number on the setup file ‘iTunesSetup.exe’ is
  6. The setup program goes through a few unpacking steps before aborting if you are not an administrator, so a restricted user cannot tell if this is the current 7.0.4 version of QuickTime.
  7. If you only want QuickTime, you have to install iTunes and QuickTime and then remove iTunes. The installation itself doesn’t require a reboot – but removing iTunes does. So, effectively, if you want to install QuickTime, you must reboot, or you must accept iTunes.
  8. At no point in the installation are you told what version of QuickTime is being installed.

Finally, yes, the version of QuickTime at the Apple download link is 7.0.4, which is supposed to include the patches against remote exploit through image vulnerabilities.

The main thrust of this rant has been that this is really not so useful in terms of a security update – but there’s a subtle theme throughout – in order to get a tool that I want, I have to install and then remove a tool that I don’t want.  Bundling is a fine tradition – and if Apple was to bundle QuickTime and iTunes such that iTunes was required, I’d simply refuse to watch .mov files.  But this method of bundling – requiring it be installed, but allowing uninstallation afterwards – seems to be more like punishing people who want to view QuickTime format movies.

Not quite "SUS on a disk", but…

I’ve been asking Microsoft for some time to release a “SUS on a disk” – an ISO image format, and maybe an updater tool, that would allow an admin to create a DVD-R that they could then drag along to a machine that is either disconnected or poorly connected, or not allowed to connect out to the Internet.  Such a disk would be really useful for those of us called to upgrade machines of our friends and family, too.

Well, today on MS Downloads, I noticed the following:

January 2006 Security and Critical Releases ISO Image

If this isn’t new, I haven’t seen it before – and while it’s not quite SUS on a disk, it’s pretty damn close.

Thanks for listening, Microsoft!

Now, because nothing is ever perfect, some suggestions for MS:

  1. This is only Windows Update, not Microsoft Update.  Particularly, it doesn’t include MS06-003 fixes, because that’s Exchange and Outlook.  A MU-on-a-disk would be great, too.
  2. A baseline disk image of security/critical patches to date would be helpful, too – I appreciate that it would be huge.  Perhaps pick a date, make a baseline image, and provide a means to download mere updates to the image, rather than the whole image afresh, for people who like to have the “most complete” set of patches.
  3. Is there a tool to create our own WSUS-on-a-disk?  I’d love to have that tool, so that I can take a disk with me for systems that don’t get network access even for patches. Or for mailing to my parents.

Security Koan #1

A user and a security engineer arrived at the business site together.

The user placed his bicycle against the wall, and walked towards the door.

The security engineer stopped him and said “You forgot to lock your bicycle.”

The user thanked the security engineer, and went back to lock his bicycle.

On the way, he noticed the security engineer’s bicycle was leaning against the wall, unlocked.

“You forgot to lock your bicycle,” the user called to the security engineer.

The security engineer responded “No, I didn’t.”

Microsoft makes the world safe for porn.

Catching many security professionals by surprise, Microsoft has released an “off-cycle” patch for the recent WMF exploits:



A couple of things to note:

  1. Off-cycle means that Microsoft thought that this was important enough to ship early.  That’s a hint that they reckon that a significant number of their users will be affected by this, and the influx of new tech support calls and bad PR due to the patch will be less than the influx of new tech support calls and bad PR due to the exploit.

  2. Microsoft have been getting much better at providing reliable patches, so that “significant number” should actually be relatively low in percentage terms.

  3. The behaviour being exploited is not a buffer overflow.  It’s doubtful whether you can call it a bug.  It’s by design.  The WMF design is lifted straight from the API instructions you’d send to a printer, and those APIs allow the calling program to specify “in the event of an error rendering this image, call me back”, and provide an address to call into.  Where this breaks is in allowing a data file to contain that code.

  4. Data files are code.  Code files are data.  There is no spoon.

  5. Unofficial patches are generally inadvisable, for most users.  “To avoid unknown third parties installing code on my machine, I will install code on my machine from an unknown third party.”  Make sure you have reason to trust any third party whose code you install.  Maybe the unofficial patch floating around for the WMF exploit is good and trustworthy, but it’s a risk you should consider.

Happy New Year!

It’s now officially 2006, at least in UTC – so I’m going to ask the following simple question:

What did you do with your extra leap second this year?

In related news, it’s worth noting that the US government is pushing for the leap second to be abolished.


I haven’t looked into it, but this seems to be really stupid. Most devices I’ve used fall into one of three categories:


These devices (or their owners / administrators) can’t keep time to anything like a second over a year, so they aren’t going to notice a change of a second, whether it’s added at the end of the year, or phased in throughout the year by making seconds longer.

Remotely set

I got one of these this year – a watch that receives a signal from the NIST giving the current date and time. Obviously, owners of these devices don’t have to do anything, because NIST keeps the signal updated with leap seconds.

Highly accurate

There are some devices – atomic clocks, etc – that need to maintain accurate time, because they are used to control or monitor astronomically important things, like telescopes, etc. Those machines need to know the time in relation to the progression of the earth through the solar system, so presumably they make good use of the leap seconds to ensure that the time they display is always close to the visible local time.

So, where’s the fuss? What could it possibly benefit to kill the leap second? Is the leap second really causing anyone any confusion? I’d love to know.