Defense Against the Dark Ages: Your Old Web Apps Are Trying to Kill You

Presentation Transcript


  1. SIA324 Defense Against the Dark Ages: Your Old Web Apps Are Trying to Kill You Aaron Margosis Principal Consultant Microsoft Corporation

  2. Session Objectives and Takeaways
  After this session, I can:
  • Identify risky practices in your web applications
  • Persuade managers/developers of the importance of making necessary changes
  • Articulate options
  Scenarios:
  • Windows / IE upgrade
  • Fixing security issues

  3. The Sysinternals Administrator’s Reference
  • The official guide to the Sysinternals tools
  • Covers every tool, every feature, with tips
  • Written by Mark Russinovich and Aaron Margosis
  • Full chapters on the major tools: Process Explorer, Process Monitor, Autoruns
  • Other chapters by tool group: security, process, AD, desktop, …
  Book signings with Mark and Aaron Wed. and Thurs., 11:30am, TechEd bookstore. Mark will also be signing Zero Day and Windows Internals 6th Ed. Pt. 1.

  4. Agenda
  • High Risk: Insisting on old versions of Java
  • Dumb Risk: Carrying old IE settings forward
  • Insidious Risk: Relying on ActiveX not intended for browser use

  5. Topic: Java past its sell-by date

  6. Java’s Forward Compatibility Promise
  • Write once, work forever
    • Multiple JRE versions installed side by side
    • Older versions do not get removed
    • Program can pick any version it needs
      → Always uses the version it was developed/tested with
      → Always works the way it did when written
  • Write once, hack forever
    • Multiple JRE versions installed side by side
    • Vulnerabilities do not get fixed
    • Malware can pick any version it needs
      → Always uses the version it was developed/tested with
      → Always works the way it did when written

  7. Risks of Retaining Older Java Versions
  • Many JRE updates contain Critical Patch Updates
  • Cannot retain older versions and be protected
  • New vulns may also apply to older, unsupported versions
  • Java support lifecycle is short
    • Public support for Java SE 5.0 (a.k.a. 1.5) ended October 2009
    • Public support for Java SE 6.0 (a.k.a. 1.6) ends November 2012
    • Java 7: GA July 2011, EOL July 2014
  Reference: http://www.oracle.com/technetwork/java/javase/eol-135779.html

  8. Most Widely Attacked Component on Windows
  • Early 2010: Symantec reports a notable rise in Java vulns through 2009
  • Late 2010: Microsoft sees a large spike in actual attempted exploits
  • The latest MS SIRs see the high level continue through 2011, increasing in the second half of the year

  9. “Can we standardize on JRE 1.6 Update 17?”
  • 128 separate vulnerabilities fixed since then:
    • March 2010, affecting Update 18 and earlier (27 fixes): http://www.oracle.com/technetwork/topics/security/javacpumar2010-083341.html
    • October 2010, affecting Update 21 and earlier (29 fixes): http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html
    • February 2011, affecting Update 23 and earlier (21 fixes): http://www.oracle.com/technetwork/topics/security/javacpufeb2011-304611.html
    • June 2011, affecting Update 25 and earlier (17 fixes): http://www.oracle.com/technetwork/topics/security/javacpujune2011-313339.html
    • October 2011, affecting Update 27 and earlier (20 fixes): http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html
    • February 2012, affecting Update 30 and earlier (14 fixes): http://www.oracle.com/technetwork/topics/security/javacpufeb2012-366318.html
  • Plus: versions before Update 24 are incompatible with IE9

  10. What Does Oracle Say?
  “We highly recommend users remove all older versions of Java from your system. Keeping old and unsupported versions of Java on your system presents a serious security risk.”
  Ref: http://www.java.com/en/download/faq/remove_olderversions.xml
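The advice above is only actionable once you know which JREs a machine actually has. The script below is an added example (not part of the session or of any Microsoft/Oracle tool): it inventories the Sun/Oracle JRE and JDK registrations and flags every build older than the newest one installed, i.e. the versions Oracle says to remove. It assumes the standard installer layout, HKLM\SOFTWARE\JavaSoft\Java Runtime Environment\<1.6.0_17> with a JavaHome value, and 32-bit installs under Wow6432Node on 64-bit Windows; the output format and the keep/remove wording are this example's own.

```powershell
# Added example: inventory Sun/Oracle Java installs from the registry and flag the stale ones.
# Assumes the standard installer layout (JavaSoft\Java Runtime Environment\<version>\JavaHome);
# 32-bit installs on 64-bit Windows are registered under Wow6432Node.
$roots = @(
    'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment',
    'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment',
    'HKLM:\SOFTWARE\JavaSoft\Java Development Kit',
    'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Development Kit'
)

# Oracle keys look like "1.6.0_17"; map one to a [Version] so updates sort numerically.
# Family keys such as "1.6" carry no update number and are skipped.
function ConvertTo-JavaVersion {
    param([string]$KeyName)
    if ($KeyName -match '^(\d+)\.(\d+)\.(\d+)_(\d+)$') {
        return [Version]('{0}.{1}.{2}.{3}' -f $Matches[1], $Matches[2], $Matches[3], $Matches[4])
    }
    return $null
}

$installs = foreach ($root in $roots) {
    if (-not (Test-Path -Path $root)) { continue }
    foreach ($key in Get-ChildItem -Path $root) {
        $ver = ConvertTo-JavaVersion $key.PSChildName
        if ($ver -eq $null) { continue }
        $javaHome = (Get-ItemProperty -Path $key.PSPath).JavaHome
        New-Object PSObject -Property @{
            Kind     = if ($root -like '*Development Kit*') { 'JDK' } else { 'JRE' }
            Bitness  = if ($root -like '*Wow6432Node*') { 'x86 (WOW64)' } else { 'native' }
            Version  = $ver
            JavaHome = $javaHome
            # A registry key can outlive the files; confirm the runtime is really still on disk.
            OnDisk   = ($javaHome -ne $null) -and (Test-Path -Path (Join-Path $javaHome 'bin\java.exe'))
        }
    }
}

if (-not $installs) { 'No Sun/Oracle Java found in the registry.'; return }

# Newest build present on this machine. Still compare it with Oracle's current CPU:
# the newest local version can itself be past the end of public updates.
$newest = ($installs | Sort-Object Version -Descending | Select-Object -First 1).Version

$installs | Sort-Object Version -Descending | ForEach-Object {
    $verdict = if ($_.Version -lt $newest) { 'REMOVE: older than newest installed' }
               else { 'keep (verify against current CPU)' }
    '{0,-3} {1,-11} {2,-10} {3,-5} {4,-40} {5}' -f $_.Kind, $_.Bitness, $_.Version, $_.OnDisk, $_.JavaHome, $verdict
}
```

Run it in an elevated PowerShell on a sample of workstations before the upgrade project starts; a "REMOVE" line whose OnDisk column is False is a leftover registration from an uninstall that did not clean up, which is cheap to delete and otherwise keeps showing up in software inventories.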

  11. Updating Java Apps
  • Oracle: “the latest available [Java] version is always compatible with older versions.”
  • Don’t demand a specific version in your code
  • Don’t use low-level sun.misc or com.sun classes (not guaranteed to be consistent between different JRE versions)
  • No “version lie” available à la Windows shims
  • Ideally, updating Java should be as uneventful as applying Windows patches

  12. Topic: Carrying old IE settings forward

  13. Making IE work “like it used to”: things we have observed customers doing
  • Copying IE settings from older versions
    • Using .reg files
    • Using Internet Explorer Maintenance
  • Turning off Protected Mode (or UAC)
  • Turning off Data Execution Prevention (DEP, a.k.a. NX)

  14. Copying preserved legacy settings… Importing custom registry files
  regedit /s ie-settings.reg

  Windows Registry Editor Version 5.00

  ; Zone 2 = Trusted Sites. Value data: 0 = Enable, 1 = Prompt, 3 = Disable.
  ; Value names as documented in KB 182569 (comments added to the slide's file):
  ; 1001 download signed ActiveX, 1004 download unsigned ActiveX, 1200 run ActiveX and plug-ins,
  ; 1201 initialize and script ActiveX not marked as safe, 1206 script the IE WebBrowser control,
  ; 1207 reserved, 1400 active scripting, 1402 scripting of Java applets, 1405 script ActiveX
  ; marked safe for scripting, 1406 access data sources across domains, 1407 programmatic
  ; clipboard access, 1601 submit non-encrypted form data, 1604 font download, 1605 run Java,
  ; 1606 userdata persistence, 1607 navigate sub-frames across different domains.
  ; Net effect: everything Enabled, with unsigned-ActiveX download and unsafe-ActiveX
  ; scripting at Prompt, i.e. the pre-IE7 Trusted Sites profile carried forward.
  [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
  "1001"=dword:00000000
  "1004"=dword:00000001
  "1200"=dword:00000000
  "1201"=dword:00000001
  "1206"=dword:00000000
  "1207"=dword:00000000
  "1400"=dword:00000000
  "1402"=dword:00000000
  "1405"=dword:00000000
  "1406"=dword:00000000
  "1407"=dword:00000000
  "1601"=dword:00000000
  "1604"=dword:00000000
  "1605"=dword:00000000
  "1606"=dword:00000000
  "1607"=dword:00000000

  15. Copying preserved legacy settings… Internet Explorer Maintenance (IEM)
  NOTE: IEM is gone in Windows 8!

  16. Default security has improved…
  IEZoneAnalyzer: http://blogs.technet.com/b/fdcc/archive/2011/09/22/iezoneanalyzer-v3-5-with-zone-map-viewer.aspx

  17. Turning off Protected Mode to fix apps
  • PM enabled in Internet and Restricted Sites; disabled in Intranet and Trusted Sites
  • Severely restricts ability to write to file system / registry
  • PM can be turned on/off per security zone
  • Turning off UAC turns off Protected Mode globally
  • Can break apps based on mobile code (Java / ActiveX)
    • These apps should be in Intranet or Trusted Sites
    • Make sure sites are mapped appropriately!
  → Do not turn off PM in the Internet zone!
  → Do not turn off UAC!

  18. Turning off DEP/NX to fix apps
  • “DEP causes apps to crash”
    • Feature, not a bug
    • Blocks execution from data pages and other non-executable memory
    • Better to crash than to execute evil code
    • Blocks many popular hacker techniques
  • Three kinds of DEP crash, by what the non-executable memory being jumped to contains:
    • Malicious code
    • Non-malicious code
    • Garbage
  • In IE, almost always triggered by add-ons
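Slides 13 through 18 describe settings that get carried forward in .reg files or IEM, but the talk does not show how to find them on a fleet. The script below is an added example, not from the session or from IEZoneAnalyzer: it reads the current user's zone values for the three settings that matter most here (unsafe-ActiveX scripting, unsigned ActiveX download, Protected Mode), honours Group Policy precedence, and then checks the two DEP switches. Value names and their data (0 Enable, 1 Prompt, 3 Disable) are the ones documented in KB 182569; that the DEPOff value under Internet Explorer\Main is what the "Enable memory protection" checkbox sets is an assumption of this example. The .reg file in slide 14 would come out of this check with a "Prompt" row flagged Risky for Trusted Sites.

```powershell
# Added example: audit risky IE zone values (KB 182569 names/data) and the DEP switches.
$zoneNames  = @{ 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
$stateNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Each check: setting name, its DWORD under the zone key, and when its value is risky in zone $z.
$checks = @(
    # Anything other than Disable, in any zone (the slide-14 .reg sets this to Prompt).
    @{ Setting = 'Initialize and script ActiveX not marked as safe'; Id = '1201'; Risky = { param($v, $z) $v -ne 3 } },
    @{ Setting = 'Download unsigned ActiveX controls';              Id = '1004'; Risky = { param($v, $z) $v -ne 3 } },
    # Protected Mode turned off (3) in Internet or Restricted Sites.
    @{ Setting = 'Turn on Protected Mode';                          Id = '2500'; Risky = { param($v, $z) $z -ge 3 -and $v -eq 3 } }
)

$userZones   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$policyZones = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

function Get-RegDword {
    param([string]$Key, [string]$Name)
    # $null when the key or the value is absent, so callers can fall back to the next source.
    (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
}

$findings = foreach ($zone in 1..4) {
    foreach ($c in $checks) {
        # Group Policy (HKCU\...\Policies) wins over the user's own zone key.
        $fromPolicy = Get-RegDword "$policyZones\$zone" $c.Id
        $effective  = if ($fromPolicy -ne $null) { $fromPolicy } else { Get-RegDword "$userZones\$zone" $c.Id }
        if ($effective -eq $null) { continue }   # not present: IE's built-in default applies
        New-Object PSObject -Property @{
            Zone    = $zoneNames[$zone]
            Setting = $c.Setting
            Value   = if ($stateNames.ContainsKey([int]$effective)) { $stateNames[[int]$effective] } else { $effective }
            Source  = if ($fromPolicy -ne $null) { 'Group Policy' } else { 'User' }
            Risky   = [bool](& $c.Risky ([int]$effective) $zone)
        }
    }
}

$findings | Sort-Object Zone, Setting | Format-Table Zone, Setting, Value, Source, Risky -AutoSize

# DEP: the per-user IE checkbox (assumed to be DEPOff = 1 when unchecked) and the machine-wide
# policy, where DataExecutionPrevention_SupportPolicy is 0 AlwaysOff, 1 AlwaysOn, 2 OptIn, 3 OptOut.
if ((Get-RegDword 'HKCU:\Software\Microsoft\Internet Explorer\Main' 'DEPOff') -eq 1) {
    Write-Warning 'IE "Enable memory protection" (DEP/NX) is turned off for this user.'
}
if ((Get-WmiObject -Class Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy -eq 0) {
    Write-Warning 'System DEP policy is AlwaysOff; no process, IE included, can opt in.'
}
# With "Security Zones: Use only machine settings" on, the values that count live under HKLM.
if ((Get-RegDword 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings' 'Security_HKLM_only') -eq 1) {
    Write-Warning 'Security_HKLM_only is set; repeat the zone checks against HKLM instead of HKCU.'
}
```

A row with Source = User is something a .reg import or a stale profile left behind and can be fixed by resetting the zone; a row with Source = Group Policy means somebody codified the old setting, which is the harder conversation the session is about.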

  19. Topic: Using unsafe ActiveX in web apps

  20. ActiveX
  • Software re-use technology built on COM and OLE
    • Scriptable interfaces ([OLE] Automation)
  • IE’s “plug-in” model
    • Overcome the limitations of mid-1990s HTML
  • “Safe for Scripting”
    • Assertion by the control that it can’t harm the user
    • Must assert or IE won’t load it…
    • …unless security is relaxed

  21. “Initialize and script ActiveX controls not marked as safe for scripting”
  • Per-zone security setting
  • Disabled in all zones (except Computer zone)
  • MS and govt security guidance mandates disabling only in the Internet zone

  22. Not Safe for Scripting
  • Microsoft Word
  • Windows Script Host
  • Scripting components (incl. FileSystemObject)
  • Can’t enable one without enabling all
  • Can’t enable for one site in a zone without enabling all
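The "safe for scripting" assertion from slide 20 is something you can look up rather than guess at. The script below is an added example, not from the session: it resolves a ProgID to its CLSID and reports whether the class registers the two documented component categories, CATID_SafeForScripting and CATID_SafeForInitializing, under Implemented Categories. The caveat a practitioner needs: a control may instead answer through IObjectSafety at run time, so "no category" means "makes no registry claim", not "proven unsafe". The ProgID list is this example's own, taken from the slide-22 bullets plus MSXML's XMLHTTP object for contrast.

```powershell
# Added example: what does a COM object claim about its own safety for use from page script?
# Claims live as component categories under HKCR\CLSID\{clsid}\Implemented Categories.
# A control can also answer at run time via IObjectSafety, so an absent category is not
# proof of unsafety. When the zone setting "Initialize and script ActiveX controls not
# marked as safe" is enabled, IE stops asking either way and every ProgID here is reachable.
$CATID_SafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$CATID_SafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'

function Get-ComSafetyClaim {
    param([Parameter(Mandatory = $true)][string]$ProgId)
    $clsidKey = "Registry::HKEY_CLASSES_ROOT\$ProgId\CLSID"
    if (-not (Test-Path -Path $clsidKey)) {
        return New-Object PSObject -Property @{ ProgId = $ProgId; Registered = $false }
    }
    $clsid      = (Get-ItemProperty -Path $clsidKey).'(default)'
    $categories = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\Implemented Categories"
    New-Object PSObject -Property @{
        ProgId              = $ProgId
        Registered          = $true
        Clsid               = $clsid
        SafeForScripting    = Test-Path -Path "$categories\$CATID_SafeForScripting"
        SafeForInitializing = Test-Path -Path "$categories\$CATID_SafeForInitializing"
    }
}

# The slide-22 examples (WSH, the scripting runtime, Word) plus MSXML's XMLHTTP object, which
# Internet-zone pages script every day; if it shows no category, it is answering via IObjectSafety.
'WScript.Network', 'WScript.Shell', 'Scripting.FileSystemObject', 'Word.Application', 'Msxml2.XMLHTTP.6.0' |
    ForEach-Object { Get-ComSafetyClaim -ProgId $_ } |
    Format-Table ProgId, Registered, SafeForScripting, SafeForInitializing -AutoSize
```

Registered = False for Word.Application simply means Office is not installed on the machine you ran it on; the slide's point is that on the machines where it is, relaxing the zone setting hands every one of these objects to any page in that zone.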

  23. Why Ever Relax This Setting?
  • Limitations of straight HTML until recently
    • Creation of Word and Excel documents
  • Hasn’t always been forbidden: Trusted Sites before IE7
  • “Prompt” is pretty much “Yes”

  24. Thought Experiment…
  • Greedy or disgruntled in-house web developer
    • Has no access to users’ computers
    • Just creates content for the org’s internal home page
  • If unsafe ActiveX disabled… can’t do much
  • If unsafe ActiveX enabled…
    • Change a few lines in a script file (EXTREMELY EASY)
    • Gain full control over site visitors’ user accounts
    • Change it back a few days later
    • Good luck finding the root cause

  25. “We’ve Had It Enabled With No Problems.”
  • How can you be sure?
  • How long until something does happen?
  • Always-increasing concerns (and sophistication):
    • Insider attacks
    • Targeted attacks
    • “Advanced Persistent Threats” (APTs)

  26. OK – How Do We Fix This?
  • Depends on the app
  • Example: “WScript.Network” → UserName
    • Capture it on the server (Windows authentication)
    • Make the user type it once, then save it
    • Custom ActiveX
  • Most common example: Office automation
    • Create on the server with Office Open XML
    • Custom ActiveX

  27. Build a Custom ActiveX? Seriously?
  • Encapsulate the logic in the web page in a custom control
  • Minimal external interfaces
  • Consider further lockdown: SiteLock and/or per-site ActiveX
  • Minimal change to existing web app architecture
  • Short-term bridge

  28. Allowing the use of unsafe ActiveX
  Web page script creates the unsafe component directly:
    <script language="vbscript">
      Set obj = CreateObject("UnsafeActiveX")
      obj.DoStuff("Fun stuff")
    </script>
  [Web page] → [Unsafe ActiveX component]

  29. Not allowing the use of unsafe ActiveX
  Web page script creates only the safe-for-scripting wrapper; the wrapper, not the page, instantiates the unsafe component:
    <script language="vbscript">
      Set obj = CreateObject("SafeActiveX")
      obj.DoStuff("Useful stuff")
    </script>
  [Web page] → [Safe-for-scripting ActiveX component] → [Unsafe ActiveX component]

  30. How Can I Build an ActiveX Today?
  • Fully supported: Visual C++
    • ActiveX Template Library (ATL) helps
    • Obvious drawbacks
  • Fastest and easiest solution: Visual Basic 6
    • Yes, I am dead serious
    • Most productive way to build simple ActiveX
    • Easiest way to automate Office apps
    • Lots more people know VB6 than C++
    • Support? It’s not completely unsupported

  31. Demo: Using an unsafe ActiveX in a web app… then FIXING it!

  32. Partner: Browsium Ion. Matt Heller (CEO) and Matt Crowley (CTO), Browsium, Inc.

  33. In Review – Session Objectives and Takeaways
  Now I can:
  • Identify risky practices in web applications: Java, misconfiguring IE settings, unsafe ActiveX
  • Persuade others of the importance of making necessary changes
  • Articulate options

  34. References
  • Alert: Java’s Forward-Compatibility Promise Has Been Revised: http://blogs.technet.com/b/fdcc/archive/2011/10/18/alert-java-s-forward-compatibility-promise-has-been-revised.aspx
  • Understanding DEP/NX: http://blogs.msdn.com/b/ieinternals/archive/2009/10/10/understanding-data-execution-prevention-crashes-in-ie8.aspx
  • Enabling “Initialize and script ActiveX controls not marked as safe” in ANY zone can get you hurt, bad: http://blogs.technet.com/b/fdcc/archive/2011/11/03/enabling-initialize-and-script-activex-controls-not-marked-as-safe-in-any-zone-can-get-you-hurt-bad.aspx
  • Security Intelligence Report: http://www.microsoft.com/security/sir/default.aspx

  35. Resources
  • Learning: Microsoft Certification & Training Resources, www.microsoft.com/learning
  • TechNet, resources for IT Professionals: http://microsoft.com/technet
  • MSDN, resources for Developers: http://microsoft.com/msdn
  • Connect. Share. Discuss.: http://northamerica.msteched.com

  38. © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.