Friday, November 5, 2010

Internet Explorer CSS Tag Parsing Code Execution Vulnerability

Yet another IE Code Execution Vulnerability:

Description:

Internet Explorer, Microsoft's flagship browser, is susceptible to a memory corruption vulnerability. The code responsible for parsing cascading stylesheet (CSS) tags can be made to overwrite a pointer to a virtual function, potentially resulting in code execution.
The beta version of Internet Explorer 9 is not susceptible, but other versions are. An attacker must entice a target to view a malicious site in order to exploit this vulnerability, which can be used to execute arbitrary code on the target's machine. No updates are currently available for this vulnerability, which is being actively exploited in the wild.

Status: vendor confirmed, updates not available

References:


Again, why are you still using IE?  Really, why?

-Bob

Thursday, July 29, 2010

Amazon S3 IP Blocks

Today I needed to help a customer that uses Amazon S3 for offsite backups (using duplicity). Up until now they had been accessing S3 through a squid proxy to get the data to and from S3. This enables them to limit the outgoing HTTP connections from their hosts.

Recently, they discovered that the performance of backups has been highly variable and restores are extremely slow. In testing today we found that performance through the proxy (with just duplicity) was much slower than it was going direct to S3. Of course, this now caused some problems with firewall configuration. In order to try to limit access, we need to find the IP addresses that are used by S3. Unfortunately, this does not appear to be an easy task. Google was not immediately helpful.

I then started looking at DNS. It appears that *.s3.amazonaws.com goes through a number of CNAME records before arriving at an IP address. The last step along the way appears to be one of three host names:

  1. s3-1-w.amazonaws.com.
  2. s3-2-w.amazonaws.com.
  3. s3-3-w.amazonaws.com.

It appears that each of these host names resolves to IP addresses in different blocks.  By running whois queries against an IP address in each block I was able to discover the following blocks:

  1. 72.21.192.0/19
  2. 87.238.80.0/21
  3. 207.171.160.0/19

For now, this is good enough...

-Bob
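
An added example (not part of the original post): a small Python check for the S3 allowlist described above, which renders egress rules for the three blocks and flags any resolved address that falls outside them. The sample addresses are constructed, and the port and the iptables-restore rule format are assumptions.

```python
import ipaddress
import socket

# CIDR blocks from the post (found via whois in 2010; treat as a snapshot).
S3_BLOCKS = [ipaddress.ip_network(b) for b in
             ("72.21.192.0/19", "87.238.80.0/21", "207.171.160.0/19")]

# Constructed sample answers; the last one is a documentation address (TEST-NET-3)
# standing in for an endpoint that has moved outside the allowlist.
SAMPLE_ANSWERS = ["72.21.207.10", "87.238.84.5", "207.171.189.1", "203.0.113.7"]


def resolve_ipv4(hostname, port=443):
    """Live lookup: IPv4 addresses the name resolves to right now (needs network)."""
    infos = socket.getaddrinfo(hostname, port, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def classify(addresses, blocks=S3_BLOCKS):
    """Map each address to the allowlisted block that contains it, or None."""
    result = {}
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        result[addr] = next((str(net) for net in blocks if ip in net), None)
    return result


def uncovered(addresses, blocks=S3_BLOCKS):
    """Addresses the firewall would drop because no allowlisted block covers them."""
    return [a for a, block in classify(addresses, blocks).items() if block is None]


def egress_rules(blocks=S3_BLOCKS, port=443):
    """Render iptables-restore style egress rules; port 443 is an assumption."""
    return [f"-A OUTPUT -p tcp -d {net} --dport {port} -j ACCEPT" for net in blocks]


if __name__ == "__main__":
    for line in egress_rules():
        print(line)
    for addr, block in classify(SAMPLE_ANSWERS).items():
        print(f"{addr:15} -> {block or 'NOT COVERED: re-check whois and update rules'}")
```

Feeding `resolve_ipv4()` output for the three host names into `uncovered()` on a schedule turns a silent backup failure into an alert when the provider's address ranges change.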

Tuesday, August 11, 2009

The Perseids are Coming


From: http://science.nasa.gov/headlines/y2009/31jul_perseids2009.htm

For sky watchers in North America, the watch begins after nightfall on August 11th and continues until sunrise on the 12th. Veteran observers suggest the following strategy: Unfold a blanket on a flat patch of ground. (Note: The middle of your street is not a good choice.) Lie down and look up. Perseids can appear in any part of the sky, their tails all pointing back to the shower's radiant in the constellation Perseus. Get away from city lights if you can.


-Bob

Thursday, December 11, 2008

A couple of Microsoft Zero Day Vulnerabilities

For those still using Internet Explorer for regular web browsing, you need to read this:

From the "@RISK: The Consensus Security Vulnerability Alert - Week 50 2008"


(1) CRITICAL: Microsoft Internet Explorer Remote Code Execution Vulnerability (0day)

Affected:

Microsoft Internet Explorer 7 and possibly prior

Description: Microsoft Internet Explorer contains a remote code execution vulnerability in its handling of certain XML structures. A specially crafted web page can result in remote code execution with the privileges of the current user. This vulnerability is currently being exploited in the wild, and is reportedly not mitigated by the most recent Microsoft patches. No further technical details are publicly available for this vulnerability.

Status: Vendor confirmed, no updates available.

References:

Microsoft Security Advisory

http://www.microsoft.com/technet/security/advisory/961051.mspx

SecurityFocus BID

http://www.securityfocus.com/bid/32721

US-CERT Vulnerability Note

http://www.kb.cert.org/vuls/id/493881

Network World Article

http://www.networkworld.com/news/2008/120908-new-web-attack-exploits-unpatched.html?fsrc=rss-security

***********************************************

(2) CRITICAL: Microsoft WordPad Text Converter Remote Code Execution (0day)

Affected:

Microsoft Windows XP prior to Service Pack 3.

Description: Microsoft WordPad is a Rich Text Format (RTF) editor included by default in Microsoft Windows. It is the default viewer for RTF files. It contains a flaw in its Text Converter component. A specially crafted RTF document could trigger this vulnerability, allowing an attacker to execute arbitrary code with the privileges of the current user. This vulnerability is being actively exploited in the wild and is reportedly not mitigated by the most recent set of Microsoft patches.

Status: Vendor confirmed, no updates available.

References:

Microsoft Security Advisory

http://www.microsoft.com/technet/security/advisory/960906.mspx

US-CERT Vulnerability Note

http://www.kb.cert.org/vuls/id/926676

SecurityFocus BID

http://www.securityfocus.com/bid/32718


So why aren't you using something else? If you didn't know, there's Chrome, Firefox, Opera, and Safari available for Windows users, among others. The excuse that "I need IE for site X" may be valid for site X, but, why are you using it for everything else?


-Bob

Friday, October 10, 2008

How to set size limits for messages in Exchange Server

I was asked by a customer today how to configure the SMTP message size limit in Exchange. Here is what I found: http://support.microsoft.com/kb/322679

-Bob

Saturday, June 28, 2008

BlueScreen Saver...

This has got to be one of the funniest screen savers there ever was, BlueScreen. Of all places, this one comes from Microsoft (http://technet.microsoft.com/en-us/sysinternals/bb897558.aspx).

One of the "Top 10 Harmless Geek Pranks".

-Bob

Saturday, June 14, 2008

Footpeg springs for the Oset

I had enough of watching how frustrated my son got with the foot pegs on his Oset. Frequently, as he picked up his feet, they would brush by the foot pegs and one (or both) of the foot pegs would stick in the folded position. Often this would occur just as he was about to enter a section. This would cause him to stop and reset the pegs before continuing. Here's how the foot pegs look on a stock bike:


Obviously, something had to be done...

A trip to the hardware store was in order to find some suitable springs. After a bit of searching, I found these:




Back at home, it was time to figure out how to put these in place. I started by drilling a hole in the leading edge of each foot peg (see red arrow). The hole was just slightly larger than the wire diameter of the springs. The hole was positioned so that the straight part of the spring would reach to the inner end of the plate portion of the foot peg (see the yellow arrow):




For the other end of the spring, I drilled a hole in the frame just below the foot peg mount. To test this idea I used a ring terminal electrical connector:




I removed the insulation and threaded the other end of the spring (the end with the loop like a key ring) on to the ring terminal. The ring portion of the ring terminal was "bolted" to the frame using the hole I had drilled just below the foot peg mount. Here are the results:




This was done with just a drill and common hand tools. If I had a welder, I would have welded a small loop to the frame just below the foot peg mount. This would be much more solid than the current configuration.



So far, this has held up through two events. I've lost count of the number of times the bike has fallen over. Only once did I have to crimp one of the ring terminals back together.

Total cost: about $4.

If you have any suggestions for improvements, please let me know!

-Bob