
Defense Against the Dark Ages: Your Old Web Apps Are Trying to Kill You Aaron Margosis Principal Consultant Microsoft Corporation SIA324





Session Objectives and Takeaways

After this session, I can:
- Identify risky practices in your web applications
- Persuade managers/developers of the importance of making necessary changes
- Articulate options

Scenarios:
- Windows / IE upgrade
- Fixing security issues

The Sysinternals Administrator’s Reference
The official guide to the Sysinternals tools

- Covers every tool, every feature, with tips
- Written by Mark Russinovich and Aaron Margosis
- Full chapters on the major tools: Process Explorer, Process Monitor, Autoruns
- Other chapters by tool group: security, process, AD, desktop, …

Book signings with Mark and Aaron
- Wed. and Thurs., 11:30am, TechEd bookstore
- Mark will also be signing Zero Day and Windows Internals 6th Ed. Pt. 1


Dumb Risk: Carrying old IE settings forward

High Risk: Insisting on old versions of Java

Insidious Risk: Relying on ActiveX not intended for browser use


Java past its sell-by date

Java’s Forward Compatibility Promise

Write once, work forever
- Multiple JRE versions installed side by side
- Older versions do not get removed
- Program can pick any version it needs
  - Always uses the version it was developed/tested with
  - Always works the way it did when written

Write once, hack forever
- Multiple JRE versions installed side by side
- Vulnerabilities do not get fixed
- Malware can pick any version it needs
  - Always uses the version it was developed/tested with
  - Always works the way it did when written

Risks of Retaining Older Java Versions
- Many JRE updates contain Critical Patch Updates
- Cannot retain older versions and be protected
- New vulns may also apply to older, unsupported versions
- Java support lifecycle is short
  - Public support for Java SE 5.0 (a.k.a. 1.5) ended October 2009
  - Public support for Java SE 6.0 (a.k.a. 1.6) ends November 2012
  - Java 7: GA July 2011, EOL July 2014


Most Widely Attacked Component on Windows
- Early 2010: Symantec reports a notable rise in Java vulns through 2009
- Late 2010: Microsoft sees a large spike in actual attempted exploits
- Latest MS SIRs see the high level continue through 2011, increasing in the last half

“Can we standardize on JRE 1.6 Update 17?”

128 separate vulnerabilities fixed since then:
- March 2010, affecting Update 18 and earlier (27 fixes)
- October 2010, affecting Update 21 and earlier (29 fixes)
- February 2011, affecting Update 23 and earlier (21 fixes)
- June 2011, affecting Update 25 and earlier (17 fixes)
- October 2011, affecting Update 27 and earlier (20 fixes)
- February 2012, affecting Update 30 and earlier (14 fixes)

Plus: versions before Update 24 are incompatible with IE9

What Does Oracle Say?

We highly recommend users remove all older versions of Java from your system.

Keeping old and unsupported versions of Java on your system presents a serious security risk.


Updating Java Apps
- Oracle: “the latest available [Java] version is always compatible with older versions.”
- Don’t demand a specific version in your code
- Don’t use low-level sun.misc or com.sun classes (not guaranteed to be consistent between different JRE versions)
- No “version lie” available à la Windows shims
- Ideally, updating Java should be as uneventful as applying Windows patches


Carrying old IE settings forward

Making IE work “like it used to”
Things we have observed customers doing:
- Copying IE settings from older versions
  - Using .reg files
  - Using Internet Explorer Maintenance
- Turning off Protected Mode (or UAC)
- Turning off Data Execution Prevention (DEP, a.k.a. NX)

Copying preserved legacy settings… Importing custom registry files

regedit /s ie-settings.reg

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1001"=dword:00000000
"1004"=dword:00000001
"1200"=dword:00000000
"1201"=dword:00000001
"1206"=dword:00000000
"1207"=dword:00000000
"1400"=dword:00000000
"1402"=dword:00000000
"1405"=dword:00000000
"1406"=dword:00000000
"1407"=dword:00000000
"1601"=dword:00000000
"1604"=dword:00000000
"1605"=dword:00000000
"1606"=dword:00000000
"1607"=dword:00000000

Copying preserved legacy settings… Internet Explorer Maintenance (IEM)

NOTE: IEM is gone in Windows 8!

Turning off Protected Mode to fix apps
- PM enabled in Internet and Restricted Sites; disabled in Intranet and Trusted Sites
- Severely restricts ability to write to file system / registry
- PM can be turned on/off per security zone
- Turning off UAC turns off Protected Mode globally
- Can break apps based on mobile code (Java / ActiveX)
- These apps should be in Intranet or Trusted Sites; make sure sites are mapped appropriately!

Do not turn off PM in the Internet zone! Do not turn off UAC!
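Before a legacy .reg file like the one above is pushed out again, it is worth auditing it offline for the settings this deck warns about. The script below is an added example written for this page; it is not the presenter's code or a Microsoft tool. It parses the Zones keys of a .reg export and flags: “Initialize and script ActiveX controls not marked as safe” (value 1201) set to anything other than Disable in any zone, unsigned ActiveX download (1004) not disabled, and Protected Mode (2500) switched off in the Internet or Restricted Sites zones. Value names and the Enable/Prompt/Disable encoding (0/1/3) follow the documented Internet Settings\Zones layout; the sample input is the Trusted Sites export from the slide plus a constructed Internet-zone key.

```python
"""Audit an exported IE zone-settings .reg file for the risky values this deck describes.

Added example for this page, not part of the original slides or any Microsoft tool.
Assumptions: value names 1004/1201/2500 and the 0 = Enable, 1 = Prompt, 3 = Disable
encoding follow the documented Internet Settings\\Zones layout; zone 2 is Trusted Sites,
zone 3 is Internet, zone 4 is Restricted Sites.
"""
import re

ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}
ENABLE, PROMPT, DISABLE = 0, 1, 3

KEY_RE = re.compile(r"^\[HKEY_[^\]]*\\Internet Settings\\Zones\\(\d)\]$")
VAL_RE = re.compile(r'^"(\d{4})"=dword:([0-9a-fA-F]{8})$')


def parse_reg(text):
    """Return {zone_number: {value_name: int}} for the Zones keys in a .reg export."""
    zones, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = int(m.group(1))
            zones.setdefault(current, {})
            continue
        if line.startswith("["):
            current = None  # some other key: ignore its values
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            zones[current][m.group(1)] = int(m.group(2), 16)
    return zones


def load_reg(path):
    """Read a regedit export; regedit writes UTF-16 with a BOM (assumption: unmodified export)."""
    with open(path, encoding="utf-16") as fh:
        return parse_reg(fh.read())


def audit(zones):
    """Return findings as (zone, value_name, setting, reason), most dangerous settings first."""
    findings = []
    for zone, values in sorted(zones.items()):
        name_of = ZONES.get(zone, "zone %d" % zone)
        for name, val in sorted(values.items()):
            if name == "1201" and val != DISABLE:
                # "Prompt" is pretty much "Yes": anything but Disable counts, in every zone
                findings.append((zone, name, val,
                                 "unsafe-for-scripting ActiveX allowed in " + name_of))
            elif name == "1004" and val != DISABLE:
                findings.append((zone, name, val,
                                 "unsigned ActiveX download allowed in " + name_of))
            elif name == "2500" and zone in (3, 4) and val == DISABLE:
                findings.append((zone, name, val, "Protected Mode off in " + name_of))
    return findings


# Sample input: the Trusted Sites (zone 2) export shown on the slide, plus a constructed
# Internet-zone (zone 3) key that switches Protected Mode off.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1001"=dword:00000000
"1004"=dword:00000001
"1200"=dword:00000000
"1201"=dword:00000001
"1206"=dword:00000000
"1207"=dword:00000000
"1400"=dword:00000000
"1402"=dword:00000000
"1405"=dword:00000000
"1406"=dword:00000000
"1407"=dword:00000000
"1601"=dword:00000000
"1604"=dword:00000000
"1605"=dword:00000000
"1606"=dword:00000000
"1607"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1201"=dword:00000003
"2500"=dword:00000003
"""

if __name__ == "__main__":
    for zone, name, val, reason in audit(parse_reg(SAMPLE_REG)):
        print("zone %d  %s=%d  %s" % (zone, name, val, reason))
```

On the slide's own export the audit reports two findings in Trusted Sites (1004 and 1201 both set to Prompt, the pre-IE7 Trusted Sites defaults) and one for the constructed Internet-zone key; run it against a real export with load_reg(path).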

Turning off DEP/NX to fix apps

“DEP causes apps to crash”
- Feature, not a bug
- Blocks execution from data or other non-execute areas
- Better to crash than to execute evil code
- Blocks many popular hacker techniques

Three cases, depending on what the memory contains:
- Malicious code
- Non-malicious code
- Garbage

In IE, almost always triggered by add-ons


Using unsafe ActiveX in web apps

- Software re-use technology built on COM and OLE
- Scriptable interfaces ([OLE] Automation)
- IE’s “plug-in” model
- Overcome the limitations of mid-1990s HTML

“Safe for Scripting”
- Assertion by the control that it can’t harm the user
- Must assert or IE won’t load it…
- …unless security is relaxed

“Initialize and script ActiveX controls not marked as safe for scripting”
- Per-zone security setting
- Disabled in all zones (except Computer zone)
- MS and govt security guidance mandates disabling only in the Internet zone

Not Safe for Scripting:
- Microsoft Word
- Windows Script Host
- Scripting components (incl. FileSystemObject)

- Can’t enable one without enabling all
- Can’t enable for one site in a zone without enabling all

Why Ever Relax This Setting?
- Limitations of straight HTML until recently
- Creation of Word and Excel documents
- Hasn’t always been forbidden: Trusted Sites before IE7

“Prompt” is pretty much “Yes”

Thought Experiment…
- Greedy or disgruntled in-house web developer
- Has no access to users’ computers
- Just creates content for org’s internal home page
- If unsafe ActiveX disabled… can’t do much
- If unsafe ActiveX enabled…
  - Change a few lines in a script file (EXTREMELY EASY)
  - Gain full control over site visitors’ user accounts
  - Change it back a few days later
- Good luck finding the root cause

“We’ve Had It Enabled With No Problems.”
- How can you be sure?
- How long until something does happen?
- Always-increasing concerns (and sophistication):
  - Insider attacks
  - Targeted attacks
  - “Advanced Persistent Threats” (APTs)

OK – How Do We Fix This?

Depends on the app.

Example: “WScript.Network” UserName
- Capture it on the server (Windows authentication)
- Make the user type it once, then save it
- Custom ActiveX

Most common example: Office automation
- Create on the server with Office OpenXML
- Custom ActiveX

Build a Custom ActiveX? Seriously?
- Encapsulate the logic in the web page in a custom control
- Minimal external interfaces
- Consider further lockdown: SiteLock and/or per-site AX
- Minimal change to existing web app architecture
- Short term bridge

Allowing the use of unsafe ActiveX (the page scripts the unsafe control directly):

<script language="vbscript">
Set obj = CreateObject("UnsafeActiveX")
obj.DoStuff("Fun stuff")
</script>

Web page → Unsafe ActiveX

Not allowing the use of unsafe ActiveX (the page scripts a safe-for-scripting component that wraps the unsafe control):

<script language="vbscript">
Set obj = CreateObject("SafeActiveX")
obj.DoStuff("Useful stuff")
</script>

Web page → Safe-for-scripting ActiveX component → Unsafe ActiveX
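Fixing an app this way starts with finding every place the page scripts a control that is not marked safe for scripting. The scanner below is an added example written for this page, not the presenter's code; it searches web-page source for VBScript CreateObject/GetObject and JScript new ActiveXObject calls and reports the ProgIDs the deck names as not safe for scripting (Word and Excel automation, Windows Script Host, WScript.Network, FileSystemObject). The ProgID list is a starting point you extend for your own environment; anything not on it is listed separately for manual review. The sample page is constructed from the slide's snippet plus a WScript.Network UserName lookup.

```python
"""Find scripted COM objects in web-page source that only work with
"Initialize and script ActiveX controls not marked as safe for scripting" enabled.

Added example for this page, not the presenter's code. The ProgID table is a
starting point drawn from the deck's examples (assumption: extend it per environment).
"""
import re

# ProgIDs the deck names as not safe for scripting (not an exhaustive list).
NOT_SAFE_FOR_SCRIPTING = {
    "word.application": "Microsoft Word automation",
    "excel.application": "Microsoft Excel automation",
    "wscript.shell": "Windows Script Host shell",
    "wscript.network": "Windows Script Host network (UserName etc.)",
    "scripting.filesystemobject": "FileSystemObject",
}

# VBScript CreateObject("ProgID") / GetObject("ProgID") and JScript new ActiveXObject("ProgID");
# quotes may be straight or smart, since such snippets are often pasted from documents.
CALL_RE = re.compile(
    r'\b(?:CreateObject|GetObject|new\s+ActiveXObject)\s*\(\s*["\'\u201c\u201d]([\w.]+)["\'\u201c\u201d]',
    re.IGNORECASE,
)


def scan_source(text, filename="<input>"):
    """Return (filename, line_no, progid, reason) for each scripted object known to be unsafe."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in CALL_RE.finditer(line):
            progid = m.group(1)
            reason = NOT_SAFE_FOR_SCRIPTING.get(progid.lower())
            if reason:
                findings.append((filename, n, progid, reason))
    return findings


def inventory(text):
    """Return every ProgID the page instantiates, sorted, so unknown controls get a manual look."""
    return sorted({m.group(1) for m in CALL_RE.finditer(text)})


# Constructed sample page: the slide's snippet plus a WScript.Network UserName lookup
# and a JScript FileSystemObject; "UnsafeActiveX" and "SafeActiveX" are the slide's placeholders.
SAMPLE_PAGE = """<html><body>
<script language="vbscript">
Set net = CreateObject("WScript.Network")
document.write "Hello, " & net.UserName
Set obj = CreateObject("UnsafeActiveX")
obj.DoStuff "Fun stuff"
</script>
<script type="text/javascript">
var fso = new ActiveXObject("Scripting.FileSystemObject");
</script>
<script language="vbscript">
Set w = CreateObject("SafeActiveX")
</script>
</body></html>"""

if __name__ == "__main__":
    for fname, line_no, progid, reason in scan_source(SAMPLE_PAGE, "sample.html"):
        print("%s:%d  %s  (%s)" % (fname, line_no, progid, reason))
    print("all scripted ProgIDs:", ", ".join(inventory(SAMPLE_PAGE)))
```

The known-unsafe hits (WScript.Network, Scripting.FileSystemObject) map directly onto the fixes on the previous slide: capture the user name on the server or save it once, and move file and Office work server-side or behind a minimal safe-for-scripting wrapper. The inventory list is where placeholders such as "UnsafeActiveX" surface for a manual check of whether the control really asserts safe-for-scripting.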


How Can I Build an ActiveX Today?

Fully-supported: Visual C++
- ActiveX Template Library (ATL) helps
- Obvious drawbacks

Fastest and easiest solution: Visual Basic 6
- Yes, I am dead serious
- Most productive way to build simple ActiveX
- Easiest way to automate Office apps
- Lots more people know VB6 than C++
- Support? It’s not completely unsupported


Demo: Using an unsafe ActiveX in a web app… then FIXING it!


Matt Heller (CEO) and Matt Crowley (CTO), Browsium, Inc.

Browsium Ion

In Review – Session Objectives and Takeaways

Now I can:
- Identify risky practices in web applications
  - Java
  - Misconfiguring IE settings
  - Unsafe ActiveX
- Persuade others of the importance of making necessary changes
- Articulate options


Alert: Java’s Forward-Compatibility Promise Has Been Revised

Understanding DEP/NX

Enabling “Initialize and script ActiveX controls not marked as safe” in ANY zone can get you hurt, bad.

Security Intelligence Report



© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS