October 23, 2006

You Thought Your Password Requirements Were Tough

I ran across this on the Microsoft support site:

If you log on to an MIT realm, press CTRL+ALT+DELETE, click Change Password, type your existing MIT password, and then type a new, simple password that does not pass the dictionary check in Kadmind, you may receive the following error message:
Your password must be at least 18770 characters and cannot repeat any of your previous 30689 passwords.

Microsoft Knowledge Base Article #276304 [Microsoft.com]

Read More: D' Oh!, Windows

August 11, 2006

Symantec Won’t, Will Whine About Microsoft

News.com brings us two stories about Symantec and Microsoft. The first declares that “Symantec won’t ‘whine’ about Microsoft” and includes statements from Symantec CEO John Thompson like:

We’re not looking to go whining to the EU or the DOJ for anything

Essentially the message is, “we’re not scared of Microsoft entering the security market.” Just making the statement means they are, but that’s another point. What’s even funnier is that in another story on News.com today, they go on to whine about a new Microsoft technology that protects the kernel on 64-bit systems, called PatchGuard:

“patch guard is hurting security vendors more than it is hurting malware writers,” Bruce McCorkendale, a chief engineer at Symantec

The story goes on to say:

Indeed, Symantec is playing the anticompetitive card for the first time. The Cupertino, Calif.-based company had said it would beat Microsoft by using its security wits as long as the competition is fair. Now the fairness seems to be gone, McCorkendale said.

So, in summary Symantec will not whine to the DoJ or EU about Microsoft, just to the press. I for one am ready for Symantec to stop trying to grab headlines about technology that hasn’t hit the street yet and start fixing the problems we have today.

Windows defense handcuffs good guys [news.com]

Symantec won’t ‘whine’ about Microsoft [news.com]

Read More: Anti-Virus, D' Oh!, Windows, Rants

August 1, 2006

Windows Password Security

SecurityFocus has a great article on Windows password security. Among other things, it addresses the real implications of the weaknesses of the LanMan and NTLM password hashes, and a way you can use that to your advantage:

if a password is fifteen characters or longer, Windows does not even store the LanMan hash correctly. This actually protects you from brute-force attacks against the weak algorithm used in those hashes. If your password is 15 characters or longer, Windows stores the constant AAD3B435B51404EEAAD3B435B51404EE as your LM hash, which is equivalent to a null password.

And I remember creating my first Alt+255 password years ago. It was a pain to enter, and the author makes a good point:

It is common to see recommendations to use high-ASCII characters as the ultimate password tip. High-ASCII characters are those that cannot normally be typed on a keyboard but are entered by holding down the ALT key and typing the character’s ASCII value on the numeric keypad. For example, the sequence ALT-0255 creates the character <ÿ>…. creating such a character requires five keystrokes that must be memorized and later typed every time the password is entered. Perhaps a more effective technique would be to make your password five characters longer, which would actually make your password much stronger for the same number of keystrokes.

Might it be time to take a glance at your policy to see if your standards still make sense?
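If you want to see how much of this applies to your own domain, the quickest check is a hash dump. The script below is an added example (not code from the SecurityFocus article or from this blog) that audits a pwdump-style dump for LanMan exposure. It relies on two properties of the LM algorithm: a 15+ character password (or the NoLMHash policy) leaves the constant AAD3B435B51404EEAAD3B435B51404EE in the LM field, and a password of seven characters or fewer leaves that same constant in the second half only, because the padded second 7-byte block is blank. It also includes the keystroke arithmetic from the quote above. The line format (`user:RID:LM:NT:::`) and all sample lines are assumptions constructed for the example; the first sample line uses the widely published hashes of the string "password".

```python
"""Audit a pwdump-style dump for LanMan (LM) hash exposure.

Added example; not from the SecurityFocus article or this blog.
Assumed input format (classic pwdump):  username:RID:LM_hash:NT_hash:::
"""
import math

# LM pads the password to 14 bytes, splits it into two 7-byte halves and
# DES-encrypts a fixed string with each half. A blank half therefore always
# yields the same 8 bytes, and a blank password yields them twice.
LM_NULL_HALF = "AAD3B435B51404EE"
LM_NULL = LM_NULL_HALF * 2          # AAD3B435B51404EEAAD3B435B51404EE

# NT hash (MD4 of the UTF-16LE password) of the empty string.
NT_NULL = "31D6CFE0D16AE931B73C59D7E0C089C0"


def classify_lm(lm_hash):
    """Describe what a stored LM hash gives an attacker."""
    h = lm_hash.strip().upper()
    if h == LM_NULL:
        # LM storage disabled, or password is 15+ characters: nothing to crack.
        return "lm_absent"
    if h[16:] == LM_NULL_HALF:
        # Second half is the blank-padding constant: password is 1-7 chars,
        # so one 7-character DES search recovers the whole thing.
        return "lm_present_short"
    # Two real halves: 8-14 chars, each half cracked independently.
    return "lm_present"


def parse_pwdump_line(line):
    """Split one pwdump line into a record (raises on malformed input)."""
    parts = line.rstrip("\n").split(":")
    if len(parts) < 4 or len(parts[2]) != 32 or len(parts[3]) != 32:
        raise ValueError("not a pwdump line: %r" % line)
    return {"user": parts[0], "rid": int(parts[1]),
            "lm": parts[2].upper(), "nt": parts[3].upper()}


def audit(lines):
    """Classify every account in the dump; comments and blank lines are skipped."""
    report = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        rec = parse_pwdump_line(line)
        rec["lm_status"] = classify_lm(rec["lm"])
        rec["blank_password"] = rec["nt"] == NT_NULL
        report.append(rec)
    return report


def summarize(report):
    """Counts per LM status plus the number of blank passwords."""
    counts = {"lm_absent": 0, "lm_present_short": 0, "lm_present": 0,
              "blank_password": 0}
    for rec in report:
        counts[rec["lm_status"]] += 1
        if rec["blank_password"]:
            counts["blank_password"] += 1
    return counts


def search_space_bits(alphabet_size, length):
    """Bits of brute-force work added by `length` characters from an alphabet.

    The article's point: ALT-0255 costs five keystrokes for one character
    drawn from at most 256 values (8 bits); five ordinary printable
    characters (95 values each) add about 32.8 bits for the same effort.
    """
    return length * math.log2(alphabet_size)


# Constructed sample dump (not a real system). LM/NT hashes for "password"
# on the first line are the widely published values; the rest are made up.
SAMPLE_DUMP = [
    "# constructed sample, not a real dump",
    "Administrator:500:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C:::",
    "svc_backup:1001:0123456789ABCDEFAAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:::",
    "jdoe:1002:AAD3B435B51404EEAAD3B435B51404EE:FEDCBA9876543210FEDCBA9876543210:::",
    "guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::",
]

if __name__ == "__main__":
    for rec in audit(SAMPLE_DUMP):
        flag = " BLANK PASSWORD" if rec["blank_password"] else ""
        print("%-14s %-17s%s" % (rec["user"], rec["lm_status"], flag))
    print(summarize(audit(SAMPLE_DUMP)))
    print("5 printable chars: %.1f bits, one ALT-0255 char: %.1f bits"
          % (search_space_bits(95, 5), search_space_bits(256, 1)))
```

Any account that comes back `lm_present` or `lm_present_short` is being stored in the form the article warns about; the fix is the NoLMHash policy or a 15-character minimum, not a high-ASCII character.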
Ten Windows Password Myths [SecurityFocus]

Read More: Passwords, Authentication, Windows


July 26, 2006

IE7 to be Pushed via Automatic Updates

Internet Explorer 7 will be a huge win for web security, and Microsoft has announced how they will be distributing it:

AU will notify you when IE7 is ready to install. Alternately, you will be able to visit the Windows Update or Microsoft Update sites and obtain IE7 by performing an “Express” scan for high-priority updates. Either way, you will see the welcome screen that allows you to choose whether to install it.

Enterprises will have some ability to control this:

We are also providing a Blocker Toolkit for our enterprise customers who may want to block automatic delivery of IE7 in their organizations; this blocker has no expiration date.

IE7 to be distributed via Automatic Updates [IE Blog on MSDN]

Read More: Patching, Web, Phishing, Windows

Hacking Vista

There seems to be a rash of news reports lately about vulnerabilities in Vista. Maybe it’s a quick way to grab a headline, to beat up the product that promises a better security model but has been delayed endlessly. The attacks are interesting, and reinforce that no new OS will be a fix-all for our security issues.

However, keep in mind that these tests are being run against a beta, and Microsoft has already fixed a number of the issues. I say let them hack away; after all, isn’t that part of why Microsoft made the beta public?

Hacking the Vista Kernel [Dark Reading]

Symantec criticizes Vista’s User Account Control technology [ARS Technica]

Read More: Vulnerabilities, Windows

July 12, 2006

18 Vulnerabilities, 7 Patches, 1 Barrel of Monkeys

July brings fixes for 18 vulnerabilities bundled in 7 patches. July also marks the official end of security support for all Windows 9x products. Let us pause and take a moment of silence for our fallen friends of old…

Now back to our regularly scheduled patch announcement:

  • MS06-033 .NET 2.0 Application Folder Information Disclosure Vulnerability - “could allow an attacker to bypass ASP.Net security and gain unauthorized access to objects in the Application folders explicitly by name.” Yawn.
  • MS06-034 Vulnerability in Microsoft Internet Information Services using Active Server Pages Could Lead To Remote Code Execution - The only people who can exploit this are ones that can already upload ASP files to an IIS server. That basically makes it a privilege escalation attack, even though it uses a buffer overflow to accomplish it. Not too serious, and if you have untrusted people uploading ASP files to your web server, you have bigger problems.
  • MS06-035 Vulnerability in Server Service Could Allow Remote Code Execution - This is the granddaddy of the patches, and Microsoft should create an über-critical category for patches like this. It’s wormable, and makes a good case for personal firewalls. Get this one out fast.
  • MS06-036 Vulnerability in DHCP Client Service Could Allow Remote Code Execution - This one’s pretty critical, too. But the attacker has to be on the same subnet as the victim (same switch?).
  • MS06-037 Vulnerability in Microsoft Excel Could Allow Remote Code Execution - Open a malicious Excel doc and you are owned. In Office 2000, just visiting a website could do it. Exploits are already in the wild.
  • MS06-038 Vulnerability in Microsoft Office Could Allow Remote Code Execution - Same as 06-037, except it applies to any Office doc and there are no known exploits yet.
  • MS06-039 Vulnerability in Microsoft Office Could Allow Remote Code Execution - Same as 06-038.

Get ‘em done.

Security Bulletin Summary [Microsoft]

Microsoft Patches 18 Security Flaws in Windows, Office [Security Fix]

Read More: Threats, Patching, Bots, Vulnerabilities, Windows

June 14, 2006

Exploits Available for Yesterday’s MS Patches

There are reports that there is publicly available exploit code for the following Microsoft vulnerabilities:

  • MS06-024: Windows Media Player.
  • MS06-025: RRAS
  • MS06-027: Word remote code execution
  • MS06-030: SMB Privilege Escalation.
  • MS06-032: IP Source Routing Exploit.

Let’s get ‘em patched.

More Windows Exploits Out; Hacker Wins $10K Challenge [Security Fix]

Exploits for most recent Microsoft Patches [SANS ISC]

Read More: Patching, Vulnerabilities, Windows

June 9, 2006

12 Microsoft Patches Next Week

Looks like June will be a big Microsoft patch month:

- Nine security bulletins for Microsoft Windows, the highest maximum severity rating for these is “critical.”
- One security bulletin affecting Microsoft Exchange. The highest maximum severity rating for this is “important.”
- Two security bulletins affecting Microsoft Office. The highest maximum severity rating for these is “critical.” [emphasis added]

Included in the Office patches will be fixes for the Word 0-day vulnerability.

June 2006 Advance Notification [Microsoft Security Response Center Blog]

Read More: Patching, Vulnerabilities, Windows

May 31, 2006

Random Memory Writing in Vista

Microsoft takes a big step to make vulnerabilities harder to exploit. In short, it’s harder to guess where the code and data of a given process will sit in memory, which an exploit needs to know in order to overflow a buffer and land somewhere useful.

“In short, when you boot a Windows Vista Beta 2 computer, we load system code into different locations in memory. This helps defeat a well-understood attack called ‘return-to-libc’, where exploit code attempts to call a system function,” Howard explained.

He said the job of ASLR is to move these function entry points around in memory so they are in unpredictable locations.

The article also links to a 25-page Word Doc that summarizes the new security features in Vista.

Microsoft Finds (Random) Way to Secure Vista [eWeek]

Microsoft Windows Vista Security Advancements (Word Doc) [Microsoft]

Read More: Vulnerabilities, Windows

May 30, 2006

Ballmer Discovers the Joys Of Malware

In a recent speech, MS big-wig Jim Allchin recounts a story of CEO Steve Ballmer trying to clean up a severely infested PC for two days.

Ballmer spent the better part of the next two days trying to rid this PC of worms, viruses, spyware, malware, severe fragmentation, and well, you name it. Picture it: the world’s 24th wealthiest person, a man worth $13.6 billion according to Forbes magazine, sitting at a table for two days, playing tech support. It was, Allchin says, a humbling experience.

It eventually took an MS team of engineers to clean it up. In the real world, tech support would have backed up the data and re-imaged it in 20 minutes. Still, I’m glad Steve got to enjoy life in the trenches for a while.

Even the Builders of Windows Find Tech Support a Challenge [ITworld]

Read More: Anti-Virus, Vulnerabilities, Windows

May 17, 2006

Most Dangerous Search Words

The very useful and very free SiteAdvisor from McAfee has its list of most dangerous search terms:

Free Screensaver
Bearshare
Screensavers
Winmx
Limewire
Download Yahoo messenger
Lime wire
Free ringtones

SiteAdvisor has gone onto my “list of software I make sure is installed on my Mom’s computer.” You know what they say about an ounce of prevention.

Killer phrase will fill your PC with Spam [the Inquirer]

The Safety of Internet Search Terms [siteadvisor.com]

Read More: Threats, Web, Vulnerabilities, Spyware, Windows

May 16, 2006

Vista Bug Bounties for MS Employees

This is genius:

A top Microsoft engineer on Friday set out a weekend challenge to the Windows Vista development team: Find and fix a bug in the current code and earn US$100.

The employee who squashed the most bugs before Monday in the US was promised a US$500 prize.

It’s about time. I had a conversation with an MS security leader about this years ago, and he gave me all kinds of reasons why they couldn’t do it. Of course my proposal was to pay them something like $10,000/bug (like iDefense), although more like $10 million/bug is more representative of what each significant bug costs MS.

It looks like this is just a temporary program, although I don’t know why they couldn’t make it permanent.

Bounty for Vista coders who squish bugs at home [zdnet australia] [via Microsoft-Watch]

Read More: Patching, Vulnerabilities, Windows

May 9, 2006

Start Your Patching Engines - May Patch Roundup

As we previously mentioned, there are two Windows patches and one for Exchange. Let’s start with Windows:

MS06-018 - Moderate

  • Denial of Service Vulnerability in Distributed Transaction Coordinator
  • 2 Vulnerabilities fixed with one patch
  • Remotely Exploitable
  • Affected: XP SP1&2, 2000, 2003
  • Non-Affected: 2003 SP1, 98, ME

MS06-020 - Critical

  • Vulnerabilities in Flash Player Could Allow Remote Code Execution
  • Announced by MS because they have bundled Flash Player with Windows since Windows 98.
  • 2 Vulnerabilities in one patch
  • Exploitable by visiting a malicious website, or (rarely) by opening an email.
  • Definitely Affected: XP SP1&2, 98, ME
  • Maybe Affected: Anything else you installed Flash on.

The Exchange one is the most tricky and scary:

MS06-019 - Critical

  • Vulnerability in Exchange Could Allow Remote Code Execution
  • Exploited by sending a malicious vCal or iCal message through an Exchange server.
  • Breaks BlackBerry Enterprise Server and GoodLink functionality (via SANS ISC), but it’s fixable.
  • No workarounds.
  • Affected: Exchange Server 2000, Exchange Server 2003 SP1 & SP2

Have fun with this one.

Official Patch Summary [Microsoft]

Read More: Vulnerabilities, Windows

May 4, 2006

May Patches: 2 Windows, 1 Exchange

We will have at least one critical patch next Tuesday from Microsoft. Windows will have two patches and Exchange just one.

Security Bulletin Advance Notification [Microsoft.com]

Update: Details of the Patches [Microsoft.com]

Read More: Patching, Windows