LEO LAPORTE: This is Security Now! with Steve Gibson, Episode 232 for January 21, 2010: Your questions, Steve's answers #84. It's time for Security Now!. Get ready, fasten your seatbelts, you're about to learn about all the dangers, the hazards, the problems, the issues on the Internet. But here's the good news. Steve Gibson will also tell you what to do about it. Steve Gibson is the man in charge around here. He is a security wizard, the guy who created SpinRite, the world's best hard drive recovery and maintenance utility. He also discovered the first spyware, coined the term "spyware," wrote the first antispyware program, has written a great many security tools for free for people, and has been doing this show, well, I guess if it's 232 episodes - 232, Steve - we must have - and we've never missed one. STEVE GIBSON: Never missed one. 232 weeks and counting.
LEO: Wow. Fourth year. Fifth year of this show.
STEVE: Into our fifth year, yeah.
LEO: Hey, Steve.
STEVE: Leo, it's great to be with you again, as always. I had a thought yesterday, and then again this morning a little bit, when you were talking about all the security utilities that I create, that it would be maybe useful to create one for this most recent zero-day IE flaw.
LEO: Ooh, yeah.
STEVE: But then I figured, eh, you know, the half-life of the thing is going to be very short because Microsoft is scampering apparently, maybe even considering an out-of-cycle fix because - not that this is so bad. We've seen these before. But mostly because it's gotten so much attention. And so the PR is really bad for Microsoft.
LEO: This is the flaw that was used to hack people's Google accounts; right? STEVE: Well, it's - okay. So this first came on the map when Google informed Microsoft that it wasn't, as was initially sort of just conjectured, it wasn't an Adobe flaw. It was an at-that-time unknown, that is to say zero-day vulnerability in Internet Explorer, yet another one, that was in this case being used to penetrate IE6 running on XP.
LEO: And of course the first thing that, what was it, the German government said is stop using IE6, and then everywhere people are saying do not use IE6 anymore.
STEVE: Germany and France both said stop - well, actually I think they said stop using IE in general because the vulnerability exists in all versions of IE.
LEO: Right.
STEVE: But due to the incrementally increasing security that Microsoft has been bringing into play, you know, we've talked about this many times, how unfortunately Microsoft's install base and their previously lax security prevents them from just turning up the security all at once. So very much like how in XP they introduced a firewall, but it wasn't turned on by default. Then in Vista they introduced, or actually at some point in XP also DEP, the Data Execution Prevention technology, but it wasn't really turned on very strong. Then with Service Pack 2 of XP they started turning on the firewall by default. So they've sort of been creeping along, tightening things down as they go. And I've, of course, for years been railing against the idea that scripting was on in email by default. Well, of course that finally got turned off along the way because no one ever did use it. But Microsoft just has to be sort of, you know, to very slowly move forward.
So many of these things that they've done incrementally over time have improved the security of IE: 7 is better than 6; 8 is better than 7. In IE8 its use of data execution protection or prevention is enabled by default, so DEP does prevent this problem. So even though all versions of IE have had the flaw, which someone presumably in China discovered, and what Google did was they found the command-and-control servers, that is, they were able to, once they realized they'd been penetrated, they found some penetrated machines, saw them communicating back to the mothership, tracked those down, found 33 other companies including Adobe, interestingly enough, that had been also penetrated. So this wasn't just an attack against Google. This was an attack against 34 companies using an at-the-time unknown vulnerability in Internet Explorer.
So there's many takeaways from this. One, of course, is to all of our listeners, I'm hoping that nobody is even vulnerable or at risk because you're no longer using IE. That is, everyone within the sound of our voices should have switched to Firefox. And I'm seeing Chrome mentioned sort of as an also option, although Firefox seems to be the one people would be moving to. I'm hoping that everyone has moved there already. Now, of course, Windows users don't have a choice about IE. We have to have IE around to some degree because Microsoft's Windows updating system, if you want to go there and check it out, it wants to be IE. LEO: Yeah.
But you can't even uninstall IE if you wanted to, I don't think. I mean... STEVE: Right. LEO: ...[indiscernible] stuck with it. So I just - I don't even put an icon on the desktop. I just run Windows Update, I don't even run IE, and leave it at that. STEVE: Right.
However, things like, for example, Outlook will still be using the IE browsing component in order to display email.
LEO: It's really intimately part of Windows, isn't it. You just can't get away from it. STEVE: You really can't. So the other - but the other point is you can lock it down. And so I wanted just to take a minute to remind our users how that's done. Because it's not difficult. You start up your copy of Internet Explorer. Just launch if it's in the tray, or you use Windows Update, however it is you get IE going. And then under the Internet Options icon, which generally most recently has looked like a little gear, you open that, go to the bottom line on the menu, which is Internet Options, and then choose the Security tab. That's where it shows you those zones. And so IE has this notion of different security behavior depending upon whether you're on your local Intranet, on the Internet outside of your own local network, and whether the domain you're going to is trusted or not. So there's all, I mean, it ends up being a confusing and complicated thing because you could, for example, put people in the untrusted zone, which means apply presumably more rigorous security to them. Anyway, the point of all this is, what I would recommend people do, that is, people who are already switched away from IE - IE, as you say, Leo, is intrinsic to Windows. It's there. We can't get away from it. Various apps are going to bring it up. It still can be exploited even though it's not the browser that you're normally using, although certainly your risk profile is far lower if you're surfing the 'Net with Firefox than with IE. So you want to set the trusted sites - I'm sorry. You want to set both the Internet zone for outside and the local Intranet zone, both, even your local Intranet zone because that's the zone used, for example, that Outlook uses when it's doing things. You set the security for both those zones to high. And I made sure again that everything is set correctly when you do that. When you set your security to high, basically it just shuts it down. It can barely even bring up a web page because the security is bolted down. And this exploit does require, naturally, scripting. So scripting is shut down, both for the Internet and the Intranet. Then you can set your trusted sites zone to the default level.
Now, in doing this, though, you will completely block Windows Update from running through the browser. So you then need to, on the trusted zone, add *.windowsupdate.com and *.microsoft.com. So essentially what we've done is we've turned IE into a browser only useful for going to Microsoft and using Windows Update. We've also locked it down so that in Outlook there's no scripting and no permissions to run ActiveX controls and none of these things that are dangerous. So if you're going to view email, it's as safe as it could be using Outlook by having IE locked down. If you for some reason need to use IE for other sites that you trust, you can certainly add those domains to the trusted sites list, and then IE will work the way it normally would. But both for reaching out onto the Internet and your own local use, if you set the security to high for those zones, then you're as secure as you can be while you're using Internet Explorer. And given that it's locked down that much, I would say you're probably as secure as when you've got scripting disabled under Firefox. But as we know, it's difficult to run during the day-to-day use of the 'Net with no scripting. So of course NoScript allows you to do that conditionally. Sort of it's doing a little bit like what IE was doing with its multiple zones. LEO: One of the things, it has a checkbox that says HTTPS, require HTTPS.
STEVE: Yes.
LEO: Should you leave that checked, or should you uncheck that?
STEVE: I don't think it's that important. I put TWiT in because I also use TWiT... LEO: Right, I have to uncheck it for TWiT because we aren't HTTPS. You can't require it. STEVE: Yes.
And so I did uncheck it and do have it unchecked, that is to say, not requiring an SSL connection for all of those trusted sites. Well, because they're trusted. LEO: So just to recap, you open the Internet Options control panel. You set security to the max, which breaks every site, basically.
STEVE: Set it to high for... LEO: To high, all the way up. STEVE: For two zones - for the Internet zone and the local Intranet zone.
LEO: Oh, important, that's a good point because you want local sites that way, too; right. STEVE: Well, you want your local use of the IE control, which gets sort of mapped into other applications like Outlook. You want it to be locked down because, again, you don't need scripting in email. LEO: All right. So we're going to go to Security. We're going to turn it up all the way to high for local zones and for... STEVE: Internet. LEO: Okay. So let me just do that. Okay.
So custom level, actually not custom level, I guess default level, and then turn it all the way up. So now it's all the way up for Internet, and it's all the way up for local Intranet. STEVE: Correct.
LEO: And then I click Trusted Sites, press the default button once again. You have to press default for some reason to have the slider. And the default here is medium.
STEVE: Yes.
And that's fine for trusted sites. That allows the normal sort of scripting things, ActiveX controls. Sites will work the way you expect them to, except that the other thing you need to do then is, while you've clicked that Trusted Sites, then there's a button that says Sites. So you click that, and that will open the list of sites that you have deliberately chosen to trust.
LEO: Right.
And if you don't use IE, just do *.microsoft.com and *.windowsupdate.com. STEVE: Exactly.
LEO: Uncheck https, and you're done. STEVE: Yes.
LEO: And basically IE will now only work properly for those two sites, but that's all you want. STEVE: Exactly.
LEO: Does this fix the problem then for Outlook email? I mean, will Outlook email work okay?
STEVE: It does fix the problem for Outlook email.
LEO: Scripts won't work in Outlook email, but that's what you want. STEVE: Exactly.
Because scripts are the big problem. And it shuts down ActiveX controls. It just bolts it down so that essentially you've said, okay, we're not going to use IE for much. We can't get away from it completely. But, you know, where it does need to get used, at least it won't be able to do, you know, won't do any harm. LEO: Now, IE7 and 8 have protected mode browsing.
STEVE: Yes, and basically that's bringing these same things along by default. This is Microsoft again sort of very slowly, I mean, we've had the tools since IE5 to do this. But it wasn't default. And as we know - I call it the tyranny of the default is, you know, unfortunately the default is what the vast majority of people use. Microsoft I remember was saying, oh, yeah, but XP has a firewall. It's like, yes, but it's off by default. Oh, yeah, but, I mean, this mumbo-jumbo about, well, but most people will run across the dialogue that suggests they turn it on. Well, if that was true, then we wouldn't have had the Code Red and the Nimda worms, which both occurred on XP because the firewall was not on by default. So that just wasn't the case. LEO: You know, it's funny, these - you've been talking about doing this because you used IE for a long time. We only recently got you to move over to Firefox, like in the last couple of years. But I know you've come on the TV shows and told us about this process. But it's really important, even if you don't use IE, to do this now because you just want to lock this sucker down. STEVE: Yes.
LEO: It's still used so often. STEVE: Yes.
IE is built into Windows. You can't get rid of it. It's used in places you don't expect it to be used. There are other places like in the Help system or other applications that will invoke the IE control. You've probably seen like some strange software that says "Requires Internet Explorer 6 or later. " And you're thinking, well, why does my MP3 player need a certain version of IE? It's because it's assuming the presence of the IE control, that is, the IE surface which it's using to render things. And there are - I don't talk about all the really obscure security exploits that occur in applications that are low instance. But there's a lot more going on that people are aware of that use a common control like this. So just, as you said, locking this down now, it's very much like turning scripting off in Acrobat. Just turn scripting off in Acrobat because you don't need it, and it will make your PDFs a lot safer. LEO: I love security tips like this because they have very little consequence. Unlike, say, running NoScript in Firefox, which really kind of becomes an issue. This is easy. Everybody could do it. I'm going to do it. I'm going to remind people to do this on the radio show. In fact, why don't you come on the radio show this weekend. STEVE: Love to.
LEO: And just tell people, do this in light of what we're learning now. And then you don't have to think about it. STEVE: Right.
LEO: I like it. All right.
STEVE: A number of our listeners wrote to tell me something that I had run across, actually I think I had a note for it last week, and I forgot to mention it. And that is that Gmail - this is unrelated to the Google attacks. But Gmail now enforces HTTPS connections by default. We've talked for years about how to get Google Mail to be secure for the entire duration of the connection. If you went to Gmail using a secure connection, HTTPS for logging in, then it left you there for your entire use of Gmail. But if you went there with an unsecure connection initially, it switched you into security for the process of logging on and then back out of security otherwise. Interestingly, and not surprisingly, Google is citing the increased use of open WiFi hotspots... LEO: Oh, boy. STEVE: ...as the motivation, their motivation for doing this. And notably, the other free popular email, web-based email, Yahoo! and Microsoft, that is, Microsoft with Hotmail, neither use HTTPS except briefly during logon. So this really does give Gmail a leg up in security. Now, because they are concerned maybe somebody would have a problem with this, I don't really know who could, but there is an option to turn that off in the configuration settings. But the default is secure, which is really nice. That's a great move forward for them. LEO: Yeah.
Well, we've been telling people for a long time to just turn it on. But now you don't have to. Just it is.
STEVE: Right.
And while we're on the topic of Google, there's been so much buzz in the last couple weeks about the presumed Chinese attack on Google. One security researcher claims to have recognized code in the exploit that is known to be used in China. The problem is it's very difficult to have absolute accountability. I don't really have any particular feeling one way or the other about these claims that this was backed by the Chinese government. I mean, my sense is, well, okay, we really don't know. I dislike making accusations like that, that can't be really soundly confirmed. And frankly, there's no way to confirm this. I don't think there ever will be a way, unless somebody with direct knowledge says, yes, I know from first-hand, not from reverse-engineering something and recognizing a byte pattern that I saw once. Or these other sort of gray comments of, like, well, this is much too sophisticated to have come from hackers. We don't see this in normal hacking stuff. This must have come from state-sponsored accomplices. It's like, eh, okay. I just don't put any credence behind that. I don't see that that makes any sense. So... LEO: By the way, I don't know if you mentioned this. Microsoft announced this morning that they're going to patch this zero-day exploit on the 21st. STEVE: Oh, I did not see that.
LEO: They're going to do an out-of-cycle Thursday update on the 21st. STEVE: Good.
LEO: That's tomorrow. STEVE: I'm not surprised. LEO: Actually that's when this show comes out, so today. STEVE: Fantastic. Well, that's - isn't it interesting how quickly they're able to move when they want to. LEO: Yeah.
STEVE: Because they didn't find out about this, I mean, we know when they found out about it. They found out about it, like, you know, last week. And because it's generated so much fury and, as you said, governments are recommending that people not use IE, but use instead - in fact Germany said use Firefox or Google's Chrome browser. Do not use Internet Explorer until it gets fixed.
LEO: Although we do know that any Internet access is risky, and I'm sure Chrome and Firefox have all sorts of unpublished exploits. I mean... STEVE: Sure. We know for a fact that they're providing security updates to fix their security problems, as well. LEO: I'm sure both Google and Mozilla are saying, there but for the grace of god go we. I mean... STEVE: Yeah. LEO: Microsoft doesn't have the greatest track record. But I don't think they're particularly worse than anybody else. STEVE: No. I agree. The IETF has ratified the fix for the SSL renegotiation vulnerability. Remember that many weeks ago we did a podcast specifically explaining what the flaw was that had been found in the SSL protocol, which essentially it allowed somebody who was able to intercept traffic to inject their own content into an SSL connection in a way that was not detectable by either end. And the way they were able to do this was to take advantage of the fact that what's called the renegotiation hadn't been exactly designed correctly. The idea was that the designers assumed that when you were renegotiating, you would be renegotiating from within the SSL tunnel. That is, within an existing established security construct, you would be sending renegotiation back and forth. They failed to see that there was a way that a hacker could use renegotiation in order to sort of splice their own data in.
So what was required to fix this was an explicit use of the previous security context, that is, information that would only be known to each endpoint, explicitly connected to and added to the renegotiation process. So that strengthens the protocol. The problem is that we've ended up moving towards a kludge, unfortunately, because the specification states that this extension information, this renegotiation extension information should be able to be appended to the end of the existing handshake without upsetting either end. It turns out there are implementations of SSL and TLS which this breaks. So they have been unable to extend the protocol the way it was designed to be extended without breaking existing implementations, which is really a shame.
So what they've had to do, and this is the kludge part, is we talked about the way the SSL protocol works in detail. There is something called a cipher suite which essentially each end sends back and forth. The client initiating the connection says here's the collection of ciphers I know about. The server from that set looks at those that it understands and chooses one in an order of most desirable to least desirable, and then says this is the one we'll use. That's how they agree on a cipher for their encryption that they both know. Well, by design, any that are not known are ignored. And that is done correctly. So the bad news is this fix for the SSL/TLS protocol requires, in order not to break poorly implemented but widely distributed existing SSL requires that the extra information for securing renegotiation be stuck in as a fake cipher. Which is really annoying. I mean, it's the definition of a kludge. LEO: Kludge, yeah.
STEVE: But it's the only way they were able to get it to work and not break things. Now, maybe in the fullness of time, like a decade from now, these existing broken implementations will go away, and then it'll be possible to say, okay, we no longer need to overload the cipher suite definition with this kludge-y renegotiation information because all of those old, poorly implemented endpoints have died off. So we can just do it the way we always intended to. We can hope that that ends up happening. So who knows. But I did want to let people know that we're moving forward. Now, nobody's implemented this yet. The spec is done. The RFC exists. We know how to do it. So now what'll happen is these will be implemented and put into test. And it'll be a while before we start actually seeing this rev. But I'm sure that our listeners will know right here on this podcast because I'll know, and I'll let everyone know, as these fixes begin to migrate into downloadable updates. I'm sure Windows and Mac and the Linuxes will get new distros that have this thing fixed. So anyway, we're moving towards getting SSL cleaned up. Then last little bit of interesting - this really qualifies more as errata, is I have a couple old email accounts that I've sort of left around because they pick up interesting stuff every so often. And for the last week I've been getting an interesting piece of email that was just sort of a case in point. It reputes to be from, in one case, UPS Manager Bret McCracken, and every couple days... LEO: I'm a crackin' you. STEVE: I'm a crackin' you. Every couple days I get one from someone else. But this one, Bret McCracken kind of cracked me up. And the email address of service@ups.com. The subject is, in this one case, "UPS tracking number 55741879. " Well, first of all, I know what UPS tracking numbers look like. LEO: That ain't it, yeah. STEVE: That's not one. LEO: At least they could fake it well. You know? C'mon, guys. STEVE: Don't you wish? LEO: Look one up.
STEVE: And so then it says, "Dear Customer! " Okay. They're not going to use, you know, UPS is not going to use an exclamation point. And it reads, "The courier company was not able to deliver your parcel by your address. " Close, but not quite the way we would speak English. "Cause: Error in shipping address. You may pick up the parcel at our post office personaly," spelled with one "l. " Well, of course post office is different from UPS, and we've got a typo, a spelling mistake. Then it says, "Please attention! " Okay. LEO: It's amazing this stuff works.
