Security Issues with MS Windows


*
Introduction
*
The Problem
*
Why is this Misleading?
*
So How is security breached?
*
Can Things get shoddier?
*
Other Resources
*
Analysis and comparsion with NSA guidlines
*
World Class Authority
*
Conclusions
*
Further links for Reference


Can things get shoddier?

Well, "shoddier" is putting it mildly. Let us see why, and how.

The link below shows that CryptoAPI has NOT passed tests for "standard functionality" according to US Government FIPS-140-1 evaluations:

<URL: http://www.microsoft.com/security/tech/cryptoapi/default.asp>

... and here is a copy of those standards at NIST (the National Institute of Standards and Technology):

<URL: http://csrc.nist.gov/fips/fips1401.htm>


When asked "Could someone use these keys to weaken my security?"
Here is what Microsoft says:

<URL: http://msdn.microsoft.com/workshop/security/capi/cryptapi.asp>

"No. They would need the private half of either key pair; and as noted, we have not shared these keys with anyone, including the NSA.  Even Microsoft could not use the keys DIRECTLY to weaken your security.  The worst thing that could be done with the keys would be to digitally sign poorly-written CSPs, but even then, there would be no way to get the CSPs onto your computer without your approval."

Well, let's see if that's true. Let's see whether the user really must approve the execution of software, or of a specific function, from system software. We saw above that the protection of the user's private key depends on CryptoAPI itself not being compromised, so we already know that if that fall-back key has been compromised, the entire CryptoAPI that is responsible for protecting the user's key is compromised as well. But let's see if even THAT PART of the statement (requiring the user's permission) is true...

  • <URL: http://msdn.microsoft.com/workshop/security/capi/cryptapi.asp>

    Microsoft Corp's Java Virtual Machine ... in Internet Explorer, Microsoft Outlook, and the Eudora e-mail program ... An (Java) applet can exploit the glitch and override JVM security doing such things as reading private data or modifying and deleting files on a victim's machine.

  • <URL: http://www.cnn.com/TECH/computing/9910/18/microsoft.jvm.hole.idg>

    The weak point is an ODBC driver in Excel97, the spreadsheet program for Office97.  A malicious hacker can create an Excel spreadsheet that exploits the weak point in this database driver, allowing him or her to delete files or "perform other malicious acts," according to Microsoft.

  • <URL: http://www.cnn.com/TECH/computing/9908/03/excelbug.idg/>

    The Marine Corps official said it was not clear how the virus entered its system.

  • <URL: http://www.cnn.com/TECH/computing/9910/22/marines.worm.01/>

    The worm that infected computers at the Marine Corps headquarters at the Pentagon early Friday was "ExploreZip", an especially malicious virus that typically travels by e-mail, according to a Marine Corps spokesman.

  • <URL: http://www.cnn.com/TECH/computing/9910/22/virus/>

    Apparently, this is the first time a virus can permeate your computer from a simple e-mail form -- no opening of attachments is necessary to launch it.  So there's little way to protect yourself.  It's believed to work by taking advantage of a security hole in Internet Explorer 5.0. NOVEMBER 10TH 1999

  • <URL: http://www.msnbc.com/news/296945.asp?cp1=1>

    October is the cruelest month for Microsoft and Internet Explorer 5, compliments of one Georgi Guninski, noted hacker from Bulgaria. Exposing no fewer than three security holes over the last 30 days, Guninski has recently uncovered yet one more privacy flaw in IE5. If you recall the earlier "Download Behavior" bug, which also necessitated the dismissal of Active scripting, this all-encompassing approach leaves your browser incapable of interacting with JavaScript and VBScript-centric content.  This means you'll have to add trusted sites to IE5's Trusted Sites Zone from the security tab within your Internet Options dialog box (when this can't be done automatically via script).  ...

  • <URL: http://www.msnbc.com/news/326233.asp?cp1=1>
    <URL: http://www.msnbc.com/news/325291.asp?cp1=1>

    Microsoft has found out about another security hole in Internet Explorer 5.0.  An unscrupulous webmaster could construct a page that takes advantage of IE5's Import Export Favorites function to run malicious code on a visitor's computer ...  See Patch: http://www.microsoft.com/security/bulletins/MS99-037faq.asp

  • <URL: http://support.microsoft.com/servicedesks/productflashes/Internet/intfc421.htm>
    [October 5, 1999] Internet Explorer 5 includes a Download Behavior that allows Web page authors to download files for use in client-side scripts. By design, a website should be able to download only files that reside in its domain; this prevents client-side code from exposing files on your computer or local intranet to the Web site. However, a server-side redirect can be used to bypass this restriction.

    The net result is that a malicious Web site operator could potentially read (but not modify or erase) files on your computer or other computers on your local Intranet.

    This means that a substituted _NSAKEY could be verified as installed without even using it.

  • <URL: http://support.microsoft.com/support/kb/articles/Q179/6/52.ASP>
    In order to step out of the Java "sandbox," applets need to be packaged in CAB files for use with Internet Explorer 4.0x (and up). ... The Microsoft model is a static model that requires the user to trust the code up front.
  • <URL: http://www.securityfocus.com/new.html> IMail POP3 Buffer Overflow ... may be possible to execute arbitrary code. (NT4.0)... "InterScan Virus Wall Long HELO Buffer Overflow Vulnerability" (NT4.0) ... IE5.0 for Win98 buffer overflow IE4.0 for Win98 buffer overflow ... Outlook/Outlook-Express (on) Win95/98/NT/2000 MS ActiveX CAB File Execution Vulnerability ... NT Spool's Buffer Overflow (NT4.0 through SP6) ... aVrt Mail buffer overflow ... Excel SYLK Macro... IE5 IFRAME executes code with local-file system permissions ... MSN Setup BBS buffer overflow... hhopen OLE Control buffer overflow ... IrfanView32 buffer overflow ...
    About a dozen bugs reported in the last 30 days that could cause code to be executed WITHOUT the permission of the logged in user.

  • <URL: http://www.microsoft.com/security/tech/cryptoapi/cspdev.asp>
    A list is given of vendors with security-specific wares based on CryptoAPI, hence potentially compromised if the 2nd key (or 3rd key?) is replaced.  This is a pretty impressive list, which shows that MOST of the Windows community depends on one or more of these technologies.
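The Download Behavior item above turns on one question: is the "same domain" check applied to the URL a script asks for, or to where the server's redirect actually lands? The following Python is an added illustration of that difference, not code from this page or from Microsoft; the redirect table, hostnames and paths are constructed for the example.

```python
from urllib.parse import urlparse

# Constructed stand-in for the server-side redirect the bulletin describes:
# the URL a script requests -> the Location the attacker's server answers with.
REDIRECTS = {
    "http://attacker.example/fetch": "http://intranet.local/payroll.txt",
    "http://attacker.example/hop1": "http://attacker.example/hop2",
    "http://attacker.example/hop2": "file:///C:/autoexec.bat",
}
MAX_HOPS = 5


def origin(url):
    """Reduce a URL to (scheme, host, port); file: URLs have an empty host."""
    p = urlparse(url)
    return (p.scheme.lower(), p.hostname or "", p.port)


def naive_allowed(page_url, requested_url):
    """The flawed design: compare only the URL the script asked for."""
    return origin(page_url) == origin(requested_url)


def resolve(url, redirects=REDIRECTS):
    """Follow the redirect chain and return every URL visited, in order."""
    chain = [url]
    while chain[-1] in redirects:
        if len(chain) > MAX_HOPS:
            raise ValueError("too many redirects")
        chain.append(redirects[chain[-1]])
    return chain


def hardened_allowed(page_url, requested_url, redirects=REDIRECTS):
    """Re-apply the origin check at every hop, not just the first request."""
    page = origin(page_url)
    return all(origin(u) == page for u in resolve(requested_url, redirects))


if __name__ == "__main__":
    page = "http://attacker.example/index.html"
    for target in ("http://attacker.example/fetch", "http://attacker.example/hop1"):
        print(target, "naive:", naive_allowed(page, target),
              "hardened:", hardened_allowed(page, target))
```

The same principle applies to any fetch API that follows redirects on the caller's behalf: the policy decision must be made on the final response, or on each hop, not on the initial request.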

"Authenticode" is the technology that is perhaps the biggest hole for a compromised (or replaced secondary) CSP key.  Here are some links that deal with all of this.  Especially see the graphic on the link mentioned below.




Copyright 1999 Dr. Raj Mehta. All rights reserved.