Microsoft Security Bulletin MS10-046 was released this morning and has extensive detail on how to patch or workaround the vulnerability in windows shell that allows remote code execution.

A couple keys points in the advisory:

First, Microsoft notes that the exploit only gains the rights of a local user. It is fine to suggest a role-based control approach. It is a best practice. However, everyone knows that Windows runs best with a local user in the Administrator group. It echoes my earlier post on this issue, where I tried to emphasize that this story has not significantly moved the dial in terms of Windows exploits. It is significant more because it was targeted to a specific vendor (Siemens) implementation of Windows. This is an excellent example of an Advanced Persistent Threat, versus an Advanced Threat. Persistence comes in the form of intelligence gathering and targeting specific/unique weaknesses. I would wager that Siemens software requires Administrator privileges.

Second, a specific service is implicated as an attack vector

Disabling the WebClient service helps protect affected systems from attempts to exploit this vulnerability by blocking the most likely remote attack vector through the Web Distributed Authoring and Versioning (WebDAV) client service. After applying this workaround it is still possible for remote attackers who successfully exploit this vulnerability to cause Microsoft Office Outlook to run programs located on the targeted user’s computer or the Local Area Network (LAN), but users will be prompted for confirmation before opening arbitrary programs from the Internet.

Once again we can say all unnecessary services should be disabled as a best practice and for compliance (e.g. PCI DSS). Nothing new here. WebClient is even disabled by default in server versions of Windows since 2003 (they also have a redirector option). It has been enabled in Microsoft desktop systems since Windows 98. Windows 7 even provides a webdav server capability.

The WebClient service does nothing more than allow webdav (Web-based Distributed Authoring and Versioning) access. The service description calls them “Internet-based files”, which is too broad to be a useful definition.

With this functionality in mind it is interesting to note that the attack was distributed by USB. A network-based attack was not chosen perhaps because the systems targeted were said to be disconnected from a network. A WebClient service should only be enabled on a system that needs to manage HTML files via HTTP over a network. So the advisory pins together a local hardware attack with a network service exploit.

Did the Stuxnet authors know that Siemens runs on Windows XP or 98 with default services enabled? Does Siemens WinCC software or the SIMATIC distributed control system require WebClient, thus making it a networked system after all? I would wager, as above, the Siemens systems were configured without security in mind and an unnecessary service was enabled.

Therefore, from the above two points, a Windows user who disables unnecessary services and uses role-based access would reduce the risk of attack.

The real rub in this issue is that these basic security and compliance controls may not be present in utilities and attackers will use this to their advantage. Change to the environment will not come quickly, unfortunately, because some continue to argue against it. Control systems specialists, for example, often try and defend control gaps as another form of control – necessary for safety

One workaround that Siemens users should avoid, however, is changing the default passwords on their control systems, warned control systems expert Joe Weiss, writing on his blog. “Microsoft wants default passwords changed — standard IT policy — while Siemens is telling its customers not to change the default passwords as it could cause problems,” he said.

The disconnect highlights how in control environments, safety — not security — comes first, he said. “The IT folks do not understand why anybody would want to keep a default or hardcoded password as an emergency back door. IT in enterprises, outside of banking, simply doesn’t have real-time emergencies.”

This is very wrong. I could give obvious examples of enterprise IT that has real-time emergencies outside of banking and utilities (e.g. health-care). More to the point, however, even an emergency back door can be setup in a controlled fashion. A vendor default password should not be confused with the need and option for an emergency back door. Role-based access is the difference. Only some people should be authorized to have access to the back door. Access to the back door also should be monitored and logged. I think it stands to reason that a back door that everyone and anyone can access, without an audit trail, actually increases the risk of real-time emergency.

P.S. Kudos again to Microsoft for a thorough and highly useful report on the update as well as the vulnerability. Customers benefit greatly from this exchange of information.

Compare Microsoft’s excellent work with the current method used by Google, as demonstrated by the update report for a High Risk vulnerability in Chrome:

[$500] [43813] High Issue with large canvases. Credit to sp3x of SecurityReason.com.

Imagine if Microsoft had posted only “[2568] Critical Issue with Shell. Credit to Stux.”

Paul Krugman gives his explanation of why people choose not to act despite data showing risk.

So it wasn’t the science, the scientists, or the economics that killed action on climate change. What was it?

The answer is, the usual suspects: greed and cowardice.

If you want to understand opposition to climate action, follow the money. The economy as a whole wouldn’t be significantly hurt if we put a price on carbon, but certain industries — above all, the coal and oil industries — would. And those industries have mounted a huge disinformation campaign to protect their bottom lines.

Thomas Friedman gives a very concrete security example in his analysis of the American paralysis to regulate the coal and oil industries.

Making our country more energy efficient is not some green feel-good thing. Retired Brig. Gen. Steve Anderson, who was Gen. David Petraeus’s senior logistician in Iraq, e-mailed to say that “over 1,000 Americans have been killed in Iraq and Afghanistan hauling fuel to air-condition tents and buildings. If our military would simply insulate their structures, it would save billions of dollars and, more importantly, save lives of truck drivers and escorts. … And will take lots of big fuel trucks (a k a Taliban Targets) off the road, expediting the end of the conflict.”

Friedman then comes to the same conclusion as Krugman

I have a much simpler but plausible ‘conspiracy theory’: the fossil energy companies, driven by the need to protect hundreds of billions of dollars of profits, encourage obfuscation of the inconvenient scientific results. I, for one, admire them for their P.R. skills, while wondering, as always: “Have they no grandchildren?”

The Jet Beetle page is downright hilarious. Read the whole thing.

Street racing action. The other guy wimped out after a few “big-fire” demonstrations. What you see in the picture is about one-twentieth the full size of the fireball. Guy standing beside car had never seen it run before and was smiling ear-to-ear throughout the show. Had I launched, I would have burned him to a crisp. Well, live and learn.

We get this a lot. A police officer picking at his nose while trying to figure out what to charge me with. Notice the hopeful anticipation of us on the right. We’re rooting for him and offer suggestions but unfortunately, the California Department of Motor Vehicles did not anticipate such a vehicle so he’s out of luck. Hmmm, the car has two engines making the car a hybrid so maybe we can drive in the commuter lanes along with the Toyota Priuses.

*** Update 7/18/06 *** You have to give the California Department of Motor Vehicles (the DMV) credit for creativity on this one. A DMV insider has disclosed to me that the DMV has made a formal request to a federal agency to rule if my Beetle constitutes a threat to national security based on what could happen if it got into the wrong hands. This raises three questions in my mind: #1 Does this mean I’m the right hands? #2 If someone with the name “b_laden13” is the highest eBay bidder for my Beetle can I refuse his offer even if he has the prestigious eBay Red Shooting Star feedback rating (the highest)? #3 Would this affect my eBay rating?

#1) Yes
#2) Yes
#3) Do you really care?

Four years and a quarter million dollars to build, it gets 15 gallons per mile:

Three years of aerodynamics research has created the Bloodhound supersonic car design, unveiled recently at Farnborough:

It looks just like The Blue Flame to me, which set the land speed record in 1970.

The Blue Flame reached 1014.513 km/h (630.388 mph), a record that lasted 27 years.

This post might reveal my lack of expertise in rocket cars, I realize, but I had hoped for a much more radical design than just a rocket with wheels. The Thrust2 and ThrustSSC broke The Blue Flame record but they also did it with new designs. The Thrust2 looked like the BatMobile. The ThrustSSC looked like an F-4 fighter jet without wings, perhaps because that is what it was.

When I say I want to see a more radical design I really wonder about efficiency. How much fuel is used to reach these speeds? What would the records look like if they had to account for input? I have similar questions about output in terms of emissions and air quality.