September 2005 Archives

Preston Gralla


Without any fanfare, Microsoft recently released its Office 2003 SP2 patch — and hidden deep within is a very useful anti-phishing feature.

The service pack has the usual assortment of bug and security fixes. But it’s the anti-phishing feature that’s the biggest news. With it, by default, when you’re hit by a phishing attack, Outlook disables all the links in the offending email, so that you won’t be able to head to the spoofing Web site. You’ll also get a warning that the email may be a spoof. If Outlook incorrectly called it a phishing attack, you can turn the links back on.

If, for some reason, you don’t want this protection, you can turn off the feature. Choose Tools -> Options -> Junk Email, uncheck the box at the bottom of the screen that begins “Don’t turn on links in messages that might connect to unsafe or fraudulent sites,” then click OK.

Kudos should go to Microsoft on this one; it’s badly needed protection, and something that other email programs should emulate.

What do you think of the Office 2003 SP2 patch?

Preston Gralla


Microsoft’s vision of Windows everywhere seems to be coming true. I just returned from the supermarket after surviving a close encounter with Windows in which I almost couldn’t pay for my garlic, pound of ground beef, and frozen yogurt.

My local supermarket has a slew of self-checkout aisles where you can scan and pay for your groceries yourself. I found a vacant one and began scanning, but noticed the machine was excessively sluggish — it took about 10 to 15 seconds to recognize each of my items. I began experiencing an odd feeling of deja vu, but wasn’t sure why.

It was time to pay, and suddenly in front of the normal screen display of green peppers and the like, an all-too-familiar error message popped up, warning me there was an error in my DLL library. Aha! No wonder I felt deja vu. This was just like sitting in front of my PC.

Now, I’ve been using Windows since the days of Windows 3.0, so I’m certainly used to getting these errors, but only when I’m seated at my computer, not when I’m trying to pay for ground beef.

I couldn’t figure out how to reboot the thing, but amazingly enough, all I had to do was press the OK button on the error message, and I was able to pay and finish checkout.

If only my PC could recover so quickly from system crashes. If Microsoft can solve problems with Windows in the aisles of grocery stores, why can’t it solve it at my PC? Maybe if there was a slot for my credit card next to my keyboard, it would work.

Have you had an odd encounter with Windows in a place you wouldn’t expect it? If so, let me know, below.


Preston Gralla


Microsoft will ultimately spend many hundreds of millions of dollars developing and marketing Vista in a bet-the-farm strategy on the new operating system.

Unasked is the question: Does Vista really matter?

The real danger to Microsoft isn’t from another company overcoming it with a rival operating system. It’s from Google, which is taking an end-around, and building applications on top of the Internet, which in essence has become the world’s largest operating system, dwarfing even Windows.

Google’s applications are simple, lean, and elegant — everything from Gmail to the Google Toolbar, Google Maps, Google News, and more. It may ultimately even build Internet-based applications like a word processor. And there is plenty of evidence it may even be launching a national Wi-Fi service, and appears to be building what may be the world’s largest backbone network.

Microsoft, meanwhile, slaves away on Vista, and fumbles every time it tries to create a Web-centric service. Does anyone remember Hailstorm from several years back? Enough said.

Google appears to be proving that in an Internet-centric world, the operating system may not matter. Internet-focused applications do. And so despite all the hype about Vista, what’s really important may be Google applications like blog search and whatever else the company is cooking up in the labs. Vista may be pretty and powerful and useful, but it may be a look backwards, not to the future.

Does Vista Matter, or should Microsoft spend its money on Internet applications? Let me know what you think.

Preston Gralla


Symantec’s newest Internet Security Threat Report claims that Firefox has twice the number of vulnerabilities as Internet Explorer. Does that mean that Firefox is twice as dangerous as IE?

In a word, no. In fact, despite the Symantec report, Firefox remains a far more secure browser.

How can that be? First of all, even though Firefox may have twice as many theoretical vulnerabilities as IE, those vulnerabilities are rarely targeted. That’s because IE is so much more popular that it’s a much bigger target.

Second, Firefox vulnerabilities are patched far more quickly than IE ones, the report notes. So a Firefox security hole lasts a shorter time than one in IE.

Finally, when you attack Firefox you attack just a browser. When you attack IE, you can attack Windows itself and wreak far more damage. So a Firefox security hole, by nature, is less severe than an IE one.

Does this mean that Firefox users can remain smug about their security? Far from it. It should be a wake-up call to them and to the Mozilla Foundation that more work needs to be done. As Firefox gains in popularity, its security holes may be increasingly exploited.

Still, if you’re worried about security, you’d do well to switch from IE to Firefox — it’s flat-out more secure.

What do you think about Firefox security?


Related link: http://www.leastprivilege.com/HttpCfgACLHelper.aspx

Windows 2003 and XP SP2 include HTTP.SYS, a kernel mode HTTP listener that is used e.g. by IIS6. A nice thing about http.sys is that it enables port sharing: several processes on your system can listen on the same port, e.g. port 80. If you want to host an HTTP listener in your own application, you use the HTTP API to register a URI namespace with http.sys; e.g. ‘http://*:80/MyApp/’ registers for all incoming requests to that URI prefix. The new HttpListener class, which will be included in .NET 2.0, is a nice managed wrapper for that functionality.


This can enable all kinds of interesting scenarios, e.g. embedding lightweight web servers in applications or hosting a web service or ASMX endpoint (like Aaron described in his article on MSDN here). Indigo, for example, uses HttpListener for ServiceHost<T>.


One security feature of http.sys that most developers are not aware of is that only users with administrative privileges can register arbitrary namespaces (sorry, of course I know that YOU are not running as admin, but most of the others do :)). This is by design. Otherwise it would be very easy for malware to ‘hide’ behind already opened ports.


If you want to enable HttpListener in applications which will be run by normal users, you have to reserve and ACL a namespace during deployment of the application. A tool called ‘httpcfg.exe’ can be used for this (included in the support tools for Server 2003 or for download for XP here).


The problem is that there is no managed API for reserving namespaces, which would be very useful for setup programs. The command line tool is not very user friendly either, e.g. you have to set the ACL as an SDDL string, and I guess not everybody is fluent in that. An example (sets GENERIC_EXECUTE on a URI for a user account):


httpcfg set urlacl /u http://*:8080/MyEndPoint/ /a D:(A;;GX;;;S-1-5-21-1144070942-1563683482-3278297161-1114)


I wrote a little tool where you can select user accounts, groups and well known SIDs (I currently don’t support well known SIDs that need a domain SID). The tool spits out the right httpcfg syntax for your selection and also copies the SDDL string to the clipboard.


Make httpcfg your friend. There is no excuse to run with elevated privileges!


HttpCfgAcl.zip (24.19 KB)
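As an added illustration (not code from the post or from the HttpCfgAcl tool), here is a small C# program that opens the namespace from the httpcfg example above with HttpListener and, when http.sys refuses it for a non-admin caller, prints the reservation the installer should have made for that user’s SID. The prefix is assumed from the post; the program needs Windows with http.sys and .NET 2.0.

```csharp
// Added example, not the post's own code: probe an http.sys namespace as the
// current (non-admin) user and, on refusal, emit the httpcfg line that grants it.
using System;
using System.Net;
using System.Security.Principal;

class HttpSysReservationCheck
{
    // Prefix assumed for illustration; it matches the URI used in the post.
    const string Prefix = "http://*:8080/MyEndPoint/";

    // Same SDDL shape as the post's example: one Allow ACE granting GX
    // (GENERIC_EXECUTE, which http.sys treats as "may register/listen") to one SID.
    public static string BuildUrlAclSddl(SecurityIdentifier sid)
    {
        return "D:(A;;GX;;;" + sid.Value + ")";
    }

    public static string BuildHttpCfgCommand(string prefix, SecurityIdentifier sid)
    {
        return "httpcfg set urlacl /u " + prefix + " /a " + BuildUrlAclSddl(sid);
    }

    static void Main()
    {
        HttpListener listener = new HttpListener();
        listener.Prefixes.Add(Prefix);
        try
        {
            // Start() is where http.sys checks the URL ACL; without a reservation
            // a non-admin caller gets ERROR_ACCESS_DENIED (Win32 error 5).
            listener.Start();
            Console.WriteLine("Listening on " + Prefix + " (namespace is reserved or caller is admin)");
            listener.Stop();
        }
        catch (HttpListenerException ex)
        {
            if (ex.ErrorCode != 5) throw;   // anything but access denied is a different problem
            WindowsIdentity me = WindowsIdentity.GetCurrent();
            Console.WriteLine("http.sys refused " + Prefix + " for " + me.Name);
            Console.WriteLine("Reserve it once, as an administrator, during setup:");
            Console.WriteLine("  " + BuildHttpCfgCommand(Prefix, me.User));
        }
    }
}
```

Running it as an administrator always succeeds, so test the access-denied path under the normal user account the application will actually run as.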



Preston Gralla


In my last weblog entry, I noted that the upcoming beta of Internet Explorer was a significant upgrade over the existing IE — so much so that it could jeopardize widespread acceptance of Firefox.

But as the song goes, it ain’t necessarily so. There are seven things that can be done to Firefox to make sure it beats back the IE challenge:

  1. Fix its rotten updating scheme. The number one complaint I’ve heard about Firefox is how poorly its update scheme works. System crashes, incompatibilities, and just plain chaos…I’ve heard them all and been victimized as well. This needs to be fixed, and apparently version 1.5 will go a long way towards doing that.
  2. Offer better tab controls. Tab browsing is great…but just offering tabs is no longer enough. Firefox needs to add ways to more easily open, close, and manage them. Sure, there are plenty of extensions that do that for you, but it should be built right into the browser itself, and not be add-ons.
  3. Build better security. IE 7 will be a more secure browser than the current IE, and include built-in phishing tools. Firefox has rested on its security laurels too long — and it’s increasingly subject to security holes. It’s time to build in better anti-phishing and other security tools.
  4. Fix the extension security problem. I’ve downloaded countless extensions. Every single one of them has been “unsigned” and carries a security warning. I’ve downloaded them anyway, and have yet to have a problem. But what happens when one of them really is malicious? Some way has to be found to check if the extensions are malicious.
  5. Solve extension incompatibilities. I’ve run across too many instances in which extensions cause problems when I browse Web sites. That needs to be cleaned up.
  6. Build RSS into the browser. The Firefox Sage extension is a great “lightweight” RSS reader. But IE is going to include RSS right in the browser. So Sage, or some other comparable RSS functionality, needs to be built right into the browser.

What do you think needs to be done to beat back IE? Let me know, below.

What does Firefox need to do to fight back against IE?


Related link: http://www.leastprivilege.com/GettingAllGroupsForAWindowsAccountInNET20.aspx

Given the complexity of today’s Active Directory installations, the only safe way of getting all Windows groups a user is a member of is to inspect the token.


After you have acquired a token (e.g. through IIS authentication, LogonUser or Protocol Transition), wrap it in a WindowsIdentity and call:

using System.Collections.Generic;
using System.Security.Principal;

// Returns the DOMAIN\Group name of every group SID in the token, i.e. the
// effective membership including nested and domain-local groups.
List<string> getGroups(WindowsIdentity id)
{
  List<string> groups = new List<string>();
  IdentityReferenceCollection irc = id.Groups;   // group SIDs straight from the token

  foreach (IdentityReference ir in irc)
  {
    try
    {
      // Resolve the SID to an account name
      NTAccount acc = (NTAccount)ir.Translate(typeof(NTAccount));
      groups.Add(acc.Value);
    }
    catch (IdentityNotMappedException)
    {
      // Orphaned SID (e.g. a deleted group): keep the raw SID instead of failing the whole call
      groups.Add(ir.Value);
    }
  }

  return groups;
}



Related link: http://www.leastprivilege.com/UpdatedShowContextsAndRequestLogonUserIdentity.asp…

In ASP.NET you have to juggle a number of identities, e.g.

  • The account of the worker process
  • The account of the client (= Context.User / Thread.CurrentPrincipal)
  • The thread identity (when client/application impersonation is used)
  • The outcome of IIS authentication (used by the FileAuthorizationModule)

This can be confusing. For example, when IIS is set to anonymous but ASP.NET <authentication> is set to Windows (the default), you may wonder why the IUSR_ account needs read access to the .aspx files. This is because the FileAuthorizationModule uses the security context that resulted from IIS authentication to check whether the user is authorized.


In ASP.NET 2.0 you can now access this identity, too. It is stored in Request.LogonUserIdentity. So if you should need to impersonate the account that is set in IIS for anonymous access, this is now easily possible. I have updated the ShowContext.aspx helper to show you all four identities. Nice for troubleshooting.


ShowContexts2.zip (1.24 KB)
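The four identities listed above, as an added example page (written for this page, not the ShowContexts helper the post links to): it prints each identity for the current request and then impersonates Request.LogonUserIdentity to show that only the thread token changes. The page class name is assumed; it needs ASP.NET 2.0 under IIS.

```csharp
// Added example, not the post's own ShowContexts code: dump the four identities
// an ASP.NET 2.0 request juggles, then briefly impersonate the IIS-authenticated token.
using System;
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Web.UI;

public partial class WhoAmI : Page   // class name assumed for illustration
{
    // One line per identity; an empty name means an anonymous/unauthenticated principal.
    static string Describe(string label, string name)
    {
        return label + ": " + (string.IsNullOrEmpty(name) ? "(anonymous)" : name) + "\n";
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        Response.ContentType = "text/plain";

        // 1. Worker process account: GetCurrent(false) returns the process token
        //    even while the thread is impersonating.
        Response.Write(Describe("Worker process", WindowsIdentity.GetCurrent(false).Name));
        // 2. Client as ASP.NET sees it (Context.User is the same object as Thread.CurrentPrincipal).
        Response.Write(Describe("Thread.CurrentPrincipal", Thread.CurrentPrincipal.Identity.Name));
        // 3. Thread identity: equals the process account unless <identity impersonate="true"/> is set.
        Response.Write(Describe("Thread token", WindowsIdentity.GetCurrent().Name));
        // 4. Outcome of IIS authentication: the token FileAuthorizationModule checks;
        //    with IIS anonymous access this is the IUSR_ account.
        WindowsIdentity iisUser = Request.LogonUserIdentity;
        Response.Write(Describe("IIS (Request.LogonUserIdentity)", iisUser.Name));

        // Impersonating the IIS token swaps the thread identity but not the process identity.
        WindowsImpersonationContext ctx = iisUser.Impersonate();
        try
        {
            Response.Write(Describe("Thread token while impersonating", WindowsIdentity.GetCurrent().Name));
            Response.Write(Describe("Worker process (unchanged)", WindowsIdentity.GetCurrent(false).Name));
        }
        finally
        {
            ctx.Undo();   // always revert, or the thread keeps the borrowed token for later requests
        }
    }
}
```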




Hello everyone,

my name is Dominick Baier.

I am leading the security curriculum at Developmentor; this includes security courses for .NET 1.1/2.0, ASP.NET and WinFX/Vista. Currently, most of my time is dedicated to writing a book about ASP.NET Security for O’Reilly.


My main blog is at www.leastprivilege.com - but whenever I write something about ASP.NET security I will link the content here. If you have any question about this topic, just leave me a comment.



cheers
dominick

Preston Gralla


From details about beta 2 of IE 7 that Microsoft recently revealed at the Professional Developers Conference, it looks as if IE 7 has the chance to be a Firefox killer.

The beta appears to have enough new features that it may stop people from flocking to Firefox. A new Quick Tabs feature, for example, will let you better manage tabs, and gives you a thumbnail view of all of your tabs — something that Firefox doesn’t do. Page Zoom will let you zoom in on text and graphics on Web pages.

There’s bigger news on the security front. “ActiveX Opt-in” will disable most ActiveX controls by default. You’ll have to selectively enable those controls you want to work. This is a very big deal and a big surprise. ActiveX is one of the browser’s biggest security holes, and one that Microsoft, up until now, has been reluctant to plug. Let’s hope this spells the ultimate death knell for ActiveX.

An even bigger IE hole is that the browser is directly tied to the operating system, and so an attack on IE means an attack on Windows itself. Microsoft is taking a halfway measure against this in the next version of IE. In Vista, but not in XP, there will be a “protected mode” that isolates IE from the operating system and other applications, so IE won’t be able to write to a file without a user’s consent.

Does all this mean that IE will be superior to Firefox? No. But to squash Firefox, it doesn’t have to — it just has to improve its security, and add a few extra features. It looks like IE 7 is on the road to doing that. Given that the beta of Firefox 1.5 doesn’t add many big new features, aside from handling auto-updates better, this could mean that IE will start to take back the ground it’s lost to the Open Source browser.

Do you think IE 7 will be a Firefox killer?

Preston Gralla


Complain all you want about bloated Microsoft software, but some of their best tools are free little utilities called PowerToys that do all kinds of cool tasks — everything from letting you tweak the XP interface to resizing single or multiple images with a single click.

The newest PowerToy is out, and I think it’s the best one yet. It’s called SyncToy, and it does exactly what it says — it lets you synchronize files and folders with a simple click or two.

I work on several computers, and often transfer files between the two. Countless times I’ve overwritten newer files with older ones. And even when I don’t do that, it takes me far too much time to copy files between the two machines.

SyncToy lets you create “folder pairs,” and then define how they should synchronize. There are far more options than I can go into here. Suffice it to say that if you want to do a simple synch it’s a breeze — and the advanced options are similarly easy.

Little utilities like this often make computing worth the occasional pain. If you have a favorite freebie, let me know, below.

Tell me about your favorite free utilities.

Preston Gralla


Whatever else you may think of Microsoft, there’s no disputing that Bill Gates is probably the world’s foremost philanthropist, giving away billions of dollars every year from his personal fortune to countless good causes.

Microsoft is following suit to help with Katrina relief. Using .NET technology, a group of employees quickly put together the Katrina Safe Web site. The site allows anyone to type in the name, city, and phone number of someone from the area hit by Katrina, and the site will then report on the person’s whereabouts, if they have been located.

At a time when families have been torn apart, and when thousands of people don’t know where friends and family are, this site can be a tremendous help. In addition to the Web site, Microsoft also developed a set of related .NET applications to help relief workers in the field. For more details, check out this article from eWeek.

When looking at technology, it’s easy to forget that it can be used for more than for increasing productivity, and for entertainment. It can be a life-saver as well, and bring together families — so here’s hoping that more companies follow Microsoft’s lead and donate time to the relief effort.

Do you know of other technology companies helping with the Katrina relief effort? Let us know.