Recently in Security Category

Windows users have more security options, and that's just the way it is. Or is it?

Let's start with the obvious: I love BitLocker and I cannot lie. Despite its faults, it remains a great example of a real-world security feature that delivers immediate value. It's fully supported by the OS manufacturer, meets government security standards, and doesn't have to rely on skanky hacks to work its magic.

Windows laptop users can also take advantage of Seagate's Momentus FDE line of disk drives. These disks, sometimes called self-encrypting disks or just SEDs, perform hardware encryption, and they are qualified by the US National Security Agency as meeting NSTISSP #11. Unfortunately, these drives require support in the BIOS. Since Apple's laptops all use EFI instead of the standard x86/x64 BIOS, you can't just plop a Momentus FDE into your Mac and expect it to work.

The only solution I've found to get an SED to work in a modern Mac laptop is from WinMagic. Their SecureDoc product is essentially a full-volume encryption tool that competes directly with BitLocker, as well as with other FVE products from PGP, PointSec, and so on. The big difference: the Mac version of SecureDoc supports Momentus FDE disks. Naturally I had to try it.

Installation is simple: you run an installer, which adds a couple of kernel drivers and modifies the boot loader. If (and only if) it detects an unlocked Momentus FDE as the boot volume, it will ask whether you want to use hardware or software encryption. (The installer also tells you that it will change the system's hibernation mode, but let's not get ahead of ourselves yet…)

When you're done, you must reboot, at which point you see the new (and quite ugly) SecureDoc login screen. When you log in here, the SecureDoc bootloader unlocks the FDE disk and the normal Mac OS X boot cycle proceeds.

The docs ask that you turn off pagefile encryption by unchecking the "Use secure virtual memory" option in the General pane of the Security preferences tool. This makes sense: there's no reason to ask the OS to encrypt the page file if the disk on which it lives is already encrypted. You must also turn off the "Put hard drive to sleep whenever possible" checkbox, as the OS doesn't deal well with having the disk go to sleep (and thus get locked) while you're using it.

In my test install, I ran into an odd problem: the machine would freeze when waking from sleep. The cursor and keyboard would work normally, but I'd get the spinning rainbow pizza of death. After doing some digging, and with the help of WinMagic's tech support folks, I determined that the system's hibernation mode wasn't properly set by the installer. (Page 4 of this document is the only place I've found the different hibernation mode codes explained.) Uninstalling the SecureDoc software, manually setting the hibernation mode with the pmset tool, and reinstalling it fixed the problem and it has worked flawlessly since.

The standalone version of SecureDoc doesn't have the same set of management or control features that BitLocker does. Of course, that's because WinMagic wants you to buy their server-based toolset, which uses a group policy-like mechanism to enforce whatever encryption policies you choose. Without having tested either the server tool or the Windows version, I'm not ready to pick a winner between BitLocker and SecureDoc, but for the Mac it's a low-impact solution that does what it says, and I'm happy with it so far.

IEEE Spectrum Risks blog


If you use a computer-- at work, at home, at school-- you should be reading The Risk Factor, a blog on computer-related risks operated by the fine folks who bring us the IEEE Spectrum. There's a ton of fascinating stuff there, like this and this. The Risk Factor is like a gateway drug, though. After reading it for a while, you'll be ready for the hard stuff.

Cue the tiny violins: a federal judge ruled that Oracle "destroyed or failed to preserve Chief Executive Larry Ellison's e-mail files sought as evidence in a class-action lawsuit filed in 2001 against the software maker." The alleged destruction (or failure, depending on how you look at it) happened in 2006-- well after Oracle touted archiving features in Oracle Collaboration Suite. Ooops.

A few weeks ago, I wrote a column highlighting Microsoft's announcement of their Exchange 2007 virtualization strategy. I just found out that the team that owns the Internet Security and Acceleration (ISA) Server and Forefront Threat Management Gateway (TMG) has announced their virtualization policy... and it's a good one! Basically, they'll support ISA and TMG on virtualization solutions that are part of the Server Virtualization Validation Program (SVVP)-- including Hyper-V.

The full document is here. Here's the money graf:

… if a hardware virtualization platform is listed as "validated" with the SVVP (not "under evaluation"), Microsoft ISA Server and Forefront TMG will be supported for production use on that platform within the limits prescribed in the Microsoft Product Support Lifecycle, Non-Microsoft hardware virtualization policies and the system requirements for that product version and edition.

This will make both ISA and TMG much more palatable to a wide variety of customers, particularly in the SMB space. I'm looking forward to redeploying ISA (which I haven't been using for a few years) now that it won't cost me a server's worth of electricity to use.

Update: this VMware press release says that VMware ESX has passed the SVVP. This is huge news given that it essentially means Microsoft is now supporting Exchange, ISA, and TMG on the most widely deployed virtualization platforms-- welcome air cover for all the folks who have been doing it for a while now :)

It's like a joke that never gets old. I've written about Oracle's terrible approach to product security before (here, here, here, and here are a few examples... bonus: this). Now security legend Jericho has written this outstanding timeline of exactly what Oracle has failed to do in the security arena. He should have subtitled it "Bring Me the Head of Mary Ann Davidson". Well worth a read.

I was recently asked a really good question: how can you disable the "Play on Phone" functionality in Exchange 2007 Unified Messaging? PoP is a handy feature because it lets you use a simple UI in Outlook or OWA to get your voice mail on any phone that your UM server can dial out to. For security reasons, though, some organizations want to prevent people from placing outbound calls to potentially untrusted numbers (like, oh, I don't know, this). There's no direct way to do this from the UI, but you can accomplish it with a bit of trickery: set the OutCallsAllowed attribute on the IP gateway used by the UM server (set-UMIPGateway MyUMGateway -OutCallsAllowed $false will do the trick).

Why does this work? This flag tells the UM server never to send a SIP INVITE to the gateway for a new call. If there are no gateway objects with the property set to true, UM will not attempt to place any outbound calls. PoP is the only Exchange UM feature that results in new outbound SIP INVITE messages; call transfers use SIP REFER, so the auto attendant and call answering features still work. However, this doesn't disable the PoP user interface, so users will still see the buttons; they just won't do anything when clicked.
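As an added example (not from the original post), here is an Exchange Management Shell function that applies the same change to every UM IP gateway, since a single gateway left with OutCallsAllowed set to true is enough for Play on Phone to keep working, and then verifies the result. It assumes the Exchange 2007 UM cmdlets are loaded; the function name is hypothetical.

```powershell
# Added example: disable Play on Phone by refusing outbound calls on all UM IP gateways.
# Assumes an Exchange 2007 Management Shell with Get-UMIPGateway / Set-UMIPGateway available.
function Disable-UMPlayOnPhone {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # UM only places a new outbound call (SIP INVITE) through a gateway whose
    # OutCallsAllowed is $true, so every such gateway has to be changed.
    $open = @(Get-UMIPGateway | Where-Object { $_.OutCallsAllowed })

    if ($open.Count -eq 0) {
        Write-Verbose "No UM IP gateway allows outbound calls; nothing to do."
        return
    }

    foreach ($gw in $open) {
        if ($PSCmdlet.ShouldProcess($gw.Identity, "Set OutCallsAllowed to False")) {
            Set-UMIPGateway -Identity $gw.Identity -OutCallsAllowed $false
        }
    }

    # Verify: any gateway still set to $true leaves Play on Phone functional.
    # Call transfers (SIP REFER) are unaffected either way.
    $remaining = @(Get-UMIPGateway | Where-Object { $_.OutCallsAllowed })
    if ($remaining.Count -gt 0) {
        $names = [string]::Join(', ', @($remaining | ForEach-Object { $_.Identity }))
        Write-Warning "Outbound calls are still allowed on: $names"
    } else {
        Write-Output "All UM IP gateways now reject outbound calls; Play on Phone is disabled."
    }
}

# Preview the changes first, then run for real with -Verbose to see progress.
Disable-UMPlayOnPhone -WhatIf
# Disable-UMPlayOnPhone -Verbose
```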

Good news for all you feds out there: Vista's BitLocker Drive Encryption was just certified by NIST as meeting the FIPS 140-2 standard. If you don't know what this means, you probably don't care. If you do know, check out some of the other certified products on that page-- there's some pretty neat stuff lurking there.

Crispin Cowan has a blog


Nice to see that noted security guru Crispin Cowan has a blog.

But you probably knew that already.

A survey out today by the organizers of the tech-security conference Infosecurity Europe found that 21% of 576 London office workers stopped on the street were willing to share their computer passwords with a good-looking woman holding a clipboard. People were offered a chocolate bar in exchange for the information. More than half of the people surveyed said they used the same password for everything.

There are a lot of skeptical comments over at the WSJ blog. However, a friend of mine who is a well-known figure in the security community said this in e-mail:

...we did a similar chocolate bar or $2 pen hand out in London to collect passwords. Our gathering password rate was 84%. We then contacted each security domain (we asked for their related email address to send them a free voucher entry for more candy bars). We asked the domain administrators (ISPs, businesses, etc.) to simply review the list and send back the percentage of correct collected passwords. Our response rate from the domain administrators was only 30% or so…I can’t remember the exact number…but it was less than half and more than a quarter. The ones that did respond confirmed that over 60% were the actual passwords.
To this day, if I hadn’t participated in the survey and collected the results myself, I would not have believed it.

So, clearly if you want to fish for passwords, your odds of getting something useful in exchange for a chocolate bar and a few minutes of face time with a good-looking woman are pretty darn good. Scary!

Great post by Michael Howard today:

A few years ago I spoke to some senior technical people from a large financial organization about software security. After visiting Microsoft they were off to visit another operating system vendor. I won't name names. The financial company was very interested in our early results, and they were encouraged by what they saw because of the SDL. I asked the most senior guy in the room to ask the other company one very simple question, "What are they doing to improve the security of their product? And by that I mean, what are they doing to reduce the chance security vulnerabilities will creep into the product in the first place? And they cannot use the word ‘Microsoft' in the reply." Two weeks later, the guy phoned me and said...

I won't tell you what they said; for that, you'll need to read Michael's article. I promise that it's worth your time.

IPsec diagnostic tool


From Steve Riley's blog, news of a new IPsec diagnostic tool that you can use to troubleshoot IPsec configuration problems. I haven't tried it yet, but I definitely plan to in my copious free time.

I had no idea you could do this, but it turns out that it's possible to dual-boot both Linux and Windows Vista on the same machine while retaining Windows Vista's ability to encrypt disk data using BitLocker. Cyril Voisin's blog has the details; basically, you install Linux, then install Vista, then use the Vista Boot Manager to enable Linux booting from the Vista boot loader, then turn on BitLocker.

This just in from Secunia:

Multiple vulnerabilities have been reported in IBM Lotus Notes, which can be exploited by malicious, local users to gain knowledge of potentially sensitive information and by malicious people to bypass certain security mechanisms or compromise a user's system.

One of the reported vulns is in the Notes ECL mechanism. I'm really interested to see the details, although these vulns are fixed in 7.0.3 and 8.0.

Hey! Matt Blaze has a blog!


Matt Blaze, world-famous cryptographer and security expert, has a blog. Drop by and see what he thinks of the electronic voting machines used in California.

Man, what was Apple thinking? Turns out all iPhone applications run as effective UID 0. What a boneheaded decision, at least from a security point of view. Too bad Steve Jobs didn't hire me when he had the chance.

At long last, the secret is out: Microsoft now has a solution toolkit to help companies make sure that their sensitive data is properly protected on mobile PCs. Last week at TechEd, they formally announced the Data Encryption Toolkit for Mobile PCs, which combines a thorough analysis of the BitLocker and Encrypting File System features of Windows with a set of prescriptive instructions on how to use BitLocker and/or EFS to protect your company's data. There's also a nifty tool, the EFS Assistant, that you can deploy to automatically scan for files that should be protected, then encrypt them with EFS.

3Sharp was responsible for the entire document set; I worked with David Mowers on the security analysis and wrote the planning and implementation guide, and Paul Flynn wrote the bulk of the EFS Assistant administrator's guide. It's great to have this toolkit out in the world, because I really believe it will help people avoid mishaps like what happened to TJX (so far, they've spent $20 million in 1Q 07 alone, with more to come!)

Yesterday Apple released a beta version of Safari for Windows. Later the same day, David Maynor released information on six bugs (4 denials of service and 2 remote code execution bugs) that he'd found. What a nice way to welcome a new browser to the Windows platform :)

More to the point, this highlights how much things have changed in the Windows security world. It's hard to write a secure browser. Microsoft has put an enormous amount of energy and effort into securing IE 7 and the components that use it. Are there still security flaws in it? Probably (in fact, almost certainly). However, IE7 is still, literally, years ahead of Safari in that respect. There are no shortcuts to building secure applications, as Apple is now learning.

What do you do with an old PC? Most of us just give it away; if you're mindful of privacy issues, you might format the disk first. There have been lots of recent cases where organizations have failed to properly clean disks of confidential information before decommissioning the disks and selling or giving them away. The BitLocker Drive Encryption feature of Windows Vista can help solve this, though-- when you decommission an encrypted volume, you can remove the keys (as detailed in this column) and render the volume permanently unreadable. Sweet!

Expanded BitLocker FAQ


Microsoft updated their BitLocker FAQ, which now answers every question you've ever had about BitLocker (plus some you probably haven't.)

Wow, this is kind of a big hole: Palm OS Treo Find Feature Information Disclosure Vulnerability. Basically, if you set a password on your Treo, the Find function still works even when the device is locked. (See the details here.) In defense of Palm, the exploit requires physical access, so if your phone is always with you the risk is fairly low. However, according to Symantec, Palm was notified of the exploit and has decided not to fix it. -1 for them.

Back in September I wrote a pair of columns about how Exchange 2007 uses certificates. In it I pointed out the utility of having multiple subject alternative names, or subjectAltNames, in a single certificate; doing so allows you to have a single cert that works with autodiscover.yourdomain.com, mail.yourdomain.com, and the real underlying FQDN, all in one cert. Unfortunately, as far as I can tell no commercial CAs will actually issue such a certificate.

However, I got mail today from Andrew Codrington at Entrust. They've just introduced a new "unified communications certificate" as part of their partnership with Microsoft. The UC cert includes 10 subjectAltNames, with the option of adding 3 more for an additional $99. Good deal? Maybe; the 1-year cert price is a whopping $599. Still, that's certainly cheaper than buying 3 standard Entrust certs @ $159 each when you factor in the time and labor required to obtain and install them. More on this later...

So, you can probably tell I'm working on a BitLocker-related project by now...

One drawback to storing BitLocker recovery passwords in Active Directory is that there's no good way to retrieve the recovery password when you need it, or so I thought. I suggested to the BitLocker team that they consider writing an extension to AD Users & Computers to make it easy for authorized admins to get a recovery password for a given computer-- turns out they'd already done it and were deep into the signoff process!

The tool is officially documented in KB 928202. It's an AD U&C extension that makes the BitLocker recovery information visible; you need to get it from PSS, but it's a free call, so why not?

Great news-- Security Analysis, the first part of the Data Encryption Toolkit for Mobile PCs, just went live. The overall Data Encryption Toolkit is a set of tools and guidance to help people secure the data on their laptops using Windows Vista with BitLocker and the Encrypting File System (EFS) in Windows XP and Windows Vista. Look for more pieces of the DET coming soon, as soon as we finish writing them :)

BitLocker allows you to store your recovery password in a file, in Active Directory, or on paper. However, Microsoft's Troy Larsen has another, extremely valuable, suggestion:

You might also consider saving a copy of the recovery password to your cell phone—then you will have it when you are a 1000 miles from home and discover that your two year old took your dongle off the desk when you were packing. Not that that sort of thing ever happens.

Windows Vista's new BitLocker encryption technology is a two-edged sword. On the one hand, it offers excellent protection because it encrypts the entire OS volume with AES-256. On the other hand, if you lose the volume master key (VMK), you're screwed-- there's no way for you to unlock and recover data from the volume.

To make this less of a danger, Microsoft allows you to create a recovery password that you can use to decrypt the disk. More precisely, the technical overview says:

In BitLocker, recovery consists of decrypting a copy of the volume master key blob that has been encrypted with a recovery key stored on a pluggable USB flash drive or with a cryptographic key derived from a recovery password. The TPM is not involved in any recovery scenarios, so recovery is possible if the TPM fails boot component validation, malfunctions, or disappears.

However, you still have to be very, very careful not to lose the recovery password! Vista includes the ability to back up the recovery password to Active Directory, but Microsoft hasn't released the public details of exactly how to do this... until today, that is. The new BitLocker AD Guide describes how to enable AD backup of BitLocker recovery information (including the TPM owner password and the BitLocker recovery password for each protected volume).

You'll need to extend your AD schema to enable this recovery mode. Don't use the schema extension files on the Vista product DVD to do this. They don't contain the correct schema properties. Instead, use the schema extension included with the AD Guide itself.

I've gotten several inquiries about how we selected the products we tested in the anti-phishing technology evaluation. That's a fair question; some companies are unhappy that they were included, and some that they weren't.

When we defined the parameters for the testing, we selected the vendors that had either browser-based toolbar add-ons or built-in anti-phishing technology in the browser as of May 2006 and that (in our opinion or by market data) had a significant usage presence. There are dozens of products that meet the first test, but not that many that meet the second. We picked the top 8 based on our understanding of actual usage and deployment. I didn't want to include payware products because the original objective was for us to help Microsoft understand how well IE 7 worked compared to its biggest competitors-- and in this market segment, payware products are at a disadvantage.

Would we have preferred to test all the products? Sure. The team at Carnegie Mellon that did a similar study (with a smaller list of products and a smaller set of URLs) said the same thing. However, we had to draw the line somewhere. When we redo the tests, we'll probably change the product mix around; I'd expect to see Firefox 2.0 included, and maybe some of the commercial products.

To address Symantec's complaint, I'd make two points. First, Norton Confidential wasn't announced until June, so how could we have included it? You're making the Firefox argument. We only tested products that were publicly available at the start of our time period; we excluded Norton Internet Security 2006 because it was commercial (and I suspect that if we'd tested the 2006 version, we'd be hearing that we should've tested the 2007 version instead. Sic transit gloria annual releases...)

Second, it's pretty worthless to have a blog but not allow comments or trackbacks. That's not a blog, it's a monologue. Whatever you think of the quality of Microsoft's products (including IE), you have to admit that they have aggressively embraced blogging as a way to communicate directly with customers-- something I'd like to see more security companies emulate.

Update: fixed the link to McAfee's SiteAdvisor blog.

Oh, bother.

I got a testy e-mail from Shane Keats of McAfee asking us to remove SiteAdvisor from the study, based on his claim that SiteAdvisor isn't an anti-phishing toolbar. I wrote a detailed response, in private e-mail, and was prepared to leave it at that.

However, Mr. Keats cried "foul" to InfoWorld and on the IE blog, saying that including SiteAdvisor is "silly and wrong. We don't claim, anywhere, to offer phishing protection. In fact, we're pretty explicit that we don't."

I'll admit to sometimes being silly, and I've certainly been wrong before, but I think in this case it's fair to include SiteAdvisor. Here's why:

  • The SiteAdvisor.com home page contains this text: “McAfee SiteAdvisor also complements and enhances your existing security software by detecting threats which traditional security products often miss, including spyware attacks, online scams, and sites that spam you”. I think a reasonable person would likely interpret the reference to “online scams” as including phish.
  • Question 2 of the SiteAdvisor FAQ page says “SiteAdvisor is a consumer software company dedicated to protecting Internet users from all kinds of Web-based security threats and annoyances including spyware, adware, unwanted software, spam, phishing, pop-ups, online fraud, and identity theft.” This definitely seems to represent SiteAdvisor as an anti-phishing tool.
  • Mr. Keats included a partial quote from this support article: "SiteAdvisor's software does not currently provide automated or real-time phishing detection". However, the full text of this article explicitly says that user reports of phish sites are reported by SiteAdvisor. In our report, we didn’t distinguish between tools that use automated reporting and those, like SiteAdvisor, that can incorporate user-generated reports.
  • On August 3rd, I spoke via phone with both Craig Kenwec of McAfee and Scott Van Sickle of Global Fluency, a PR agency that handles client-security PR for McAfee. Both of them told me that SiteAdvisor incorporates anti-phishing functionality.

Microsoft pointed to our study from the IE blog, where there are already several comments, including this one from "Sheep and Duck":

3Sharp was founded in 2002 by three friends: Paul Robichaux, Peter Kelly, and John Peltonen, all experts in their respective fields. Their goal was to establish a company that could demonstrate the robustness, flexibility, and sheer native capabilities of the Microsoft communication and collaboration technologies. By working closely with Microsoft's Information Worker Group, 3Sharp has always been able to stay on the cutting-edge of the Office System technologies.

http://www.3sharp.com/about_us.htm

Somehow I don't trust this "study".

To which I say:

Sheep and Duck, I understand why you're skeptical. No matter who commissioned the study, *someone* would distrust the results on that basis alone. However, I think if you read the report, you'll see that we have been transparent about our test methods and the data we used for the test. If you read the report and still have questions, feel free to contact me via e-mail (paulr@3sharp.com) or my blog (www.robichaux.net/blog) and I'll do my best to address them.

The report even says that the actual scores of which product blocked or warned on which URLs is available from us on request. It's hard to be much more transparent than that!

The folks over at mozilla links also asked a good question that I should have addressed in the FAQ: because some of the URLs came from a feed generated by opt-in Hotmail users, does IE have an unfair advantage? The answer is "no", because the feed we used wasn't incorporated in the data feeds that Microsoft uses for the Phishing Filter.

When we started working on "Gone Phishing", I anticipated that I'd get some questions, so I've been keeping a running list of things that I expect to be FAQs.

Q: What's unique about your study?
A: As far as we know, no one's done a public study that directly compares multiple products against a meaningful number of URLs. Most of the evaluations that have been put out there are anecdotal and only used a few URLs.
Q: What did you test?
A: We took 8 anti-phishing products (including the Netcraft toolbar, IE 7's Phishing Filter, Google's Safe Browsing for Firefox, Netscape 8.1, GeoTrust TrustWatch, McAfee SiteAdvisor, the eBay toolbar, and EarthLink's ScamBlocker) and ran two sets of tests: one to determine how good each technology was at catching known phish, and one to see how many mistakes each made on known-good URLs.

Q: Who won?
A: IE 7 came out best overall, with a score of 172 of a possible 200. Netcraft was a very close second, scoring 168/200. For the rest of the scoring, see the report.

Q: Microsoft commissioned the study. Isn't it biased?
A: No. 3Sharp, not Microsoft, designed the methodology, picked the URLs, and ran the tests. The report includes a complete discussion of how we did this, and even lists of the URLs we tested. We believe our methodology is sound and we're being 100% transparent about how we got the results we did so that others can duplicate the results if they like.

Q: How'd you decide who won?
A: We calculated a composite accuracy score for each technology. This score combined the product's performance at blocking or warning phish with its accuracy in not blocking or warning on legitimate URLs. Each technology earned points for correct blocks/warns and lost points for bogus blocks/warns. (See p10 of the report for the full scoring formula). A product that blocked all 100 phish and none of the 500 good URLs would score a perfect 200; a product that didn't block anything (e.g. IE 6, Safari, Firefox 1.5, Opera, etc.) would score 0.
Q: 200? I thought there were only 100 phish.
A: We used 100 live phish and 500 known good URLs for the test. However, our scoring formula counts 2 points for a block and 1 point for a warning-- so if product X blocked all 100 phish, it would score 200.

Q: Why'd you decide that a block should score twice as much as a warn?
A: Users have increasingly become conditioned to ignoring security warnings. In our view, stopping someone from going to a potentially dangerous site is better than suggesting that they not do it.

Q: What URLs did you use?
A: We gathered 100 phish for the tests; we did this by using several data feeds, scanning them using regular expressions, and then manually culling out the real phish. We tested each phish by hand to make sure that it was still live before running our tests, then we manually tested each phish in each technology and scored the results. Each phish was tested within 48 hours of its arrival to make sure it was fresh (or is that "phresh"?) See appendices A and B of the report for a complete list. For the known-good URLs, we took a set of 500 randomly selected URLs from our data feeds, then manually checked them to make sure they weren't 404.

Q: Why didn't you test <my favorite product>?
A: We had to take a snapshot of available products at a point in time. We couldn't test all of the products, and we couldn't go back and re-do the tests every time one of the technologies got updated. For example, EarthLink released an update to ScamBlocker during our test period, Mozilla released Firefox 2.0 (which includes anti-phishing features) recently, and Microsoft has updated IE 7 twice since the tests. Because phish have such a short lifetime, we couldn't go back and re-run the tests.

Timely story on phishing impact


Reuters has an interesting story today on how phishers are cranking up their attempts to steal your money-- and your identity. Symantec released a study today claiming an 81% increase in the number of unique phishing messages sent out in the first half of 2006 vs. the second half of 2005-- not a huge surprise to anyone who has an e-mail account. The story is particularly timely, though, given that 3Sharp will be making a phishing-related announcement later this week; I'll have more to say later in the week.

CISSP: worth pursuing, or not?

Kerry Thompson just posted a solid article exploring the pros and cons of getting a CISSP (Certified Information Systems Security Professional) certification. The CISSP curriculum is demanding, that's for sure; Thompson presents some good arguments both pro and con. (His final take: if you want more money, get an MCSE or CCNA :))

All sorts of folks are calling for restrictions on camera phones. Some propose legislative remedies, while others just want the phones banned from their facilities.

Ed posted a comparison of IBM's and Microsoft's security update records. He missed a few important details, though that's understandable given that he's not a security dude. Just to set the record straight, though, I wanted to point out something that security folks learn pretty quickly: simplistic comparisons that claim that "vendor X has better security than vendor Y based on patches" are worthless. Any time you see one, there are some hard questions you should be asking.

First, what products are included? We don't know what criteria McAfee used to make their pretty graphs. Did they include Office updates? Updates for Windows 2000 before it went EOL? Windows Media Player? Who knows? Reputable researchers and vendors will always include their source data; if you don't see it, you should be wary.

Second, what basis of comparison is being used? Most broad-based comparisons of vendors are flawed because they mix dissimilar items, usually applications and OSes. You can say "Microsoft had to issue more patches than IBM", but that's meaningless unless you're talking about specific products. A more interesting question would be to ask something like "Who had more patches to install: an Exchange 2003 admin on Windows 2003, or a Lotus Domino 6.5 admin on RHEL?" Well, according to Secunia, the numbers break down like this:

All of a sudden the comparison doesn't favor IBM quite so much! A more proper comparison might leave the operating system out of it (after all, there are more Notes seats on Windows than on Linux), but even then there's still room for argument: Secunia doesn't break down Domino R6 vs 6.5, so the vuln count of 22 may include some items that aren't relevant.

Third, counting patches alone leaves out some important dimensions. It's like counting the money in your wallet by counting bills and ignoring denominations-- would you rather have 10 $1 bills or 1 $100? Other factors to evaluate include the severity of each vulnerability and how long it takes the vendor to get a patch out after the vulnerability emerges (or is disclosed)-- the so-called "days of risk" model.

Fourth, not all vendors tell the truth. More kindly, not all vendors tell the whole truth and nothing but. For example, IBM doesn't include severity ratings on its security page, so you can't judge the severity of a reported vuln unless you're already pretty knowledgeable. Oracle is flat-out dishonest in some of its security patch release notes. When you're comparing vendor security, you should include the nature, frequency, and accuracy of their security-related disclosures and communications.

Fun facts about Bruce Schneier

For the security-minded: get the truth about Bruce Schneier, popular crypto-pundit.

I've been spending a lot of time working with various client-side anti-phishing products, including GeoTrust's TrustWatch. Turns out it appears to have a fairly serious bug: if you go to an unverified site (which should show a yellow icon), then visit a verified site, the toolbar icon won't update-- so the known-good site still shows as untrusted! If you click the toolbar icon itself, the detailed site report is correct. However, this problem a) makes it hard for me to have a lot of confidence in TrustWatch's services and b) is certainly misleading, since it makes good sites appear to be bad.

Update: not only is this a bug, it's inconsistent. Sometimes refreshing the page fixes it, but not always. Sometimes moving through the page history fixes it, but not always. There's also a case that looks like a bug but isn't: when page A (which shows up as unverified) redirects to page B (which is verified), the icon will change.

Steve Riley has a great blog post on mandatory integrity control (MIC) in Windows Vista. MIC is an old concept; I fondly remember the old Multics machine that USL had, since Multics was one of the first systems to implement MIC in any meaningful way. Anyway, the Vista implementation of MIC is pretty interesting; read Steve's blog to find out more.

My TechEd 2006 session

I haven't had time to post the slides yet, but Hunter gives a pretty good overview of what I covered. (Thankfully, he didn't mention the icy-cold room or the mysterious problem we had with the lights, both of which cost me in my session evaluations; this guy mentioned the lights, though)

Great news from Microsoft's Core Infrastructure Solutions group: they've released a new guide called the Regulatory Compliance Planning Guide. It explains how to use a control-based framework to help ensure that your company complies with various regulations, including Sarbanes-Oxley, Gramm-Leach-Bliley, HIPAA, the EU Data Protection Directive, and ISO 17799. Good stuff.

Major vulns in Oracle, again

From CERT yesterday, an announcement of Oracle's latest security patch. They're so clueless it's not even worth making fun of them at this point.

Various Oracle products and components are affected by multiple vulnerabilities. The impacts of these vulnerabilities include remote execution of arbitrary code, information disclosure, and denial of service.

New vulns in Veritas StorageExec

Hot on the heels of the recent BackupExec vulns, the folks at NGS have been busy finding similar buffer overflow vulnerabilities in the StorageExec product. This Windows IT Pro article credits NGS, but NGS' own web site doesn't seem to have an alert. Anyway, Symantec has released hotfixes for StorageExec and StorageCentral.

Of course, the real question is whether Symantec is going to institute the same kind of deep-dive security effort that Microsoft did with their Secure Windows Initiative and Trustworthy Computing. Vendors who don't do that (paging Mr. Ellison! paging Mr. Ellison to the white security phone!) are going to continue to get their pants pulled down by eager, skilled firms like NGS.

Wow, this is hard to stomach. CERT is reporting TA05-224A: "VERITAS BackupExec Uses Hard-Coded Authentication Credentials". It's astonishing that any company could be so stupid as to ship a product that still uses hard-coded credentials; it's a wonder that it's taken this long for an exploit to start circulating. (Note that this is different than the vuln-o-rama announced last month.)

According to Symantec's page on the vuln, only BE versions 8.0, 8.5, and 8.6 have the flaw. I'd bet that's a significant portion of the installed base, so a) I hope they're protected and b) I sure would feel more comfortable if the page also said "hey, don't worry, we fixed the problem in BE 9". My concern is that BE 9.x and 10.x have the same, or similar, problem but that attackers haven't found the creds yet.

Update: Symantec updated the vuln page last night with this additional page. Turns out that BE 9.0, 9.1, and 10.0 are vulnerable too. Sheesh. Making things worse, to fix the remote agent you have to uninstall the remote agent, reboot, install the new version of the agent, and reboot again. There's no hotfix.

Last week, Veritas released a set of advisories for security flaws in various versions of BackupExec. One of these flaws, a buffer overflow in the BackupExec remote agent, is apparently being attacked in the wild: InformationWeek reported yesterday that the vuln is already being actively exploited by a W32.Toxbot variant. If you're running BackupExec, make sure you get the patch, and don't allow remote traffic to TCP port 10000 (not that you should normally be doing that anyway, but still...)

SHA-1 broken

Bruce Schneier is reporting that the SHA-1 hash algorithm has been broken:

The research team of Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu (mostly from Shandong University in China) have been quietly circulating a paper describing their results:

• collisions in the full SHA-1 in 2**69 hash operations, much less than the brute-force attack of 2**80 operations based on the hash length.
• collisions in SHA-0 in 2**39 operations.
• collisions in 58-round SHA-1 in 2**33 operations.

This attack builds on previous attacks on SHA-0 and SHA-1, and is a major, major cryptanalytic result. It pretty much puts a bullet into SHA-1 as a hash function for digital signatures (although it doesn't affect applications such as HMAC where collisions aren't important).
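Why a collision kills hash-then-sign but leaves HMAC alone, as an added, runnable illustration (my code, not from Schneier's post or the Wang/Yin/Yu paper): the block below truncates SHA-1 to 24 bits so that the generic birthday search finds a collision in a few thousand evaluations instead of the 2**80 the full function would need, then shows that a signature computed over the digest of one message verifies for the other, while an HMAC keyed with a secret and built on the same truncated hash does not collide. The Wang attack is a cryptanalytic shortcut rather than a birthday search, but the consequence for signatures is the same. The signing key, MAC key and message format are made up for the example, and the keyed MAC standing in for the signing primitive is a placeholder, not a real signature scheme.

```python
import hashlib
import hmac


def toy_hash(data: bytes, nbytes: int = 3) -> bytes:
    """SHA-1 truncated to nbytes bytes (24 bits by default).

    A stand-in for the 160-bit function: the generic birthday attack needs
    about 2**(bits/2) evaluations, so roughly 2**12 here versus 2**80 for
    real SHA-1. Everything below treats this as "the hash".
    """
    return hashlib.sha1(data).digest()[:nbytes]


def birthday_collision(nbytes: int = 3):
    """Find two distinct messages with equal toy_hash output.

    Hash a stream of distinct messages, remembering every digest, until one
    repeats. Returns (m1, m2, evaluations). Messages are constructed here.
    """
    seen = {}
    counter = 0
    while True:
        msg = b"msg-%d" % counter
        digest = toy_hash(msg, nbytes)
        if digest in seen:
            return seen[digest], msg, counter + 1
        seen[digest] = msg
        counter += 1


# Hash-then-sign. The signer processes only the digest of the message, as RSA
# and DSA signatures do in practice. The "private key" is made up, and the
# keyed MAC is just a placeholder for the signing primitive.
SIGNING_KEY = b"example-private-key"


def sign(message: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, toy_hash(message), "sha256").digest()


def verify(message: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(sign(message), signature)


def toy_hmac(key: bytes, message: bytes) -> bytes:
    """HMAC (RFC 2104 structure, 64-byte block) built on the same toy_hash.
    The attacker's collision was found on toy_hash(m), not on
    toy_hash(ipad_key + m), so it does not carry over."""
    key = key.ljust(64, b"\x00")
    ipad = bytes(k ^ 0x36 for k in key)
    opad = bytes(k ^ 0x5C for k in key)
    return toy_hash(opad + toy_hash(ipad + message))


def demo() -> dict:
    m1, m2, work = birthday_collision()
    sig = sign(m1)                     # the signer only ever saw m1...
    forged = verify(m2, sig)           # ...yet the signature covers m2
    mac_key = b"example-mac-key"       # made up for the example
    mac_collides = toy_hmac(mac_key, m1) == toy_hmac(mac_key, m2)
    return {"work": work, "forged": forged, "mac_collides": mac_collides}


if __name__ == "__main__":
    print(demo())
```

Shrinking the hash from 160 to 24 bits turns 2**80 work into about 2**12, which is why the output size, not the algorithm's name, sets the floor for collision resistance; the Wang result matters because it gets well under that floor for the real function.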

From the "I hate it when that happens" department: there's a vuln in the BlackBerry software (at least in the 7230 model) that can be used to cause the device to reboot on demand. The problem is triggered by >128Kb of text in the "Location" field of a meeting request. As RIM points out, Outlook limits that field to 255 characters, so you'd have to hand-craft attack messages. However, these messages don't do permanent damage; they just cause annoying reboots.

This month's Security Tuesday only includes one bulletin: MS04-026. It fixes a cross-site scripting/script injection vulnerability in Exchange 5.5's Outlook Web Access component. If you're using OWA 5.5, a) you should get this fix and b) you should probably be upgrading.

New IE fix released

Microsoft has taken the unusual step of releasing a security fix outside of their normal release cycle. The bulletin, MS04-025, is a cumulative update that addresses three separate vulns in IE: CAN-2004-0549, CAN-2004-0566, and CAN-2003-1048.

Security Tuesday: MS04-015

It's Security Tuesday again. This month, we get MS04-015, which covers a vuln in Help and Support Center on XP SP1 and Windows 2003 RTM (32- and 64-bit versions), and updates to MS04-014 (pretty much everyone) and MS01-052 (NT4.0 TSE SP6 and Windows 2000 SP2). Happy patching!

Well, it's the second Tuesday of the month, so it must be time for the latest crop of Microsoft security bulletins. The summary is here. There are four bulletins (MS04-011, MS04-012, MS04-013, and MS04-014), and all of them are rated "critical". Patch now.

In a recent post to NTBugTraq, Rene points out what he calls a "problem" with Exchange 2000 and Exchange 2003: under some circumstances, Exchange will convert a distribution group to a security group.

Regular users with no rights to modify AD security groups have the ability to change a distribution list to a security group.

Steps to recreate the problem:

1: User opens a mailbox with Outlook 2000 / XP / 2003
2: Navigates to mailbox permissions
3: Adds a distribution list from the GAL with Contributor access
4: Saves changes

Once the user adds the distribution list, Exchange will convert the distribution list to a like security group.

As another reader correctly noted, this behavior is by design, and it's controlled by the msExchDisableUDGConversion attribute on the Exchange organization object. In Exchange 5.5, you could apply public folder permissions by assigning DLs. That doesn't work in Exchange 2000 and later, since a distribution group doesn't have a SID and thus cannot be used for permission assignment. Normally this conversion only takes place during an upgrade from Exchange 5.5 (a process described in chapter 10 of the Exchange 2000 resource kit). The default attribute value of 0 lets the conversion take place at any time; a value of 1 only allows conversions requested by the store (not by clients; this setting would fix Rene's problem). A value of 2 disallows all such conversions (but as described in this webcast, this value isn't recommended.) Kieran McCorry has a good article that talks more about the conversion process, why it's necessary, and how to control it.

Formatting USB keys as NTFS

If you're using removable USB sticks, keys, or pen drives, you can format them as NTFS. This is handy if you want to apply permissions to the files contained thereon, as you might want to if you're, say, an administrator. However, the default setting for removable devices is "optimize for quick removal", meaning that write caching and NTFS formatting are turned off. If you use Device Manager to inspect the properties of the USB stick while it's mounted, you can change that setting to "optimize for performance", and NTFS will become available. You may be able to format sticks as NTFS from the command line, but this doesn't work consistently across all models and drivers.

Update: of course, the biggest benefit from formatting a thumb drive with NTFS is that you can use EFS on it. I should have mentioned that in the original post.

Plaxo considered insecure

I've never been much on centralized contact managers like Plaxo. Why would I want to outsource all of my contacts to some company in the naïve hope that they won't hose me? Turns out that this may have been a legitimate concern; this post describes a trivial script injection attack against Plaxo that lets an attacker 0wn your contact data. Oops. So, if you're using Plaxo, you should probably stop.

DoJ computer forensics guide

The US Department of Justice has an interesting guide to computer forensics, titled Electronic Crime Scene Investigation: A Guide for First Responders. From the abstract:
Computers and other electronic devices are being used increasingly to commit, enable, or support crimes against persons, organizations, or property. This NIJ Guide (NCJ 187736) is intended for use by law enforcement and other responders who have the responsibility for protecting an electronic crime scene and for the recognition, collection, and preservation of electronic evidence.
For experienced admins, there's not much new here, but it's a good overview of different classes of devices and some of the forensic concerns surrounding them. One question I'm often asked when I teach is whether forensic recovery is important. The answer is a little surprising.

Important new security update released

There's a major security vulnerability that affects practically every retail outlet in the US. See the description here.

E2K3 security flaw? Sort of

Microsoft announced a security flaw in Exchange 2003. Basically, if you install Windows SharePoint Services (WSS) on an Exchange 2003 back-end, you may be allowing OWA users to access other users' mailboxes. This occurs when Kerberos authentication gets turned off; to fix things, you should make sure that Kerberos is turned back on. You can also turn off connection reuse to fix the problem. The number of affected users is quite small, and it's certainly understandable that MS didn't test this particular configuration, but it's still embarrassing.

Mike Howard's got blog

I'm not normally one to post the same thing on both blogs, but this deserves double posting: Michael Howard (author of Writing Secure Code) has a blog, in which he discusses all sorts of tasty security stuff. (Too bad gotdotnet doesn't support trackbacks.)

Identity theft gone wrong

Tip for potential identity thieves: be careful whose identity you steal, or you may be worse off than you were before.

Crack passwords in seconds! Not.

C|Net (and others, but I'm picking on them because their reporter should know better) is breathlessly reporting an allegedly new approach to breaking Windows passwords. The article conveniently ignores the fact that trading space for time is a well-known technique for lots of applications, and it presents without comment the claim that this is a major vuln. It's not. Here's why:

  • The attack depends on breaking the LM hash, which is known to be weak. You don't have to store it (read up on the NoLMHash setting); even if you have Win9x clients, you can install the directory services client and use NTLMv2. In fact, if you follow MS' recommendation of using >15-character passphrases for critical accounts, you'll find that no LM hash is stored for those passphrases.
  • The space/time tradeoff doesn't scale. Even if you just use upper case, numbers, and symbols, you will get somewhere around 3.37134E+14 different 8-character passwords on a standard US keyboard-- you'll get more if you include Unicode characters, which MS has been recommending for a while. Storing the hashes for that many passwords takes about 5.4 petabytes of space. Even if you manage to store that many password hashes on a disk, it is pretty unlikely that you will find a system fast enough to compare that many passwords in a matter of seconds. The problem still boils down to weak passwords, not to the fact that you can crack weak passwords in 13.6 seconds instead of 1 minute and 41 seconds. Weak passwords are still weak, regardless of how fast you can crack them.
  • The only way to mount this attack is to grab the password hashes.
    • If you gain physical access to the box, the stored hashes are encrypted under the syskey system key rather than sitting in the SAM in the clear, so they're not directly vulnerable.
    • If you mount an online attack, you must either be admin or be able to get admin privileges to get the hashes from the LSA so you can attack them. If an attacker can get admin privileges, you have bigger problems than weak passwords.
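To make the space/time argument concrete, here is an added example (mine, not the tool the C|Net article describes) of the kind of precomputation that article is talking about: a small rainbow table over a 36-symbol, 4-character password space, hashed with unsalted SHA-1 as a stand-in for LM/NT hashes. Storing 2,000 chain endpoints lets you recover any of the roughly 100,000 passwords the chains pass through with a couple of thousand hash operations instead of a full search. Scale the same code to the 8-character space above and it is the table, not the lookup, that becomes impossible. Chain count, chain length, the start-point stride and the reduction function are my own choices for the demonstration.

```python
import hashlib
import string

# Toy password space: uppercase letters and digits, 4 characters long.
CHARSET = string.ascii_uppercase + string.digits
PW_LEN = 4
KEYSPACE = len(CHARSET) ** PW_LEN          # 36**4 = 1,679,616 candidates
START_STRIDE = 7919                        # spreads chain start points (my choice)


def keyspace_size(charset_size: int, length: int) -> int:
    """Number of passwords of exactly `length` symbols from charset_size symbols."""
    return charset_size ** length


def index_to_password(n: int) -> str:
    """Bijection from 0 .. KEYSPACE-1 onto the password space."""
    chars = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(CHARSET))
        chars.append(CHARSET[r])
    return "".join(chars)


def H(password: str) -> bytes:
    """Unsalted hash, like LM/NT. A per-account salt would force a separate
    table per salt value, which is what makes precomputation pointless."""
    return hashlib.sha1(password.encode()).digest()


def reduce_(digest: bytes, column: int) -> str:
    """Map a digest back into the password space. Folding in the column
    index turns a plain Hellman table into a rainbow table, so chains that
    collide in different columns do not merge."""
    n = int.from_bytes(digest[:8], "big") + column
    return index_to_password(n % KEYSPACE)


def chain_start(chain_index: int) -> str:
    return index_to_password((chain_index * START_STRIDE) % KEYSPACE)


def build_table(num_chains: int, chain_len: int) -> dict:
    """Precompute the table: num_chains chains of chain_len hash/reduce steps,
    storing only endpoint -> [start points]. That is the space/time trade:
    num_chains entries stand in for up to num_chains * chain_len hashes."""
    table = {}
    for c in range(num_chains):
        p = chain_start(c)
        for col in range(chain_len):
            p = reduce_(H(p), col)
        table.setdefault(p, []).append(chain_start(c))
    return table


def lookup(table: dict, target: bytes, chain_len: int):
    """Return the password whose hash is `target` if it lies on a stored chain.
    Costs on the order of chain_len**2 / 2 hashes rather than a full search."""
    for i in range(chain_len - 1, -1, -1):
        p = reduce_(target, i)                 # assume target sits at column i
        for col in range(i + 1, chain_len):    # walk to the chain's end
            p = reduce_(H(p), col)
        for start in table.get(p, ()):
            q = start                          # regenerate up to column i
            for col in range(i):
                q = reduce_(H(q), col)
            if H(q) == target:                 # filters false alarms from merges
                return q
    return None


def password_on_chain(chain_index: int, column: int) -> str:
    """The password at `column` of a given chain; used to pick a target that
    is guaranteed to be covered by the table."""
    q = chain_start(chain_index)
    for col in range(column):
        q = reduce_(H(q), col)
    return q


if __name__ == "__main__":
    chain_len = 50
    table = build_table(2000, chain_len)      # 2,000 entries, <= 100,000 passwords covered
    target_pw = password_on_chain(3, 10)
    print(target_pw, "->", lookup(table, H(target_pw), chain_len))
    # The 8-character space from the post above, for comparison:
    print(keyspace_size(65, 8), "candidates")
```

Two things to notice: coverage is bounded by chains times chain length, so covering a keyspace of N passwords costs on the order of N hash operations up front no matter how cleverly you store it, and the whole trick only works because the hash is unsalted. A salt per account multiplies the table by the number of salt values, which is why LM and NT hashes are attractive targets for it and salted schemes are not.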

Oracle unbreakable? Not

Oracle has been loudly hyping the stability and security of their products with their "Unbreakable" campaign. Better people than I have already debunked the security aspects of their claims. Now this week, Orbitz suffered a major outage because of Oracle's... (wait for it) clustering software. That's right; the very software (called the Oracle Real Application Cluster package) that's supposed to guarantee that their systems are 99.999% available caused a major outage. This eWeek article explores Orbitz's solution (i.e., moving off RAC).

Fearless prediction: Orbitz is going to start looking for another database vendor. eBay dumped Oracle and Sun after their 1998 outage, and I fully expect to see it happen again. Since Orbitz' new CIO started work on Monday, I bet this is suddenly very high on his to-do list.

New MS RSS feed

Thundermain has a new RSS feed that lists the ten most recent downloads posted in the Microsoft Download Center. This is a simple way to keep up with new white papers, documents, and patches. Check it out.

For bonus points, check out Jiri Ludvik's list of security blogs, from which this blog is inexplicably absent. It's still a good list. (Hat tip: Susan Bradley via NTBugTraq.)

It only looks like a bug

I'm flying ATA to Seattle today, so I tried to use their web site to check in. I had some printer trouble while printing boarding passes, so I clicked the "Go Back" button on the boarding pass page. Imagine my surprise when I got someone else's boarding pass. I immediately pegged it as a session-rollover hole, so I called 'em up and spoke to a helpful lady at their Internet service desk. I followed up with a screenshot showing the other passenger's boarding pass, and they followed up with a call from their webmaster. It turns out that instead of including a "your session has timed out" page like, oh, 99.8% of other e-commerce sites, they throw up this fake boarding pass. It's being fixed. I'm glad it was a placeholder and not a real security flaw, and I'm even gladder that they took prompt action to square it away. I hope their IT staff's attitude is reflective of the flight and cabin crew's attitude.

Microsoft has MS03-007 out. The bulletin describes a buffer overflow vulnerability in the WebDAV component of IIS 5.0 on W2K; Windows 2003 and Windows XP aren't affected. The practical effect of this vuln is that an attacker can run code of her choice on your server (at which point it's not really your server anymore.) The worst part is that an exploit for this problem is already circulating.

There are several ways to avoid this problem:

  • If you were already running URLScan, you're in good shape. Its whole purpose is to block malformed or bogus requests before IIS ever gets them. If you're not running URLScan, well, why not?

  • Go to the download page and download the patch. It's a self-installing executable; after installing it, stop and restart the W3SVC service. You don't need to reboot.

  • Go to Windows Update and scan for the patch. The Windows Update installer may prompt you for a reboot.

  • Use the Automatic Updates client to download and install the patch. Unfortunately, this route will prompt you for a reboot, although you can sneak by by killing its process and bouncing the W3SVC service.

  • Disable or remove IIS. Obviously you can't do this for your Exchange servers, but other servers may not need IIS. See KB article 321141 for details.

  • Disable WebDAV only. This is easy to do.

  • Download the URL Buffer Size Registry tool and use it to set the MaxClientRequestBuffer value. Microsoft recommends setting MaxClientRequestBuffer to 16K, but in the same sentence they warn that doing so may break "some programs." In my testing, a setting of 16K didn't seem to interfere with OWA or Exchange, but your environment may have a different mix of requests. I've asked MS for a definitive statement on this; in the meantime, you can either use a larger value or use URLScan, which has templates for OWA. (Side note: of course, by reading KB article 816930 you could make this change yourself, but the tool can scan multiple machines to find those that haven't had this limit applied).

  • If you choose to apply MaxClientRequestBuffer, you should probably also use a group policy setting to push the registry value to all of your servers rather than setting it by hand on each one.
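If you want to know whether anyone has been poking at WebDAV on your servers while you decide between those options, here is an added example (mine, not anything Microsoft ships) that reads an IIS W3C extended log and flags requests whose URI is longer than the 16K MaxClientRequestBuffer limit, plus any WebDAV verb on a server that isn't supposed to be serving WebDAV (set webdav_expected=True for an OWA front-end, where PROPFIND is normal traffic). The log lines are constructed for the example and assume IIS logged the full URI of the oversized request; whether an IIS 5.0 box actually logs a request that crashes it is not something this example can tell you, so treat a hit as a reason to look closer, not proof of an attack.

```python
# WebDAV verbs as listed in RFC 2518 plus the SEARCH verb IIS/Exchange accept.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "SEARCH"}
MAX_CLIENT_REQUEST_BUFFER = 16 * 1024      # the 16K limit discussed above


def parse_w3c(log_text: str):
    """Yield one dict per request line of an IIS W3C extended log, keyed by
    the names in the '#Fields:' directive (so column order is not hard-coded)."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue                       # truncated or malformed line: skip, don't guess
        yield dict(zip(fields, values))


def request_length(entry: dict) -> int:
    """Length of the request URI as logged (stem plus query)."""
    uri = entry.get("cs-uri-stem", "-")
    query = entry.get("cs-uri-query", "-")
    return len(uri) + (0 if query == "-" else 1 + len(query))


def detect(log_text: str, limit: int = MAX_CLIENT_REQUEST_BUFFER,
           webdav_expected: bool = False) -> list:
    """Return (reason, client IP, method, status) tuples worth a second look."""
    hits = []
    for entry in parse_w3c(log_text):
        method = entry.get("cs-method", "").upper()
        who = (entry.get("c-ip", "?"), method, entry.get("sc-status", "?"))
        if request_length(entry) > limit:
            hits.append(("oversized-request",) + who)
        if method in WEBDAV_METHODS and not webdav_expected:
            hits.append(("webdav-method",) + who)
    return hits


# Constructed sample log: one normal GET, one OWA-style PROPFIND, and one
# SEARCH request with a 70,000-character URI that the server answered with 500.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 5.0",
    "#Version: 1.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2003-03-18 10:00:01 10.0.0.5 GET /exchange/default.htm - 200",
    "2003-03-18 10:00:02 10.0.0.7 PROPFIND /exchange/user/inbox - 207",
    "2003-03-18 10:00:03 192.0.2.9 SEARCH /" + "A" * 70000 + " - 500",
])


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG, webdav_expected=True):
        print(hit)
```

Run it over real logs with webdav_expected set according to the server's role; on an Exchange front-end only the oversized requests are interesting, on a plain web server any WebDAV verb at all is worth asking about.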

What about long-term solutions? Well, you should definitely be using IIS Lockdown on all your Windows 2000 servers. If you combine that tool with reasonable attention to patches, you will be in relatively good shape. You should aggressively follow up with MBSA scans to check for correct patch installation. In almost all cases, your life will be easier if you deploy Software Update Services (SUS) to pull patches and stage them for mass installation. When I get a free minute, I'll be writing an article here describing exactly how to use SUS.

In the meantime, if you read and follow the recommendations in chapters 6 and 14 of the book, you can relax.

Technically, this isn't a security alert, but Microsoft has released the first post-SP3 rollup fix for Exchange 2000. KB article 813840 links to the list of fixes.

There's a companion set of fixes for the Active Directory Connector. KB article 815452 contains its list of fixes.

UPDATE: Microsoft has pulled the downloadable update, citing mismatches between the rollup binaries and the associated symbol files. They haven't yet provided an ETA for restoring the download, although the KB articles are still there.

Microsoft has released a terrific new white paper:

This white paper provides information about the communication that flows between components in Windows XP Professional Service Pack 1 (SP1) and sites on the Internet, and how to limit, control, or prevent that communication in an organization with many users.

In other words, this paper debunks the FUD surrounding XP's communications with the Internet by explaining when XP connects, why, and what it sends or receives. Highly recommended.

The Ten Immutable Laws

Scott Culp's two essays on the ten immutable laws of security (one set for administrators, one for users) turned two years old last month. They're still timely and useful. Read them, live them, and know them.

IPsec step by step

Want to set up IPsec? Here's a detailed step-by-step guide.

E what? ESMTP, did you say?

Here's a useful tip: many SMTP proxy servers don't support ESMTP. In particular, most of the SMTP proxies that scan for and clean viruses don't support it. What this means to you is that if you're using a virus-scanning proxy, users aren't likely to get delivery receipts. RFC 1891 specifies how SMTP delivery status notifications (DSNs) are requested: as extra parameters on the RCPT TO command, such as RCPT TO:<joe@blow.com> NOTIFY=FAILURE. If your virus-scanning proxy doesn't advertise the DSN extension in its EHLO reply, or strips those parameters, you won't get a DSN for that message.
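Here is what that negotiation looks like in code, as an added example (mine, not from the RFC or from any particular proxy product): it pulls the extension keywords out of an EHLO reply, builds the RCPT TO line a conforming client would send, and shows that a proxy that answers EHLO without the DSN keyword (or rejects EHLO outright, forcing a fall-back to HELO) causes the NOTIFY parameter to be left off. The EHLO replies are constructed for the example, and the hop-by-hop check at the end is a simplification of the RFC 1891 relay rules.

```python
def parse_ehlo(reply: str) -> set:
    """Return the ESMTP keywords advertised in a multi-line EHLO reply.

    Continuation lines look like '250-DSN'; the final line uses a space
    ('250 HELP'). A 5xx reply means the server only speaks plain SMTP.
    """
    lines = reply.strip().splitlines()
    if not lines or not lines[0].startswith("250"):
        return set()                        # EHLO rejected: no extensions at all
    keywords = set()
    for line in lines[1:]:                  # lines[0] is the greeting, not a keyword
        body = line[4:] if len(line) > 4 and line[3] in "- " else ""
        if body:
            keywords.add(body.split()[0].upper())
    return keywords


def rcpt_command(address: str, keywords: set, notify=("FAILURE",), orcpt=None) -> str:
    """The RCPT TO line a conforming client sends to this server.

    NOTIFY= and ORCPT= (RFC 1891) are only legal when the server advertised
    DSN; a client must leave them off otherwise, which is where the receipt
    request silently disappears behind a non-ESMTP proxy.
    """
    cmd = f"RCPT TO:<{address}>"
    if "DSN" in keywords:
        cmd += " NOTIFY=" + ",".join(notify)
        if orcpt:
            cmd += f" ORCPT=rfc822;{orcpt}"
    return cmd


def dsn_survives(path_of_replies) -> bool:
    """Whether a sender's NOTIFY request can reach the final MTA when the
    message is relayed through each hop (given by its EHLO reply) in turn.
    Simplification: a hop that did not advertise DSN cannot forward the
    request, so every hop on the path must support it."""
    return all("DSN" in parse_ehlo(reply) for reply in path_of_replies)


# Constructed replies: a normal MTA, a virus-scanning proxy that speaks ESMTP
# but not the DSN extension, and an old proxy that does not speak ESMTP at all.
MTA_REPLY = "250-mail.example.com Hello\r\n250-SIZE 10485760\r\n250-DSN\r\n250 HELP\r\n"
PROXY_REPLY = "250-scanner.example.com Hello\r\n250-SIZE 10485760\r\n250 HELP\r\n"
OLD_PROXY_REPLY = "500 Command unrecognized\r\n"


if __name__ == "__main__":
    for name, reply in [("MTA", MTA_REPLY), ("proxy", PROXY_REPLY), ("old proxy", OLD_PROXY_REPLY)]:
        print(name, "->", rcpt_command("joe@blow.com", parse_ehlo(reply)))
    print("receipt request survives proxy + MTA:", dsn_survives([PROXY_REPLY, MTA_REPLY]))
```

The quickest field check is the same thing by hand: telnet to port 25 of whatever sits in front of your mail server, send EHLO, and look for a 250-DSN line. No line, no receipts.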

Securing IM clients

If you allow Windows Messenger on your network, you might want to review this MS whitepaper on controlling Messenger via group policies. At a minimum, you'll probably want to turn off file transfers.

For bonus points, consider blocking AOL IM, ICQ, and Yahoo! Messenger from your network. Tom Shinder explains how.

Use SSL+IMAP on your PocketPC

I had just gotten done writing a sidebar for Chapter 15 that said there was no good way to use SSL+IMAP on a PocketPC. Lo and behold, a little Googling produced at least one way to do it, although it requires you to install stunnel. If anyone's gotten this to work, I'd love to hear about it.

Let the games begin, again

There's a new Windows worm spreading. It exploits a flaw in Outlook and Outlook Express that was patched by Microsoft on March 29, 2001. Of course you know what this means: the mass media, and the unwashed masses, will start clamoring that Microsoft doesn't care about security. There will probably be some quotes from clueless "analysts" who claim that these worms are proof of the impending end of Western civilization, too. I expect that none of this blather will point out that the patch which prevents this exploit has been out for 18 months, which is surely enough time for even the slowest user to get it and install it.

Remember, you heard it here first: if you get this worm, it's your own doggone fault. Patches don't do any good if you don't install 'em.

Fair's fair

Dave Farber today said:

As of the time of this posting, the MS home page certainly does not have any eye-catching pointer to the fix. Shame on them.

To which I replied as follows:

To be fair, Dave, there are several ways to learn about security patches as soon as they're released besides the MS home page (which I rarely visit). One channel, of course, is the ubiquitous (and frequently sensationalistic or incorrect, but hey, that's another story) press reports, as represented by the Reuters report. It was filed at 8:11pm on 8/22. 99.9% of the time, press reports lag the other channels of notification, though.

First off, Microsoft has a free email service that sends security bulletin notifications. Visit http://www.microsoft.com/technet/security/bulletin/notify.asp or send email to securbas@microsoft.com. The bulletins are PGP-signed, so you can verify their authenticity if you like. If you don't want to sign up for the MS notification service, you can subscribe to Ntbugtraq or other similar services which reprint the bulletins as they are issued. The Office security bulletin was released overnight on the 20th, so you would have learned about the bug two days earlier than Reuters reported it if you were a bulletin subscriber.

If you use the new Software Update Service (available for WinXP and Windows 2000 SP3), you'll get a little system tray icon that appears when new security-critical Windows updates are released. You can choose whether or not new patches are automatically downloaded, and whether or not downloaded patches are installed.

Finally, there is a clear link to the Office XP SR2 release from the home page; it's #1 under the "support" group on the lower-right corner. It is unfair to complain that there's no big red "DANGER WILL ROBINSON" label applied to it. If Microsoft doesn't release timely patches, people complain. If they do release timely patches, some segments of the community complain that it's a vehicle to sneak in new license terms or get up to other mischief.

Let the games begin

It's official: I just signed a contract with Microsoft Press to write a book on Exchange 2000 security. The working title is Securing Microsoft Exchange, so that should give you some idea of its contents. The contract calls for me to finish it by 10/30 so it can be in stores by Christmas. I plan to post draft chapters online for review, and I will soon have a form that lets you sign up to be a reviewer. This is my first book in a while, and it's my first book with MS Press, so it's going to be like riding a bike for the first time after a long hiatus.

ISS gets spanked

Wayne Rash trashes ISS in a ZDnet piece today. He's got a very good point, one which was made in Brian Bilbrey's comment the other day: ISS jumped the gun, released a broken patch, and violated their own agreement. I suspect Brian still thinks MS put them up to it, but I am willing to not ascribe to malice what can be explained by incompetence; I don't think ISS has a very long track record in the OSS world. Not like this is gonna help...

Never heard of ISS?

Brian Bilbrey asks who ISS is and whether they're in bed with Microsoft:


According to their website, ISS is Internet Security Systems. I hadn't heard of them before this last few weeks. Certainly not one of the big boys, until all this recent press. From their marketing crap on the homepage (http://www.iss.net), it appears they are in the same biz as McAfee and Norton, but at a different tier.

So, let's start with the simple stuff: ISS has been around for a long, long time as security firms go. I believe they officially started operating in 1992 or so. Chris Klaus, the founder, dropped out of Georgia Tech after developing the core of what became ISS' first product, the Internet Scanner vulnerability scanner. ISS had the first useful security scanner for Windows NT, and their products are very widely used out in industry and government. So, the answer to question #1: ISS is for-real, they didn't just fall off the truck, and they are well-regarded in the security community.

Now, for Brian's more interesting question: is ISS in bed with Microsoft?

I consider Bob Thompson a good friend, as well as being a very knowledgeable guy. We've had a number of friendly debates about various things (hey, Bob, you still owe me a 3-liter bottle of caffeine-free diet Coke for this one!) We're now engaged in a religious battle about Microsoft's security. You can get the backstory of this particular debate here.

Greg Lincoln chimed in thusly:


It really annoys me when people call OpenSSH or Apache or "insert app that just happens to run on Linux here" vulnerabilities "Linux" vulnerabilities. OpenSSH and Apache are NOT Linux. They are applications that run on Linux. They also run on Windows and quite a few other OSes.
Most of the recent reports against Windows are in the media player or IE, or some other component which is considered by Microsoft as part of Windows and can not be removed. Therefore, they are holes in Windows.

Well, OK, I can see why that would bug Greg, but I think he's wrong. Is Apache installed by default on the most common Linux distros? Yes. How about OpenSSH? I am less sure, but I'd bet the answer is "yes". The issue isn't whether or not they can be removed, but whether or not they're default parts of the OS. Point being, of course, if I install a new Windows or Linux box, am I getting vulnerabilities without my knowing it? In addition, let's not forget that one key feature in Windows XP SP1 is compliance with the consent decree requiring increased modularity in Windows. (And, FWIW, you can certainly remove, or not install, the Windows Media Player; I don't have it installed on any of my boxen.)

About this Archive

This page is an archive of recent entries in the Security category.

Powered by Movable Type 4.21-en