From Erik's IT-Security notes

EZSecurity Bulletin for July of 2011


We’re currently in the fly-over season of the year. You know, the summer. Nice view, but not where we’re heading. Ok, I probably need my vacation more than I realize. Anyway, onwards!

Next up on the chopping block: service pack 1 for Windows 2008!

Continuing our tradition of warning you about things that have already happened, it's time to inform you that service pack 1 for Windows Server 2008 was retired on July 12, 2011, which is to say it will be retired in -1 days. A 2008 server still on SP1 will no longer receive security updates, so I recommend that you start looking for 2008 servers stuck on service pack 1 and move them to SP2. Windows 2008 R2 is not affected by this. (Yet!)
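As an added example (this is not part of the original newsletter), the following PowerShell inventories a list of hosts over WMI and flags the ones that are Windows Server 2008 (version 6.0, i.e. not R2) with a service pack level below 2. The host names are constructed placeholders; feed it your own list, for instance from Get-ADComputer. It uses only cmdlets available in PowerShell 2.0 so it runs on the 2008-era management hosts of the time.

```powershell
# Added example: find Windows Server 2008 hosts still on Service Pack 1.
# Win32_OperatingSystem.Version is "6.0.xxxx" for Server 2008 and "6.1.xxxx" for 2008 R2,
# and ServicePackMajorVersion is the installed service pack level.
$servers = @('srv01.example.local', 'srv02.example.local')   # constructed host names, replace with your own

$results = foreach ($s in $servers) {
    try {
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $s -ErrorAction Stop
        New-Object PSObject -Property @{
            Server       = $s
            OS           = $os.Caption
            Version      = $os.Version
            ServicePack  = $os.ServicePackMajorVersion
            # Server 2008 (6.0.*) below SP2 stopped receiving security updates on 2011-07-12
            OutOfSupport = ($os.Version -like '6.0.*' -and $os.ServicePackMajorVersion -lt 2)
        }
    } catch {
        # Unreachable hosts are reported rather than silently skipped, so they get a manual check
        New-Object PSObject -Property @{
            Server = $s; OS = 'unreachable: ' + $_.Exception.Message; Version = $null
            ServicePack = $null; OutOfSupport = $null
        }
    }
}

# Show everything that is either confirmed out of support or could not be queried
$results | Where-Object { $_.OutOfSupport -ne $false } |
    Select-Object Server, OS, Version, ServicePack, OutOfSupport | Format-Table -AutoSize
```

Run it from an account with remote WMI rights on the targets. Hosts that answer with version 6.0 and service pack 1 (or none) are the ones to schedule for SP2 before the August patching window.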


As usual, Microsoft releases its security bulletins on the second Tuesday of every month. This month brings 4 bulletins.

Recommendation: all patches should be applied, but it can wait until the patching window for August. The exception is MS11-053, which only affects Windows Vista and Windows 7 and so most likely will not apply to any of your servers.

MS11-053 (Critical) Vulnerability in Bluetooth Stack Could Allow Remote Code Execution (2566220)
MS11-054 (Important) Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2555917)
MS11-055 (Important) Vulnerability in Microsoft Visio Could Allow Remote Code Execution (2560847)
MS11-056 (Important) Vulnerabilities in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2507938)


Why won’t we ever get rid of vulnerable software and hardware? What does it take to make everything perfectly secure? Most people I ask those questions respond by saying it cannot be done and I think they’re right. But why do we still act as if there was a way to make all security problems go away?

I think there are a lot of different reasons that cause us to push forward to remove all risks by being “proactive”. To be proactive is thus to solve any problem before it appears, right? If so, why do we need early warning systems to be proactive? Just let that sink in for a moment.

If you detect a problem before it gets critical, you're not really proactive. You're reactive, but reacting in time. The word “proactive” means to “(…) initiate change rather than reacting to events.” 1) Taken literally, to be proactive you cannot ever look at any metrics or logs, because the moment you detect that something is heading the wrong way, you're reacting to an event. The only true way to be “proactive” is to be Nostradamus. And his track record is … well … almost entirely wrong.

So, what's the point of this discussion? I'm not trying to discourage early detection of problems or forward planning. Those two factors can really increase reliability and uptime for any system. The problem is that we treat any problem “getting through” as a total failure.

Good security means protecting a system in proportion to the loss a compromise would cause; you will find this in most of the security books. By implication, a sound security plan accepts that an attacker who spends enough resources has a good chance of actually succeeding. This also means giving up the pipe dream of never getting hacked or never having a system failure.

If Mother Nature applied for the position of system administrator, no one would hire her.

- “So, how would you make sure the network can handle an intrusion?” - “I would let it happen and let the devices that survive remain online afterwards.”

Not exactly what you want to hear from your system administrator? Still, that's how it's done in reality. When an intruder is successful, smart people learn how it was possible for the intruders to get through and then adapt their infrastructure to cope with the new situation. Sometimes they still get hacked again, until their security is good enough to stand the test of time. But this cannot last either, because any security stance weakens over time. So the cycle repeats as long as there are enough dangerous risk agents around. There is a reason risk management plans include terms such as “annual rate of occurrence” and “single loss expectancy”: the product of the two, the annualized loss expectancy, only makes sense if you expect the loss to actually occur. Security planners actually expect attacks to be successful more than once in the lifetime of an organization. With as little exposure of vital systems as possible, smart and fast detection of attacks, forward planning (this is as close to “proactive” as you get in reality) and reduced complexity of the systems, you can mitigate your risks. But eliminate them? Please! Not even Mother Nature would try to do that! Instead, plan ahead and learn how to survive when it happens while still upholding a good security regimen.

Anyone talking about “zero tolerance” or “proactive security” is either blind or not telling you the truth.



The official bulletins from Microsoft:

ISC SANS's monthly Microsoft analysis is always a good read:

All back-issues of this newsletter can be found here:

And on the EZSecurity blog at Tieto DF:

My private blog:

Bruce Schneier's excellent newsletter:

A collection of useful security links:

A good site to check for known vulnerabilities for your favorite programs:

What's the general state of the Internet?:

OWASP Sweden's email list archive:

Recommended for you developers out there:

My own, random knowledge base:

Erik Zalitis
Lead Infrastructure Architect
Certified Ethical Hacker
MCSE:Security 2003
MCSE:Messaging 2003
Citrix Certified Administrator for PS4.
VMware Certified Professional on VI3
ITIL Foundations
Mobile: + 46 (0)70 673 07 54