Archive for the ‘Uncategorized’ Category

Huge OS X Update Fixes Almost 100 Security Flaws

Posted by Isaac Blum at 30 March 2010

Category: Uncategorized

** And they say MAC’s don’t get viruses….

 I always said, once it was popular to get a MAC, they would suffer

 the same fate as the PC. **

Severity: High

30 March, 2010

Summary:

  • These vulnerabilities affect: All current versions of OS X 10.5.x (Leopard) and OS X 10.6.x (Snow Leopard)
  • How an attacker exploits them: Multiple vectors of attack, including visiting malicious websites or enticing one of your users into downloading and viewing various malicious media files
  • Impact: Various results; in the worst case, an attacker executes code on your user’s computer, potentially gaining full control of it
  • What to do: OS X administrators should download, test and install Security Update 2010-002 or the 10.6.3 update.

Exposure:

Today, Apple released a security update to fix vulnerabilities in all current versions of OS X. The update fixes well over 90 (number based on CVE-IDs) security issues in around 43 components that ship as part of OS X, including Quicktime, CoreMedia, and Mail. Some of these vulnerabilities allow attackers to gain full control of your OS X machines, so we rate this update Critical. Apply it as soon as you can. Some of the fixed vulnerabilities include:

  • Various QuickTime Code Execution Vulnerabilities. Quicktime is the multimedia (video and audio) player that ships with OS X. According to Apple, QuickTime suffers from nine code execution vulnerabilities involving its inability to properly handle maliciously crafted movie files. Though the flaws differ technically, they share the exact same scope and impact.  If an attacker can lure one of your users into playing a malicious movie (perhaps hosted on a malicious website), he could exploit this flaw to either crash QuickTime or to execute attack code on that user’s computer. By default, the attacker would only execute code with that user’s privileges. However, the attacker could also leverage other privilege elevation flaws described in Apple’s alert to gain complete control of your user’s Mac. 
  • Multiple Image-related Memory Corruption Vulnerabilities. ImageIO and Image RAW are both OS X components that help the operating system handle various types of image files. Both components suffer from memory-related vulnerabilities involving the way they handle certain types of image files. Though the vulnerabilities differ technically, they share a very similar scope and impact. If an attacker can get a victim to view a specially crafted picture (perhaps hosted on a malicious website), he could exploit any of these flaws to either crash the viewing application or to execute attack code on the victim’s computer. By default, the attacker would only execute code with that user’s privileges. However, the attacker could also leverage other flaws in Apple’s alert to gain complete control of your user’s Mac. 
  • Disk Images Code Execution Vulnerabilities. Disk Images is the OS X component that mounts the DMG disk image files commonly used to install software on Mac computers. Apple’s OS X update fixes two code execution vulnerabilities in Disk Images. Though they differ technically, an attacker could leverage both in the same way. By enticing you to mount a malicious DMG file, an attacker could exploit either of these flaws to execute code on your computer, with your privileges. Like the previous flaws, the attacker could then leverage other vulnerabilities to gain complete control of your Mac.

Apple’s alert also describes many other vulnerabilities, including some Denial of Service (DoS) flaws, information disclosure issues, and Cross Site Scripting (XSS) vulnerabilities. Components patched by this security update include:

    AppKit Application Firewall
    AFP Server Apache
    ClamAV CoreAudio
    CoreMedia CoreTypes
    CUPS curl
    Cyrus IMAP Cyrus SASL
    Desktop Services Disk Images
    Directory Services Dovecot
    Event Monitor FreeRADIUS
    FTP Server iChat Server
    ImageIO Image RAW
    Libsystem Mail
    Mailman MySQL
    OS Services Password Server
    perl PHP
    Podcast Producer Preferences
    PS Normalizer Quicktime
    Ruby Server Admin
    SMB Tomcat
    unzip vim
    Wiki Server X11
    xar  

Please refer to Apple’s OS X 10.5.x and 10.6.x alert for more details

As an aside, if you haven’t installed the Safari update Apple released earlier this month, we recommend you install it as well.

Solution Path:

Apple has released OS X Security Update 2010-002 and 10.6.3 to fix these security issues. OS X administrators should download, test, and deploy the corresponding update as soon as they can.

Note: If you have trouble figuring out which of these patches corresponds to your version of OS X, we recommend that you let OS X’s Software Update utility pick the correct updates for you automatically.

For All Users:

These flaws enable many diverse exploitation methods. Some of the exploits are local, meaning that your perimeter firewall never encounters the attack (unless you use firewalls internally between departments). Installing these updates, therefore, is the most secure course of action.

Status:

Apple has released updates to fix these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

  • Share/Bookmark
No Comments

Check out these social sites

Posted by Isaac Blum at 16 March 2010

Category: Uncategorized

http://foursquare.com/businesses/

&

http://gowalla.com/

  • Share/Bookmark
No Comments

Deactivate a Feature on all Sites for a web application

Posted by Isaac Blum at 31 December 2009

Category: Uncategorized

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58

###############################################################################################################
##Deactivate a Feature on all Sites for a web application ###
## http://Blog.IsaacBlum.com ##
###############################################################################################################
###############################################################################################################
 
 
 
#Create function deactivatefeature
function deactivatefeature{
 
## Reference to SharePoint DLL
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")
 
## Location of sharepoint STSADM utility program, You may need to change this
$stsadm = "$env:programfiles\Common Files\Microsoft Shared\Web Server Extensions\12\BIN\STSADM.EXE"
 
#Ask for WebApp Root url to enumerate
$url = Read-Host "Please enter root url of WebApplication"
 
#Enumerate available features in SharePoint Farm
write-host -foregroundcolor green " Below are the available features in SharePoint Farm"
&stsadm -o scanforfeatures
 
#Ask for Feature Name
Write-Host "Please enter feature name that will be deactivated at all Sites and Sub-Sites of the specified application"
$feature = Read-Host "do not add the \feature.xml. ex: NewsGator.SocialSites.SiteSkin"
 
#Returning info for use in remainder of script
$webapp = [Microsoft.SharePoint.Administration.SPWebApplication]::Lookup($url)
 
#List Sites Affected
write-host -foregroundcolor green " The feature will be deactivated on the following Sites:"
foreach ($site in $webapp.Sites) {
#        write-host $webapp.Name
	foreach ($web in $site.AllWebs) {
        write-host $web.URL
		}}
 
##Actvate Feature on all Sites
foreach ($site in $webapp.Sites) {
	foreach ($web in $site.AllWebs) {
    	$sResult = &stsadm -o deactivatefeature -name $feature -url $web.URL -force
		if(($sResult -like "*Operation completed successfully*")){ write-host -foregroundcolor green "Feature Deactivated : "$web.URL}
   		else {
      			Write-Host -ForegroundColor "red" -BackgroundColor "white" "Deactivate of feature '$feature' for" $web.URL "Failed! `n $sResult"
	}
    }
	}
 
}
 
 
 
 
###############################################################################################################
###############################################################################################################
###############################################################################################################
  • Share/Bookmark
No Comments

Actvate a Feature on all Sites for a web application

Posted by Isaac Blum at 31 December 2009

Category: Uncategorized

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56

 
##########################################################
##Actvate a Feature on all Sites for a web application ###
## http://Blog.IsaacBlum.com ##
##########################################################
##########################################################
 
 
#Create function activatefeature
function activatefeature{
 
## Reference to SharePoint DLL
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")
 
## Location of sharepoint STSADM utility program, You may need to change this
$stsadm = "$env:programfiles\Common Files\Microsoft Shared\Web Server Extensions\12\BIN\STSADM.EXE"
 
#Ask for WebApp Root url to enumerate
$url = Read-Host "Please enter root url of WebApplication"
 
#Enumerate available features in SharePoint Farm
write-host -foregroundcolor green " Below are the available features in SharePoint Farm"
&stsadm -o scanforfeatures
 
#Ask for Feature Name
Write-Host "Please enter feature name that will be activated at all Sites and Sub-Sites of the specified application"
$feature = Read-Host "do not add the \feature.xml. ex: %featurename%"
 
#Returning info for use in remainder of script
$webapp = [Microsoft.SharePoint.Administration.SPWebApplication]::Lookup($url)
 
#List Sites Affected
write-host -foregroundcolor green " The feature will be actvated on the following Sites:"
foreach ($site in $webapp.Sites) {
#        write-host $webapp.Name
	foreach ($web in $site.AllWebs) {
        write-host $web.URL
		}}
 
##Actvate Feature on all Sites
foreach ($site in $webapp.Sites) {
	foreach ($web in $site.AllWebs) {
    	$sResult = &stsadm -o activatefeature -name $feature -url $web.URL -force
		if(($sResult -like "*Operation completed successfully*")){ write-host -foregroundcolor green "Feature Actvated : "$web.URL}
   		else {
      			Write-Host -ForegroundColor "red" -BackgroundColor "white" "Activate of feature '$feature' for" $web.URL "Failed! `n $sResult"
	}
    }
	}
}
 
 
 
########
########
########
  • Share/Bookmark
No Comments

http://discuss2010.com/

Posted by Isaac Blum at 23 December 2009

Category: Uncategorized

Tags:

I manly just like the video, not convinced on the Google wave, but I’m sure I’ll come around..

YouTube Preview Image
  • Share/Bookmark
No Comments

Get Tables Sizes for a Database

Posted by Isaac Blum at 6 November 2009

Category: Uncategorized

Tags: , , ,

Thanks  to http://www.pgrconsulting.com/useful_p_and_t.htm 

– Create the temp table for further querying

CREATE TABLE #temp(

            rec_id               int IDENTITY (1, 1),

            table_name       varchar(128),

            nbr_of_rows     int,

            data_space       decimal(15,2),

            index_space     decimal(15,2),

            total_size          decimal(15,2),

            percent_of_db  decimal(15,12),

            db_size             decimal(15,2))

 

– Get all tables, names, and sizes

EXEC sp_msforeachtable @command1=”insert into #temp(nbr_of_rows, data_space, index_space) exec sp_mstablespace ‘?’”,

                                    @command2=”update #temp set table_name = ‘?’ where rec_id = (select max(rec_id) from #temp)”

 

– Set the total_size and total database size fields

UPDATE #temp

SET total_size = (data_space + index_space), db_size = (SELECT SUM(data_space + index_space) FROM #temp)

 

– Set the percent of the total database size

UPDATE #temp

SET percent_of_db = (total_size/db_size) * 100

 

– Get the data

SELECT *

FROM #temp

ORDER BY total_size DESC

 

– Comment out the following line if you want to do further querying

DROP TABLE #temp

  • Share/Bookmark
No Comments

windows auto logon

Posted by Isaac Blum at 2 November 2009

Category: Uncategorized

  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate the following registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  3. Using your account name and password, double-click the DefaultUserName entry, type your user name, and then click OK.
  4. Double-click the DefaultPassword entry, type your password under the value data box, and then click OK.

    If there is no DefaultPassword value, create the value. To do this, follow these steps:

    1. In Registry Editor, click Edit, click New, and then click String Value.
    2. Type DefaultPassword as the value name, and then press ENTER.
    3. Double-click the newly created key, and then type your password in the Value Data box.

    If no DefaultPassword string is specified, Windows XP automatically changes the value of the AutoAdminLogon registry key from 1 (true) to 0 (false) to turn off the AutoAdminLogon feature.

  5. Double-click the AutoAdminLogon entry, type 1 in the Value Data box, and then click OK.

    If there is no AutoAdminLogon entry, create the entry. To do this, follow these steps:

    1. In Registry Editor, click Edit, click New, and then click String Value.
    2. Type AutoAdminLogon as the value name, and then press ENTER.
    3. Double-click the newly created key, and then type 1 in the Value Data box.
  6. Quit Registry Editor.
  7. Click Start, click Restart, and then click OK.
  • Share/Bookmark
No Comments

What Anti-Virus scanning exclusions should be considered for system and servers

Posted by Isaac Blum at 2 November 2009

Category: Uncategorized

 I am not the orginal author.  I have updated some of the info:

Consider the following file scanning exceptions for your Anti-Virus software where applicable:

NOTE: The %systemroot% is normally the C:\WINDOWS or C:\WINNT directory depending on your OS. 

NOTE: the %systemroot% variable will not work as an exclusion for some OSs.  So make sure to spell out full path in your exclusion files (GPO or via AntiVirus Server)

1.) %systemroot%\System32\Spool (and all the sub-folders and files)
2.) %systemroot%\SoftwareDistribution\Datastore
Refer to the following article for information:
KB822158 – Virus scanning recommendations for computers that are running Windows Server 2003, Windows 2000, or Windows XP http://support.microsoft.com/kb/822158
3.) Any Network Drives that are mapped.

The following steps are Server Role specific:
==========================================================
1.) If your system is also a Domain Controller (DC) / DNS / DHCP also exclude the following from Anti-Virus Scanning:
a.) %systemroot%\Sysvol folder (include all the sub-folders and files)
b.) %systemroot%\system32\dhcp folder (include all the sub-folders and files)
c.) %systemroot%\system32\dns folder (include all the sub-folders and files)
d.) %systemroot%\ntds
Refer to the following article for information:
KB822158 – Virus scanning recommendations for computers that are running Windows Server 2003, Windows 2000, or Windows XP http://support.microsoft.com/kb/822158

2.) If File Replication (NTFR) service is running on your system, make sure your Anti-Virus software is compatible:
KB815263 – Antivirus, backup, and disk optimization programs that are compatible with the File Replication Service
http://support.microsoft.com/kb/815263
And exclude:
a.) %systemroot%\ntfrs folder (include all the sub-folders and files)
b.) Files that have the .log and .dit extension

3.) If you have IIS installed, exclude:
a.) The IIS compression directory (default compression directory is %systemroot%\IIS Temporary Compressed Files)
b.) %systemroot%\system32\inetsrv folder
c.) Files that have the .log extension
Refer to the following knowledge base articles for reference:
KB817442 – IIS 6.0: Antivirus Scanning of IIS Compression Directory May Result in 0-Byte File
http://support.microsoft.com/kb/817442
KB821749 – Antivirus software may cause IIS to stop unexpectedly
http://support.microsoft.com/kb/821749

4.) If you have SQL installed, you may want to exclude the SQL folder and databases files (or database file types) from scanning for performance reasons:
KB309422 – Guidelines for choosing antivirus software to run on the computers that are running SQL Server
http://support.microsoft.com/kb/309422

5.) If you have Exchange installed, perform the relevant file-based scanning exclusions listed in Knowledge Base articles:
KB328841 – Exchange and antivirus software
http://support.microsoft.com/kb/328841
KB823166 – Overview of Exchange Server 2003 and antivirus software
http://support.microsoft.com/kb/823166
KB245822 – Recommendations for troubleshooting an Exchange Server computer with antivirus software installed
http://support.microsoft.com/kb/245822

6.) If you have Cluster services, make sure your Anti-Virus software is compatible:
KB250355 – Antivirus Software May Cause Problems with Cluster Services
http://support.microsoft.com/kb/250355
NOTE: If you have a SQL cluster, make sure that you exclude these locations from virus scanning:
a.) Q:\ (Quorum drive)
b.) %systemroot%\Cluster
c.) SQL Server data files that have the .mdf extension, the .ldf extension, and the .ndf extension

7.) If you have Sharepoint installed, you should exclude:
a.) Drive:\Program Files\SharePoint Portal Server
b.) Drive:\Program Files\Common Files\Microsoft Shared\Web Storage System
c.) Drive:\MSDEDatabases (particularly on SBS) (where Drive: is the drive letter where you installed SharePoint Portal Server)
Refer to the following knowledge base articles for reference:
KB320111 – Random Errors May Occur When Antivirus Software Scans Microsoft Web Storage System
http://support.microsoft.com/kb/320111
KB322941 – Microsoft’s Position on Antivirus Solutions for Microsoft SharePoint Portal Server
http://support.microsoft.com/kb/322941

8.) If you have a Systems Management Server (SMS), you should exclude folders:
a.) SMS\Inboxes
b.) SMS_CCM\ServiceData
Refer to the following knowledge base articles for reference:
KB327453 – Antivirus programs may contribute to file backlogs in SMS 2.0 and in SMS 2003
http://support.microsoft.com/kb/327453

NOTE: If you exclude the SMS\Inboxes directory from virus scanning or remove the antivirus software, you may make the site server and all clients vulnerable to potential virus risks. The client base component files reside in the SMS\Inboxes directory.

9.) If you have a MOM (Microsoft Operations Manager) Server, you consider excluding:
a.) Drive:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Operations Manager
b.) Drive:\Program Files\Microsoft Operations Manager 2005 (where Drive: is the drive letter where profiles are located)

10.) If you have an Internet Security and Acceleration Server (ISA) Server, you should exclude:
a.) The ISALogs folder. By default, the ISALogs folder is located in the folder where you installed ISA Server. Typically, this location is Drive:\Program Files\Microsoft ISA Server.
Refer to the following knowledge base articles for reference:
KB887311 – Event ID 5, event ID 14079, and event ID 14176 are logged in the Application log on your Internet Security and Acceleration Server 2000 computer
http://support.microsoft.com/kb/887311

11.) If you have a Windows Software Update Services (WSUS) Server role, you consider excluding:
a.) Drive:\MSSQL$WSUS
b.) Drive:\WSUS
(where Drive: is the drive letter where you installed Windows Software Update
Services)
Also refer to the following knowledge base articles for reference:
KB900638 – Multiple symptoms occur if an antivirus scan occurs while the Wsusscan.cab file is copied
http://support.microsoft.com/kb/900638

MORE INFORMATION:
KB49500 – List of antivirus software vendors
http://support.microsoft.com/kb/49500
KB129972 – Computer viruses: description, prevention, and recovery
http://support.microsoft.com/kb/129972

Small Business Server (SBS):
========================================
KB885685 – How to troubleshoot the POP3 Connector in Windows Small Business Server 2003
http://support.microsoft.com/kb/885685

SOX050603700001 – How do I exclude a file from AV scanning?
SOX040212700018 – Anti Virus Software and System State Backup
SOX060301700048 – ISA 2004 Firewall Service crashes intermittently with Event ID: 5 Source: Microsoft Firewall
SOX060307700037 – MOM 2005/ File level Anti-virus scanners
SOX061205700029 – MOM Agent Installation fails with -2147023277

KB837932 – Event ID 2108 and Event ID 1084 occur during inbound replication of Active Directory in Windows 2000 Server and in Windows Server 2003
http://support.microsoft.com/kb/837932
Anti-Virus folder exclusions have not been configured (Exchange)
http://www.microsoft.com/technet/prodtechnol/exchange/Analyzer/9fb755f5-5f0b-4817-a584-70c76a62eae2.mspx
Process: Manage Antivirus Software on Domain Controllers
http://www.microsoft.com/technet/solutionaccelerators/cits/mo/winsrvmg/adpog/adpog3.mspx#

  • Share/Bookmark
No Comments

Which w3wp.exe process belongs to which App Pool in IIS6

Posted by Isaac Blum at 2 November 2009

Category: Uncategorized

The script is already placed in systemroot\system32 on Windows Server 2003 so simply go to your Command Prompt and type in iisapp.vbs (the .vbs is optional) and you’ll have an instant list of all the App Pool information you’ve always wanted to know. You may need to type cscript iisapp.vbs if CScript isn’t your default WSH script host.

Let’s see an example of the output:

W3WP.exe PID: 1468 AppPoolId: AppPoolForSite1.com
W3WP.exe PID: 3056 AppPoolId: AppPoolForSite2.com
W3WP.exe PID: 1316 AppPoolId: AppPoolForSite3.com

Microsoft documents this:

http://www.microsoft.com/resources/documentation/WindowsServ/2003

  • Share/Bookmark
No Comments

SQL EXECUTE

Posted by Isaac Blum at 2 November 2009

Category: Uncategorized

SQL Server 2005 improves on the current situation by making the EXECUTE permission grantable at the database scope. This means that we can issue a statement like the example below and this will GRANT execute permissions on all existing stored procedures and scalar functions AND all subsequently created ones. Thus it acts very much like the current fixed database roles such as db_datareader

/* CREATE A NEW ROLE */
CREATE ROLE db_executor

/* GRANT EXECUTE TO THE ROLE */
GRANT EXECUTE TO db_executor
  • Share/Bookmark
No Comments
« Previous

  • Archives

  • Pages

  • Tags

  • More

Get Adobe Flash playerPlugin by wpburn.com wordpress themes