[Owasp-singapore] [security-77] Does the DirectDraw vulnerability affect non-IE browser too?

Winston.Leong at sg.ey.com Winston.Leong at sg.ey.com
Tue Jul 14 23:48:34 EDT 2009


Agreed Onn Chee. The intent was to provide a more vendor independent
approach to security. However, with the suggestion of installing multiple
browsers, I would like to present the other side of the story.

1. The more browsers you install, the more vigilant you have to be in
patching. For example, instead of just IE, now you need to patch Firefox
regularly too. This is something that (unfortunately) administrators do not
like. I personally know of examples where organizations BAN Firefox simply
for this reason.

2. Installing more browsers increases the exposure to being attacked.
Because browsers often come with many components, they can often be
exploited as long as the component exists. This also applies to the
number of plugins you install onto the browsers in order to increase the
functionality (as well as the security risk).

3. Developers resist multiple browsers. They only wish to test their
software on 1 and make sure it works. The more browsers there are to test, the
more work they need to do. Therefore, more often than not, they simply put a
disclaimer to say it only works in browser X.

Having said the above, I have installed more than 5 browsers myself. The
reason is more for testing and cross-referencing the different behavior (for
example to certain exploits).

As for the IE plugin, the affected DLL is msvidctl.dll. Microsoft's
solution via
http://www.microsoft.com/technet/security/bulletin/ms09-032.mspx
addresses this by using the Killbit to disable the function. Remember to
reboot your system after installing the patch though.

And kind of good news for Vista and 2K8 users: the vulnerability takes a
lot more to work on these systems.
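To verify that the MS09-032 mitigation described above is actually in place on a host, the following PowerShell function (an added example, not code from the thread or from Microsoft) reads the kill bit for a given control CLSID. It assumes the CLSIDs listed in the bulletin; the value below is a placeholder.

```powershell
# Added example: check whether the ActiveX kill bit is set for a control.
# IE honours the "Compatibility Flags" DWORD under the ActiveX Compatibility key;
# bit 0x400 is the kill bit. The CLSID here is a PLACEHOLDER; take the real
# CLSIDs for msvidctl.dll from the MS09-032 bulletin.
$Clsid = '{00000000-0000-0000-0000-000000000000}'

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)

    $KillBit = 0x400
    $paths = @(
        "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
        # 32-bit IE on 64-bit Windows reads the WOW6432Node view of the hive.
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    )

    foreach ($p in $paths) {
        if (-not (Test-Path $p)) { continue }
        $flags = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue).'Compatibility Flags'
        [pscustomobject]@{
            Key     = $p
            Flags   = if ($null -ne $flags) { '0x{0:X}' -f $flags } else { '(missing)' }
            # True only when the 0x400 bit is present in the DWORD.
            KillBit = ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
        }
    }
}

# No output at all means neither key exists, i.e. the kill bit was never set.
Test-ActiveXKillBit -Clsid $Clsid
```

Run this after the patch and reboot; a row with KillBit = True for every CLSID in the bulletin confirms the control is blocked from loading in IE.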




On 15/07/2009 11:19 AM, Wong Onn Chee <ocwong at usa.net> wrote:

Hi Winston,

Agree, we (at least for me) are not saying which browser is better than the
other.
Just as you said, FF (or Opera and Safari) has its own share of
vulnerabilities.
This topic is not about a browser war. :-)

Instead, I want to highlight that the usual practice of a single browser in
corporates is high risk and should be discouraged.
It is common sense that we do not put all our eggs in 1 basket.
And if we can do so for our security systems, such as F/W, why not apply
such good practice to the browser too?

I strongly advocate a dual browser environment for corporates, so that
organisations can enjoy the flexibility of switching browsers (can be
temporary) when any unpatched vulnerabilities in one of the browsers are
found. To achieve this, all internal web applications must be cross-browser
compatible. Hence, the IS team must also work with the apps team to achieve
better protection from browser vulnerabilities.

Lastly, as a matter of curiosity, you mentioned that the recent IE issue is a
plugin problem.
So can we uninstall the DirectDraw plugin from IE?
If yes, can you share with the group?
Uninstallation, if possible, should be more effective than the MS method.




On 07/15/2009 11:00 AM, Winston.Leong at sg.ey.com wrote:
      To be fair, this vulnerability affected a particular plugin in IE,
      not the browser itself.

      All browsers have their own issues; you install one, you make sure you
      patch that one more. I believe safe browsing is still the fundamental
      protection that is required rather than a technical solution.

      Just for the scoreboard, Firefox just got 0-dayed with another
      vulnerability.
      http://www.f-secure.com/vulnerabilities/SA200903371

      Regards, Winston Leong


      On 13/07/2009 09:36 PM, fs chan <chanfs16 at gmail.com> wrote:

      Yes, and usually IE is the one browser... I am still wondering
      why....




      On Sun, Jul 12, 2009 at 5:37 PM, Wong Onn Chee <ocwong at usa.net> wrote:

            Thanks, Aung.

            This incident further gives merit to the good practice of using
            multiple browsers. :-)

            That's why I find corporates, who standardise on only 1 browser,
            look a bit naive in terms of web security.

            Just like one should not only have firewalls from a single
            vendor, one should not only use web browsers from a single
            vendor too.

            But well, good advice tends to fall on deaf ears.

            And many in Singapore have deaf ears. ;-)
            LOL.

            Cheers
            Onn Chee

            On 07/11/2009 11:59 PM, Aung Khant wrote:

            Only IE 6 and 7 under:

            Windows XP Service Pack 2 and Windows XP Service Pack 3
            Windows XP Professional x64 Edition Service Pack 2
            Windows Server 2003 Service Pack 2
            Windows Server 2003 x64 Edition Service Pack 2
            Windows Server 2003 with SP2 for Itanium-based Systems


                  The compromised websites link to a series of servers that
                  exploit a zero-day vulnerability in an IE component that
                  processes media. The vulnerability affects those using the
                  XP and 2003 versions of Windows, Microsoft warned in this
                  advisory.


            On Sat, Jul 11, 2009 at 8:18 AM, Wong Onn Chee <ocwong at usa.net>
            wrote:

                  Hi,

                  Does anyone know whether the latest MS vulnerability also
                  affects non-IE browsers, such as Firefox and Opera, in
                  Windows?

                  Regards
                  Onn Chee








            --
            Best Regards
            YGN Ethical Hacker Group
            http://yehg.net











      --
      View my IT blog at http://fooksheng.blogspot.com/