Top 25 vulnerability RSS feeds

One way to receive up-to-date reports about vulnerability issues is subscribing to vulnerability RSS feeds: they update on demand, they don’t rely on your mail subsystem and they don’t fill up your mailbox. The only drawback is that you could miss alerts if you don’t sync your feeds for a long time, but if you’re an IT security manager, you don’t have a life, so how could that happen anyway? ;-)

Here are the top feeds you should be subscribed to (CVE tags are reported in brackets):

  1. NIST Vulnerability Database.
  2. US Cert Technical Security Alerts [CERT].
  3. SecurityFocus Vulnerabilities [SF-INCIDENTS].
  4. Open Source Vulnerability Database [OSVDB].
  5. IBM Internet Security Systems Threats [ISS].
  6. Vupen Security Advisories [VUPEN].
  7. Secunia Latest Security Advisories (Unofficial) [SECUNIA].
  8. eEye Security Advisories [EEYE].

The above list is also available as an OPML file you can import into your feed reader.


The Microsoft hotfix tale

A few people on Earth still have a Windows 2000 machine lying around in their lab, mostly schools with severe budget cuts. Some time ago, one of these retro labs had a problem with roaming profiles: apparently Windows 2000 desktop machines refused to sync their profile on logoff. A colleague of mine asked for my help to try and fix the issue, so I started debugging the user environment using the classic procedure.

What I found out was that the machines were configured to access the netlogon share and run a VBScript script upon logon, to set a few things like printer shares and stuff like that. Unfortunately, Windows 2000 has a problem with this: if the VBScript instantiates a WMI object and uses it to read registry keys, the WMI object is not released correctly, which locks the registry hive, and therefore the Windows logoff sync aborts after a long wait.
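As an added example (not the lab's actual logon script, and not the post's fix, which is not on this page): a minimal Windows 2000-era logon script fragment that shows the WMI registry read the post describes, beside a read that goes through WScript.Shell and never creates a WMI object at all. The registry key, value name and printer share are assumptions.

```vbscript
' Added example, not the post's script. Two ways a logon script can read a
' registry value: path A through WMI's StdRegProv (the pattern the post says
' leaves an unreleased object on Windows 2000 and blocks the profile sync at
' logoff), path B through WScript.Shell.RegRead, which involves no WMI object.
' Key path, value name and share name are hypothetical.
Option Explicit

Const HKEY_LOCAL_MACHINE = &H80000002
Const KEY_PATH = "SOFTWARE\ExampleOrg\Logon"   ' hypothetical key
Const VALUE_NAME = "PrinterShare"               ' hypothetical value

' Path A: WMI registry provider. Shown so the pattern is recognisable when
' auditing old logon scripts; on Windows 2000 this is the object the post
' blames for the locked hive.
Function ReadViaWmi()
    Dim objReg, strValue
    Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
    objReg.GetStringValue HKEY_LOCAL_MACHINE, KEY_PATH, VALUE_NAME, strValue
    ' Dropping the reference is good hygiene, but the post describes the
    ' Windows 2000 problem as WMI not releasing correctly, so do not assume
    ' this line alone clears the hive lock.
    Set objReg = Nothing
    ReadViaWmi = strValue
End Function

' Path B: plain scripting-runtime read, no WMI involved. RegRead raises an
' error when the value is missing, so that case is handled explicitly.
Function ReadViaShell()
    Dim objShell
    Set objShell = CreateObject("WScript.Shell")
    On Error Resume Next
    ReadViaShell = objShell.RegRead("HKLM\" & KEY_PATH & "\" & VALUE_NAME)
    If Err.Number <> 0 Then
        ReadViaShell = ""      ' value missing: no printer to map
        Err.Clear
    End If
    On Error GoTo 0
    Set objShell = Nothing
End Function

' Logon-time work: map the printer share named in the registry, using the
' non-WMI read path.
Dim strShare, objNetwork
strShare = ReadViaShell()
If strShare <> "" Then
    Set objNetwork = CreateObject("WScript.Network")
    objNetwork.AddWindowsPrinterConnection strShare   ' e.g. \\printserver\lab1 (constructed)
    Set objNetwork = Nothing
End If
```

When triaging a slow or aborted logoff on these machines, the first thing to grep the netlogon scripts for is the `winmgmts:` moniker: any script that touches StdRegProv is a candidate for the behaviour the post describes, whereas scripts that only use WScript.Shell and WScript.Network are not.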


Windows back-to-the-future bug

According to this advisory written by Tavis Ormandy, Windows has been exposed to a vulnerability for over 15 years! Microsoft will only release a patch for supported products, so if you have any Windows 2000 or earlier in your lab, the only fix is to disable DOS and WOWEXEC.


Security through obscurity

If anyone ever, ever, ever dares to say again that open-source-ness is not relevant to security assessment (or worse, that it’s counter-productive), I will kick them to China. Freedom of choice, yeah right.
