Avast WEBforum

Other => Viruses and worms => Topic started by: polonus on May 01, 2014, 01:03:23 PM

Title: EMET 4.1 Update 1 digital signature cannot be checked?
Post by: polonus on May 01, 2014, 01:03:23 PM
See: http://www.microsoft.com/en-us/download/details.aspx?id=41138
Wrong signature on EMET installer?

Anyone?

polonus
Title: Re: EMET 4.1 Update 1 digital signature cannot be checked?
Post by: igor on May 01, 2014, 01:42:25 PM
Hmm, weird... it doesn't verify on an old system of mine (WinXP), but the same file does verify on a new one (Win7).
Title: Re: EMET 4.1 Update 1 digital signature cannot be checked?
Post by: polonus on May 01, 2014, 06:14:02 PM
Hi igor,

You probably won't believe your eyes when you see these asafaweb scan results:
https://asafaweb.com/Scan?Url=www.microsoft.com%2Fen-us%2Fdownload%2Fdetails.aspx%3Fid%3D41138

Insecure server settings at Microsoft Download Center:
1. Excessive headers warning: Result
The address you entered is unnecessarily exposing the following response headers which divulge its choice of web platform:

Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET, ARR/2.5
X-AspNet-Version: 4.0.30319

2. Clickjacking warning
Websites are at risk of a clickjacking attack when they allow content to be embedded within a frame. An attacker may use this risk to invisibly load the target website into their own site and trick users into clicking on links which they never intended to. An "X-Frame-Options" header should be sent by the server to either deny framing of content, only allow it from the same origin, or allow it from trusted URIs.

Result
It doesn't look like an X-Frame-Options header was returned from the server which means that this website could be at risk of a clickjacking attack. Add a header to explicitly describe the acceptable framing practices (if any) for this site.

From a website like Microsoft I at least expected them to use best security server configuration practices.
This is a disillusion for me,

polonus
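The two asafaweb findings quoted above (platform-disclosing headers, no X-Frame-Options) are simple enough to check offline. The script below is an added example, not part of this thread or of the asafaweb scanner: it parses raw response headers and reports both findings. The two sample responses are constructed; the "leaky" one reuses the header values from the scan result above, the "hardened" one is what the same server would send after fixing them.

```python
"""Audit HTTP response headers for platform disclosure and missing
framing protection, mirroring the two asafaweb findings quoted above."""

# Header names that divulge the web platform. The first three are the ones
# the scan above reported; the MVC version header is a common companion.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")

# X-Frame-Options values that actually restrict framing.
SAFE_XFO = ("deny", "sameorigin")

# Constructed sample: the headers the download page exposed, with the two
# X-Powered-By values sent as separate header lines (asafaweb joined them).
LEAKY_RESPONSE = """HTTP/1.1 200 OK
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
X-Powered-By: ARR/2.5
X-AspNet-Version: 4.0.30319
Content-Type: text/html
"""

# Constructed sample: the same response after the banners are stripped and
# framing is limited to the site's own origin.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
X-Frame-Options: SAMEORIGIN
"""


def parse_headers(raw):
    """Parse 'Name: value' lines into a dict keyed by lower-cased name.
    Repeated headers are joined with ', ', as a client would present them."""
    headers = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.startswith("HTTP/"):
            continue                       # skip blanks and the status line
        name, sep, value = line.partition(":")
        if not sep:
            continue                       # not a header line
        key = name.strip().lower()
        value = value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def audit(raw):
    """Return a list of findings for one raw HTTP response; empty means clean."""
    findings = []
    headers = parse_headers(raw)

    # Finding 1: excessive headers that reveal the platform and its version.
    for name in DISCLOSING_HEADERS:
        if name in headers:
            findings.append(f"excessive header: {name}: {headers[name]}")

    # Finding 2: framing policy. Absent means any site may frame the page.
    xfo = headers.get("x-frame-options")
    if xfo is None:
        findings.append("missing X-Frame-Options: page can be framed (clickjacking)")
    elif xfo.lower() not in SAFE_XFO:
        # ALLOW-FROM is ignored by current browsers; CSP frame-ancestors replaces it.
        findings.append(f"weak or unsupported X-Frame-Options value: {xfo}")
    return findings


if __name__ == "__main__":
    for label, response in (("leaky", LEAKY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {audit(response) or ['no findings']}")
```

The check is header-only, so it reports what a scanner sees from the outside; it does not know whether a missing header was removed by the application or by a proxy in front of it, and it should be run against every hop that can add banners (ARR added the second X-Powered-By value in the scan above).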
Title: Re: EMET 4.1 Update 1 digital signature cannot be checked?
Post by: Secondmineboy on May 01, 2014, 06:18:10 PM
Microsoft needs to update that ASAP.
Title: Re: EMET 4.1 Update 1 digital signature cannot be checked?
Post by: polonus on May 01, 2014, 06:53:59 PM
Well Steven Winderlich,

But for an ASP.NET / Microsoft-IIS download server, these guys at Redmond who secure these racks should know how to harden and secure the download server so that it no longer spreads this excessive info to the world and potential attackers alike. Excessive header info spreading, like server banner proliferation, can easily be abused; this info does not belong to potential attackers - one working zero-day exploit and you are running behind the actual facts and you are food for the birds. For securing and hardening the server you do not need high-class technology; it is just changing some internal settings.
These guys that run that server should go back to the classroom and get some server security implementation training a.s.a.p.

Then they would learn how to perform this: http://stackoverflow.com/questions/12803972/removing-hiding-disabling-excessive-http-response-headers-in-azure-iis7-without (info credits go to stackoverflow's giveme5minutes and Ilya Grebnov)
Their own MSDN-published method:
Code:
<security>
      <requestFiltering removeServerHeader="true" />
</security>
(info credits go to AKhooli)

Avast knew what to do as they renamed their nginx server header information into "AWS" server. (Avast Web Server - clever, and it does not make any potential script kiddie hacker any the wiser.) Those who want to know the probable real server configuration have to go to online archive reports for the website to get a good guess, but then we are talking about advanced forensics.  ;D (No, I am not going to explain further).

polonus
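The requestFiltering snippet quoted in the post above only handles the Server banner. As an added example (not from this thread, the linked Stack Overflow answers, or Microsoft), here is a complete web.config that removes all three headers the scan reported and adds the X-Frame-Options header the clickjacking warning asked for. The `removeServerHeader` attribute is honoured by IIS 10 and later; on the IIS 7/8 versions the linked thread is about, the Server header still has to be stripped by a URL Rewrite outbound rule or a custom module.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- drops X-AspNet-Version: 4.0.30319 -->
    <httpRuntime enableVersionHeader="false" />
  </system.web>
  <system.webServer>
    <security>
      <!-- drops Server: Microsoft-IIS/x.x (IIS 10 and later) -->
      <requestFiltering removeServerHeader="true" />
    </security>
    <httpProtocol>
      <customHeaders>
        <!-- drops X-Powered-By: ASP.NET, which IIS adds by default -->
        <remove name="X-Powered-By" />
        <!-- the header asafaweb flagged as missing: frame only from the same origin -->
        <add name="X-Frame-Options" value="SAMEORIGIN" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

The "ARR/2.5" part of X-Powered-By in the scan comes from the Application Request Routing proxy in front of the site, not from the application, so it has to be switched off on the ARR server itself (the `arrResponseHeader="false"` attribute of its `<proxy>` element) rather than in the site's web.config.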