Sunday, August 21, 2011

IE Cookies now look like a box full of chocolates…

I guess I just took it for granted, but apparently, for the longest time, Internet Explorer has stored its browser cookies using plain-text filenames that were relatively self-apparent as to their site-ownership.  Chrome and Firefox use a database file to accomplish things rather than singular cookie files.

Bill Pytlovany of “WinPatrol” fame recently discovered that a Windows Update has now changed that cookie-naming behavior, much to the (temporary) detriment of a cookie-management feature of WinPatrol.

Bits from Bill: Windows Update Changes IE Cookies Names

Luckily for us, Bill is both a very sharp guy, and openly communicates the best of his findings so we can now learn about this security improvement from Microsoft.

While in-of-itself this probably isn’t major news except for some application programmers who do IE cookie review/reporting, it was an interesting look at how Microsoft is continuing to try to tweak the security model for IE.

In that post in a followup update, Bill dug up some great resource linkage from Microsoft on this change over at Eric Law’s blog that is a must-read for those working directly with IE cookies in this post-update landscape.

Specifically, it is Microsoft Security Bulletin MS11-057 - Critical: Cumulative Security Update for Internet Explorer (2559049) which is impacting cookie-handling.

Internet Explorer 9.0.2 Update - EricLaw's IEInternals

From that post (which contains wonderfully illustrative screen shots of the pre and post-update cookie storing behavior) Eric explains thusly:

Cookie Filenames are Randomized

As a rule, Internet Explorer attempts to prevent Internet sites from storing content in predictable locations on the local computer, in order to foil a number of attack types. That rule is why, for instance, the Internet-cache stores content in randomly-named subfolders.

Prior to this update, Cookies were an exception to this behavior—their location was insufficiently random in many cases. Generally, cookie files were stored under the \AppData\Roaming\Microsoft\Windows\Cookies folder, in files named using the user’s login name, an@ symbol, and a partial hostname for the cookie’s domain:

Given sufficient information about the user’s environment, an attacker might have been able to guess the location of a given cookie and use this information in a multi-stage attack.

To mitigate this threat, Internet Explorer 9.0.2 now names the cookie files using a randomly-generated alphanumeric string. Cookies are not instantly renamed on upgrade, but are instead renamed as soon as any update to the cookie’s data occurs. You can see the impact thusly:

We do not expect significant compatibility fallout from this change either, as the names of these files have always been somewhat dynamic. Directly enumerating or reading the Cookie files has never been supported. Instead, local applications that wish to interact with cookies can use the InternetGetCookieEx and IEGetProtectedModeCookie APIs, or they can use the WinINET cache-enumeration functions.

Another treat in the comments is Eric’s clarification that the name randomizing behavior only (should) impact cookies from the Internet zone (in IE’s terms) and not the Intranet zone. So if you have any in-house/network applications that also create/store local cookies in IE, then they should not be randomized if your IE zone settings are set correctly.

Also, it appears that the internal contents of each cookie file are not changed by this handling and can otherwise be viewed using normal methods.

Eric specially address this operation in IE 9.0.2 but earlier in his post’s introduction he wrote that “…two of the security-related changes impact obscure Internet Explorer behaviors in all supported browser versions (6 to 9)—I’ll discuss both of these changes in this post.” So it may be that randomization will be seen in cookie stores of other IE versions.

Finally, it seems (based on my own IE 9 cookie store review post-update) indeed that the cookie-name randomizing only occurs as new cookies are being set or updated as Eric had described above in his post.

While I suspect that any forensicators won’t have much problem dealing with this IE cookie-handling change (I think someone wondered aloud about what’s in a name?), it may prevent the casual inspectors of cookie crumbs from reading too much meaning into them.  However the contents, file meta-data, and such should still provide more than enough meat and potatoes to keep the pros happy.

I imagine some IE-behavior inspecting tools and utilities may need to be updated just a bit, but besides being a new “item of note” regarding the IE browser landscape and behavior, it’s will be business-as-usual.

To my untrained eyes, it’s kinda like trying to pick out the chocolate truffle ones from a box of mixed-chocolates. Unless you know the particular swirls and marks, it’s a pot-luck game.

Fortunately I’ve got a friend to help me out. Nir Sofer’s IECookiesView v1.74: Cookies viewer/manager for Internet Explorer seems to have no problems with the post-update changes.  In my testing, it happily reports the correct Web-site, access-date, modify date, create date, and domain (among other details) while also showing the newly randomized filename. It does a few other things as well to make IE cookie managing a breeze.

Nothing earth-shattering here, but interesting for the geek crews.

Related and easily overlooked in Eric’s post a link to this A Primer on Temporary Internet Files post at EricLaw's IEInternals that provides some fresh info on IE Temp file handling. Sweet!

--Claus V.

Freeware Smorgasbord

Here is a collection of new and/or updated freeware offerings that caught my eye over the last month.

Because they survived the winnowing process, there was something about them that was worth me keeping and may be worth you checking out…even briefly.

Advanced Visual BCD Editor for Windows 7 and Vista via The Windows Club  “Visual BCD Editor is an advanced GUI for the BCDEdit utility in the Windows operating system. In fact it looks to be the first GUI utility to implement full editing of the BCD store. The user can create and change the value of more than 120 properties of BCD objects by simple edits. Other similar utilities do not  give access to not more than 30 properties.”  Utility project page link: BCD Editor for Windows 7 / Vista

Looks be be a lower-level BCD editor than my favorite EasyBCD 2.1 - NeoSmart Technologies utility.

H2testw 1.4 (via Google Translate) - German c’t website utility that is useful to check and verify your bargain bin USB drive grab is really not a fake that has had the reported storage-size manipulated. Use with caution (remove key data from your drive and not for use on the system-boot disk).

MJ Registry Watcher (Version - free registry change watcher/monitor application has been updated with some new features.

TEncoder: Open Source Multi-threaded Video Encoder [Windows] - via MakeUseOf blog review. Video format converters are now a dime-a-dozen. I probably have a collection of at least six portable ones that I keep handy (although-truth-be-told, I tend to use one or two exclusively.) However, this one caught my eye as it offers multi-thread processing.  Very handy if you have a multi-core system and a lot of video files to process. Utility project page link: TEncoder 

TeraCopy - my favorite alternative Windows copy handler from Code Sector has been updated again some time ago and I missed it. FileHippo has a well-summarized Change Log outlining the latest adds and fixes.

FreewareGenius reviewed ProEject recently. Eject USB devices quickly and safely with ProEject post via Clever tool to help those who live off their USB sticks manage them a bit more friendly-like.  Not a critical tool but a useful one.

Virtual Magnifying Glass Portable 3.5 (screen magnifier) - No, the Valca eyes have not gone so bad that I need this tool (yet) but that said, there are a lot of commercial products around there that accomplish what this one does, and not quite as nicely. So if you need an on-screen magnifier utility…for your family/relations, keep this one in mind. Just saying friendly like.

CCleaner 3.09 and CCleaner for Mac Beta 3 - Piriform has been hard at work enhancing their premier system cleaning tool and it shows.  Amazing both in terms of features and performance, this and Nir Sofer’s CleanAfterMe are the only two Windows cleaning tools I go to when doing the kind of Windows housecleaning work that must be done from time to time. (related: CCleaner Enhancer Adds 270 New Rules to CCleaner - How-To Geek ETC)

Newsfox - My favorite RSS Feed Reader for Firefox got an update.

This TinyApps.Org Blog : Backup to drive label instead of drive letter led me to the wonderfully featured Create Synchronicity backup and sync tool. Sweet! Thanks TinyApps!

VIrualBox has been getting some updates of late. BetaNews introduces the biggies in their post Finally, VirtualBox 4.1 brings Aero support, VM cloning.

Having been spoiled with Widows Virtual PC and it’s bundled “PC Additions” pack, I guess I didn’t do due-diligence in my ongoing parallel use of VirtualBox. Embarrassingly, I appear to have overlooked the fact that while you can install a similar “additions” pack into guest systems in VIrtualBox, there is also a separate “extensions pack” to bring more enhanced features to the VirtualBox software.

Installing VirtualBox and extension packs - manual page.

Downloads - VirtualBox (and the Extension Pack)


--Claus V.

NirSoft Utility Births and Growing Spurts

Nir Sofer continues to provide some of the best Windows system support and administration utilities, freely, that are available over at his NirSoft website. Period.

In my humble opinion, only Mark Russinovich’s Microsoft Sysinternals tools offer the width and breadth of must-have system utilitarianism as Nir’s.  And those is mighty big boots to be standing alongside.

So it should come to no surprise that Nir’s prolific coding power hasn’t been resting with a whole slew of new and cool system utilities (all standalone) along with nice updates to some previously released goodies.

I submit to you tonight for your most geeky downloading:

BatteryInfoView -- More into at NirBlog Post New utility that displays battery information on laptops and netbooks

Wireless Network Watcher-- More into at NirBlog Post New utility that shows who is connected to your wireless network.

I really, really like this one.  With a few clicks, you can discover and monitor which devices are making wireless connections and keep an eye out for unwanted/unauthorized connections to a large degree. (Alvis…I know you haven’t gone to bed yet! Why is your laptop still on?)

CustomExplorerToolbar-- More into at NirBlog Post New utility to customize the Explorer toolbar of Windows 7

ProcessThreadsView -- More into at NirBlog Post New utility that shows information about all threads in a process, and this BetaNews post Find out what's really happening on your PC with ProcessThreadsView.  I see it as a very useful companion to both ProcessActivityView from NirSoft and Process Explorer from Sysinternals.

TableTextCompare-- More into at NirBlog Post New utility to compare comma-delimited (csv) or tab-delimited files created by other Nirsoft tools

DomainHostingView-- More into at NirBlog Post New utility that shows the hosting/owner information of a domain. I’ve already done a few URL studies on suspcious/spam/phishing links. It aggregates a lot of information quickly and provide wonderfully useful information.

WakeMeOnLan-- More into at NirBlog Post New utility that turns on computers on your network with Wake-on-LAN packet.  I like it’s enumeration of active devices including IP, Name, MAC, and various other details. Nice one-stop shopping, even if you don’t use it for managing WOL packet sends. Very similar to Nir’s FastResolver network discovery tool but with the added WOL capability.

Keeping up with latest and greatest offerings from Nir certainly can be daunting

Luckily you can subscribe to his Update/Announcements syndication feed link: NirSoft - Freeware Utilities as I do.

You may also want to add the syndication feed link of his NirBlog page which provided some more in-depth software tool background and musings.

There have been quite a few updates as well to existing tools. Of note to me for enhanced usage in incident-response or administration use were:

DevManView v1.23 - Update was as noted on the page “…added a second Device Registry Time value, which usually displays the installation time of the device.”

USBDeview v1.92- Recent updates up to and including this version release as noted on the page include:

“Added 'Turn Off Device On Disable/Remove' option, only for Windows 7/2008/Vista. As opposed to Windows XP, Windows 7/2008/Vista doesn't turn off the USB device when you disable or 'Safely Remove' the device. This new option make a small Registry change to make Windows 7/2008/Vista behave like Windows XP and turn off the device after disable or 'Safely Remove' action. For more information: USB Port Remains Active for Disabled or Safely Removed USB Device.  Be aware that this change takes effect only after reboot, and requires full admin rights (execute USBDeview.exe with 'Run As Administrator')

“For USB To Serial devices, USBDeview now displays the port name (Com1, Com2, Com3,...), if it's stored in the Registry. The port name is displayed on the 'Drive Letter' column.

“Improved the detection of the 'Last Plug/Unplug Date' value.“

OpenedFilesView v1.52- Update was as noted on the page “…Added 'Open File Folder' option (F8), which opens the folder of selected file in Windows Explorer.“

SmartSniff v1.80 - Update was as noted on the page “…Added 'Extract HTTP Files' option (under the File menu), which allows you to easily extract all HTTP files stored in the selected streams, into the folder that you choose.”

Now go forth and download!

--Claus V.

Giving it the boot

…as in off-line system booting, not the GSD blog (despite the drought of posts strangely mirroring the lack of rain and rise in thee-digit temps here on the Texas coast).

I still continue to find joy and purpose for my portable iodd : Multi-boot madness device.  It is humming along and greedily continues to consume the bootable ISO files I toss at it.

I-Odd (South Korea) has released some newer firmware updates.  In summary, the i-odd is an external USB2.0/eSATA drive enclosure that allows you to store boot-disks in ISO format and then boot a system with any of them via the selector toggle.  The I-Odd site has gotten a refresh and much easier to navigate. They are offering firmware update versions 1.42.64N (for NTFS-formatted I-odd partitions, and 1.42.64F for the FAT32/exFAT formatted i-odd partitions. Download page.  There are also some utilities and whatnot listed there as well. Only drawback is that as none of the links are clearly time/date noted, it is hard telling if something is a new update or not.

The US i-odd site is (still) offering Firmware Version 1.42.48 (ISO) that supports either FAT32, EXFAT or NTFS partition handling for loading disk images.  I’m getting the feeling that this US branch isn’t providing a lot of product love considering the SK site is way ahead of their game.

The maintainer of TinyApps.Org Blog is the kind individual who first set me on notice and then use of the i-odd device.

Not too long ago he sent word of a Kickstarter project called the ISOStick which though not related to the iodd device, is likely to be a kissin’ kousin if all goes successfully.

That last link is really cool as the developer shows all the work that is going into the design and development. It’s a neat behind-the-curtain look at what it takes to make and bring these magical but ubiquitous “flash-drive” units to life.

In the meantime, if you don’t have a iodd or ISOStick device, you might want to check out these additional neat boot from a flash-drive projects:

WinToFlash - Install Windows from usb

From that project page link:

“WinToFlash starts a wizard that will help pull over the contents of a windows installation CD or DVD and prep the USB drive to become a bootable replacement for the optical drive. It can also do this with your LiveCD.”

YUMI - Multiboot USB Creator (Windows) via USB Pen Drive Linux

From that project page link:

“YUMI (Your Universal Multiboot Installer), is the successor to MultibootISOs. It can be used to create a Multiboot USB Flash Drive containing multiple operating systems, antivirus utilities, disc cloning, diagnostic tools, and more. Contrary to MultiBootISO's which used grub to boot ISO files directly from USB, YUMI uses syslinux to boot extracted distributions stored on the USB device, and reverts to using grub to Boot Multiple ISO files from USB, if necessary.”

The MakeUseOf Blog has a great review/how-to post on YUMI: Boot Multiple Live CDs From One USB Disk With YUMI [Windows]

LiveUSB MultiBoot - This is a French-based project but English-versions have been translated by community members.  It is a Linux boot CD project. Here is a Google Translate link for easier reading if you are interested.

Multi-booting systems via a USB device is still cool and useful, particularly for the sys-admin/incident responder crowds. While probably never to become a main-stream product for the masses, it is nice to see these projects and capabilities continue in development.


--Claus V.