January 31, 2006
From Computer World...
JANUARY 30, 2006 (IDG NEWS SERVICE) - Users of Advanced Micro Devices Inc.'s microprocessors may want to think twice before looking for technical support on the company's Web site. Customer support discussion forums on the forums.amd.com site have been compromised and are being used in an attempt to infect visitors with malicious software, an AMD spokesman confirmed Monday.
Yep - you read that right - the hackers are going after the geeks with more esoteric attacks. This is the WMF flaw coming back to bite those who haven't patched their systems yet... for whatever reason. (some of those reasons are good - but that doesn't help once your system has been compromised)
Attackers have figured out a way to use AMD's forums to deliver maliciously encoded WMF images to visitors, which are then used to install unauthorized software on the unpatched systems, he said.
In this case, the software appears to be a number of different malicious tool bars. "Most of the tool bars show pop-ups, follow your search and other keyword activity, and use that to target ads to you," Hypponen said. "It's for-profit hacking. Somebody is making money from each machine that is hit by these tool bars."
Because of the nature of the WMF vulnerability, however, hackers could install any type of software they wanted on unpatched systems, he said.
Interesting and scary thought. Here you wanted some info on an AMD product and who knows what you've picked up! So far they're talking about toolbars... but I wonder if there were any more malicious payloads out there.
These attackers need to be seriously hurt... seriously.
I've just spent a good chunk of time moving my personal email over to Thunderbird. It's time consuming and annoying to make even minor changes like this. The time goes into the nitpicky details of getting things set up the way I want them and making the rules work for distributing my email. You see... I have specific folders I like to use so I know who the emails are coming from. And even though I still overlook stuff - I "lose" less email in the mess of too many messages when I can distribute to different folders.
What I want to see is if their spam filter actually works.
I've been using the "evil" Outlook for a number of years. Some of this had to do with compatibility issues with my husband's work email. The rest had more to do with laziness than anything else. But in the last couple of months the spam has become intolerable. I spend more time deleting that than actually reading emails. It was either - get a filter for Outlook - requiring much research on what's available and poring through reviews to see what problems people run into... OR I could try Thunderbird...
So here I am - messing about with my regular email when it occurs to me, I might as well mess about with my blog email too. Why not. I've never been very happy with Hotmail - I just don't like the interface... it's a personal preference. Plus it dawned on me that I have several available email accounts sitting around not being used. So, I created a new account - and thus you see the new and improved email addy on the right sidebar at the top.
I'll see how it goes - I may even try working it out so the sidebar account gets POPped directly to my new Thunderbird setup. If I like this enough - I may end up moving blog comments off gmail and putting them on this account too. But - one thing at a time.
January 26, 2006
OS X contains unpatched security flaws of a type that were fixed on alternative operating systems more than a decade ago, according to a security researcher credited with finding numerous bugs in Apple's increasingly popular platform.
So, the next time a Mac user laughs at you for being on a Windows platform (maybe even out of necessity)... you may want to tell them to keep an eye on their own systems instead of mocking yours.
"In my experience -- which is also the experience of some of my peers -- Apple has been very slow to respond to reported security vulnerabilities. It expects security researchers to wait indefinitely to release the vulnerabilities and offers no incentive for them to do so," said Archibald.
Apple's impressive security record is likely to be tarnished if the company continues to grow its market share while undervaluing security researchers and not properly auditing its code: "During the small time Suresec researchers spent auditing Mac OS X, many vulnerabilities like this turned up. Suresec is currently aware of many bugs which exist by default in the latest version of Mac OS X, on both the Intel and PPC Architecture."
Yep, just because you haven't heard about a bug - doesn't mean it's not there just waiting to pounce. Keep your eyes open Mac users. Learn how to deal with bugs and security patches or you may be sorry one day.
Jan. 24, 2006 (KRT News delivered by Newstex) -- SAN JOSE, Calif. -- Google announced that it is officially launching its services in China, a move that will require the Internet firm to subject itself to self-censorship.
Google is one of the last large U.S. Internet companies to officially set up shop inside China. The delay reflects months of internal wrangling over how to balance business interests against its distaste at having to comply with China's restrictive speech policies.
Oh they certainly are not alone, Yahoo is in China, Microsoft, News Corp... among others. All of them censoring items that the Chinese government decrees are off limits. They must, that's the only way you can do business in China.
This does make one stop to wonder... all of our search engine companies here in the US are bending right over for the Chinese government - this is something we know about and is publicly being bandied about. My question is... what is being censored over here? I know there are government censorship rules in place on things like bomb making... but it's a simple step from there, to censoring other things.
That's the problem. When you help a repressive government try to maintain its iron fist over its own people, you become tarred with the same dreck as those you are helping. It leads people to believe that you will cave in all aspects of your business. (unless of course you are talking about pornography... they won't cave on that one - well that's a relief...)
JANUARY 26, 2006 (COMPUTERWORLD) - The U.S. Federal Trade Commission (FTC) has imposed a $10 million civil penalty against data aggregator ChoicePoint Inc. for a massive data security breach that resulted in the compromise of nearly 140,000 consumer records last year (see "ChoicePoint to tighten data access after ID theft").
In addition to the penalty, which FTC Chairman Deborah Platt Majoras described as the largest ever levied by the agency, ChoicePoint has been asked to set up a $5 million trust fund for individuals who might have become victims of identity theft as a result of the breach.
As part of its agreement with the FTC, Alpharetta, Ga.-based ChoicePoint will also have to submit to comprehensive security audits every two years for the next 20 years.
Do have a look at what ChoicePoint did on its way to giving out customer information to anyone who claimed to be a legitimate business...
In its decision, the FTC slammed ChoicePoint, saying that it did not have reasonable procedures in place to screen prospective subscribers and that it turned over sensitive personal information to subscribers whose applications raised obvious red flags. The FTC said ChoicePoint approved customers for its service who lied about their credentials and used commercial mail drops as business addresses. In addition, the applicants reportedly used fax machines at public commercial locations to send multiple applications for separate companies.
According to the FTC, ChoicePoint also failed to tighten its application approval procedures or monitor subscribers, even after it got subpoenas from law enforcement authorities alerting it to fraudulent activity that dated back to 2001.
While I'm assuming they have a firewall in place, you almost have to wonder why. They pretty much threw open the information to anyone who asked for it... and television commercials would have you worry about dumpster diving - good grief! Why go to the trouble of going through people's trash, when all you have to do is call ChoicePoint?
They deserved this penalty and far more! The 140,000 names that were disclosed last year as being compromised is simply the tip of the iceberg. I'm sure far more data has left their hands to go to the criminals before it became illegal to cover it up.
Now the question becomes, are they going to levy such huge fines against companies that try their hardest and are still breached? As current systems stand right now, it is impossible to be connected to the internet doing business, and be totally secure. Yes, ChoicePoint deserved it and the ruling will definitely make other companies look very hard at their security. But it remains to be seen if the real punishment will be reserved for those who simply ignore security in the quest for business, or if the penalties get tougher even for those who do all in their power to prevent data theft.
January 12, 2006
The immediate answer is - well you protect it from those nasty scum who would send viruses and trojan horses, or from those who would use your machine as a zombie to send out spam... that sort of thing.
However, it seems that they also try to protect users from themselves...
Symantec has been caught in this double jeopardy and now has a live update fix that you will need to apply if you use their Norton Software.
Symantec has released an update to its popular Norton SystemWorks to fix a security problem that could be abused by cybercriminals to hide malicious software.
In the PC-tuning application, a feature called the Norton Protected Recycle Bin creates a hidden directory on Windows systems. The feature is meant to help people restore modified or deleted files, but the hidden folder might not be scanned during scheduled or manual virus scans, Symantec said in an advisory released Tuesday.
As usual, you can do things with the best of intentions and yet end up helping the bad guys because the malicious use of your helping hand was never considered. It is certainly extremely difficult to think like a criminal if you are not inclined to criminal activity, but Norton has been at this for many years... someone missed the boat on this bug.
Unfortunately Znet then tries to equate this with the Sony fiasco of a few weeks ago...
Symantec's alert has echoes of Sony BMG Music Entertainment's recent PC security fiasco. The record label was found to be shipping copy-protected compact discs that planted so-called rootkit software on the computers that played them. The rootkit technology also offered a hiding place for malicious software.
This is wrong on Znet's part - so far as I can tell - the only thing that Symantec's software is doing is creating a hidden directory that is not scanned by their AV software - they aren't breaking anything nor are they doing any extra screwing around with the registry (outside of the humongous amount they do anyway) in order to keep you from getting rid of this hidden directory.
So, the only real connection between the two scenarios is the word "hidden".
What's the value of hiding the directory?
When the recovery feature was first introduced, hiding the directory helped ensure that a user would not accidentally delete the files in it, Symantec said.
There it is - trying to save the users from themselves. Sadly, I don't think that's possible. We've all deleted stuff from our computers that we wanted or needed to keep. We've all done dumb stuff to our computers.
In the case of Symantec and other AV providers, I think they need to stick to keeping out the bad guys. Users will simply have to take the risk of losing some data in order to keep their systems safe. In this case the best of intentions can be detrimental.
Now - if you use Symantec products - go to live update and get the fix. BTW - you'll have to reboot.
January 05, 2006
The company is breaking with its monthly patch cycle because it completed testing of the security update earlier than it anticipated, it said in a note on its Web site. "In addition, Microsoft is releasing the update early in response to strong customer sentiment that the release should be made available as soon as possible," the company said.
Shall we stop for a moment and just remember exactly what the WMF flaw will allow...
What’s the fuss about? A major security hole involving WMF files. Exploits targeting the hole can use WMF files to run malicious code on a target machine -- infecting it with spyware, stealing data or recruiting it into a zombie network. The problem has existed for years, but its discovery was publicly announced in late December 2005.
Which versions of Windows are vulnerable? Microsoft stated that the vulnerability applies to all versions of Windows from 98 onward, though, practically speaking, only XP and Server 2003 installations are likely to have problems. Secunia confirmed the following systems to be at risk: Microsoft XP Pro, Microsoft XP Home, Microsoft Windows Server 2003 Datacenter Edition, Microsoft Windows Server 2003 Enterprise Edition and Microsoft Windows Server 2003 Standard Edition.
Is any real-world malware targeting this hole? Like rust, exploit writers never sleep, or even slow down enough to be counted. As of yesterday, 73 known exploits had been noted on the CastleCops.com discussion board, and antivirus firm Sophos reported over 200 attack methods thus far.
How are the exploits traveling? Infection vectors will be familiar to anyone who follows the malware scene: graphics or executables opened from within e-mail or instant messages, malicious or compromised sites, fake e-cards, fake system messages and the like. Antivirus firms have discovered instances of a stand-alone utility called WMFMaker that quickly constructs a malicious WMF. That program is believed to have been used in the first wave of exploits.
There are a couple of things that sorta jump out at me here.
First is the rather offhand manner of the release... "...releasing the update early in response to strong customer sentiment ..." almost as if they wouldn't have bothered except that the customers are being so damned annoying.
Second is... they are rushing out with the patch. I think I'm going to wait a few days to see what happens. Somehow I have the feeling that there will be some big breakdowns very quickly. I could be wrong, but that seems to be the case more often than not when software fixes are rushed.
I foresee that when problems DO occur, Microsoft will point to the manner of the release, saying that they did their best and since they were rushed... what do people expect?
It will be interesting to see what happens.
January 03, 2006
After yesterday's post about an unofficial patch for a huge hole in Windows... today's post has some grim humor associated with it. The problems are coming from a Sanctioned Microsoft Patch distributed through their own system.
Installing the patch can cause serious problems, Microsoft said in an advisory posted to its Web site Friday. The patch could lock users out of their PC, prevent the Windows Firewall from starting, block certain applications from running or installing, and empty the network connections folder, among other things, the software maker said.
It is the sort of thing that happens often enough that I have a difficult time endorsing those who want to push patches to unsuspecting users. In an effort to get these patches out, they sometimes miss important things and cause users no end of hassle to get their systems back up.
The trouble appears to occur only when default permission settings on a Windows directory have been changed, according to Microsoft. The software maker has received "limited reports" of problems from customers but is still investigating the issue, a representative said.
This means that typical users at home are not as likely to be affected by the patch, but I can see it causing big issues with company systems where there are often changes to file and directory permissions for security reasons.
To resolve any problems caused by the MS05-051 patch, users should restore the default permissions for the Windows folder and the COM+ catalog. A guide is available on the Microsoft Web site, and steps start with changing the permissions on the "registration" folder in the Windows directory.
My question is... if the patch has locked you out of your PC... how are you supposed to apply these changes?... much less GET TO THE INTERNET to read about how to fix it! I haven't gone to read the link to the Microsoft site yet... maybe they answer this question, but I bet they don't. I foresee people having to reload PCs...how annoying.
Although I must say that I did apply these patches to my machine yesterday and had no problem. I really try to keep my work system very simple. Easier to keep track of that way!
January 02, 2006
JANUARY 02, 2006 (IDG NEWS SERVICE) - Users of the Windows OS should install an unofficial security patch now without waiting for Microsoft Corp. to make its move, security researchers at The SANS Institute's Internet Storm Center (ISC) advised yesterday.
Their recommendation follows a new wave of attacks on a flaw in the way versions of Windows from 98 through XP handle malicious files in the WMF (Windows Metafile) format. One such attack arrives in an e-mail message entitled "happy new year," bearing a malicious file attachment called "HappyNewYear.jpg" that is really a disguised WMF file, security research companies including iDefense Inc. and F-Secure Corp.
However, simply viewing the folder that contains the affected file, or even allowing the file to be indexed by desktop search utilities such as the Google Desktop, can trigger its payload, F-Secure's Chief Research Officer Mikko Hypponen wrote in the company's blog.
In addition, source code for a new exploit was widely available on the Internet by Saturday, allowing the creation of new attacks with varied payloads. The file "HappyNewYear.jpg," for example, attempts to download the Bifrose backdoor, researchers said.
As you can see - it's already morphing into newer and better exploits.
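The articles above make two points worth checking for yourself: a "disguised" file like HappyNewYear.jpg is a metafile no matter what its extension says, and the dangerous ingredient is a specific record inside it. Here is an added example, not code from this blog, from the quoted articles, or from Ilfak's hotfix: a small Python scanner that recognises WMF content by its header rather than its file name, walks the record list, and reports any Escape record whose sub-function is SETABORTPROC (the escape that the unpatched GDI32.DLL treated as "call this code"), plus any record whose size field is too small to be a record at all. The header and record layout follow the published WMF format; the sample files it scans are constructed inline for the example, and the "payload" is an inert marker string, not shellcode.

```python
import struct

# WMF constants (from the published Windows Metafile format)
PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional 22-byte placeable header
META_ESCAPE = 0x0626         # record function: Escape
META_EOF = 0x0000            # record function: end of file
META_SETMAPMODE = 0x0103     # harmless record used in the benign sample
SETABORTPROC = 0x0009        # Escape sub-function abused by the WMF exploits
MIN_RECORD_WORDS = 3         # RecordSize (2 words) + RecordFunction (1 word)


def wmf_header_offset(data):
    """Return the offset of the 18-byte METAHEADER, or None if not WMF.

    The check ignores the file name entirely: a 'HappyNewYear.jpg' that
    starts with a metafile header is still a metafile to GDI.
    """
    if len(data) >= 22 and struct.unpack_from('<I', data, 0)[0] == PLACEABLE_KEY:
        return 22                       # placeable header comes first
    if len(data) >= 18:
        mt_type, hdr_size, version = struct.unpack_from('<HHH', data, 0)
        if mt_type in (1, 2) and hdr_size == 9 and version in (0x0100, 0x0300):
            return 0
    return None


def scan_wmf(data):
    """Walk the record list and report SETABORTPROC escapes and bad sizes.

    Returns {'is_wmf': bool, 'findings': [description, ...]}.
    """
    base = wmf_header_offset(data)
    if base is None:
        return {'is_wmf': False, 'findings': []}
    findings = []
    pos = base + 18                     # skip METAHEADER
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from('<IH', data, pos)
        if func == META_EOF:
            break
        if size_words < MIN_RECORD_WORDS:
            # A record shorter than its own header is malformed; stop here
            # rather than loop forever or read garbage as further records.
            findings.append('malformed record size %d at offset %d' % (size_words, pos))
            break
        params = data[pos + 6:pos + size_words * 2]
        if func == META_ESCAPE and len(params) >= 4:
            esc_code, esc_len = struct.unpack_from('<HH', params, 0)
            if esc_code == SETABORTPROC:
                findings.append('SETABORTPROC escape at offset %d carrying %d bytes'
                                % (pos, esc_len))
        pos += size_words * 2
    return {'is_wmf': True, 'findings': findings}


# --- constructed samples for the example (not real malware) ----------------

def _record(func, params=b''):
    """Encode one metafile record: size in 16-bit words, function, params."""
    assert len(params) % 2 == 0
    return struct.pack('<IH', (6 + len(params)) // 2, func) + params


def _wmf(records):
    """Wrap raw record bytes in a standard (non-placeable) METAHEADER."""
    body = b''.join(records) + _record(META_EOF)
    max_words = max(len(r) for r in records) // 2
    header = struct.pack('<HHHIHIH', 1, 9, 0x0300, (18 + len(body)) // 2,
                         0, max_words, 0)
    return header + body


INERT_MARKER = b'NOT-SHELLCODE-MARKER'      # 20 bytes standing in for a payload

BENIGN_WMF = _wmf([_record(META_SETMAPMODE, struct.pack('<H', 1))])
EXPLOIT_STYLE_WMF = _wmf([
    _record(META_SETMAPMODE, struct.pack('<H', 1)),
    _record(META_ESCAPE,
            struct.pack('<HH', SETABORTPROC, len(INERT_MARKER)) + INERT_MARKER),
])
MALFORMED_WMF = _wmf([struct.pack('<IH', 1, META_ESCAPE) + b'\x00' * 4])
NOT_WMF = b'\xff\xd8\xff\xe0' + b'\x00' * 30    # a JPEG SOI/APP0 marker, no metafile


if __name__ == '__main__':
    for name, blob in [('benign', BENIGN_WMF), ('exploit-style', EXPLOIT_STYLE_WMF),
                       ('malformed', MALFORMED_WMF), ('real jpeg', NOT_WMF)]:
        print(name, scan_wmf(blob))
```

To check a real file, read it as bytes and pass it to scan_wmf; the extension is never consulted, which is the whole point against a ".jpg" that is really a metafile. A legitimate picture has no reason to carry a SETABORTPROC escape, so a hit is a strong signal even though the scanner does not decode nested metafiles or EMF. It is a triage tool, not a replacement for the patch.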
At the end of the article they have a link to another article which in turn links to Steve Gibson's site - Steve has a great explanation. He tells you why the unofficial patch is currently the way to go for this particular exploit.
Please Note: Unlike the "DLL unregister" recommendation offered by Microsoft (see RED box below) Ilfak's patch completely eliminates the vulnerability. Therefore, until Microsoft is able to update and repair their vulnerable GDI32.DLL, this is what you should use. You do NOT need to unregister the DLL as described in the RED box below.
Since I couldn't get the links to work for me from Steve's site, I went back to the article and clicked over to Ilfak Guilfanov's Hexblog and found the post about the hotfix.
The fix does not remove any functionality from the system, all pictures will continue to be visible. You can download it here:
It should work for Windows 2000, XP 32-bit, XP 64-bit, and Windows Server 2003.
I went over to Slashdot to see what they had to say and found a comment from Ilfak addressing the patch question.
The hotfix must be tested on as many machines as possible. Possible negative consequences must be determined and decided upon if they are acceptable or not.
In short, more rigorous testing is required.
The link to the original post is here. I've only read a few of the comments, but there appear to be some good ones.
YMMV, but I have installed the patch - so far no problems. If you are a gamer - you may want to be aware that it might possibly break something. However, since it is an uninstallable patch... I think it is certainly worth considering.
Last of all - at the bottom of Ilfak's post on the hotfix...
If for some reason the patch does not work for you, please uninstall it. It will be in the list of installed programs as "Windows WMF Metafile Vulnerability HotFix". I'd like to know what programs are crippled by the fix, please tell me.
I recommend you to uninstall this fix and use the official patch from Microsoft as soon as it is available.
One other comment in the Slashdot thread may shed a bit of historical light on this problem. I'm not versed enough in Microsoft code to be sure that the commenter is completely correct, but it is certainly the kind of thing many people in computer security have been warning about for years.
Changing code that's this deeply buried in Windows is risky. The interpreter for WMF is one of the remnants of code left over from single-user computers, and they'll have to test changes very thoroughly. They're GOING to break things with this patch, because they're removing a designed-in feature. They're probably working feverishly to figure out how to minimize the damage, but some damage is inevitable. And the problem could be far worse than it appears; that DLL could be riddled with problems. It may not have been audited in many years.
This is yet another example of how you can't retrofit security; the first Windows versions were designed when security wasn't even an issue, when the Internet was barely a twinkle in Al Gore's eye. There's a mountain of code that was written just to work, not to worry about being handed malicious data. If a user passed bad values to a system call and it crashed, oh well. It was their fault for doing it. It's not like they had anything to gain from it, after all. They owned the computer. Why on earth would the computer need to protect itself from its owner?
Whether or not the WMF problem is as proposed by the commenter, the problem he posits is one that every operating system running today has to face. Windows has more people trying to exploit it, but few OS's were written with security in mind - security is applied after the fact. Therein lies the problem with computers today. Unless someone starts from scratch and designs an OS from the ground up - with an eye for security - things won't get better from here.
All that is very time consuming and expensive - to say the least. Backward compatibility would mostly be gone. How many of us as individuals and companies as a whole can afford to start over from the beginning? It's not a feasible option. It only becomes a reality if we get to the point where the net comes to a complete halt, or computers are shut down by an exploit and can't be restarted. In that case - our entire system financially would come to a stop - and we would be in dire straits indeed. And please remember how long Microsoft, Unix, and Linux have been around - it takes YEARS to develop a complete OS. I hope someone is working on it now...
At the moment I don't foresee that happening, but one never knows. If you feel comfortable enough with what you've read, go patch your system. If not, wait for the Microsoft patch.
Powered by Minx 1.1.6c-pink.