<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Liquidmatrix Security Digest &#187; OS Security</title>
	<atom:link href="http://www.liquidmatrix.org/blog/category/os-security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.liquidmatrix.org/blog</link>
	<description>Bringing Fire To The Village: Your Source For Computer, Network &#38; Information Security News from Dave Lewis, Security Blogger</description>
	<lastBuildDate>Mon, 15 Mar 2010 15:57:36 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=abc</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Microsoft To Issue Two Emergency Patches Next Week</title>
		<link>http://www.liquidmatrix.org/blog/2009/07/24/microsoft-to-issue-two-emergency-patches-next-week/</link>
		<comments>http://www.liquidmatrix.org/blog/2009/07/24/microsoft-to-issue-two-emergency-patches-next-week/#comments</comments>
		<pubDate>Sat, 25 Jul 2009 02:38:02 +0000</pubDate>
		<dc:creator>Dave Lewis</dc:creator>
				<category><![CDATA[OS Security]]></category>
		<category><![CDATA[Patches]]></category>

		<guid isPermaLink="false">http://www.liquidmatrix.org/blog/?p=6889</guid>
		<description><![CDATA[
This is starting to wear on my nerves. This non-stop parade of patches is really tiresome. It would be rather lovely if code could be written well. Then again it makes for job security. 
Ugh.
From The Register:
Microsoft plans to issue two emergency patches next week that fix vulnerabilities in the Internet Explorer browser and Visual [...]]]></description>
			<content:encoded><![CDATA[<p><center><img src="http://www.liquidmatrix.org/blog/wp-content/uploads/2009/07/incaseofemerg.jpg" alt="incaseofemerg" title="incaseofemerg" width="400" height="270" class="alignnone size-full wp-image-6890" /></center></p>
<p>This is starting to wear on my nerves. This non-stop parade of patches is really tiresome. It would be rather lovely if code could be written well. Then again it makes for job security. </p>
<p>Ugh.</p>
<p>From The Register:</p>
<blockquote><p>Microsoft plans to issue two emergency patches next week that fix vulnerabilities in the Internet Explorer browser and Visual Studio developer suite that allow attackers to remotely execute malware.</p>
<p>The patches, which will be delivered on Tuesday, will be only the third time Microsoft has issued an out-of-band security patch in the past 25 months. That suggests the updates are serious enough to warrant the extra fuss. Typically, the company issues patches on the second Tuesday of each month to allow administrators time to plan for and test the updates.</p></blockquote>
<p>According to the bulletin, one is for a &#8220;moderate&#8221; problem with Visual Studio and the other for a &#8220;critical&#8221; problem in Internet <strike>Exploder</strike> Explorer, both of which result in remote access. For the advance notification from Microsoft <a href="http://www.microsoft.com/technet/security/bulletin/ms09-jul-ans.mspx">read on</a>.</p>
<p><a href="http://www.theregister.co.uk/2009/07/25/microsoft_emergency_patches/">Article Link</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.liquidmatrix.org/blog/2009/07/24/microsoft-to-issue-two-emergency-patches-next-week/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Researchers Take Control Of Windows 7</title>
		<link>http://www.liquidmatrix.org/blog/2009/04/23/researchers-take-control-of-windows-7/</link>
		<comments>http://www.liquidmatrix.org/blog/2009/04/23/researchers-take-control-of-windows-7/#comments</comments>
		<pubDate>Thu, 23 Apr 2009 16:43:26 +0000</pubDate>
		<dc:creator>Dave Lewis</dc:creator>
				<category><![CDATA[Access Control]]></category>
		<category><![CDATA[OS Security]]></category>

		<guid isPermaLink="false">http://www.liquidmatrix.org/blog/?p=5939</guid>
		<description><![CDATA[
Security researchers have apparently devised a way to take over a Windows 7 system. 
Well, sort of&#8230;
From Network World:
Researchers Vipin Kumar and Nitin Kumar used proof-of-concept code they developed, called VBootkit 2.0, to take control of a Windows 7 virtual machine while it was booting up. They demonstrated how the software works at the conference.
&#8220;There&#8217;s [...]]]></description>
			<content:encoded><![CDATA[<p><center><img src="http://www.liquidmatrix.org/blog/wp-content/uploads/2009/04/almostfamous.png" alt="almostfamous" title="almostfamous" width="410" height="308" class="alignnone size-full wp-image-5940" /></center></p>
<p>Security researchers have apparently devised a way to take over a Windows 7 system. </p>
<p>Well, sort of&#8230;</p>
<p>From Network World:</p>
<blockquote><p>Researchers Vipin Kumar and Nitin Kumar used proof-of-concept code they developed, called VBootkit 2.0, to take control of a Windows 7 virtual machine while it was booting up. They demonstrated how the software works at the conference.</p>
<p>&#8220;There&#8217;s no fix for this. It cannot be fixed. It&#8217;s a design problem,&#8221; Vipin Kumar said, explaining the software exploits the Windows 7 assumption that the boot process is safe from attack. </p></blockquote>
<p>When I first read this I was smiling thinking wow, that&#8217;s cool. Until I read a little further on and noticed that in order for the attack to work there has to be physical access to the machine. This attack does not work remotely.</p>
<p>Not nearly as sexy as I first thought. Still it makes for some interesting reading.</p>
<p><a href="http://www.networkworld.com/news/2009/042309-researchers-show-how-to-take.html">Article Link</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.liquidmatrix.org/blog/2009/04/23/researchers-take-control-of-windows-7/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Tuesday, Bloody Tuesday&#8230;</title>
		<link>http://www.liquidmatrix.org/blog/2009/03/12/tuesday-bloody-tuesday/</link>
		<comments>http://www.liquidmatrix.org/blog/2009/03/12/tuesday-bloody-tuesday/#comments</comments>
		<pubDate>Thu, 12 Mar 2009 12:08:17 +0000</pubDate>
		<dc:creator>Matt Johansen</dc:creator>
				<category><![CDATA[Exploit]]></category>
		<category><![CDATA[OS Security]]></category>
		<category><![CDATA[Patches]]></category>
		<category><![CDATA[Vulnerability]]></category>

		<guid isPermaLink="false">http://www.liquidmatrix.org/blog/?p=5254</guid>
		<description><![CDATA[
Tuesday March 10th and it&#8217;s once again Patch Tuesday for all you Microsoft users. Yesterday&#8217;s release was a very straightforward and light load of fixes but spanned all supported versions of Windows. Some specific updates pushed out are MS09-006, MS09-007, and MS09-008. MS09-006 is an update for the Windows kernel vulnerability that is labeled critical [...]]]></description>
			<content:encoded><![CDATA[<p><center><img src="http://www.liquidmatrix.org/blog/wp-content/uploads/2009/03/tuesday5.jpg" alt="tuesday5" title="tuesday5" width="470" height="480" class="aligncenter size-full wp-image-5255" /></center></p>
<p>Tuesday March 10th and it&#8217;s once again Patch Tuesday for all you Microsoft users. Yesterday&#8217;s release was a very straightforward and light load of fixes but spanned all supported versions of Windows. Some specific updates pushed out are <a href="http://www.microsoft.com/technet/security/bulletin/MS09-006.mspx">MS09-006</a>, <a href="http://www.microsoft.com/technet/security/bulletin/MS09-007.mspx">MS09-007</a>, and <a href="http://www.microsoft.com/technet/security/bulletin/MS09-008.mspx">MS09-008</a>. MS09-006 is an update for the Windows kernel vulnerability that is labeled critical for Windows 2000 SP4 all the way up to Vista SP1. The other two updates fix vulnerabilities in SChannel and DNS/WINS Server respectively and are rated important for Windows 2000 SP4 up to XP SP3 and Server 2003. Other than that, the only things to look out for are the ordinary Malicious Software Removal Tool and Windows Mail spam filter. <a href="http://support.microsoft.com/?kbid=894199&amp;SD=tech">Full write up.</a></p>
<p>Possibly more interesting than that is the fact that Symantec and Adobe released updates on the same day under unusual circumstances.&nbsp; George Hulme has a good <a href="http://www.informationweek.com/blog/main/archives/2009/03/crazy_patch_tue.html">write up</a> of the situation that he posted this afternoon. To sum it up, Adobe has been working on a fix for their recent <a href="http://news.cnet.com/8301-1009_3-10168266-83.html">zero-day</a> and announced it would be released March 11th. They decided to release it yesterday, March 10th, which happened to be Patch Tuesday. They can be commended for getting it out early, but for most of those working in the trenches of operations it probably wasn&#8217;t appreciated.</p>
<p>On top of that, Symantec released a patch with the filename PIFTS.exe, which looks up the Symantec product and version on a system and reports it back. This report back happened not to be signed because of human error, and it sent up some firewall flares for most users. This must have been a Help Desk nightmare along with the Adobe issue on Patch Tuesday. It was not only a Help Desk problem: if users decided to search for what PIFTS.exe was on their own, it is reported that malicious sites recognized this and made their sites appear at the top of those searches. There is a good write up on the PIFTS.exe and malicious site issue at SC Magazine <a href="http://www.scmagazineus.com/Mystery-Symantec-PIFTSexe-message-exploited/article/128634/">here</a>.</p>
<p>This onslaught of patches and patch mishaps must have really affected a lot of companies big and small, as they had their time allotted for the Microsoft patches to be pushed. Anybody who works in operations and is part of the team responsible for patch management knows the trials of Patch Tuesday when that is the only issue to deal with. The fact that Adobe pushed their release up and Symantec had an inexcusable mistake all on the same day can really bring things down. Not only can this cause a headache for the people on the team responsible for pushing these patches, but if the team required more than one patch in the same day at 3 separate times, you are going to have some angry users who aren&#8217;t going to restart their machines for you. Heat will be felt all along the food chain, and $DEITY forbid if somebody clicked on a site taking advantage of the PIFTS.exe curiosity. Productivity won&#8217;t be the only issue that companies will have to deal with this Patch Tuesday, or for the rest of the week for that matter.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.liquidmatrix.org/blog/2009/03/12/tuesday-bloody-tuesday/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Windows 7 And Security</title>
		<link>http://www.liquidmatrix.org/blog/2009/01/16/windows-7-and-security/</link>
		<comments>http://www.liquidmatrix.org/blog/2009/01/16/windows-7-and-security/#comments</comments>
		<pubDate>Fri, 16 Jan 2009 13:01:19 +0000</pubDate>
		<dc:creator>Dave Lewis</dc:creator>
				<category><![CDATA[OS Security]]></category>

		<guid isPermaLink="false">http://www.liquidmatrix.org/blog/?p=4436</guid>
		<description><![CDATA[
Trying out Windows 7? Surprises this time around include several antimalware vendors being ready to roll with support for the new operating system. This is a stark contrast to the release of Windows Vista when only McAfee was ready to support the now ill-fated system. 
Ina Fried has a nice write up over on CNET.
From [...]]]></description>
			<content:encoded><![CDATA[<p><center><img src="http://www.liquidmatrix.org/blog/wp-content/uploads/2009/01/windows-7.jpg" /></center></p>
<p>Trying out Windows 7? Surprises this time around include several antimalware vendors being ready to roll with support for the new operating system. This is a stark contrast to the release of Windows Vista when only McAfee was ready to support the now ill-fated system. </p>
<p>Ina Fried has a nice write up over on CNET.</p>
<p>From CNET:</p>
<blockquote><p>This time around, it is AVG, Kaspersky, and Symantec that have products that are being touted from Microsoft&#8217;s site. McAfee said it will have support by the time Windows 7 launches, while Trend Micro is working to have a compatible product in the next month or so.</p>
<p>&#8220;It is great to see that these partners were able to have their solutions working so early in our development process,&#8221; Microsoft&#8217;s Brandon LeBlanc said in a blog posting.</p>
<p>Dave Cole, a senior director of product management at Symantec, said his company decided to offer up a test version of its Norton 360 product for use with Windows 7, even though the company knows there are still a few things left to work out. </p></blockquote>
<p>Sounds like there is in fact hope (don&#8217;t make me eat my words) for security being addressed by inclusion of security vendors with the latest offering from Microsoft. As for the vendors, well, Symantec added this:</p>
<blockquote><p>&#8220;We determined that we could run reasonably well under Windows 7,&#8221; Cole said. &#8220;There are bugs that we know about, but we&#8217;re comfortable enough with the effectiveness of the product that when they called us to participate we took them up on the offer.&#8221; </p></blockquote>
<p>It&#8217;s only a beta release, it&#8217;s only a beta release, there is no spoon.</p>
<p>Read on.</p>
<p><a href="http://news.cnet.com/8301-13860_3-10143466-56.html?subj=news&amp;tag=2547-1009_3-0-20">Article Link</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.liquidmatrix.org/blog/2009/01/16/windows-7-and-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Windows 3.x Has Left The Building</title>
		<link>http://www.liquidmatrix.org/blog/2008/11/05/windows-3x-has-left-the-building/</link>
		<comments>http://www.liquidmatrix.org/blog/2008/11/05/windows-3x-has-left-the-building/#comments</comments>
		<pubDate>Wed, 05 Nov 2008 15:59:58 +0000</pubDate>
		<dc:creator>Dave Lewis</dc:creator>
				<category><![CDATA[OS Security]]></category>
		<category><![CDATA[Vendor News]]></category>

		<guid isPermaLink="false">http://www.liquidmatrix.org/blog/?p=4009</guid>
		<description><![CDATA[
Wait, what?
I almost fell over when I learned this morning that Microsoft was still issuing licenses and providing support for Windows 3.x until November 1, 2008. This OS, for those playing the home game, is 18 years old. Time to kick the kid out of the house. 
From BBC News:
Microsoft maintained support for Windows 3.x until [...]]]></description>
			<content:encoded><![CDATA[<p><center><img src="http://www.liquidmatrix.org/blog/wp-content/uploads/2008/11/windows-old-logo.jpg" /></center></p>
<p>Wait, what?</p>
<p>I almost fell over when I learned this morning that Microsoft was still issuing licenses and providing support for Windows 3.x until November 1, 2008. This OS, for those playing the home game, is 18 years old. Time to kick the kid out of the house. </p>
<p>From BBC News:</p>
<blockquote><p>Microsoft maintained support for Windows 3.x until the end of 2001, and it has lived on as an embedded operating system until 1 November 2008. </p>
<p>As an embedded system, it was used to power such things as cash tills in large stores and ticketing systems.</p>
<p>One of its more glamorous uses as an embedded operating system is to power the in-flight entertainment systems on some Virgin and Qantas long-haul jets. </p></blockquote>
<p>Not to mention the fact that I have seen this OS installed on numerous gate computers in airports.</p>
<p>Well, the long running movie has come to the credit reel. Read on for the full story.</p>
<p><a href="http://news.bbc.co.uk/2/hi/technology/7707016.stm">Article Link</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.liquidmatrix.org/blog/2008/11/05/windows-3x-has-left-the-building/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Top 10 Worst Uses for Windows</title>
		<link>http://www.liquidmatrix.org/blog/2008/07/08/top-10-worst-uses-for-windows/</link>
		<comments>http://www.liquidmatrix.org/blog/2008/07/08/top-10-worst-uses-for-windows/#comments</comments>
		<pubDate>Tue, 08 Jul 2008 12:20:22 +0000</pubDate>
		<dc:creator>Dave Lewis</dc:creator>
				<category><![CDATA[OS Security]]></category>

		<guid isPermaLink="false">http://www.liquidmatrix.org/blog/2008/07/08/top-10-worst-uses-for-windows/</guid>
		<description><![CDATA[We all love top ten lists. Face it. David Letterman has infected the blood stream. Well, Richard Stiennon has a great piece over on Network World about the top ten worst uses for Windows. 
From Network World:
After all these years I am willing to admit that Microsoft has won the desktop and server wars.  [...]]]></description>
			<content:encoded><![CDATA[<p>We all love top ten lists. Face it. David Letterman has infected the blood stream. Well, Richard Stiennon has a great piece over on Network World about the top ten worst uses for Windows. </p>
<p>From Network World:</p>
<blockquote><p>After all these years I am willing to admit that Microsoft has won the desktop and server wars.  Thanks to VMWare Windows is spreading throughout the datacenter.  And, of course, there is only one operating system to use if you are dependent on Microsoft apps like Outlook, Word, and Excel.  While I have joined the chorus of security folks who rail against the Microsoft Monoculture I still cannot believe some of the uses for Windows. Some of them are just downright silly, some you may claim are criminally negligent. </p>
<p>So here is the Top Ten List of Worst Uses for Windows:</p></blockquote>
<p>I would respectfully argue that the war isn&#8217;t over. Why? One word, Vista. Microsoft has declared war on itself from within.</p>
<p>I noticed that Richard still thinks that <a href="http://en.wikipedia.org/wiki/SCADA">SCADA</a> is a protocol. That being said, I am glad to see in number 10 he touches on a subject that I believe to be a real and growing problem.</p>
<p>For the list follow the link.</p>
<p><a href="http://www.networkworld.com/community/node/29644">Article Link</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.liquidmatrix.org/blog/2008/07/08/top-10-worst-uses-for-windows/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>New Strategy, Blame The Users</title>
		<link>http://www.liquidmatrix.org/blog/2008/05/18/new-strategy-blame-the-users/</link>
		<comments>http://www.liquidmatrix.org/blog/2008/05/18/new-strategy-blame-the-users/#comments</comments>
		<pubDate>Mon, 19 May 2008 02:02:51 +0000</pubDate>
		<dc:creator>Dave Lewis</dc:creator>
				<category><![CDATA[Malware]]></category>
		<category><![CDATA[OS Security]]></category>

		<guid isPermaLink="false">http://www.liquidmatrix.org/blog/?p=3075</guid>
		<description><![CDATA[
Ah, Microsoft. You&#8217;ve been relatively good lately. Then, I read this passage over on ZDNet UK.
Software giant Microsoft has claimed user &#8220;complacency&#8221; is to blame for malware infections, and denied that its Vista operating system is less secure than Windows 2000.
While I would agree that user education leaves a LOT to be desired this is [...]]]></description>
			<content:encoded><![CDATA[<p><center><img src="http://www.liquidmatrix.org/blog/wp-content/uploads/2008/05/blame.png" alt="blame" title="blame" width="400" height="335" /></center></p>
<p>Ah, Microsoft. You&#8217;ve been relatively good lately. Then, I read this passage over on ZDNet UK.</p>
<blockquote><p>Software giant Microsoft has claimed user &#8220;complacency&#8221; is to blame for malware infections, and denied that its Vista operating system is less secure than Windows 2000.</p></blockquote>
<p>While I would agree that user education leaves a <b><i>LOT</i></b> to be desired this is hardly a way out. And a quote from Simon Clausen,</p>
<blockquote><p>&#8220;Ironically, the new operating system has been hailed by Microsoft as the most secure version of Windows to date,&#8221; said Simon Clausen, the chief executive of PC Tools last week. &#8220;However, recent research conducted with statistics from over 1.4 million computers within the ThreatFire community has shown that Windows Vista is more susceptible to malware than the eight-year-old Windows 2000 operating system, and only 37 percent more secure than Windows XP,&#8221; Clausen said.</p></blockquote>
<p>Of course Microsoft had to hit back at that one. They&#8217;d be remiss if they didn&#8217;t react. But, to lay the blame on the users? Sure they help the spread but, not the initial infection. That would be bad code no? Then of course the article has the routine &#8220;he said, he said&#8221; exchange. We the people will stipulate that every OS has its share of problems. Agreed. The greater the distribution of a platform, the greater the bull&#8217;s eye painted on it. </p>
<p>It&#8217;s not rocket science. </p>
<p>Then again the average monthly percentage of Vista users that we have here on Liquidmatrix is 6%. Coming in squarely behind XP, Mac and Linux. </p>
<p>The article puts Windows 2000 security ahead of Vista. Ouch, that&#8217;s gotta sting for a &#8220;<a href="http://seattlepi.nwsource.com/business/359541_msftmvp18.html">work in progress</a>&#8221;. So, how long until Microsoft does itself a favour and gives Ballmer his walking papers? His comments and bluster remind me of&#8230;of&#8230;</p>
<p>Oh yeah. </p>
<p>This guy.</p>
<p><center><img src="http://www.liquidmatrix.org/blog/wp-content/uploads/2008/05/bush_eating_kitten.jpg" alt="Bush eating a kitten" title="bush_eating_kitten" width="350" height="301" /></center></p>
<p><a href="http://news.zdnet.co.uk/software/0,1000000121,39418108,00.htm?r=1">Article Link</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.liquidmatrix.org/blog/2008/05/18/new-strategy-blame-the-users/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Hacker Torpedos Windows Server 2008 Security Design</title>
		<link>http://www.liquidmatrix.org/blog/2008/03/27/hacker-torpedos-windows-server-2008-security-design/</link>
		<comments>http://www.liquidmatrix.org/blog/2008/03/27/hacker-torpedos-windows-server-2008-security-design/#comments</comments>
		<pubDate>Thu, 27 Mar 2008 17:57:46 +0000</pubDate>
		<dc:creator>Dave Lewis</dc:creator>
				<category><![CDATA[OS Security]]></category>
		<category><![CDATA[Vulnerability]]></category>
		<category><![CDATA[HITB]]></category>
		<category><![CDATA[Windows 2008]]></category>
		<category><![CDATA[Windows 2008 Security]]></category>

		<guid isPermaLink="false">http://www.liquidmatrix.org/blog/2008/03/27/hacker-torpedos-windows-server-2008-security-design/</guid>
		<description><![CDATA[
I can&#8217;t say that I&#8217;m overly surprised. I had loaded up a copy of 2008 that I received at Black Hat last year into a virtual machine. I poked around in it for a couple minutes and shut it down. I just didn&#8217;t have the stomach to deal with it at the time. Well, it [...]]]></description>
			<content:encoded><![CDATA[<p><center><img src='http://www.liquidmatrix.org/blog/wp-content/uploads/2008/03/2008.png' alt='2008.png' /></center></p>
<p>I can&#8217;t say that I&#8217;m overly surprised. I had loaded up a copy of 2008 that I received at Black Hat last year into a virtual machine. I poked around in it for a couple minutes and shut it down. I just didn&#8217;t have the stomach to deal with it at the time. Well, it appears that others had the intestinal fortitude that I was sorely lacking. </p>
<p>From eWeek:</p>
<blockquote><p>Cesar Cerrudo, founder and CEO of Argeniss Information Security, in Parana, Argentina, says the weaknesses could lead to privilege escalation attacks opens the door for a skilled hacker to take complete control of the operating system.</p>
<p>&#8220;[We found] from design issues that were not identified by Microsoft engineers during the Security Development Lifecycle (SDL), and allows accounts commonly used by Windows services &#8212; NETWORK SERVICE and LOCAL SERVICE &#8212; to bypass new Windows services protection mechanisms and elevate privileges, Cerrudo explained.</p>
<p>He said the discovery also affects Internet Information Services 7 in the default configuration, allowing ASP.NET applications to &#8220;completely compromise&#8221; operating system security.</p>
<p>Cerrudo, a security researcher who is highly regarded for his work on database security, said the problem also affects Windows Vista, Windows XP and Windows 2003.</p>
<p>&#8220;On Windows XP and Windows 2003 the problem is especially severe since any Windows service, even when running under a low privileged account, can potentially break through the security protections and fully compromise the operating system. This includes all web applications deployed on Internet Information Services 6,&#8221; he added.</p></blockquote>
<p>He&#8217;ll be releasing details of his fun with Windows at <a href="http://conference.hitb.org/hitbsecconf2008dubai/">HITB 2008 Dubai</a>. </p>
<p><a href="http://www.eweek.com/c/a/Security/Hacker-Pours-Cold-Water-on-Windows-Server-2008-Security-Design/">Article Link</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.liquidmatrix.org/blog/2008/03/27/hacker-torpedos-windows-server-2008-security-design/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Vista Is Patch For XP Security Risk</title>
		<link>http://www.liquidmatrix.org/blog/2007/12/10/vista-is-patch-for-xp-security-risk/</link>
		<comments>http://www.liquidmatrix.org/blog/2007/12/10/vista-is-patch-for-xp-security-risk/#comments</comments>
		<pubDate>Mon, 10 Dec 2007 21:46:46 +0000</pubDate>
		<dc:creator>Dave Lewis</dc:creator>
				<category><![CDATA[How To]]></category>
		<category><![CDATA[OS Security]]></category>

		<guid isPermaLink="false">http://www.liquidmatrix.org/blog/2007/12/10/vista-is-patch-for-xp-security-risk/</guid>
		<description><![CDATA[
Apparently, Microsoft feels it necessary to provide a primer on why/how IT managers should upgrade to Vista. I guess this means that Vista must be worse on sales than was initially ballyhooed.  Circling the bowl like Britney&#8217;s career? 
The primer that I mention, entitled &#8220;How to Justify a Desktop Upgrade&#8221;, appears on a web [...]]]></description>
			<content:encoded><![CDATA[<p><center><img src='http://www.liquidmatrix.org/blog/wp-content/uploads/2007/12/carsales.jpg' alt='carsales.jpg' /></center></p>
<p>Apparently, Microsoft feels it necessary to provide a primer on why/how IT managers should upgrade to Vista. I guess this means that Vista must be worse on sales than was initially ballyhooed.  Circling the bowl like <a href="http://www.stuff.co.nz/4318771a1860.html">Britney&#8217;s career</a>? </p>
<p>The primer that I mention, entitled &#8220;How to Justify a Desktop Upgrade&#8221;, appears on a web page found on their <a href="http://www.microsoft.com/canada/">Microsoft Canada</a> website (via <a href="http://slashdot.org/articles/07/12/10/1327208.shtml">Slashdot</a>) which says,</p>
<blockquote><p>“The problems with positioning upgrades is that, from a user perspective, the changes may not seem significant. But from an administrative perspective, some of the security features are huge,” he said.</p>
<p>“So, as an IT person, who is responsible for the security of the company from viruses and for making sure that everyone is safe, there are many features in Windows Vista that I like. It does a great job of keeping people from being able to browse certain sites. It protects from viruses, because there are a lot more things that will get locked down, and the lock down tends to be tighter. You have a tougher time having things happen accidentally. Probably the biggest hassle from a security perspective [with past technologies] is that users tended to run as administrators. In Vista, that’s not the default anymore.”</p></blockquote>
<p>OK, so this is a patch for XP then? Is that the rationale? The article goes on to outline how XP is more expensive to run than Vista. Hmm, hardware upgrades must have come down in price and I missed it (yes, I&#8217;m being sarcastic). </p>
<p>I love this closing line from the document:</p>
<blockquote><p>“The increase in security – the inability for users to just simply install stuff, means that you are decreasing the amount of reactive tasks that an administrator has to perform,” said Johnson. “This allows him to become proactive in all things you want in your company.”</p></blockquote>
<p>Wow, I guess it&#8217;s time to upgrade&#8230;yes, more sarcasm. </p>
<p>This just tells me that Linux/<a href="http://www.macworld.com/news/2007/12/10/dutch/index.php">Mac</a> are beating Microsoft&#8217;s brains into the floor. No great shock there. I can only hope that the folks in Redmond spend a little less time with their Google fixation and get down to brass tacks.</p>
<p><a href="http://www.microsoft.com/canada/midsizebusiness/businessvalue/local/desktopupgrade.mspx">Article Link</a></p>
<p>In case the page mysteriously vanishes in the night here is a .<a href="http://downloads.liquidmatrix.org/How to Justify a Desktop Upgrade.pdf">pdf</a> of the original. </p>
]]></content:encoded>
			<wfw:commentRss>http://www.liquidmatrix.org/blog/2007/12/10/vista-is-patch-for-xp-security-risk/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Researchers: Vista SP1 Is A Stinker</title>
		<link>http://www.liquidmatrix.org/blog/2007/11/24/researchers-vista-sp1-is-a-stinker/</link>
		<comments>http://www.liquidmatrix.org/blog/2007/11/24/researchers-vista-sp1-is-a-stinker/#comments</comments>
		<pubDate>Sun, 25 Nov 2007 01:20:43 +0000</pubDate>
		<dc:creator>Dave Lewis</dc:creator>
				<category><![CDATA[OS Security]]></category>
		<category><![CDATA[Patches]]></category>

		<guid isPermaLink="false">http://www.liquidmatrix.org/blog/2007/11/24/researchers-vista-sp1-is-a-stinker/</guid>
		<description><![CDATA[
Windows Vista has been underwhelming folks since it left the dock. This OS smells like a load of dead fish. OK, a touch much. I had decided to give it a fair shake. I have a computer running Vista in my lab and I have been forcing myself using it off and on now for [...]]]></description>
			<content:encoded><![CDATA[<p><center><img src='http://www.liquidmatrix.org/blog/wp-content/uploads/2007/11/pg.jpg' alt='pg.jpg' /></center></p>
<p>Windows Vista has been underwhelming folks since it left the dock. This OS smells like a load of dead fish. OK, a touch much. I had decided to give it a fair shake. I have a computer running Vista in my lab and I have been <strike>forcing myself</strike> using it off and on now for months. I just can&#8217;t take it anymore. The security approach is nutty. Death by a thousand pop ups. And, to be honest I find Linux and Mac OS X far more user friendly.</p>
<p>That being said, the news isn&#8217;t any more positive for the SP1. </p>
<p>From PC World New Zealand:</p>
<blockquote><p>Devil Mountain ran its DMS Clarity Studio framework on a laptop Barth described as a &#8220;barn burner&#8221; &#8212; dual-core processor, dedicated graphics, and either 1GB or 2GB of memory &#8212; to compare performance of the SP1 release candidate that Microsoft released last week with the RTM version that hit general distribution last January. The Vista RTM was not updated with any of the bug fixes, patches or performance packs that Microsoft has pushed through Windows Update since the operating system&#8217;s debut.</p>
<p>&#8220;One gigabyte, 2GB [of memory], it didn&#8217;t make a difference,&#8221; said Barth. &#8220;SP1 was never more than 1% or 2% faster.&#8221;</p>
<p>The difference between Vista RTM and SP1 on Devil Mountain&#8217;s Microsoft Office-based test script was &#8220;statistically insignificant,&#8221; Barth said, while a multitasking test panel produced results for SP1 less than 1% faster than RTM.</p>
<p>&#8220;Our goal wasn&#8217;t to bash Vista,&#8221; said Barth. &#8220;We&#8217;ve been doing this for a while, we know how to do it, and we tried to be as clinical as possible. But SP1 is not going to be a panacea for any performance problems users have with Vista. If you&#8217;ve been disappointed with the performance of Windows Vista, you&#8217;re not going to be any happier with SP1.&#8221;</p></blockquote>
<p>May not have been the goal. But, it was always a possible outcome. Bad luck that.</p>
<p><a href="http://pcworld.co.nz/pcworld/pcw.nsf/feature/1FE803ADF0486D06CC2573990069A75D">Article Link</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.liquidmatrix.org/blog/2007/11/24/researchers-vista-sp1-is-a-stinker/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
