Tuesday 31 December 2013

Non-Microsoft Patch for Unsupported MS Systems Against VML Exploit


As this blog post was possible because of information from Freedomlist, it is only appropriate that the image accompanying it also be from Freedomlist. The original image is worth checking out: see long-time Freedomlist member Curious John's original image of his favorite wild persimmon tree.

~~~~~~~~~~~~~~~
Ordinarily, I do not recommend using a patch for a Microsoft operating system that was not created and tested by Microsoft. The reason is that Microsoft has tremendous resources for testing in countless environments that others do not have available. Even then, there is no way for Microsoft to test every possible configuration or software interaction. In this instance, however, I decided it is a good idea to at least let readers know that this particular unofficial patch is available.

As background, on September 26, 2006, Microsoft released Security Bulletin MS06-055 as a critical update. The update fixes a security issue in the way Vector Markup Language (VML) is handled that could allow an attacker to compromise a computer running Microsoft Windows and gain control over it. The problem is that a fairly large number of Windows installations still in use have reached the end of the support life cycle during which Microsoft provides updates. (Life-cycle information for all Microsoft software, games, tools and hardware is available in Product Life Cycle, which Microsoft reviews and updates regularly.)

ZERT (Zeroday Emergency Response Team) created a patch against the VML exploit for Windows 9x, ME, 2000 (up to SP3) and XP systems that have not been updated to SP1, SP1a or SP2.
Hat Tip to "Lost" at Freedomlist for the link to c|net News in "Security pros patch older Windows versions", By Joris Evers which reports:
"The vulnerability, first reported last week, lies in a Windows component called "vgx.dll." This component supports Vector Markup Language (VML) graphics in the operating system. Malicious software can be loaded, unbeknownst to the user, onto a vulnerable PC when the user clicks on a malicious link on a Web site or an e-mail message."
Of course, the standard warnings apply: keep antivirus software updated, use caution when browsing the Internet, and do not click on a link in an e-mail from an untrusted source. If you still do not feel your computer is secure, check whether your version of the operating system has been tested; see ZERT's Libraries Tested.
Here are the instructions for those downloading the file for the older computers, by Plodr:
  1. Grab the download from here: http://isotf.org/zert/download.htm
  2. Unzip it and you'll get a ZPatch folder. Make sure you close IE and OE before you try to apply the patch.
  3. Click on the ZVGPatcher.exe which brings up a window
  4. Click on patch and close the window
  5. Open IE and go to http://www.isotf.org/zert/testvml.htm

As Plodr also noted:
"If IE crashes, then you are not patched. Believe me, I've had my share of crashes in the last several days until I got both 98SEs and ME patched."
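
As an added illustration (my own example, not ZERT's code and not from the c|net article), here is a small Python triage script that tells you whether a saved web page or HTML e-mail body would make Internet Explorer load VML, and therefore vgx.dll, at all. It does not detect the MS06-055 flaw itself, which nothing above describes; the 256-character attribute threshold and the sample documents are assumptions constructed for the example. One thing worth knowing: Office-generated HTML tucks VML inside conditional comments, which IE renders but an ordinary HTML parser skips, so the scanner re-parses those comment bodies.

```python
"""Triage: does an HTML page or HTML e-mail body make IE load VML (vgx.dll)?

Added example for this post, not ZERT's or Microsoft's code. It does not
detect the MS06-055 bug itself (the post does not describe it); it reports
whether a document uses VML at all and, as a generic heuristic for an
analyst to eyeball, flags unusually long attribute values in VML elements.
The 256-character threshold is an assumption, not a known trigger size.
"""
import re
from html.parser import HTMLParser

VML_NS = "urn:schemas-microsoft-com:vml"
LONG_ATTR = 256
# IE renders the body of a downlevel-hidden conditional comment, so VML
# inside <!--[if gte vml 1]> ... <![endif]--> still loads; a parser that
# skips comments would miss it.
_COND = re.compile(r"^\s*\[if[^\]]*\]>(.*?)<!\[endif\]\s*$", re.I | re.S)


class VmlScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.ns_declared = False
        self.prefixes = {"v"}      # conventional prefix; more come from xmlns:* attributes
        self.elements = []         # (tag, longest attribute value length)
        self.text = []             # text nodes, including <style> content
        self.hidden_markup = []    # conditional-comment bodies, parsed afterwards

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.startswith("xmlns:") and (value or "").strip().lower() == VML_NS:
                self.ns_declared = True
                self.prefixes.add(name.split(":", 1)[1])
        prefix, colon, _ = tag.partition(":")
        if colon and prefix in self.prefixes:
            longest = max((len(v or "") for _, v in attrs), default=0)
            self.elements.append((tag, longest))

    def handle_data(self, data):
        self.text.append(data)

    def handle_comment(self, data):
        m = _COND.match(data)
        if m:
            self.hidden_markup.append(m.group(1))


def scan_for_vml(document: str, long_attr: int = LONG_ATTR) -> dict:
    elements, text, ns_declared = [], [], False
    pending = [document]
    while pending:                 # the document first, then each conditional-comment body
        p = VmlScanner()
        p.feed(pending.pop())
        p.close()
        elements += p.elements
        text += p.text
        ns_declared = ns_declared or p.ns_declared
        pending += p.hidden_markup
    css = "".join(text).lower().replace(" ", "")
    behavior_css = "behavior:url(#default#vml)" in css
    return {
        "uses_vml": ns_declared or behavior_css or bool(elements),
        "ns_declared": ns_declared,
        "behavior_css": behavior_css,
        "element_count": len(elements),
        "long_attribute_elements": [(t, n) for t, n in elements if n >= long_attr],
    }


# Constructed samples, not captured exploit pages.
PLAIN_DOC = "<html><body><p>Year-end report</p><img src='chart.png'></body></html>"
VML_DOC = (
    '<html xmlns:v="urn:schemas-microsoft-com:vml"><head>'
    "<style>v\\:* { behavior: url(#default#VML); }</style></head><body>"
    '<v:rect style="width:100px;height:50px" fillcolor="red">'
    '<v:fill type="solid" style="' + "A" * 600 + '"/>'
    "</v:rect></body></html>"
)
COND_DOC = ('<html><body><p>hello</p><!--[if gte vml 1]>'
            '<v:oval style="width:10pt;height:10pt"/><![endif]--></body></html>')

if __name__ == "__main__":
    for label, doc in [("plain", PLAIN_DOC), ("vml", VML_DOC), ("conditional", COND_DOC)]:
        print(label, scan_for_vml(doc))
```

Run it on the saved page or message before opening it in an unpatched IE. If it reports VML on one of the unsupported systems listed above, the choice is the ZERT patch or simply not opening the file.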

ewido anti-spyware 4.0 Now AVG Anti-Spyware 7.5


One of the most popular tools used in the anti-malware community to help users clean their computers of trojans, worms, dialers, hijackers, spyware and keyloggers is ewido. When ewido became part of the Grisoft family, no one was sure what to expect.
As the leaves change colors in the autumn, so it appears is ewido changing. However, this change looks to be for the good. The first is a name change. The product is no longer known as ewido anti-spyware. The announced name change is AVG Anti-Spyware 7.5.
ewido anti-spyware 4.0 will now continue under the new product name AVG Anti-Spyware 7.5. AVG Anti-Spyware 7.5 contains the same ewido technology, but with some further enhanced features:

Highly improved cleaning
Lower resource usage
Additional languages supported

All current licenses for ewido anti-spyware 4.0 will continue to be valid, and users can change over to the new AVG Anti-Spyware 7.5 for free.

Features of AVG Anti-Spyware

NEW Completely renewed user interface
NEW Possibility to create exceptions
NEW Shredder for secure file deletion
NEW XP Antispy
NEW BHO Viewer
NEW LSP Viewer
Heuristics to detect unknown threats
Scanning and cleaning of the Windows registry
Support for NTFS-ADS scanning
Daily database updates
Patch proof by using strong signatures
Analysis tools (startup, connections and processes)
Intelligent online-update
Scan inside archives
Secure detection and deletion of DLL-Trojans
Generic crypter detection through emulation
Generic binder detection
Free E-Mail Support
Automatic Clean Engine
Quarantine for suspicious files
Multilingual User Interface

Additional features of the Plus-Version

NEW Scheduled scans
Real-time monitoring of the entire system
Memory Scan detects active threats
Self-protection at kernel layer guarantees gapless monitoring
Automatic online-update

Witness a VirusBurst Type Rogue Takeover


Just as this ivy is taking over the garden wall, so will a browser hijack take over your computer.
There has been a lot of press about VirusBurst, VirusBurster, MediaCodec, WinMediaCodec, X Password Generator, strCodec, pCodec and other rogue installations. (Instructions for removal are here.) If you have been fortunate enough not to have experienced this on your computer, you can see what it looks like: the folks over at SiteAdvisor have made a video on spyware called "Spyware Rubbernecking". You can see it here.
After watching the video, remember the repeated advice: Make sure your computer has all the latest Microsoft Updates (see Notes below). Keep your antivirus software updated and use caution when browsing the Internet. Do not click on a link in an e-mail from an untrusted source.

Advance Notice Microsoft Security Bulletin


On Tuesday, October 10, Microsoft will release the Security Updates listed below. In addition, it will be the last update for XP SP1 and SP1a. The details are here.

The following suggestions on what you can do before “Patch Tuesday” are from Calendar of Updates:

  • Undo any third-party work-around, or any work-around you applied yourself, on the affected system or on the Windows components that are going to be patched
  • Create a backup of your good system (see also: System Back-up) and/or ensure that the System Restore service is enabled, actually running, working, not corrupted and in a good state. Note: System Restore is available in the Windows Millennium (Me) and Windows XP (Home and Professional) operating systems.

To check whether System Restore is enabled and actually running:
  • Click Start > Run, type services.msc and click OK
  • Locate System Restore Service in the list of services and verify that the status is “Started”.
Note: You may also access the Services Console by going to Control Panel>Performance and Maintenance>Administrative Tools>Services.
Microsoft TechNet has complete details of today's Microsoft Security Bulletin Advance Notification for the updates that Microsoft is planning to release on 10 October 2006.

=================================================
Security Updates
=================================================

• Six Microsoft Security Bulletins affecting Microsoft Windows. The highest Maximum Severity rating for these is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer and the Enterprise Scan Tool (EST). Some of these updates will require a restart.

• Four Microsoft Security Bulletins affecting Microsoft Office. The highest Maximum Severity rating for these is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer. These updates may require a restart.

• One Microsoft Security Bulletin affecting Microsoft .NET Framework. The highest Maximum Severity rating for this is Moderate. These updates will be detectable using the Microsoft Baseline Security Analyzer and the Enterprise Scan Tool. These updates may require a restart.

Mozilla Releases Firefox 2 Release Candidate 2


While the temperature in my area reached the low 30's last night, the folks at Mozilla were uploading Release Candidate 2 (RC2) to the servers. Should you decide to give it a test run, please keep in mind that an RC is not final and bugs and incompatibilities may exist with installed extensions.
For enhancements and changes to Firefox 2 RC2, see the Release Notes. Please read the Installation Instructions. I also recommend backing up your profile, bookmarks and cookies before installing a new version, as well as creating a restore point if using Microsoft XP.
Also released for testing is Firefox Portable 2.0 Release Candidate 2. Firefox Portable can be run from a USB flash drive, iPod, portable hard drive, CD, etc and used on any computer. It can also be run from a local hard drive or your desktop. This would be a handy way to test Firefox 2 RC2 without affecting the version installed on your computer.

Microsoft Apparently Rescinds MVP Award

It certainly has been an interesting week. It began with the sharing of the excitement and thrill of the newly awarded and re-awarded Microsoft MVPs. Shortly thereafter, everything seemed to go on a downward spiral over the awarding of MVP to the developer of Messenger Plus!.
Messenger Plus! in and of itself is a well-designed add-on to Messenger. The problem the members of the security community (myself included) have is with the "optional" sponsor program. Unfortunately, that sponsorship leads to some not-so-pretty additions. It has been well documented what the results are when accepting the sponsor install with Messenger Plus! so I won't go into that here.
The understandable argument is that the sponsorship itself does not need to be accepted in order to install the software. Although this is true, Messenger Plus! is unfortunately extremely popular with teens and preteens. With adults known not to read (and freely admitting to not understanding) EULAs (end user license agreements), how would 11-17 year-olds be expected to do so? In addition, those under 18 are anxious to install the software that their friends have on their computers. Taking it a step further, accepting sponsorship (read: advertisements) is certainly not the same as the actual end result.

Would those involved in the MVP selection process even realize the severity of the effects of the documented sponsorship? Not likely, as they are adults who are familiar with EULAs and would not have been checking the sponsorship box. Remember, Microsoft is a huge corporation with multiple disciplines.

Did this, and perhaps other information that we have no way of knowing about, result in a mistake being made by Microsoft? It appears so, at least based on the apparent necessity for Sandi and Paperghost to post, respectively, "The saga of Patchou and his short lived MVP award" and "Caught in a Crossfire Hurricane", with links to a msghelp.net forum thread entitled "Patchou Lost MVP Status :(". (Note: Registration is required to access the referenced link at msghelp.) Sadly, those supporting Patchou have resorted to mud-slinging and bad-mouthing others.

Edit Note: The thread at msghelp.net has apparently been deleted (or relocated to a private location since portions of it have been quoted elsewhere.) A better action would have been moderating the foul language and locking the thread.


A new week has begun. I hope that the turmoil of the past week can be put behind us.

9SEP06 Update Note: The following was reported at Microsoft Informer:
"Cyril Paciullo was awarded with MVP status this year on the basis of his technical expertise and strong community contribution. However, his active MVP Award status was revoked as soon as the extent of the connection between his application and spyware was made apparent to the MVP Program," the company said in a statement.
It was published at Mess.be (which I understand is the official site for Messenger Plus!):
dwergs says:

When Patchou last week proudly announced his freshly acquired Most Valuable Professional (MVP) status, the news spurred so much criticism from fellow MVPs and security experts that Microsoft decided to take back the award on Friday. The whos, whats and whys can be found eg. here and here.
It needs to be clearly understood that the Microsoft MVP Program is wholly managed by Microsoft, not the MVPs. There are approximately 2600 MVPs worldwide. Out of those 2600 MVPs only about 145 are Windows Security MVPs. I hardly think that small a minority could have such an effect.

Suzi Turner posted an excellent summary and reflection of my opinion in "MVP awards, Messenger Plus! and adware -- a good combination?" at ZDNet.

Preparing for and Installing IE7

Background

IE7 is scheduled for release on October 18 and will be delivered via Automatic Updates:
"Automatic Updates will notify all such users (including those with Automatic Updates configured to automatically download and install updates) when Internet Explorer 7 has been downloaded and is ready to install."
John Hrvatin, Program Manager, wrote that most people have not had any problems with the installation of IE7 but, particularly due to the wide variety of anti-malware applications, explained why it is recommended that anti-virus and anti-malware applications be disabled when installing IE7. He provided some excellent advice. However, in my opinion, his advice falls a bit short of the mark. Let's start with what Mr. Hrvatin posted in the IE Blog in "IE7 Installation and Anti-Malware Applications":
"A few people have asked why we recommend temporarily disabling anti-virus or anti-spyware applications (which I’ll refer to together as anti-malware) prior to installing IE7, so here’s a little insight to the situation.
Along with copying IE7 files to your system, IE7’s setup writes a large number of registry keys. A common way anti-malware applications protect your computer is by preventing writes to certain registry keys used by IE. Any registry key write that fails during setup will cause setup to fail and rollback changes. We work around the problem in most instances by checking permissions at the beginning of setup, but many anti-malware programs monitor the key rather than change permissions. Therefore, setup thinks it has access when it starts, but then fails when it later attempts to write the key."
There you have it. On one hand, Mr. Hrvatin is recommending disabling anti-virus and anti-malware software, but, as I emphasized in the quote above, Automatic Updates will have IE7 already downloaded to your computer and ready to install. So, before clicking "Install" a couple of extra steps are necessary.

Although directed toward corporate and small business users, the IE Team has made available tools for testing application compatibility, extensions, and the like. Additional information and links to the tools can be found in the IE Blog in "IE7 Is Coming This Month . . . Are You Ready".
I suggest you print or copy the instructions below so you will know what to do before clicking the Install option when you are presented with the following:
http://www.microsoft.com/library/media/1033/technet/images/updatemanagement/windowsupdate/screen3_big.jpg

Preparation
When presented with the above image, IE7 will already be downloaded to the computer. Following are my recommendations before clicking "Install".

1. Disconnect from the Internet and save any work and close all open programs.

2. Disable your anti-virus software and your software firewall.

3. Create a restore point.
Before installing any software, it is wise to create a restore point. Creating a restore point is easy to do. Just follow these steps:
  • Click on the following: Start > All Programs > Accessories > System Tools > System Restore
  • On the next window that opens, select the option to "Create Restore Point"
  • Click Next. In the next window that opens, type in a description that you will remember.
  • Choose "Create" and then close System Restore.
4. Disable real-time protection
As recommended by Mr. Hrvatin, the next step is to disable real-time protection afforded by any anti-malware applications on your computer. The list is quite long so the main thing to remember is if during or after installation of IE7 you are prompted by the real-time protection software on your computer whether to allow or disallow the changes to the registry, it is important to allow the changes.
With most of the real-time protection applications accompanying anti-malware software programs, merely disabling the software is sufficient. However, for Lavasoft's Ad-Watch, additional steps may be necessary. As written in the Ad-Aware SE manual:
Even if Ad-Watch is turned off and something DOES install onto your system, it will recognize it and will kill the process as soon as it has seen it when turned back on.
Because of the variety of settings that can be selected for Ad-Watch, for this situation, I strongly suggest that anyone using Lavasoft's Ad-Watch take the extra precaution of disabling all blocking prior to the installation of IE7. After the installation is complete, re-enable the settings you had before. In the event you do not elect to take these steps, it is vital that you accept any changes that may be alerted by Ad-Watch.
To disable Ad-Watch:
  • Right-click on the Ad-Watch icon in the system tray
  • Select "Restore Ad-Watch"
  • At the bottom of the screen you will see 2 options -- Active and Automatic.
  • Uncheck both options (red X).
  • Under "Tools and Preferences" turn off all blocking actions.
Instructions for disabling other real-time protection are available in the Castle Cops Wiki. Follow the links there now for any of the listed software installed on your computer so you will know how to disable its real-time protection prior to installing IE7.
Install

Having followed the above safety precautions, the computer is now ready for installing IE7.



Clicking on the install button will start the process, which will require Windows Genuine Advantage validation. A restart will be necessary to complete the install.

Note that installation of Internet Explorer 7 will not override any default browser settings. In addition, all compatible toolbars, home/start page, favorites, and search settings will be transferred to IE7. When Internet Explorer 7 is launched, there will be a presentation offered that highlights new features and changes in IE7.

Addendum:

Microsoft MVP Harry Waldron installed IE7 after it was released in final. Here is what he discovered and posted in his blog:
"IE 7 - Recommended installation approach

* Use only the official download from Microsoft's site
* Reboot PC for fresh start (e.g., advanced users should take a system restore point)
* Shut down all started applications and Disable AV scanner
* Do not run anything else during the complete install process
* Wait patiently as some processes are long-running and might seem to hang, (overall this required about 5 to 10 minutes for me).
* Reboot as prompted (twice)
* Select the "run" to continue the process after 1st reboot.
* Keep lucky charms and a celebration kit handy, e.g., plenty of Mountain Dew "

Changes at Microsoft - One leads to Another


It started with this reorganization announcement, as reported at Microsoft Watch, by Peter Galli in "Microsoft Gets a New Security Group ",
"Microsoft is bringing its security, Trustworthy Computing and Engineering Excellence teams together in one group, known as the Trustworthy Computing Team."
That was yesterday. Today it was reported that Ben Fathi, who had replaced Mike Nash, will be heading up development of the core components of the Windows operating system. The security unit that he had been running will be absorbed into the new Trustworthy Computing Team, reported above. Scott Charney will head up the Trustworthy Computing Team. (See "Microsoft Security Czar Fathi to Focus on Windows OS" for the complete story.)

Follow that reorganization with this announcement about Windows Vista at c|net, "Microsoft changes Vista over antitrust concerns":
"Microsoft had planned to lock down its Vista kernel in 64-bit systems, but will now allow other security developers to have access to the kernel via an API extension, Smith said. Additionally, Microsoft will make it possible for security companies to disable certain parts of the Windows Security Center when a third-party security console is installed, the company said.
Security companies had complained that a kernel protection feature called PatchGuard in 64-bit versions of Vista not only locked out hackers but also prevented some security software from running."
The lock-down was one of the major security features we have been hearing about for some time. Particularly, after reading "McAfee and Symantec get vocal about Vista - but do they *really* have our best interests at heart" co-authored by Microsoft MVPs Sandi and Walter Clayton, I am concerned about what certainly appears on the surface as caving in. As Sandi wrote:
"The bad guys are getting past McAfee and Symantec and others, and if the “Big Two” were *truly* concerned with user security, they would not be fighting this change, which is going to make such a big difference in the malware fight by stopping the bad guys *before* they can do some of their most damaging and difficult to remove tricks. They’d be working on changing their code to work with what is going to be a quantum leap forward in security improvement for users.
Prevention is better than cure. Signature based scanning, heuristics and adding detection for new malware *after* it has already been released and has started infecting machines around the world, isn’t working. I need help to stop the bad guys from getting their tendrils so deep into the OS that it is getting more and more difficult to remove. It is getting to the stage where reformatting is sometimes the only option for systems infected with the worst malware, even with McAfee, Symantec or other security vendor's products installed, and that is simply not good enough."
Consider this quote in Sandi and Walter's article by Jesper Johansson:
"In a sense, [McAfee and Symantec] have built their business on protecting users of Windows from Microsoft, and Microsoft healing the patient cuts into their business doing the same. As Microsoft's Security Chief Ben Fathi said, the security vendors want Microsoft to "keep the patient sick," and by extension, keep customers at risk, so that the security vendors can keep charging for the healing."
But Ben Fathi is no longer Microsoft's Security Chief. Seems like the security vendors will continue charging for the healing.

Mozilla Firefox 2 Release Candidate 3 Available


It was announced at mozillaZine today that Mozilla Firefox 2 Release Candidate 3 (RC3) is available for download. It contains several bug fixes as well as security and stability updates.
If you used previous release candidates (RC1 or RC2) you can upgrade to RC3 using the software update feature.

Anyone who has not installed Firefox 2 is reminded that, although tagged "release candidate", this is not the final version. There may be additional bugs that need to be worked out. Please do not install on a production-critical machine and, of course, always create a System Restore Point prior to installing any software.

Microsoft Security Advisory 917021

Microsoft has released Security Advisory 917021 – Description of the Wi-Fi Protected Access 2 support for Wireless Group Policy in Windows XP Service Pack 2 - on 17 October 2006.

========================================
Summary
========================================

Microsoft is releasing this security advisory to inform customers about an update that enables Wi-Fi Protected Access 2 (WPA2) support for Wireless network Group Policy settings in Windows XP Service Pack 2. This update is being released to provide parity between Windows XP Service Pack 2 (before a broad release vehicle, like a service pack, is released) and the upcoming release of Windows Server 2003 Service Pack 2. With this update, customers can create Wireless network Group Policy settings to simultaneously manage WPA2 on systems running Windows XP Service Pack 2 and for any versions of Windows targeted by the upcoming Windows Server 2003 Service Pack 2.

Also included in this update are Wireless client behavior changes for non-broadcast and ad-hoc networks. These defense-in-depth changes are intended to help prevent systems from connecting to networks other than those a user intends to connect to.

The reason these defense-in-depth changes are included in this update in addition to the WPA2 support for Wireless network Group Policy is to provide parity between the two Windows versions. This makes it possible to manage WPA2 settings for wireless clients on different Windows versions using the same Wireless Group Policy.

These defense-in-depth changes will be included in Windows 2003 Service Pack 2 as part of the same WPA2 support for Wireless network Group Policy settings. For more information about the upcoming Windows 2003 Service Pack 2 see the Windows Service Pack Road Map: http://www.microsoft.com/windows/lifecycle/servicepacks.mspx. The broad release vehicle is still considered to be a service pack for Windows XP for the defense-in-depth changes included in update 917021.

========================================
Recommendations
========================================

Review Microsoft Security Advisory 917021 for an overview of the issue, details on affected components, suggested actions, frequently asked questions (FAQ) and links to additional resources.

========================================
Additional Resources
========================================

• Microsoft Security Advisory 917021 – Description of the Wi-Fi Protected Access 2 support for Wireless Group Policy in Windows XP Service Pack 2:
http://www.microsoft.com/technet/security/advisory/917021.mspx

• Microsoft Knowledgebase Article 917021 - Description of the Wireless Client Update for Windows XP with Service Pack 2:
http://support.microsoft.com/kb/917021
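
As an added example of my own (not from the advisory), here is a Python script that checks a wireless profile for the three things this update is about: WPA2 with AES rather than WEP or WPA/TKIP, infrastructure rather than ad-hoc networks, and not connecting automatically to a non-broadcast SSID. The XP SP2 policy in the advisory is edited in a Group Policy dialog; the script instead reads the per-profile XML that later Windows versions export with "netsh wlan export profile", which I am assuming as a stand-in because it carries the same settings, and the three sample profiles are constructed for the example.

```python
"""Lint Windows wireless profiles for the settings advisory 917021 changes.

Added example for this post, not Microsoft's code. It reads the per-profile
XML format that later Windows versions export with "netsh wlan export
profile" (assumed here as a stand-in for the XP SP2 Group Policy dialog,
which exposes the same settings). Sample profiles are constructed.
"""
import xml.etree.ElementTree as ET

NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}
STRONG = {("WPA2", "AES"), ("WPA2PSK", "AES")}   # enterprise or pre-shared key, AES only


def lint_profile(xml_text: str) -> list:
    """Return a list of findings; an empty list means the profile is acceptable."""
    root = ET.fromstring(xml_text)

    def field(path: str) -> str:
        el = root.find(path, NS)
        return (el.text or "").strip() if el is not None else ""

    findings = []
    auth = field("w:MSM/w:security/w:authEncryption/w:authentication")
    enc = field("w:MSM/w:security/w:authEncryption/w:encryption")
    if (auth, enc) not in STRONG:
        findings.append(f"security is {auth or '?'}/{enc or '?'}; require WPA2 with AES")
    if field("w:connectionType").upper() == "IBSS":
        findings.append("ad-hoc (IBSS) profile; allow infrastructure (ESS) networks only")
    hidden = field("w:SSIDConfig/w:nonBroadcast").lower() == "true"
    auto = field("w:connectionMode").lower() == "auto"
    if hidden and auto:
        # A client cannot see a hidden network in beacons, so it has to go looking
        # for it by name; auto-connect means it does that wherever it is.
        findings.append("auto-connect to a non-broadcast SSID; make the connection manual")
    return findings


def lint_all(profiles: dict) -> dict:
    """Map profile name -> findings for every profile that has at least one."""
    return {name: f for name, xml_text in profiles.items() if (f := lint_profile(xml_text))}


def _profile(name, auth, enc, ctype="ESS", mode="auto", hidden="false"):
    """Build a minimal profile in the netsh wlan export layout (constructed sample)."""
    return f"""<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>{name}</name>
  <SSIDConfig>
    <SSID><name>{name}</name></SSID>
    <nonBroadcast>{hidden}</nonBroadcast>
  </SSIDConfig>
  <connectionType>{ctype}</connectionType>
  <connectionMode>{mode}</connectionMode>
  <MSM><security><authEncryption>
    <authentication>{auth}</authentication>
    <encryption>{enc}</encryption>
    <useOneX>false</useOneX>
  </authEncryption></security></MSM>
</WLANProfile>"""


CORP_OK = _profile("corp-wlan", "WPA2", "AES")
LEGACY_GUEST = _profile("guest-legacy", "open", "WEP", hidden="true")
ADHOC_SHARE = _profile("laptop-share", "WPAPSK", "TKIP", ctype="IBSS", mode="manual")

if __name__ == "__main__":
    for name, findings in lint_all(
            {"corp-wlan": CORP_OK, "guest-legacy": LEGACY_GUEST, "laptop-share": ADHOC_SHARE}).items():
        for f in findings:
            print(f"{name}: {f}")
```

A clean profile produces no output; the legacy guest profile is reported twice (WEP, and auto-connect to a hidden name), and the ad-hoc one twice (TKIP, and IBSS).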

Monday 30 December 2013

Java Update

Those of us in the security community will be enjoying our "Java" just a bit more these days. It isn't that the vulnerability issue with prior versions of Java no longer exists. Rather, it is that Sun Java has finally acknowledged the problem.

For a bit of history, Microsoft MVP CalamityJane detailed at Broadband Reports that fellow Microsoft MVP Steve Wechsler wrote to Sun about this issue in February 2005:
Fellow MS MVP Steve Wechsler (aka MowGreen) wrote to Sun Microsystems (makers of Sun Java) to express the concerns raised in the Security Community that autoupdaters of Sun Java do not uninstall previous (vulnerable) versions of the program. He asked for clarification that if a User utilizes the automatic update mechanism of the JRE the previous vulnerable version is left on the system, and that those previous vulnerable versions can still be called by malware. The folks at Sun Microsystems wrote back confirming this is true and they would be investigating updating the java.com pages and the auto update uninstallation issue.
I wonder how many thousands of computers have been needlessly infected merely because there was no warning to uninstall prior versions of this software for 18 months after Sun Microsystems acknowledged the problem. Coincidentally, after seeing that there was still a lot of confusion both about updating and about which Java components to remove, I provided instructions just the other day in Java.

Below is a partial copy of Sun Alert ID 102557. Please keep in mind that this is merely an acknowledgement of the problem. It is still necessary to follow the instructions to remove prior versions of Java to avoid the Winfixer/Vundo/Virtumundo infection.


Java Plug-in and Java Web Start May Allow Applets and Applications to Run With Unpatched JRE
1. Impact

The Java Plug-in and Java Web Start both allow applets and applications to specify the version of the Java Runtime Environment (JRE) to run with. However, the versions of Java Web Start and the Java Plug-in listed in Section 2 below may allow applets or applications to run with a specified version of the JRE that does not have the latest security fixes.
2. Contributing Factors

This issue can occur in the following releases (for Solaris, Linux and Windows platforms):

* Java Plug-in included with J2SE 5.0 Update 5 and earlier, 1.4.x, 1.3.1, and 1.3.0_02 and later
* Java Web Start included with J2SE 5.0 Update 5 and earlier, and 1.4.2
* Java Web Start 1.2, 1.0.2, 1.0.1, and 1.0

{snip}
Java Web Start:

* Java Web Start 5.0 Update 6 and later for Windows, Solaris, and Linux

Note: Prior to 5.0 Update 6, an application could specify the version of the JRE on which it would run. With 5.0 Update 6 and later installed, unsigned Java Web Start applications that specify a version other than the latest installed will trigger a warning, requiring explicit user permission before the application will run. Signed Java Web Start applications are not affected.

{snip}

Note: It is recommended that affected versions be removed from your system. For more information, see the installation notes on the respective java.sun.com download pages.
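
To make the Sun Alert concrete, here is an added example of my own (not Sun's code) that does the two checks that follow from it: list the JREs left behind on a machine other than the newest one, and read a JNLP launch file to see whether its j2se element pins a JRE version that the newest installed one does not satisfy. The installed-version list and the two launch files are constructed for the example, and the version-spec matching is a simplified reading of the JNLP rules ("1.4.2" exact, "1.4*" family, "1.5+" minimum). Since the alert says signed Web Start applications get no warning at all, a check like this on the JNLP files you actually use is the only way to know which ones would still pull in an old JRE.

```python
"""Leftover JREs, and JNLP launch files that pin one of them.

Added example for this post, not Sun's code. The installed-version list is
constructed inline; on a real XP machine it would come from the J2SE
Runtime Environment entries in Add or Remove Programs or the directories
under C:\\Program Files\\Java. Version-spec matching is a simplified reading
of the JNLP rules ("1.4.2" exact, "1.4*" family, "1.5+" minimum).
"""
import re
import xml.etree.ElementTree as ET


def _parts(s: str) -> list:
    parts = re.split(r"[._]", s.strip())
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised JRE version: {s!r}")
    return [int(p) for p in parts]


def parse_version(s: str) -> tuple:
    """'1.5.0_06' -> (1, 5, 0, 6); '1.4.2' -> (1, 4, 2, 0); tuples compare correctly."""
    return tuple((_parts(s) + [0, 0, 0, 0])[:4])


def stale_jres(installed: list) -> list:
    """Every installed JRE except the newest: the updater installs alongside, it does not replace."""
    return sorted(installed, key=parse_version)[:-1]


def spec_allows_latest(spec: str, latest: str) -> bool:
    """True if the newest installed JRE satisfies a <j2se version="..."> spec.
    Alternatives are space-separated; each is exact, a family ('*') or a minimum ('+')."""
    lv = parse_version(latest)
    for alt in spec.split():
        if alt.endswith("+"):
            if lv >= parse_version(alt[:-1]):
                return True
        elif alt.endswith("*"):
            family = _parts(alt[:-1])
            if list(lv[:len(family)]) == family:
                return True
        elif lv == parse_version(alt):
            return True
    return False


def jnlp_pins_old_jre(jnlp_xml: str, installed: list) -> list:
    """Version specs in the launch file that the newest installed JRE does not satisfy.
    With such a pin, Java Web Start may run the application on an older, unpatched JRE."""
    latest = max(installed, key=parse_version)
    pins = []
    for el in ET.fromstring(jnlp_xml).iter("j2se"):
        spec = el.get("version", "").strip()
        if spec and not spec_allows_latest(spec, latest):
            pins.append(spec)
    return pins


# Constructed samples.
INSTALLED = ["1.4.2_08", "1.5.0_04", "1.5.0_08"]

OLD_APP_JNLP = """<jnlp spec="1.0+" codebase="http://example.invalid/app" href="old-app.jnlp">
  <information><title>Old App</title><vendor>Example</vendor></information>
  <resources>
    <j2se version="1.4.2"/>
    <jar href="old-app.jar"/>
  </resources>
  <application-desc main-class="demo.Main"/>
</jnlp>"""

NEW_APP_JNLP = OLD_APP_JNLP.replace('version="1.4.2"', 'version="1.5+"')

if __name__ == "__main__":
    print("stale JREs to uninstall:", stale_jres(INSTALLED))
    print("old-app.jnlp pins:", jnlp_pins_old_jre(OLD_APP_JNLP, INSTALLED))
    print("new-app.jnlp pins:", jnlp_pins_old_jre(NEW_APP_JNLP, INSTALLED))
```

Anything the first function lists is a candidate for Add or Remove Programs; anything the second function lists is a launch file that will keep asking for a JRE you meant to get rid of.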

Code Popping Up All Over

There have been many explanations for crop circles, many implying that they are some kind of code either created by or as a message to life in outer space. These days, I think I would rather deal with crop circle code than the type I have seen infecting people's computers.

Until today, the most recent "codec" I had heard of was the "Media-Codec", associated with securitypagenet.net. Today, I read about zCodec at CyberNews4You. That led me to do a bit of checking around. I discovered at Nick's Security Ticker that zCodec differs from rogue programs like VirusRescue, SpywareQuake and the like. As Nick wrote:

The trojan from Zcodec is a bit different. You won't get the warning balloon saying you have spyware. Instead, your search results will get redirected. If you go to Google and search for books, NY Times book review and Amazon.com are top results. Clicking on Amazon.com will be redirected to some other web site. Depending on what you are searching for, you might end up on a page that will put spyware on your computer.

Also, it seems that McAfee's SiteAdvisor hasn't figured out that zcodec.com is a bad site. Despite most people saying it is a bad site, it remains a green site.

Microsoft Security Advisory 925059 Released


The following is a Security Advisory from Microsoft regarding a Vulnerability in Microsoft Word.

Please follow the usual warnings. Do not open any email attachments from an unknown source. Also, be wary of unexpected or unusual attachments from someone you know. A telephone call or confirming email may save you from a lot of grief.
Security Advisory (925059) - Vulnerability in Word Could Allow Remote Code Execution - 06 September 2006.
========================================
Summary
========================================
Microsoft is investigating new public reports of limited “zero-day” attacks using a vulnerability in Microsoft Word 2000. In order for this attack to be carried out, a user must first open a malicious Word file attached to an e-mail or otherwise provided to them by an attacker.
Opening the Word document out of email will prompt the user to be careful about opening the attachment.
Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

========================================
Recommendations
========================================
Do not open or save Microsoft Word files that you receive from untrusted sources, or that you receive unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a file.

Review Microsoft Security Advisory 925059 for an overview of the issue, details on affected components, mitigating factors, suggested actions, frequently asked questions (FAQ) and links to additional resources.

Customers who believe they have been attacked should contact their local FBI office or report their situation to www.ic3.gov. Customers outside the U.S. should contact the national law enforcement agency in their country.
Customers who believe they are affected can contact Product Support Services. Contact Product Support Services in North America for help with security update issues or viruses at no charge using the PC Safety line (1-866-PCSAFETY).

Microsoft Security Bulletin Advance Notification

Tuesday, September 12, is again "Patch Tuesday". Before Tuesday comes along, there's time to do some cleanup preparation. Nellie2 has a nice set of instructions on "How to Prepare for Patch Tuesday".

On 12 September 2006 Microsoft is planning to release:
Security Updates
Two Microsoft Security Bulletins affecting Microsoft Windows.

The highest Maximum Severity rating for these is Important. These updates will be detectable using the Microsoft Baseline Security Analyzer. Some of these updates will require a restart.
One Microsoft Security Bulletin affecting Microsoft Office.

The highest Maximum Severity rating for these is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer. These updates may require a restart.

Mozilla Adds Window

I read with interest this morning the writeup from Bleeping Computer on "Potential security vulnerability in Firefox?"
"Klocwork’s K7 static analysis tool was used to analyze the programming code for the latest version of Firefox 1.5.0.6. The tool reported that there are 655 defects and 71 potential security vulnerabilities. This analysis was then sent on to Firefox where they can determine what will be fixed or left alone."
Defects seem to be inherent in software. However, that is not always the fault of the software. After all, as soon as a computer is taken out of the box, we add our own personal fingerprint, usually in the form of other software. No software can be tested against all possible interactions with other software programs.
As to the 71 potential security vulnerabilities, it appears that Mozilla.org has leadership to address security issues in Firefox. From eWeek:

"Ex-Microsoft Security Strategist Joins Mozilla By Ryan Naraine


Former Microsoft security strategist Window* Snyder is joining Mozilla to lead the company's effort to protect its range of desktop applications from malicious hacker attacks. Snyder, who was responsible for security sign-off for Microsoft's Windows XP Service Pack 2 and Windows Server 2003, will spearhead Mozilla's security strategy, eWEEK has learned.
The group has seen its flagship Firefox Web browser chip away at the market dominance of Microsoft's Internet Explorer, largely because of high-profile security flaws in and attacks on IE, and the addition of Snyder is sure to help beef up Mozilla's security process and improve its communications with bug finders."
*Emphasis added. Window really is Ms. Snyder's name. It is rather ironic that someone with the name "Window" has left Microsoft and will now be working for a competitor.

Changing Places -- A New Star for Vista

Sometimes we need to step outside the garden to see what else is "out there". Inevitably, we return to our roots, to what gives us the most satisfaction.
Stephen Toulouse has been a program manager on Microsoft's Security Response Center team, dealing with security response for the past four years. In a manner of speaking, "Stepto" is now moving back to his roots, although at a much higher level than his early days with Microsoft and Windows 95!
With the emphasis on security in Vista combined with Stepto's background with the MSRC, it sounds like a perfect match. The improvements he made while with the MSRC will likely flow over to Vista. Read about it in his own words at Stepto.com.

Microsoft Security Bulletins - September 2006


It does not take much effort on your part to update your home computer. After all, we're only talking about Microsoft updates once per month and always on the second Tuesday. That is easy enough to keep track of. But don't worry. If you forget, I'll be sure to remind you.
For September, Microsoft released 3 new bulletins (1 critical, 1 important and 1 moderate), 2 re-released bulletins and 2 security advisories today. For more detailed information see this month’s bulletin summary.
Critical:
  • MS06-054: Vulnerability in Microsoft Publisher Could Allow Remote Code Execution (910729)

Important:
  • MS06-052: Vulnerability in Pragmatic General Multicast (PGM) Could Allow Remote Code Execution (919007)

Moderate:
  • MS06-053: Vulnerability in Indexing Service Could Allow Cross-Site Scripting (920685)

Re-Released Bulletins:
  • MS06-040: Vulnerability in Server Service Could Allow Remote Code Execution (921883) (Originally released August 8. This addresses a critical security problem)
  • MS06-042: Cumulative Security Update for Internet Explorer (918899) (Originally released August 8 and updated on August 24.)
Additionally note that Microsoft issued two security advisories today:
  • Microsoft Security Advisory (922582) -- announces the availability of an update that addresses errors trying to update a computer that has a minifilter-based application installed.
  • Microsoft Security Advisory (925143) -- provides awareness of Adobe Security Bulletin: APSB06-11. This bulletin provides guidance to users of Macromedia Flash Player from Adobe - version 8.0.24.0 and earlier which is redistributed with Microsoft Windows XP Service Pack 1, Windows XP Service Pack 2, and Windows XP Professional x64 Edition.

Fox Update


Although Firefox 2 is in the Beta2 stage, Mozilla.org jumped ahead and released version 1.5.0.7. This release fixes several critical security vulnerabilities. Anyone using Firefox is strongly encouraged to be sure to get the update.

The same security issues were also addressed in Thunderbird, Camino and Seamonkey (both based on Gecko 1.8.0.7).


These are serious issues that have been addressed. Stay safe, surf safe. Update now.

Fixed in Firefox 1.5.0.7

  • MFSA 2006-64 Crashes with evidence of memory corruption (rv:1.8.0.7)
  • MFSA 2006-62 Popup-blocker cross-site scripting (XSS)
  • MFSA 2006-61 Frame spoofing using document.open()
  • MFSA 2006-60 RSA Signature Forgery
  • MFSA 2006-59 Concurrency-related vulnerability
  • MFSA 2006-58 Auto-Update compromise through DNS and SSL spoofing
  • MFSA 2006-57 JavaScript Regular Expression Heap Corruption

Microsoft Security Advisory 925444 Released

Below is a Security Advisory from Microsoft regarding an ActiveX control that could allow remote code execution. The code, if installed, could result in Internet Explorer being hijacked to malicious websites.

Workarounds are provided in the Advisory, two of which should be set regardless of this advisory. In particular, see the instructions for configuring Internet Explorer to prompt before running Active Scripting or ActiveX controls.


Security Advisory 925444 – Vulnerability in the Microsoft DirectAnimation Path ActiveX Control Could Allow Remote Code Execution - 14 September 2006.

========================================
Summary
========================================

Microsoft is investigating new public reports of a vulnerability in Microsoft Internet Explorer on Windows 2000 Service Pack 4, on Windows XP Service Pack 1, and on Windows XP Service Pack 2. Customers who are running Windows Server 2003 and Windows Server 2003 Service Pack 1 in their default configurations, with the Enhanced Security Configuration turned on, are not affected. We are also aware of proof of concept code published publicly but we are not aware of any attacks attempting to use the reported vulnerability or of customer impact at this time. We will continue to investigate these public reports.

Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. A security update will be released through our monthly release process or an out-of-cycle security update will be provided, depending on customer needs.

========================================
Mitigating Factors
========================================

• In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site.

• An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

• The Restricted sites zone helps reduce attacks that could try to exploit this vulnerability by preventing Active Scripting from being used when reading HTML e-mail messages. However, if a user clicks a link in an e-mail message, they could still be vulnerable to this issue through the Web-based attack scenario.

• By default, Outlook Express 6, Outlook 2002, and Outlook 2003 open HTML e-mail messages in the Restricted Sites zone. Additionally, Outlook 2000 opens HTML e-mail messages in the Restricted Sites zone if the Outlook E-mail Security Update has been installed. Outlook Express 5.5 Service Pack 2 opens HTML e-mail messages in the Restricted Sites zone if Microsoft Security Bulletin MS04-018 has been installed.

• By default, Internet Explorer on Windows Server 2003 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability because ActiveX and Active Scripting are disabled by default.

========================================
Additional Resources:
========================================

• Microsoft released Security Advisory 925444 – Vulnerability in the Microsoft DirectAnimation Path ActiveX Control Could Allow Remote Code Execution.
http://www.microsoft.com/technet/security/advisory/925444.mspx

• Microsoft Knowledgebase Article 925444 - Microsoft Security Advisory: Vulnerability in the Microsoft DirectAnimation Path ActiveX control could allow remote code execution
http://support.microsoft.com/kb/925444

• MSRC Blog:
http://blogs.technet.com/msrc/
Note: check the MSRC Blog periodically as new information may appear there.

Are you ready for Vista?



Have you been anxiously awaiting the opportunity to experience Vista? If so, the Windows Team Vista Blog reports:

RC1 CPP Now Available to General Public

A quick update on CPP status:
Windows Vista RC1 is now publicly available. This means that 32- and 64-bit downloads for all three languages (English, German, and Japanese) are live. If you did not receive an email in the previous wave, you can now both download the ISO image and request a product key (PID).
First and foremost, if you are not "computer savvy" or if your computer is "mission critical", I would advise you to wait until the final product release. Otherwise, you can find the necessary information at the Windows Vista "Customer Preview Program" page.
Whether you are ready now or anticipating an upgrade after final release, find out if your Windows PC can run Windows Vista with the Windows Vista Upgrade Advisor RC, which works with 32-bit versions of Windows XP and Windows Vista. Note, however, that it does not work with Windows 98, Windows 2000, or Windows XP Professional x64 Edition.
From there, go to Upgrading Planning for Windows Vista to find out if your system can be upgraded to Vista or if a clean install will be required.

Thursday 26 December 2013

Mozilla Firefox Version 26.0 Released


Mozilla sent Firefox Version 26.0 to the release channel.  At the time of this posting, no security fixes for this version have been listed in the Security Advisories page.  However, the default for Java plug-ins to "click to play" is a welcome change as is script-generated password fields.

Update:  The security updates have now been posted.  Version 26.0 includes five (5) critical, three (3) high, three (3) moderate, and three (3) low security updates.

Fixed in Firefox 26

  • MFSA 2013-117 Mis-issued ANSSI/DCSSI certificate
  • MFSA 2013-116 JPEG information leak
  • MFSA 2013-115 GetElementIC typed array stubs can be generated outside observed typesets
  • MFSA 2013-114 Use-after-free in synthetic mouse movement
  • MFSA 2013-113 Trust settings for built-in roots ignored during EV certificate validation
  • MFSA 2013-112 Linux clipboard information disclosure though selection paste
  • MFSA 2013-111 Segmentation violation when replacing ordered list elements
  • MFSA 2013-110 Potential overflow in JavaScript binary search algorithms
  • MFSA 2013-109 Use-after-free during Table Editing
  • MFSA 2013-108 Use-after-free in event listeners
  • MFSA 2013-107 Sandbox restrictions not applied to nested object elements
  • MFSA 2013-106 Character encoding cross-origin XSS attack
  • MFSA 2013-105 Application Installation doorhanger persists on navigation
  • MFSA 2013-104 Miscellaneous memory safety hazards (rv:26.0 / rv:24.2)

What’s New

  • NEW -- All Java plug-ins are defaulted to 'click to play'
  • NEW -- Password manager now supports script-generated password fields
  • NEW -- Updates can now be performed by Windows users without write permissions to Firefox install directory (requires Mozilla Maintenance Service)
  • NEW -- Support for H.264 on Linux if the appropriate gstreamer plug-ins are installed
  • CHANGED -- Support for MP3 decoding on Windows XP, completing MP3 support across Windows OS versions
  • CHANGED -- CSP implementation now supports multiple policies, including the case of both an enforced and Report-Only policy, per the spec


Known Issues

  • Unresolved -- Moving Firefox to the background while playing a Flash video in full screen mode and bringing it back to view will freeze the app (see 809055)

Update

To get the update now, select "Help" from the Firefox menu at the upper left of the browser window, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu.

If you do not use the English language version, Fully Localized Versions are available for download.

Microsoft | Dell Create Super-Cool Custom PC


I have been following Donna Buenaventura's adventures installing and experimenting with Vista on her Dell laptop (See Vista on Dell XPS M1210; Vista & Dell MediaDirect; Incompatible software). I think about now she may be sorry she has a laptop instead of a desktop like the one featured in the Windows Vista Blog today in Windows Vista Custom PC Design. That is most definitely a Windows PC!
When it comes to PCs for myself, I'm afraid that I have to stick to basics. I have a favorite local PC shop that I visit and pick out as much of a system as I can afford. I'm still using the 17" monitor I got with my old Win95 system, and when the box was built for XP, they transferred the diskette drive and CD reader from the old box. It saved a few dollars. The nice part about using a local shop is that in the event of a problem, they are close by and stand behind their work.

Firefox 2.0 and 3rd Party Cookies



One of the comments I've seen about Mozilla Firefox 2.0 is the removal of the option to block 3rd party cookies. Firefox people have explained that the reason that feature was removed is because it was not reliable and did not work in all configurations.
Now, before you get all hot under the collar about the cookie issue, I suggest you visit, or revisit in the case you have already read Ben Edelman's analysis, sponsored by Clicks2Customers, in "Cookies Detected by Anti-Spyware Programs: The Current Status".
However, if you still want to make a change to Firefox, and we are talking about 3rd party cookies anyway, it can be easily made in Firefox about:config.
  • Open a Firefox browser tab
  • Type about:config in the address bar
  • Scroll down the page to network.cookie.cookieBehavior
  • If the value is 0 (zero), right click on that line and change the 0 to the number 1 (if it is already a 1, that means the configuration was carried over in the upgrade to 2.0).

Vista Yields Almost Double the Drivers of XP!


As a take-off on the old 1980s gum commercial, it looks like Windows Vista will "Double your drivers, double your fun".

When I read Langa Blog: Vista to Ship with Nearly 20,000 Device Drivers, I had to check the RCP Mag article myself. Sure enough, the article indicates that Vista will ship with 19,500 device drivers.
According to Jim Allchin, however, this may not be all bad. Hopefully, when installing Vista, users will find that the drivers needed to run their software are already on board. Here's what was reported:

"The number of device drivers is really a small way of looking at it, since each driver can usually support numerous actual different device models. Indeed, sometimes a single driver can support hundreds of different models, as often is the case with video drivers," Allchin's posting said. "But, what is even more significant is that at the RTM [release to manufacturing] for Windows Vista, we already had an additional 11,700 device drivers on Windows Update compared to just 2,000 for Windows XP when it RTM'd in 2001."
Having read reports of Vista installations, it appears that this really has been paying off. I think it's just the shock of the large number that sounds so unrealistic.

Microsoft Office 2007 UI Licensing "Open Source"



With all the recent talk about patents, infringement and licensing, some of the critics should step back and take a look at the licensing terms for Microsoft Office 2007. The guidelines are incorporated in a mere 120-page (gulp) document. However, there is a preview available for download as well as a video on Channel 9. Both links are available in Jensen Harris' blog writeup, "Licensing the 2007 Microsoft Office User Interface".

The long and the short of it, however, is that developers can use the Office 2007 UI (user interface) in open source projects as long as they meet the license terms. Not only that, the UI can be used on any platform.

As stated by Jensen Harris in "Licensing the 2007 Microsoft Office User Interface":
"There's only one limitation: if you are building a program which directly competes with Word, Excel, PowerPoint, Outlook, or Access (the Microsoft applications with the new UI), you can't obtain the royalty-free license."
Considering the high cost of development, I think this is both very fair and generous of Microsoft.

References provided by Jensen Harris:

Firefox 2.0 Password Manager Bug Exposes Passwords


This is a serious bug if you use the Firefox Password Manager. As described at Slashdot.org:

"The flaw derives from Firefox's willingness to supply the username and password stored on one page on a domain to another page on a domain. For example, username/password input tags on a Myspace user's site will be unhelpfully propagated with the visitor's Myspace.com credentials."
Using Control + Shift + Delete will clear private data in Firefox. In addition, turn off the Password Manager and the Firefox extension "Master Password Timeout" if you use it.

Mac OS X Zero-Day Exploit


Whether it is because there are fewer Mac users and thus a smaller target or because it is more difficult to target, few vulnerabilities are reported on Macs. As David Utter reported in Mac OS X Receives Unwanted Attention:

". . . To compromise a Mac, the user must be enticed into clicking a link in Safari to a malformed image.

Should this happen, the exploit corrupts memory and could lead to the execution of arbitrary code on the now-compromised system. Safari users can avoid this worry by deactivating the preference permitting "safe" files from being opened after download. "
Safari users could also try an alternative browser if this continues to be problematic.

United States vs. Microsoft Corporation


The U.S. Department of Justice has cleared Windows Vista of antitrust concerns. As described by Joe Wilcox in "Microsoft's Antitrust Control Problem":
The joint filing explains that Microsoft and the government-mandated technical committee, or TC, "have increased their cooperation in several ways to help ensure that middleware ISVs achieve 'Vista-readiness' prior to the shipment of Windows Vista." The TC also has released a Windows XP and Windows Vista registry tool for developer download. Aside from issues pertaining to protocol licensing, cooperation defines Microsoft's recent relationship with US trustbusters. The cooperation works for Microsoft. Of 25 complaints made since May, all "were non-substantive," according to yesterday's court filing.
While the rest of the U.S. is celebrating Thanksgiving tomorrow, Microsoft attorneys will be presenting the next set of legal documents to the European Union's Competition Commission, which has not been as favorable toward Microsoft as the U.S. DOJ.
By the way, in discussing other legal issues, I mentioned Microsoft would likely consult with outside counsel. In scanning the DOJ report, I spotted the names of their outside counsel. Microsoft is definitely using the best and the brightest. Both Fried, Frank, Harris, Shriver & Jacobson LLP and Sullivan and Cromwell LLP have excellent reputations.

Countdown to Windows Vista


Time for a bit of fun. Join in the countdown to January 30, 2007 when Windows Vista "hits the streets". I've added it to the sidebar here at Security Garden.

See Nick White's explanation and the code in Counting Down to the Consumer Launch of Windows Vista.