Posts Tagged ‘Windows XP’

Authentium Circumvents the PatchGuard Kernel Protection

I’ve posted before about how security companies are up in arms about the new Windows PatchGuard protection from Microsoft that can block any application from accessing, or “hooking” Vista’s kernel commands, a technique utilized by vendors in sophisticated anti-tampering and behavior monitoring tools, and used by hackers in attacking computer systems with rootkits. Authentium says they have circumvented this feature using a loophole that allowed the operating system to support older hardware.

The company, based in Palm Beach Gardens, Fla., maintains that it has built a version of its Authentium ESP Enterprise Platform that can bypass PatchGuard without setting off the desktop alarms produced by the security feature when the Vista kernel is compromised.

When a program of any kind attempts to modify the kernel on a system running PatchGuard, which is already available in 64-bit versions of Microsoft’s Windows XP OS, the computer produces a blue screen and stops all other Windows applications from running.

Authentium said its workaround allows it to access the kernel without incurring the shut-down.

The company specifically said that it is using an element of the kernel meant to help the OS support older hardware to bypass the feature. The loophole allows the company’s tools to infiltrate Vista’s kernel hooking driver, and get out, without the OS knowing the difference. Source: eWeek

Looks of good reading there, including more info on PatchGuard and links to other articles where security companies have taken Microsoft to task over it. One industry insider says he thinks McAfee and Symantec have already done this themselves, but are keeping the heat on for a different reason,

At least one industry watcher believes that Symantec and McAfee have developed methods of their own for working with, or circumventing, PatchGuard, and contends that the firms have only kept the heat on Microsoft over the feature to keep antitrust regulators alert to Microsoft’s continued push into their territory.

Which makes sense, they have to protect their bread and butter. Alex Eckelberry from Sunbelt has posted a few articles on PatchGuard, but the one he posted today actually made a lot more sense than the other complaints I have seen from Symantec,

The lesson? We cannot predict how malware authors will work in the future, and that is one reason why PatchGuard is such a potentially dangerous technology.

PatchGuard creates a barrier to the kernel, against which security vendors (the major defensive bulwark for Microsoft) can’t get in to to help the operating system against an attack, at least without permission through APIs.

The ability of security companies to fully support the 64 bit Windows platform itself, a fact that Gartner’s Neil McDonald recently highlighted in his warning that if enterprises use HIPS technology, they should postpone deployment of Vista. After all, the APIs won?t even be available until 2008!

HIPS (which stands for Host Intrusion Prevention System), uses methods at the kernel to prevent certain types of attacks. HIPS is part of our Kerio line and it?s also part of other products out in the market. For example, our HIPS functionality helps protect against buffer overflow attacks, by watching for system functions being called from memory locations where they shouldn’t be called. As another example, our Kerio Server Firewall uses HIPS to provide application lockdown.

McAfee, Symantec and other companies, like Sunbelt, need this access. For Symantec, it?s around a number of technologies they’ve implemented at the kernel, including Tamper Protection, which prevents hackers from attacking Symantec products themselves. For us, it’s around HIPS, but it could also affect other technologies that we are developing.

Now, every other article I have read on PatchGuard and these security companies, and I could have missed a bunch I am sure, has just pretty much been whining about how Microsoft won’t allow use access to the kernel, this is the first good explanation of why they need this access. If some new threat, remember Code Red, comes out that requires access to the kernel to prevent it, then these security companies will have to ask Microsoft for an API to the kernel, where, before they could have just added the extra functionality. And we all know how long it takes Microsoft to issue patches, what will they do if a new threat comes out, will they help security vendors fix it, or will they try to fix it themselves?

1 comment - What do you think?  Posted by Jimmy Daniels - October 25, 2006 at 3:50 pm

Categories: Microsoft News, Security, Software, Virus Info   Tags: , , , , , , ,

Windows Defender Final Finally Released

Looks like Microsoft has quietly released the final version of Windows Defender. This version will not run on Windows 2000 or Windows Vista, Vista will have an integrated version.

Yes, as a complete suprise it seems that Microsoft has released the final version of their long-time-in-the-making Anti-Spyware program, Windows Defender.

The build is marked as 1.1.1592.0 and it seems it can be installed over top previous versions (Beta 2, It can not be installed over top Beta 1 previously known as Microsoft Anti-Spyware Beta). Source: JCXP

Download 32 bit version here.

Download 64 bit version here.

Some of the improvements in Windows Defender:

  • Enhanced performance through a new scanning engine.

  • Streamlined, simplified user interface and alerts.
  • Improved control over programs on your computer using enhanced Software Explorer.
  • Multiple language support with globalization and localization features.
  • Protection technologies for all users, whether or not they have administrator rights on the computer.
  • Support for assistive technology for individuals who have physical or cognitive difficulties, impairments, and disabilities.
  • Support for Microsoft Windows XP Professional x64 Edition.
  • Automatic cleaning according to your settings during regularly scheduled scans.

Be the first to comment - What do you think?  Posted by Jimmy Daniels - October 24, 2006 at 4:07 am

Categories: Security, Software   Tags: ,

IE7 Update Could Adversely Affect Many Websites

In July, Microsoft announced that it will update Windows XP SP2 users automatically using Windows auto updates, in the past Microsoft has phased them in slowly, this one will be done practically overnight. Now, I’ve heard mostly good things about IE7, I still have not tried it myself, I know, I know, what kind of geek am I, I will probably wait until it upgrades everyone and see what happens. But, when that happens, online merchants will see the biggest part of their userbase changing browsers, and they will be answering the phones a LOT more than they do now, until users get used to using IE7.

“I applaud what Microsoft’s done with IE 7, and the browser works very well,” said Richard Litofsky of Rockville, Md.-based cyScape. “But even the best software needs time to work out things once it’s in the wild.”

The automatic updating of most browsers — Internet Explorer controls 83 percent of the world’s browser market according to the most recent data from Net Applications — will stress Web sites’ help desks like nothing before, Litofsky claimed.

“Virtually overnight all these sites are going to be running a whole new platform.” Source: Techweb

If you have trouble when you are updated to IE7, you can use this tool, User Agent String Utility version 2, to make the website think your browser is IE6, as you could have rendering problems if the website does not know what browser you are using.

Be the first to comment - What do you think?  Posted by Jimmy Daniels - September 30, 2006 at 1:17 am

Categories: IE7, Windows XP   Tags: , , ,

Windows XP Tweaking Utility

Looking for an easy to use utility to help you make Windows XP more efficient, boot up faster, improve performance and functionality, improve the appearance of Windows XP, increase windows security, and prevent others from changing your settings. The Tweaking Utility from TweakXP.com can help you do all of this and much more. You can lockdown control panel applets, Internet Explorer options, even choose which applications can or can’t run on the computer.

Easily tell Windows to keep the Windows XP core system in memory and not paged to disk, to help improve performance. You can use it to optimize the CPU and memory usage for programs, systems cache or background services. Easily remove Microsoft Windows Messenger and other “unremovable” programs, this tweaking utility has hundreds of tweaks for the serious tweaker, and can change hundreds of registry settings in Windows XP.

Download a copy and try it free.

Note: I saw a couple complaints about the trial expiring too soon and they noted a work around since this could happen in a couple different situations. Use this to register to get 14 more days, just in case:

Name: TTXP

Registration Code: EVALMORE

Clicking “Next” will permit 14 more days of evaluation.

Be the first to comment - What do you think?  Posted by Jimmy Daniels - September 16, 2006 at 2:57 am

Categories: Software, Windows XP   Tags: , , , ,

MANY People Will Not Be Able to See Windows Fancy Graphics

Thinking of upgrading to Windows Vista as soon as it comes out? You’ll definitely want to check your machine out to make sure it is capable of running the Aero display. You will need to have a legitimate copy of Vista, and not just any copy, Vista Basic will not show them at all. You’ll also need a Windows Vista specific video drivers. You’ll need a minimum of 1,800 MB per second of graphics memory bandwidth. Has anyone ever seen such a measurement before? I probably have, but it’s not something you see everyday or we would remember it. Microsoft said a tool would be available to measure it, to make sure your machine is capable of doing it. And you will need lots of graphics memory, a of 1280 by 1024 pixels or less will require 64MB, and for a larger screen, 256MB may be required.

Windows Vista plans to offer you spiffy new graphics, as long as you’re not a pirate.

With the new operating system, Microsoft is offering plenty of new graphics tricks, including translucent windows, animated flips between open programs and “live icons” that show a graphical representation of the file in question.

But before Vista will display its showiest side, known as Aero, it will run a check to make sure the software was properly purchased.

But it’s not just pirates who will be blocked from Windows’ fanciest graphics. The Aero display also won’t be available to those who buy Windows Vista Basic, the low-end consumer version of the operating system. And even those with higher-end versions won’t be able to see the fancy graphics if they don’t have enough memory, lack sufficient graphics horsepower or have a graphics chip that doesn’t support a new Vista driver.

Those Aero requirements are not easily understood by buyers or computer salespeople, said Michael Cherry, an analyst at market research firm Directions on Microsoft. He said, for example, that he has no idea how much memory bandwidth his computer has. “I wouldn’t even know how to begin to measure it.” Source: News.com.

Me either Michael. Microsoft did say this was not the final draft and it somehow got posted by mistake.

With the big graphics requirments, this will be limited to home users and gamers probably for awhile, most businesses will not upgrade their pc’s to make it work, they will just wait until it starts showing up on new pc’s and then start dealing with it, much like we did with XP. Although, Windows XP has been the best version of Windows by far for me. I never have any trouble with it.

Be the first to comment - What do you think?  Posted by Jimmy Daniels - April 13, 2006 at 12:48 pm

Categories: Windows Vista, Windows XP   Tags: , , ,

Windows Defender Beta 2 Review

Suzi Turner, of SpywareWarrior.com fame, had said she would do a review of Windows Defender Beta 2, and she’s finally gotten around to it. I myself plan on reviewing it, but it’s little league baseball time and I have been very busy in the evenings. I may end up waiting until my son get’s his machine all infected again.

As promised a few days ago, I finally got a virtual machine upgraded to Service Pack 2 for testing Windows Defender Beta 2. For the sake of convenience, I’ll refer to it as WD for most of this post. When I wrote about WD previously, I mentioned the review at PCMag.com where WD was tested against 6 keyloggers, which is not a particularly valuable test in my opinion.

The tests were done on a virtual machine with Windows XP with SP2, fully patched, running in VMware Workstation 5.5.1. Testing consisted of two parts. For the first test, I had WD running with all components of real-time protection turned on. I surfed to Claria’s website and downloaded two Claria apps, GotSmiley and a screensaver. When I downloaded the apps, Windows Defender presented an alert and asked whether or not to remove, get more information or ignore. I chose ignore and allowed the installation. After installation, I did the full scan and WD detected both apps correctly and asked me to select an action.

In the second test, I went to a website known to spyware researchers as a consistently reliable source of spyware. Immediately prior to going to the site, I ran InCtrl5 in order to track changes to the system. I turned off WD’s real-time protection for this test so I could test scan and removal capabilities. I had to restart the test twice because the vm quickly became so infested it froze. On the third try, after about 5 minutes on the site, I disconnected NAT, killing the internet connection for the vm, so I didn’t lose control of the machine. Before running any scans I ran InCtrl5 again. In less than 6 minutes, the spyware had added 230 registry keys, deleted 32 keys, added 386 values, deleted 82 values, changed 46 values, added 16 folders, and added 389 files. I ended up with the following:

SpySheriff
QuickLinks
CmdServices, also known as Command
ZToolbar
AzeSearch
NetMon aka Network Monitor
Paytime.exe, related to CoolWebSearch
AvenueMedia/Internet Optimizer also known as DyFuCa
Targetsavers
SurfSideKick
Smitfraud-C
CAS-Client (ConsumerAlertSystem)
AproposMedia
Trojan.VB.TG
Trojan.Downloader.VB.TW
Trojan.Tofger.CD
TagASaurus, aka enbrowser
Trojan.StartPage.GEN
ADSlime
W32.Spybot.Worm
Look2Me
drsmartload1.exe aka Troj/Drsmartl-N
MoneyTree Dialer
Service: Windows Overlay Components – file name C:\WINDOWS\tihotdj.exe, aka Trojan.Adclicker
My homepage was changed to c:\secure32.html

Click here to read the results, they are very interesting as it includes some info about the major free anti spyware programs. I just wish she would’ve included X-Cleaner in it as well, as it is one of the best programs, in my personal opinion. Suzi posted an article about the review here, but that just links to the zdnet post, the main reason to click there is to read everything else, loads and loads of spyware info, including research and info on our favorite spyware app, 180solutions.

Be the first to comment - What do you think?  Posted by Jimmy Daniels - March 8, 2006 at 2:34 pm

Categories: Reviews, Spyware Info   Tags: , , ,

Temporary Fix for the WMF Exploit

Since Microsoft has decided to wait until Tuesday to release it’s patch for the latest Windows exploit, the WMF security flaw, F-Secure has posted on their site about a fix released by the author of Interactive Disassembler and probably one of the best low level Windows experts in the world, Ilfak Guilfanov. The fix is here.

Ilfak Guilfanov has published a temporary fix which does not remove any functionality from the system (all pictures and thumbnails continue to work normally).

The fix works by injecting itself to all processes loading USER32.DLL. It patches the Escape() function in GDI32.DLL, revoking WMF’s SETABORT escape sequence that is the root of the problem.

This flaw has already spawned dozens of attacks from a MSN Messenger worm to spam that tries to get users to click on malicious web sites.

The vulnerability can be easily exploited in Windows XP with Service Pack 1 and 2, as well as Windows Server 2003, security experts said. Older versions of the operating system, including Windows 2000 and Windows ME, are also at risk, though in those cases the flaw is more difficult to exploit, said Mikko Hypponen, chief research officer at F-Secure.

“We have seen dozens of different attacks using this vulnerability since Dec. 27,” Hypponen said. “One exploits image files and tries to get users to click on them; another is an MSN Messenger worm that will send the worm to people on your buddy list, and we have seen several spam attacks.”

He added that some of the spam attacks have been targeted to select groups, such as one that purports to come from the U.S. Department of State. The malicious e-mail tries to lure the user to open a map attachment and will then download a Trojan horse. The exploit will open a backdoor on the user’s system and allow sensitive files to be viewed.

A chief researcher at F-Secure said,

“We are still far away from a massive virus,” he said. “Most people get attacked by this if they (search for something on the Internet) and get a million results. They may click on a link that goes to a malicious Web site or one that has been hacked, and then get infected.”

In an article from News.com posted today, an antivirus specialist stated that over a million pc’s have been compromised,

More than a million PCs have already been compromised, said Andreas Marx, an antivirus software specialist at the University of Magdeburg in Germany. He has found a hidden Web site that shows how many copies of a program that installs malicious software have been delivered to vulnerable PCs.

“I’m sure it’s just a matter of days until the first (self-propagating) WMF worm will appear,” he said. “A patch is urgently needed.”

So, with Microsoft waiting until Tuesday, attackers are going to have about a week with no worries to try to take advantage of this. So far, most of the attacks have involved installing spyware and adware to display pop up advertising on the infected pc’s.

Microsoft has completed a fix for the problem and is currently testing and localizing the update into 23 languages, the software maker said in its advisory, updated on Tuesday. “Microsoft’s goal is to release the update on Tuesday, Jan. 10, 2006, as part of its monthly release of security bulletins,” the company said.

To protect Windows users, Microsoft shouldn’t wait, but release the patch now, several critics said.

“The flaw is actively exploited on multiple sites, and antivirus provides only limited protection,” said Johannes Ullrich, the chief research officer at the SANS Institute. “Active use of an exploit without sufficient mitigating measures should warrant the early release of a patch, even a preliminary, not fully tested patch.”

Once again, we see a large company not really caring about the users and all they are doing is creating even more ill will.

Added: One of the F-Secure researches stated that one of their test machines became infected after downloading an infected file using the Wget command line tool, without even executing it.

It seems that Google Desktop creates an index of the metadata of all images too, and it issues an API call to the vulnerable Windows component SHIMGVW.DLL to extract this info. This is enough to invoke the exploit and infect the machine. This all happens in realtime as Google Desktop contains a file system filter and will index new files in realtime.

2 comments - What do you think?  Posted by Jimmy Daniels - January 4, 2006 at 11:39 am

Categories: Microsoft News, Spyware Info, Tech News, Virus Info   Tags: , , , , , ,

Xbox Controllers Work on PCs

The new controllers for the Xbox 360 will work on Windows XP based computers as well. The controller, when sold by itself will include a driver for the Windows XP operating system, and the one that comes with the Xbox 360 will work with Windows XP based PCs after the driver has been downloaded. This from News.com

“Gamers can simply unplug their controller from their Xbox 360 system and plug it into their Windows XP-based PC,” Chris Donahue, director of Windows gaming at Microsoft, said in a statement. “This is a great breakthrough for the gaming industry as we make it easier for developers to create multiplatform titles.”

The controller features a new design meant to improve ergonomics. It also offers “force feedback vibration support” and a button layout.

This is a great feature, now you won’t be buying two seperate controllers, unless, ofcourse, you need different functionality, such as a joystick or steering wheel. Good move Microsoft.

The controller, which features a 9 foot cable, will sell for $39 and is already available in the US, and will be released soon in Asia and Europe.

Last month, Microsoft said the Xbox 360 would come in two flavors: a base model for $299 and a souped-up version with a 20GB hard drive and wireless controllers for $399.

The company is trying to alter a current-generation console landscape in which archrival Sony has sold 75.6 million PlayStation 2s worldwide, compared with Microsoft’s global sales of just 19.8 million Xboxes, according to IDC analyst Schelley Olhava.

xbox 360 controller

3 comments - What do you think?  Posted by Jimmy Daniels - October 19, 2005 at 12:46 pm

Categories: Gaming News   Tags: , ,

Windows Patch May Lock Users Out

A patch for Windows XP, Windows 2000 and Windows 2003 operating systems that is meant to fix a critical flaw, can lock users out, the windows installer service may not start, and more. Systems that have changed the default Access Control List permissions on the %windir%\registration directory may experience these and other problems.

On a computer that is running Microsoft Windows XP, Microsoft Windows 2000 Server, or Windows Server 2003, one or more problems may occur after you install the critical update that is discussed in Microsoft Security Bulletin MS05-051. These problems include the following:
The Windows Installer service may not start.
The Windows Firewall Service may not start.
The Network Connections folder is empty.
The Windows Update Web site may incorrectly recommend that you change the Userdata persistence setting in Microsoft Internet Explorer.
Active Server Pages (ASP) pages that are running on Microsoft Internet Information Services (IIS) return an HTTP 500 Internal Server Error? error message.
The Microsoft COM+ EventSystem service will not start.
COM+ applications will not start.
The computers node in the Microsoft Component Services Microsoft Management Console (MMC) tree will not expand.
Authenticated users cannot log on, and a blank screen appears after the users apply the October Security Updates.

The resolution is posted on this page discribing the problem, it just invloves changing the permissions on a couple folders as it has to do with your system not being able to access the COM+ catalog files.

Via News.com.

2 comments - What do you think?  Posted by Jimmy Daniels - October 14, 2005 at 11:00 pm

Categories: Microsoft News, Windows XP   Tags: , ,

New IE Flaw Affects Windows XP Sp2

eEye Digital Security has warned that a flaw with Internet Explorer could enable a remote attack on computers running Windows XP SP2. This is the intital reporting stage, so they have released no info to the public, they do not release info until the vendor issues an advisory or releases a patch.

The flaw, which also affects systems running Windows XP, is found in the default installations of Microsoft’s IE, according to an advisory released by the security company on Thursday.

“The flaw is not wormable but allows for the remote execution (of code) with some level of end-user intervention,” said Mike Puterbaugh, eEye’s senior director of product marketing.

No one should be at risk, YET, unless someone has also discovered the vulnerability and released a virus or some other kind of exploit. Read more here.

Be the first to comment - What do you think?  Posted by Jimmy Daniels - September 16, 2005 at 12:03 pm

Categories: Windows XP   Tags: , ,

« Previous PageNext Page »