Softpanorama (slightly skeptical) Open Source Software Educational Society
May the source be with you, but remember the KISS principle ;-)
Softpanorama Malware Protection Bulletin, 2005
A former executive of McAfee agreed to pay about $757,000
to settle charges that he played a role in the company’s $622 million accounting
fraud.
I think that even $9.99 is too much, but still it is at least a reasonable price
for this kind of software :-)
IE7 shipped. The software can run on Windows XP Service
Pack 2, XP 64-bit Edition and Windows Server 2003 Service Pack 1, according to Yahoo's
Web site.
Especially valuable are the countermeasures against phishing sites. IE7 includes
powerful but mostly invisible changes to how IE handles URLs and scripts. It also
gives the user the ability to control IE add-ons. Microsoft also made significant
changes to the defaults of the "Internet Zone" and "Trusted Sites" zone to provide
defense in depth against the most dangerous IE attack vectors. The Internet zone,
where most users browse, was tightened down with two very notable changes: it runs
in Protected Mode on Windows Vista, and on older versions of Windows it relies on
the new ActiveX Opt-In feature. This should also help reduce spyware attacks in the
Internet zone. Also useful are the ability to zoom any page (long-sighted people
can read pages without glasses), a newer version of the JavaScript engine and
better compatibility with W3C standards.
As you can see, Yahoo immediately put it up for download, as they used to have
problems with IE6 on their popular Finance site :-)
October 19, 2006
(IDG
News Service) -- Yahoo Inc. put a customized
version of Internet Explorer
7 on its Web site for downloading on Wednesday,
before Microsoft Corp.'s own release of the browser.
The download page for the specialized final version of IE7 appeared during
the afternoon on Wednesday, U.S. Pacific time. Microsoft, in Redmond, Wash.,
had given Oct. 18 as a tentative release date for the product but had not made
the software available itself before Yahoo did.
Yahoo's version of IE7 includes the Yahoo toolbar and uses Yahoo's search
tool as a default. It also features two home pages, Yahoo and Yahoo News, according
to the company's Web site. It can be
downloaded here.
[Oct 8, 2006]
Users differ over benefits of Microsoft's Patch Guard --
The Patch Guard technology is already included in 64-bit
versions of Windows XP and Windows 2003
Users generally do not care. They just want better security at the lowest possible
price and with the least hassle. Symantec and McAfee are companies that were by and
large created by Microsoft's security blunders, and they have no interest in seeing
those blunders corrected. It is easy to blame Microsoft, but in this particular case
the limitations make sense. Actually there are a lot of problems with the approach
taken by Symantec (and some other security vendors): if I remember correctly, they
were accused of using rootkit technology in their products. Also, they are really
dangerous as kernel co-developers: the quality of their software is far from perfect.
October 06, 2006
(Computerworld)
-- IT managers have divided views of a simmering dispute between
two major security vendors and Microsoft Corp. over the latter's
Patch Guard technology, which prevents access to the 64-bit Windows
kernel.
Security software vendors Symantec Corp. and McAfee Inc. say
the Patch Guard technology prevents the use of certain features
in third-party tools that would make Windows safer from hackers.
McAfee this week took out a full-page advertisement in London's
Financial Times newspaper and charged that Microsoft's use
of Patch Guard is anticompetitive behavior.
Microsoft, meanwhile, contended that the technology itself closes
the 64-bit Windows kernel to unauthorized access.
"This is a double-sided sword," said Andreas Wuchner, head of
IT security architecture and strategy at Novartis Pharma AG in Basel,
Switzerland. "Microsoft got blamed in the past for not being able
to [better] protect their customers. Now that they are moving forward,
everyone starts blaming them again for being a monopolist."
... ... ...
The Patch Guard technology is already
included in 64-bit versions of Windows XP and Windows 2003,
and it will be included in the 64-bit version of the next-generation
Windows Vista operating system due out by early next year.
"In the 32-bit version of [Windows], there has always been
these undocumented and unsupported ways of modifying the kernel
while it is running," said Stephen Toulouse, senior product manager
in Microsoft's security technology unit. Such access "introduced
stability problems, performance problems and security problems,"
he said.
Symantec and McAfee argue that restricting access to Vista's
kernel hampers their ability to deliver functions such as behavior-based
virus blocking and rootkit detection. They also maintain that hackers
have already gained access to the kernel of 64-bit Windows systems
that are now shipping.
"The notion that by keeping everybody out of the kernel nothing
will happen is false," said Sarah Hicks, vice president of consumer
product management at Cupertino, Calif.-based Symantec.
A spokeswoman for Santa Clara, Calif.-based McAfee suggested
that Microsoft at least allow security vendors to access the Vista
kernel. She contended that giving security vendors access to 32-bit
versions of Windows has led to the development of "sophisticated
security technology."
... ... ...
Conversely, Lloyd Hession, chief security officer at BT Radianz,
a New York-based telecommunications provider, said that Patch Guard
appears to be a response to critics calling for such features in
Microsoft operating systems.
"I don't think you'll find a lot of sympathy for Symantec and
McAfee. They made their millions off other people's ill fortune,
if you will," he said.
Hession predicted that as more security features are bundled
into Vista, some of today's stand-alone security products will become
irrelevant. "It's a positive for users," he said, "but it sucks
to be a Symantec."
[Sep 25, 2006]
USB memory sticks pose new dangers -- U3 technology, in which a flash drive imitates
a CD/DVD to get the autorun feature, might mean the return of boot viruses on a new
technological level
September 25, 2006 (Computerworld) The ability to use tiny USB memory
sticks to download and walk away with relatively large amounts of data has already
made the ubiquitous devices a potent security threat in
corporate environments. Now, the emergence of USB flash drives that can
store and automatically run applications straight off the device could soon
make the drives even more of a security headache.
Demonstrating the potential danger, Hak.5, a security-related podcast, earlier
this month showed how a USB memory stick can -- in just a few seconds -- be
turned into a device capable of automatically installing back doors, retrieving
passwords or grabbing software product codes.
Hak.5's "hacking framework" is called USB SwitchBlade and gives hackers a
way to automate different payloads running on a USB flash drive, said Darren
Kitchen, the Williamsburg, Va.-based co-host of Hak.5.
SwitchBlade takes advantage of a relatively new technology from Redwood
City, Calif.-based U3 LLC that allows software and applications to be executed
directly from USB drives. U3's technology is designed to increase mobility by
letting users store their personal desktops -- including their programs, passwords,
user preferences and other data -- on a memory stick and then run it on any
computer without worrying about whether those applications are installed on
that system.
Unlike traditional USB flash drives, U3 memory sticks are self-activating
and can auto-run applications when inserted into a system. They're part of an
emerging set of "smart" flash drives becoming available from vendors such as
Migo Software Inc. and Route 1 Inc.
But the same functions that allow for such mobility also give hackers another
way to break into systems, said John Pescatore, an analyst at Gartner Inc. in
Stamford, Conn. "Most people think of these things as storage sticks. But U3
is a little computer on a thumb drive" that could be dangerous in the wrong
hands, he said.
Hak.5 has developed code that can replace parts of the original content on
a U3 flash drive with a payload for "instantly" retrieving Windows password
hashes when a memory stick is inserted into a computer, Kitchen said. Also available
within the Hak.5 community are payloads that in seconds can retrieve AOL Instant
Messenger and MSN passwords, browser histories and software product keys. Payloads
can also be used to install back doors and Trojan horse programs on computers.
None of the hacker tools used in SwitchBlade are new. And security analysts
have for some time now been warning that USB-connected devices such as flash
drives and iPods can be used to sneak viruses and other malware into corporate
environments.
But the fact that such tools can now be run automatically on a self-activating
flash drive makes them far more accessible and easier to exploit, said
Ken Westin, a security analyst at Centennial Software Ltd., a Swindon, England-based
IT asset management company. "The combination is creating a perfect storm,"
he said.
The Hak.5 demonstration again highlights the need for companies to adopt
holistic policies for managing USB ports, Pescatore said. "There is a growing
awareness of this problem and a desire to do more port control," he said. The
focus, however, should not just be on preventing data leaks but should also
address other potential threats, he said.
The availability of such exploits also highlights the need for companies
to disable the Windows AutoRun feature and limit administrative privileges on
end-user systems, Kitchen said. One mitigating factor is that physical access
to a computer is still required for someone to carry out an attack using a USB
drive, he said.
There are several options available to enterprises for securing USB ports
on users' systems, said Jonathan Singer, an analyst at Yankee Group Research
Inc. in Boston. Companies, for instance, can choose to disable USB ports through
group policy management -- either on their own or through third-party vendor
tools, he said. But that doesn't allow for a great deal of "granularity by system
or by user," he said. Several tools are also available from vendors such as
Centennial, SecureWave SA and SafeBoot NV, that let companies apply very granular
and specific port control rules, he said.
Companies also need to pay attention to educating users about the potential
security risks posed by USB flash drives, he said.
"If you have sensitive data, you might want to institute some sort
of USB control -- especially if you are in a regulated industry," Singer said.
"You can have a user walk away with a whole bunch of information, or someone's
PC could get owned by a USB device they picked up in a parking lot," he said.
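The article's advice boils down to two controls: stop Windows from running what the stick's autorun.inf names, and limit what a user can do if it runs anyway. The following is an added example, not code from the article or from Hak.5: a small analyzer that parses an autorun.inf (a constructed sample below, with made-up file and label names) and reports which programs it would launch and under which settings of the Explorer policy value NoDriveTypeAutoRun (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer) automatic execution is still possible. The bit layout used is the one Windows documents for that value (one bit per GetDriveType() result); the sample file and the policy values tried are assumptions for illustration. Two caveats a practitioner should keep in mind: the policy only suppresses automatic execution, so shell\verb\command entries still fire when a user opens the drive by hand, and disabling the USB mass-storage driver (USBSTOR) is the stronger control since it covers both the emulated CD-ROM and the flash partition of a U3-style device, though not devices of other USB classes. Older Windows XP/2003 builds also did not honour the value consistently for every drive type until Microsoft later reworked AutoRun handling, so treat the bitmask as the intended policy, not a guarantee.

```python
import re

# Bit positions of the NoDriveTypeAutoRun policy value.  Each bit is
# 1 << (GetDriveType() result); a set bit suppresses AutoRun for that
# drive type, so 0xFF suppresses it for every type.
NO_AUTORUN_BITS = {
    "unknown":   0x01,   # DRIVE_UNKNOWN
    "removable": 0x04,   # DRIVE_REMOVABLE (the ordinary flash partition)
    "fixed":     0x08,   # DRIVE_FIXED
    "network":   0x10,   # DRIVE_REMOTE
    "cdrom":     0x20,   # DRIVE_CDROM (what a U3 launcher partition reports)
    "ramdisk":   0x40,   # DRIVE_RAMDISK
    "other":     0x80,   # drive types not listed above
}
DISABLE_ALL = 0xFF

# Keys whose program AutoRun starts by itself, without any click.
LAUNCH_KEYS = ("open", "shellexecute")

# Constructed sample of the kind of autorun.inf a U3-style CD-ROM partition
# carries.  Names are invented for this example, not taken from a device.
SAMPLE_AUTORUN_INF = r"""
; constructed sample, not taken from any real device
[AutoRun]
open=LaunchPad.exe
icon=LaunchPad.exe,0
label=Portable Apps
action=Open the application launcher
shell\open\command=LaunchPad.exe
"""


def parse_autorun_inf(text):
    """Return the key/value pairs of the [autorun] section.

    Windows treats section and key names case-insensitively and ignores
    lines starting with ';', so the parser does the same.  Keys found in
    other sections are ignored.
    """
    keys = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            keys[key.strip().lower()] = value.strip()
    return keys


def launch_targets(keys):
    """Split the launch entries: 'open'/'shellexecute' run automatically
    where AutoRun is enabled; shell\\<verb>\\command entries replace the
    drive's double-click and context-menu actions, so they run even with
    automatic execution off once a user opens the drive by hand."""
    automatic = [(k, v) for k, v in keys.items() if k in LAUNCH_KEYS]
    on_click = [(k, v) for k, v in keys.items()
                if k.startswith("shell\\") and k.endswith("\\command")]
    return {"automatic": automatic, "on_click": on_click}


def autorun_suppressed(policy_value, drive_type):
    """True if NoDriveTypeAutoRun switches AutoRun off for this drive type."""
    return bool(policy_value & NO_AUTORUN_BITS[drive_type])


def assess(text, policy_value):
    """What an inserted device could start under the given policy value."""
    keys = parse_autorun_inf(text)
    targets = launch_targets(keys)
    exposed = [d for d in ("removable", "cdrom")
               if not autorun_suppressed(policy_value, d)]
    return {
        "automatic": targets["automatic"],
        "on_click": targets["on_click"],
        "auto_exec_drive_types": exposed if targets["automatic"] else [],
    }


if __name__ == "__main__":
    # 0x91 leaves the CD-ROM and removable bits clear; 0xFF sets them all.
    for policy in (0x91, DISABLE_ALL):
        print(hex(policy), assess(SAMPLE_AUTORUN_INF, policy))
```

Run against a real stick, the analyzer is a triage aid: the "automatic" entries are what the article's "insert and walk away" scenario depends on, the "on_click" entries are what survives an AutoRun policy and only a USBSTOR block or a port-control product removes.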
The results of the security software were quite shocking. I've always known
that being most involved with the system, antivirus and firewall programs are
going to make things slower, but I was just completely astounded by the Norton
result when compared against the other software on show. Fonts were as, if
not more, amazing. I know people always say not to install too many fonts (which
is really hard when you have a DVD full of them), but this is the first proof
I've seen that shows fonts have a massive effect on the Windows load time.
One conclusion that we can take from this is software that makes many, many
changes to the system when it installs is going to have a larger effect on Windows
boot timings. Examples of this were shown by the .NET runtime (both standalone
and part of Visual Studio) and the fonts which get scooped up by system services.
VMWare Workstation installs a lot of system drivers to emulate hardware properly
which also goes a long way to slow down a computer. Furthermore, if that software
loads at boot, this is going to have an added knock-on effect, shown best by
the antivirus programs and the chat clients.
Microsoft today posted a mildly revised and more secure Beta 3 version
of Internet Explorer 7 free for
public download.
New features and functionality in the Beta 3 release include:
- All security updates for IE7 released through June.
- The ability to drag-and-drop reorder browser tabs in the tabbed-browsing
bar.
- The reappearance of the optional read e-mail button for the customizable
"Command" bar, or main toolbar.
- The Web page zoom-in scaling feature adds a horizontal scroll bar automatically.
- A global RSS feed settings dialog.
- A global RSS "refresh now" function.
- Additional work carried out since the Beta 2 release aimed at improving
Web-site compatibility.
"SecurityFocus has published an
interesting
interview with
Rachna Dhamija,
co-author of the paper 'Why
Phishing Works' and creator of
Dynamic Security Skins (a plugin for Mozilla). She presented some very interesting
results from her research efforts, for example 'simply showing a user's history
information ("you've been to this website many times" or "you've never submitted
this form before") can significantly increase a user's ability to detect a spoofed
website and reduce their vulnerability to phishing attacks.' She also suggested
to 'make it easy for users to personalize their interfaces. Look at how popular
screensavers, ringtones, and application skins are — users clearly enjoy the
ability to personalize their interfaces. We can take advantage of this fact
to build spoof resistant interfaces.'"
Download details: Internet Explorer 7 Beta 2 Preview, Technology Overview. Better
late than never: Microsoft raised the security bar in IE7 by requiring every browser
window to have an Address Bar. Because hackers have often abused valid pop-up window actions to
display windows with misleading graphics and data as a way to convince users to
download or install their malware, the requirement of an Address Bar in each
window will help ensure that users always know more about the true source of information
they are seeing. Internet Explorer 7 IDN rules force the display of the
Punycode domain name format when multiple character sets are contained within
a single domain name label. For example, the URL http://www.microsóft.com
would be displayed in punycode since it mixes both the French and English character
sets in the same label portion. The address bar would display www.xn--microsft-03a.com,
alerting the user and calling attention to the suspicious URL. The URL http://ŵŵŵ.microsoft.com
would be displayed correctly because the language character sets are contained in
separate labels.
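The display rule above is easy to get wrong, so here is an added example (written for this page, not code from Microsoft or from IE7) that applies it label by label in Python. The overview's "character sets" are approximated as ASCII letters versus non-ASCII letters within one label, which is what makes microsóft fail and a wholly accented label such as ŵŵŵ pass; the example also generalizes the check to letters from more than one Unicode script in a label, the classic homograph case of a Cyrillic "а" dropped into a Latin name, which the overview does not spell out. Script detection via the first word of the Unicode character name and the Punycode conversion through Python's idna codec are the example's own choices; IE7's real per-language tables are not reproduced.

```python
import unicodedata


def letter_script(ch):
    """Unicode script family of a letter, taken from the first word of its
    character name ('LATIN', 'CYRILLIC', 'GREEK', ...).  Digits, hyphens and
    other non-letters belong to no script and return None."""
    if not ch.isalpha():
        return None
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:             # unnamed code point: count it as its own script
        return "UNASSIGNED"


def label_mixes_character_sets(label):
    """Decide whether one DNS label must be shown as Punycode.

    Both tests are applied per label, as the overview requires (labels are
    judged independently, so ŵŵŵ.microsoft.com stays in Unicode):
      1. ASCII letters mixed with non-ASCII letters, the approximation of
         the overview's 'French and English character sets' rule;
      2. letters from more than one Unicode script, which catches a
         Cyrillic 'а' hidden inside an otherwise Latin label.
    """
    scripts = {s for s in map(letter_script, label) if s is not None}
    has_ascii_letter = any(ch.isascii() and ch.isalpha() for ch in label)
    has_non_ascii = any(not ch.isascii() for ch in label)
    return (has_ascii_letter and has_non_ascii) or len(scripts) > 1


def display_label(label):
    """Unicode form if the label is uniform, Punycode (xn--...) otherwise."""
    if label.lower().startswith("xn--"):
        # Already encoded: decode it so the real characters are judged.
        label = label.encode("ascii").decode("idna")
    if label.isascii() or not label_mixes_character_sets(label):
        return label
    return label.encode("idna").decode("ascii")


def display_hostname(host):
    """Render each label of a host name the way the address bar would."""
    return ".".join(display_label(part) for part in host.split("."))


if __name__ == "__main__":
    for h in ("www.microsóft.com", "ŵŵŵ.microsoft.com", "www.p\u0430ypal.com"):
        print(h, "->", display_hostname(h))
```

Note that the second test is the one with real teeth: a pure Cyrillic label looks uniform to both tests and is shown in Unicode, which is correct, while a Latin label with a single Cyrillic look-alike letter is forced into Punycode even though every character is a "letter".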
Web browsers perform a broad range of functions in the computing
environment. They must be open and flexible enough to enable users to interact
with multiple data sources housed on a range of systems around the globe and
at the same time be secure enough to prevent unwanted data access or application
behaviors. Managing this balance is a top priority for Microsoft’s customers.
The combination of the ubiquitous and essential nature of the Web browser with
the requirement for bidirectional network communications gives browsers the
unenviable responsibility of being both a critical element of the computing
infrastructure and the primary attack point for malicious software.
Vulnerabilities exist in all sophisticated software code; the
differences essentially come down to the degree of difficulty required to exploit
them and what a hacker can do upon exploiting them. Further, some security vulnerabilities
are not even technological in nature. For example, malicious individuals can
exploit social behaviors and user misinformation techniques, resulting in users
being tricked into turning over personally identifiable information through
obscured Web sites, confusing dialog boxes and unexpected add-on behavior. Web
browsers represent an alluring target for hackers because many users can be
easily confused and, historically, have not applied all security updates in
a timely manner.
Windows XP SP2 greatly improved security in the operating system
and the browser. Internet Explorer 7 on Windows XP and Windows Vista goes well
beyond those changes, providing a significantly strengthened browser by eliminating
legacy code to deliver stronger and more secure software. Along with the Microsoft
Windows Defender application (currently in beta testing and formerly known as
Windows AntiSpyware), Internet Explorer 7 helps users achieve an unprecedented
level of security protection.
Microsoft has two primary security objectives with Internet Explorer
7:
-
Protection against malware.
Microsoft is committed to giving customers more confidence in the security
of their browsing activity and helping to prevent the installation of malicious
software. The company defines malware as all malicious code or unwanted
software, including worms, viruses, adware and spyware.
-
Personal data safeguards.
Microsoft aims to protect users from phishing attacks, prevent fraudulent
Web sites from stealing user data, and help users more safely and securely
engage in legitimate e-commerce without divulging their personal information
unintentionally.
Malware, short for malicious software, refers to software applications
designed to damage or disrupt a user’s system. The proliferation of malware
and its impact on security is a driving force behind the design of Internet
Explorer 7. The new version has been improved to reduce the potential for hackers
to compromise a user’s browser or system. In addition, Internet Explorer 7 includes
several technical features designed to thwart hackers’ efforts to lead users
into giving away personal data when they should not. Core parts of the browser’s
architecture also have been fortified to better defend against exploitation
and improve the way the browser handles data.
Historically, attackers have taken advantage of internal code
design issues within the Web browser to attack a system. A hacker would rely
on a user clicking on an HTML link referencing some type of malformed URL that
contains odd or excessive characters. In the process of parsing the URL, the
system’s buffer would overflow and execute some code the hacker wanted to install.
Given the size of Web browser application code, the most efficient solution
to fixing these types of attacks was to issue updates as each was discovered
and the root cause identified. Yet even with only a handful of such updates
required, the more optimal solution was to rewrite the baseline application
code. Internet Explorer 7 benefits from these experiences and the analysis of
attack signatures. Rewriting certain sections of the code has drastically reduced
the internal attack surface of Internet Explorer 7 by defining a single function
to process URL data. This new data handler ensures higher reliability while
providing greater features and flexibility to address the changing nature of
the Internet as well as the globalization of URLs, international character sets
and domain names.
Internet Explorer offers Web developers the ActiveX®
platform as a mechanism to greatly extend browser capabilities and enhance online
experiences. Some malicious developers have co-opted the platform to write harmful
applications that steal information and damage user systems. Many of these attacks
were made against ActiveX Controls shipped within the Windows operating system,
even though the controls were never intended to be used by Internet-facing applications.
Internet Explorer 7 offers users a powerful new security mechanism for the ActiveX
platform. ActiveX Opt-In automatically disables entire classes of controls —
all controls the user has not previously enabled — which greatly reduces the
attack surface. This new feature mitigates the potential misuse of preinstalled
controls. Users will now be prompted by the Information Bar before a previously
installed but as-yet unused ActiveX Control can be accessed. This notification
mechanism will enable users to permit or deny access when viewing unfamiliar
Web sites. For Web sites that attempt automated attacks, ActiveX Opt-In protects
users by preventing unwanted access and giving the user total control. If the
user opts to permit loading an ActiveX Control, the appropriate control is easily
enabled by clicking in the Information Bar.
Cross-domain scripting attacks involve a script from one Internet
domain manipulating content from another domain. For example, a user might visit
a malicious page that opens a new window containing a legitimate page (such
as a banking Web site) and prompts the user to enter account information, which
is then extracted by the hacker. Internet Explorer 7 has been improved to help
deter this malicious behavior by appending the domain name from which each script
originates and limiting that script’s ability to interact only with windows
and content from that same domain. These cross-domain script barriers will help
ensure that user information remains in the hands of only those the user intentionally
provides it to. This new control will further protect against malware by limiting
the potential for a malicious Web site to manipulate flaws in other Web sites
and initiate the download of some undesired content to a user’s PC.
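The barrier described here is the same-origin policy. As an added example (not the IE7 overview's or Microsoft's code), the Python below tags a page with the (scheme, host, port) triple that browsers compare and answers the question in the paragraph: may a script from one page touch a window showing another? It also models the one sanctioned relaxation, document.domain, where both pages must set the same parent domain before they can script each other. The triple including the port is the modern standard rule; IE's own comparison historically ignored the port, so this example is slightly stricter than IE7 itself. The URLs in the usage block are made up.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}


def origin(url):
    """The (scheme, host, port) triple a script is tagged with.  A missing
    port means the scheme's default, so http://a.example and
    http://a.example:80 are one origin; https://a.example is another."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def is_parent_domain(host, domain):
    """True if `domain` is `host` itself or one of its parent domains,
    the only values a page may assign to document.domain."""
    return host == domain or host.endswith("." + domain)


def may_script(script_url, target_url, script_domain=None, target_domain=None):
    """May a script loaded from script_url read or modify a window showing
    target_url?  Same origin: yes.  Otherwise only the document.domain
    relaxation applies: both pages must have set the same value, the
    schemes must still match, and the value must be a parent domain of
    each host (an attacker cannot claim a domain it is not under)."""
    s, t = origin(script_url), origin(target_url)
    if s == t:
        return True
    if script_domain and script_domain == target_domain and s[0] == t[0]:
        return (is_parent_domain(s[1], script_domain)
                and is_parent_domain(t[1], target_domain))
    return False


if __name__ == "__main__":
    # The scenario from the text: a malicious page opens the bank's page.
    print(may_script("http://attacker.example/lure.html",
                     "https://bank.example/login"))          # False
    # Two subdomains of the bank that both opted in via document.domain.
    print(may_script("http://www.bank.example/", "http://accounts.bank.example/",
                     "bank.example", "bank.example"))        # True
```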
Available only to users running Internet Explorer 7 in Windows
Vista, Internet Explorer Protected Mode will provide new levels of security
and data protection for Windows users. Designed to defend against “elevation
of privilege” attacks, Protected Mode provides the safety of a robust Internet
browsing experience while helping prevent hackers from taking over the browser
and executing code through the use of administrator rights.
In Protected Mode, Internet Explorer 7 in Windows Vista is completely
unable to modify user or system files and settings. All communications occur
via a broker process that mediates between the Internet Explorer browser and
the operating system. The broker process is initiated only when the user clicks
on the Internet Explorer menus and screens. The highly restrictive broker process
prohibits work-arounds from bypassing the Protected Mode. Any scripted actions
or automatic processes will be prevented from downloading data or affecting
the system. Specifically, Component Object Model (COM) objects will only be
self-aware and will have no reference information by which to identify and attack
other applications or the operating system.
Internet Explorer Protected Mode helps protect users from malicious
downloads by restricting the ability to write to any local machine zone resources
other than temporary Internet files. Attempting to write to the Windows Registry
or other locations will require the broker process to provide the necessary
elevated permissions. Internet Explorer Protected Mode also offers tabbed browsing
security protection by opening new windows — rather than new tabs — for content
contained outside the current security zone.
Fix My Settings
Knowing that most users are likely to install and operate applications
using the default configuration, Internet Explorer 7 ships with security settings
designed to provide the maximum level of usability while maintaining controlled
security. There are legitimate reasons why a custom application may require
a user to lower security settings from a default, but it is critical the user
reverse those changes when they are no longer needed. Internet Explorer
7 introduces users to the new Fix My Settings feature to keep users protected
from browsing with unsafe settings. This new feature in Internet Explorer
7 warns users with an Information Bar when current security settings may put
them at risk. When a user makes changes in the security settings window,
they will see settings automatically highlight in red if they modify certain
critical items. In addition to dialog alerts warning the user about unsafe
settings, the user will be reminded by the Information Bar as long as the settings
remain unsafe. Users can instantly reset the security settings to the
‘Medium-High’ default level by clicking the ‘Fix My Settings’ option in the
Information Bar.
Microsoft Windows Defender enhances security and privacy protections
when used with Internet Explorer 7. Extending the protections against malware
at the browser level, Windows Defender helps prevent malware entering the machine
via piggy-back download, a common mechanism by which spyware is distributed
and installed silently along with other applications.
Although the improvements in Internet Explorer 7 cannot stop
non-browser-based spyware from infecting the machine, using it with Windows
Defender will provide a solid defense on several levels. Windows Defender is
available in a beta release now for Windows XP SP2 and will also be in Windows
Vista.
Most users are unaware of how much personal, traceable data is
transmitted with every click of the mouse while they are browsing the Web. The
extent of this information continues to grow as browser developers and Web site
operators evolve their technologies to enable more powerful and convenient user
features. Similarly, most online users are likely to have trouble discerning
a valid Web site from a bogus copy.
The extent to which convenience and discount pricing are
available online gives users an attractive reason to click and buy. The Internet
enables any large or small business to easily create an online storefront for
selling goods, enabling the business to reach a consumer audience well beyond
traditional physical and geographic boundaries. Search engine marketing efforts
allow these Web sites to establish instant consumer credibility and reach millions
of users through some of the largest search engines or portal Web sites. The
combination of these factors creates situations in which consumers are dealing
with distant businesses and left with fewer concrete mechanisms to differentiate
legitimate businesses from those seeking to collect their information for improper
gain. Another challenge facing users is the ability for malicious Web site operators
to abuse the same search listing services to attract unsuspecting consumers
to knockoff Web sites designed to mimic the appearance and function of well-known
and trusted businesses.
A technique used by many malicious Web site operators to
gather personal information is known as phishing — masquerading online as a
legitimate person or business for the purpose of acquiring sensitive information.
Such fake Web sites designed to look like the legitimate sites are referred
to as spoofed sites. Over the past year, phishing attacks have been reported
in record numbers, and identity theft is emerging as a major threat to personal
financial security. In the past year, the number of confirmed phishing sites
has grown fivefold — from 580 to more than 3,000 (source: Anti-Phishing Working
Group, April 2005 report).
Unlike direct attacks where hackers break into a system to obtain
account information, a phishing attack does not require technical sophistication
but instead relies on users willingly divulging information such as financial
account passwords or Social Security numbers. These socially engineered attacks
are among the most difficult to defend because they require user education and
understanding rather than merely issuing an update for an application. Even
experienced professionals can be fooled by the quality and details of some phishing
Web sites as hackers become more experienced and learn to react more quickly
to avoid detection.
Internet Explorer 7 offers a range of enhancements and
solutions to better protect against malicious Web site operators and help prevent
users from becoming victims of confusing URLs. The new Security Status Bar,
located next to the Address Bar, is designed to help users quickly differentiate
authentic Web sites from suspicious or malicious ones. In addition, Internet
Explorer provides a simple file cleanup utility.
Certificates also play an essential role for users in validating
e-commerce Web sites and helping to thwart phishing scams. Internet Explorer
7’s Security Status Bar enhances access to certificate information by placing
it more prominently in front of users and providing single-click access to the
certificate.
Security Status Bar
Over the past few years, Web browser users have been introduced
to the concept of encrypted communications and secure sockets layer (SSL) technologies
to better protect their information from being obtained by third parties. Although
many users have become quite familiar with SSL and its associated security benefits,
a large proportion of Internet users remain overly trusting that any Web site
asking for their confidential information must be protected. With the explosion
of small- and home-based business Web sites selling goods that span the pricing
spectrum, users are even more likely to encounter unknown entities asking for
their financial information. The combination of these factors creates a situation
ripe for abuse. Internet Explorer 7 addresses this issue by providing users
with clear, prominent, color-coded visual cues to the safety and trustworthiness
of a Web site. With the assistance of Internet Explorer 7 to help identify legitimate
Web sites, users can more confidently browse and shop anywhere on the Internet.
Previous versions of Internet Explorer placed a gold padlock
icon in the lower-right corner of the browser window to designate the trust
and security level of the connected Web site. Given the importance and inherent
trust value associated with the gold padlock, Internet Explorer 7’s new Security
Status Bar places it more prominently in users’ line of sight. Users can now
view the certificate information with a single click on the padlock icon. The
Security Status Bar also supports information about High Assurance (HA) certificates
for those sites meeting guidelines for better entity identity validation. Users
can benefit from support for HA certification by having instant visual
access to the increased validation of authenticity for a given Web site. To
provide users with another visual cue designed to help them recognize questionable
Web sites, the padlock now appears on a red background if Internet Explorer
7 detects any irregularities in the site’s certificate information. By contrast,
trusted Web sites will clearly display the name of the certificate owner and
a gold background to indicate that users can provide confidential data.
Developers of phishing and other malicious activities thrive
on lack of communication and limited sharing of information. Using an online
service that is updated several times an hour, the new Phishing Filter in Internet
Explorer 7 consolidates the latest industry information about fraudulent Web
sites and shares it with Internet Explorer 7 customers to proactively warn and
help protect them. The filter is designed around the principle that, to be effective,
early warning systems must derive information dynamically and update it frequently.
The Phishing Filter combines
client-side scans for suspicious Web site characteristics with an opt-in online
service. It helps protect users from phishing scams in three ways:
1. It compares the addresses of Web sites a user attempts to visit with a list
of reported legitimate sites that is stored on the user's computer.
2. It analyzes sites that users want to visit by checking those sites for
characteristics common to phishing sites.
3. It sends the Web site address that a user attempts to visit to an online service
run by Microsoft to be checked immediately against a frequently updated list of
reported phishing sites.
Internet Explorer 7 uses the
Security Status Bar to signal users (in yellow) if a Web site is suspicious.
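To make the three-step pipeline concrete, here is an added example in Python that is not Microsoft's filter and does not use its service: a classifier that runs the checks in the order listed above and returns the verdict the status bar would signal. The local list of legitimate sites, the reported-phishing list that stands in for the online lookup, and the set of imitated brand names are all constructed for this illustration, and the "characteristics common to phishing sites" are the example's own assumptions (raw IP hosts, a user-info part before "@", unusually deep host names, a brand name used outside the brand's own domain), since the overview does not disclose IE7's. The registered-domain approximation (last two labels) is deliberately crude; a real filter would use the public-suffix list.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-ins for the filter's three data sources.  Real
# deployments load the legitimate-site list from disk and query the
# reported-site list from the online service.
KNOWN_LEGITIMATE = {"www.microsoft.com", "www.paypal.com"}
REPORTED_PHISHING = {"secure-paypal-login.example.net"}
BRANDS = {"paypal", "microsoft", "ebay"}     # names phishers like to imitate

MAX_LABELS = 5   # host names deeper than this are unusual for consumer sites


def registered_domain(host):
    """Crude 'who owns this name' approximation: the last two labels."""
    return ".".join(host.split(".")[-2:])


def heuristics(url):
    """Client-side characteristics check.  Returns a list of findings;
    an empty list means nothing looked wrong."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []

    try:                                   # 1. numeric host instead of a name
        ipaddress.ip_address(host)
        findings.append("host is a raw IP address rather than a name")
    except ValueError:
        pass

    if parts.username is not None:         # 2. http://www.bank.com@evil.example/
        findings.append("user-info before '@' hides the real host")

    labels = host.split(".")
    if len(labels) > MAX_LABELS:           # 3. www.paypal.com.login.x.y.example
        findings.append("unusually deep host name")

    # 4. brand token in a host label (split on '-') or path segment while the
    #    registered domain belongs to someone else.
    owner_label = registered_domain(host).split(".")[0]
    tokens = {t for lab in labels for t in lab.split("-")}
    tokens |= {seg.lower() for seg in parts.path.split("/") if seg}
    for brand in sorted(BRANDS & tokens):
        if brand != owner_label:
            findings.append(f"brand name '{brand}' used outside its own domain")
    return findings


def classify(url, reported=REPORTED_PHISHING, legitimate=KNOWN_LEGITIMATE):
    """Run the three checks in the filter's order and return (verdict,
    findings): 'trusted' (on the local legitimate list, no further checks),
    'phishing' (on the reported list: red, block), 'suspicious' (heuristics
    only: yellow warning) or 'unknown'."""
    host = (urlsplit(url).hostname or "").lower()
    if host in legitimate:
        return "trusted", []
    findings = heuristics(url)
    if host in reported:                   # stand-in for the online lookup
        return "phishing", findings + ["host is on the reported-phishing list"]
    if findings:
        return "suspicious", findings
    return "unknown", []


if __name__ == "__main__":
    for u in ("https://www.paypal.com/signin",
              "http://192.0.2.10/paypal/login",
              "http://www.paypal.com@evil.example.org/",
              "http://secure-paypal-login.example.net/",
              "https://www.example.org/"):
        print(u, "->", classify(u))
```

The ordering matters for privacy as much as for accuracy: a hit on the local legitimate list short-circuits before any address would be sent to the online service, which is exactly why that list is kept on the user's computer.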
Hi, my name is John Hrvatin and I'm the program
manager for Internet Explorer setup. I'd like to share some of the ways setup
in IE 7 helps keep you more secure and IE running smoothly.
Prior to installing IE 7, setup runs the
Windows Malicious Software Removal Tool to clean your system of known malware
and help prevent problems installing IE 7 or running it for the first time.
If you keep your computer up-to-date using
Windows Update,
which hopefully everyone does, you will already have the latest version of the
cleaner. In that case, setup will re-run the installed version; otherwise, it
will download and run the latest version.
Setup also makes sure you have the latest-and-greatest
by downloading and installing any available IE updates. In previous versions
of IE, users had to install updates after IE installation and anyone who didn’t
was out-of-date. In IE 7, setup takes care of the updates so you can get right
to using IE 7.
[Feb 17, 2006]
Download details: Windows® Defender (Beta 2). This is a new, better version of
the tool that was known as Microsoft Windows AntiSpyware (Beta). Upgrade is highly
recommended...
Windows Defender (Beta 2) is a free program that
helps you stay productive by protecting your computer against pop-ups, slow
performance and security threats caused by spyware and other potentially unwanted
software.
This release includes enhanced features that reflect
ongoing input from customers, as well as Microsoft’s growing understanding of
the spyware landscape.
Specific features of Windows Defender Beta 2 include:
- A redesigned and simplified user
interface – Incorporating feedback from our customers,
the Windows Defender UI has been redesigned to make common tasks easier
to accomplish with a warning system that adapts alert levels according to
the severity of a threat so that it is less intrusive overall, but still
ensures the user does not miss the most urgent alerts.
- Improved detection and removal
– Based on a new engine, Windows Defender is able to detect and remove more
threats posed by spyware and other potentially unwanted software. Real Time
Protection has also been enhanced to better monitor key points in the operating
system for changes.
- Protection for all users
– Windows Defender can be run by all users on a computer with or without
administrative privileges. This ensures that all users on a computer are
protected by Windows Defender.
- Support for 64-bit platforms, accessibility
and localization - Windows Defender Beta 2 also
adds support for accessibility and 64-bit platforms. Microsoft also plans
to release German and Japanese localized versions of Windows Defender Beta
2 soon after the availability of the English versions. Use WindowsDefenderX64.msi
for 64-bit platforms.
Important Notes
- Microsoft Windows AntiSpyware (Beta):
Windows Defender (Beta 2) is the final name for Microsoft’s antispyware
solution. Current Windows AntiSpyware (Beta 1) customers will be notified
automatically to upgrade.
- Globalization:
The current beta is in the English language although we will deliver German
and Japanese localized versions. All versions can be installed on any locale
but the user interface will only be delivered in these three languages for
testing purposes.
- Beta Support Policy:
This is pre-release (beta) software distributed for feedback and testing
purposes. Microsoft only provides best effort support through the newsgroups.
If Windows Defender (Beta 2) is causing an issue with your system, we recommend
removing it by using Add or Remove Programs and even using System Restore
if the problem persists.
- Access to Newsgroups:
Although formal support is not offered for this beta, we have provided
newsgroups to help get your questions answered.
[Feb 10, 2006]
Slashdot: Microsoft Anti-Spyware Removes Norton Anti-Virus. MS Antispyware is
one of the best tools. Norton AV (home edition) is very questionable bloatware.
So removal is not a big deal. It might even be a "good thing".
(Score:5, Informative)
If MS Antispyware wipes out your Norton install, the fastest and easiest
way to clean out Norton to prepare for a reinstall is with Symantec's Norton
Removal Tool, aka SymNRT. It's available for free from their website and
is designed for situations like this where the install gets corrupted and
you can't remove it.
The tool removes every trace of Norton from your system. It does a better
job than the normal uninstaller.
(Score:5, Informative)
Seriously. Considering how good NAV is at sucking up memory and CPU cycles,
the only way anyone probably noticed was when their computer suddenly seemed
much smoother and more responsive.
I agree. I am a computer services provider for mostly home users and
I often find NAV and internet tools to be single greatest contributor to
draining system resources. I usually recommend disabling NAV, using safe
internet practices, and scanning weekly or if there appears to be a problem.
(Score:3, Interesting)
That is most likely the Corporate version of Symantec AV, which is *far*
better than the desktop version that most people usually purchase. The corp
version just sits in the tray until something comes along that might need
some attention.
(Score:5, Informative)
Well that's not surprising considering NAV runs at least 14 processes. I
think it might be 15 including that glorified advertisement they call Norton
Protection Center.
We're still selling it at the shop that I work at. I'm not sure why... We
recommend AVG Free for most people, but for business users we sell NAV.
(Score:5, Funny)
Just because these products must use continuous system resources doesn't
mean they need all of them. That would kind of defeat the purpose of having
a computer.
But the purpose of having a computer is to run anti virus software, spy
ware detectors, and firewalls. Between running those tools and updating
the system there is not much time or resources for anything else.
(Score:5, Informative)
Microsoft knows something we don't?
Norton/Symantec hasn't always been nice (are they now?) - remember when
Norton Utilities couldn't be removed on DOS installations? The only option
was to totally format the drive and start over. I know people who won't
even try Norton/Symantec products after all of those years because of these
types of problems.
(Score:5, Informative)
This was a full product called Giant Anti-spyware that MS acquired.
"Beta" is their term.
75% of my private client calls involve removing malware, and the MS product
is a champ at this task.
MS antispyware gives you a summary screen that breaks down each item it
found,
assigns it a perceived threat rating, and gives you the choice to "Remove,
Ignore, Quarantine."
So, anyone watching with any degree of care should notice that Norton was
one of the choices
and simply select the "ignore" option.
Personally, I haven't seen this happen myself.
I agree with many other posters that Norton isn't that great of a product.
I've noticed their firewall suddenly, without provocation, start blocking
all websites.
I've also noticed their antivirus turn itself off for no reason, never
to be turned on again. Reinstalling is often interesting, since even the
least little trace of the product prevents an install/reinstall, but it
almost never uninstalls cleanly.
Netscape 8.1 offers built-in spyware and adware protection that scans files
that Web users try to download as well as those that are sent to them without
their interaction, according to a representative for Netscape, a division of
Time Warner's America Online subsidiary. The updated browser will also let consumers
run complete memory and disk scans.
Other security features include an updated blacklist of potential phishing
sites and a security center people can access to see if they need to take action
on their computer.
Netscape's move to increase security features comes as malicious attackers
are increasingly
targeting browser flaws, including vulnerabilities
found last spring in Netscape's browser.
The latest version of the browser also offers updates designed to enhance
its RSS (Really Simple Syndication) support. RSS feeds, for example, can be
viewed within the browser rather than requiring a separate viewer.
In addition, a new profile manager is designed to let multiple Web users
share the same browser but maintain different bookmarks, passwords and other
customizations.
The Windows operating system expert who exposed
Sony BMG Music Entertainment's use of "rootkit" cloaking techniques last year
is now criticizing security vendors Symantec Corp. and Kaspersky Lab Ltd. for
shipping software that works in a similar manner.
Mark Russinovich, chief software architect with
systems software company Winternals Software LP, says that the techniques used
by Symantec's Norton SystemWorks and Kaspersky's Anti-Virus products are rootkits,
a term usually reserved for the techniques used by malicious software to avoid
detection on an infected PC. There is "no good justification," for the use of
such techniques, Russinovich said. "If the vendor believes that the implementation
of their software requires a rootkit then I think they need to go back and re-architect
it."
Both Symantec and Kaspersky concede that they
have shipped software that hides information from system tools, but they told
IDG News Service that they disagreed with Russinovich's use of the term rootkit,
saying that because their software was not designed with malicious intent, it
should not be lumped into the same category.
Still, both companies appeared sensitive to Russinovich's
criticism.
Symantec on Tuesday issued a
patch to SystemWorks that disabled the cloaking feature. On Thursday, a
representative from Kaspersky said that it was possible that his company could
take similar action. "I don't know whether we've got a plan to do that, but
that's obviously one thing that we could do here," said David Emm, a senior
technology consultant with Kaspersky.
Unlike Sony's XCP (Extended Copy Protection)
software, the Symantec and Kaspersky products do not cloak the fact that certain
pieces of software are running on the computer. Instead, they hide data
... ... ...
Kaspersky's use of cloaking software is more
recent. With version 5 of its Kaspersky Anti-Virus software, first released
about a year ago, the company used cloaking techniques to hide "checksum" information
that the software used to determine which files on the computer it had or had
not scanned.
... ... ...
While Russinovich agreed
that the Symantec and Kaspersky cloaking techniques are not as dangerous as
Sony's, which was ultimately exploited by virus writers, he said that all three
vendors were engaging in a practice that was bad for users and IT professionals.
"You don't want IT not knowing what's on the systems,"
he said. "Not being able to go to the system to do software inventory and disk
space inventory, that's just not a good idea."
A new Windows Metafile (WMF) vulnerability potentially affects most versions
of Windows (including 2000 and XP), and could theoretically be exploited to
install arbitrary programs on the system by tricking a user into viewing
a maliciously formatted Metafile image on computers where shimgvw.dll is registered
(see below on how to temporarily disable it until the patch is available).
This is not an automatic self-propagating vulnerability; therefore even on
unpatched PCs it potentially affects only naive users (children, senior people),
very gullible users, or users inclined to visit "grey" or "black" Internet sites
or respond to unsolicited e-mail advertising:
- In a Web-based attack scenario, an attacker would have to host
a Web site that contains a Web page that is used to exploit this
vulnerability. An attacker would have no way to force users to visit a malicious
Web site. Instead, an attacker would need to use social engineering to persuade
a naive user to visit the Web site, typically by getting them to click a
link that takes them to the attacker's Web site.
- In an E-mail based attack scenario involving the current exploit, a
user would have to be persuaded to click on a link within a malicious e-mail
or open an attachment that exploited the vulnerability.
- An attacker who successfully exploited this vulnerability could only
gain the same user rights as the local user. Users whose accounts are configured
to have fewer user rights on the system could be less impacted than users
who operate with administrative user rights.
Due to those mitigating factors Microsoft Corp. said today that it does not
plan to release a fix for the Windows Metafile (WMF) flaw
until Jan. 10,
when a patch will be included as part of the company's
scheduled monthly updates for January.
Microsoft has completed development of a patch for the flaw and is now testing
it for quality and application compatibility, the company said in an
advisory
updating an earlier advisory released last week. The update will be available
at Microsoft's Download Center. "Microsoft has been carefully monitoring the
attempted exploitation of the WMF vulnerability since it became public last
week, through its own forensic capabilities and through partnerships within
the industry and law enforcement," the company said in its statement. " Although
the issue is serious and malicious attacks are being attempted, Microsoft's
intelligence sources indicate that the attacks are not widespread."
This attack targets a flaw in the way Windows handles malicious files
in the WMF format. For example, one such attack arrives in an e-mail message
titled "happy new year," bearing a malicious file attachment called "HappyNewYear.jpg"
that is really a disguised WMF file.
To protect yourself (especially important for home users, who are not
protected by a mail gateway and corporate firewall) you can unregister the DLL
by executing the following command on the command line (or via Start -> Run):
Windows 2000:
regsvr32 -u C:\WinNT\system32\shimgvw.dll
Windows XP:
regsvr32 -u C:\Windows\system32\shimgvw.dll
In case this leads to problems with applications (very unlikely) you can
register the DLL again using the command:
Windows 2000:
regsvr32 C:\WinNT\system32\shimgvw.dll
Windows XP:
regsvr32 C:\Windows\system32\shimgvw.dll
Please note that attacks can come in attachments with files that have any
extension. For example, any graphic extension can be used. One reported attack
used JPEG (extension .jpg). Even though the file has an extension classifying it
as a JPEG file, Windows recognizes that the content is actually a WMF and attempts
to execute the code it contains.
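Because the handler is chosen by content rather than by extension, a mail gateway or attachment scanner has to make the same decision in reverse: identify the real format from the bytes and ignore the name. The following is an added example (not from the original bulletin or from Microsoft); the signatures are the documented WMF, EMF, JPEG, PNG, GIF, BMP and TIFF magic bytes, and the sample attachments are constructed minimal headers, not real image or exploit files:

```python
"""Content-type check for mail attachments: does the real format match the extension?

Added example, not Microsoft's code. Sample bytes are constructed header stubs.
"""
import os

# Documented magic bytes at offset 0 (EMF carries its " EMF" signature at offset 40).
PLACEABLE_WMF = b"\xd7\xcd\xc6\x9a"                        # Aldus placeable key 0x9AC6CDD7
STANDARD_WMF = (b"\x01\x00\x09\x00", b"\x02\x00\x09\x00")   # META_HEADER: type 1/2, size 9 words
JPEG = b"\xff\xd8\xff"
PNG = b"\x89PNG\r\n\x1a\n"
GIF = (b"GIF87a", b"GIF89a")
BMP = b"BM"

# What each extension claims to contain (the extensions listed in the bulletin).
EXT_TO_FORMAT = {
    ".jpg": "jpeg", ".jpeg": "jpeg", ".jpe": "jpeg", ".jfif": "jpeg",
    ".png": "png", ".gif": "gif", ".bmp": "bmp", ".dib": "bmp",
    ".tif": "tiff", ".tiff": "tiff", ".wmf": "wmf", ".emf": "emf",
}


def sniff(data: bytes) -> str:
    """Identify the real format from the bytes, ignoring the file name entirely."""
    if data.startswith(PLACEABLE_WMF) or data.startswith(STANDARD_WMF):
        return "wmf"
    if len(data) >= 44 and data[:4] == b"\x01\x00\x00\x00" and data[40:44] == b" EMF":
        return "emf"
    if data.startswith(JPEG):
        return "jpeg"
    if data.startswith(PNG):
        return "png"
    if data.startswith(GIF):
        return "gif"
    if data.startswith(BMP):
        return "bmp"
    if data[:4] in (b"II*\x00", b"MM\x00*"):
        return "tiff"
    return "unknown"


def check_attachment(name: str, data: bytes) -> dict:
    """Compare the extension's claim with the sniffed format.

    Any metafile is marked for blocking regardless of its extension, which is the
    policy the bulletin recommends until the patch is installed."""
    ext = os.path.splitext(name)[1].lower()
    claimed = EXT_TO_FORMAT.get(ext, "unknown")
    actual = sniff(data)
    return {
        "name": name,
        "claimed": claimed,
        "actual": actual,
        "mismatch": claimed != actual,
        "block": actual in ("wmf", "emf"),
    }


# Constructed sample attachments: header stubs only, no image data.
SAMPLES = {
    # the bulletin's "HappyNewYear.jpg" pattern: a placeable WMF header under a .jpg name
    "HappyNewYear.jpg": PLACEABLE_WMF + b"\x00" * 18,
    # a standard (non-placeable) WMF header, version 0x0300, honestly named
    "chart.wmf": b"\x01\x00\x09\x00\x00\x03" + b"\x00" * 12,
    # a genuine JPEG/JFIF start
    "photo.jpg": JPEG + b"\xe0\x00\x10JFIF\x00",
    # a PNG header under a .gif name: a mismatch worth a warning, but not a metafile
    "banner.gif": PNG + b"\x00\x00\x00\rIHDR",
}


def scan_samples() -> dict:
    return {name: check_attachment(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for r in scan_samples().values():
        action = "BLOCK" if r["block"] else ("WARN" if r["mismatch"] else "pass")
        print(f"{action:5} {r['name']}: claims {r['claimed']}, is {r['actual']}")
```

The same sniff-then-compare step belongs inside archives and composite documents as well, since the bulletin notes that the same file can be shipped inside a ZIP or embedded in a DOC to get past an extension-based gateway filter.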
Microsoft stresses that to exploit a WMF vulnerability by e-mail, "customers
would have to be persuaded to click on a link within a malicious e-mail or open
an attachment that exploited the vulnerability."
We hope that there will be few such BASF users in view of recent training
that everybody got with spam and fake financial letters.
Still, please be careful, as in this case following links is as dangerous
as clicking on the attachment. For example, even just browsing a folder listing
on a file site with Internet Explorer can trigger the payload, because the
attacker can place malicious icon files there, and they will be "executed"
when you open the link.
Usual payload associated with this exploit is spyware. The file with working
exploit that supposedly was already in the wild today was called "HappyNewYear.jpg".
It attempts to download the Bifrose back door, researchers said.
General Recommendations
Before the patch is applied to all systems, please be especially vigilant with
e-mails that contain attachments or that try to persuade you to follow
some HTML link:
- Be somewhat suspicious (but not paranoid, this is the holiday season
after all :-) of any graphical files attached to an e-mail message. Do not
use the "preview" functionality in your e-mail client, as it renders files automatically
and thus triggers the exploit.
Note: the WMF exploit can be disguised as any graphic file
(for example, the attachment can have extension BMP, DIB, GIF, EMF, JFIF,
JPE, JPEG, JPG, PNG, TIF, TIFF or even WMF).
Please remember that malicious files can also be placed in ZIP,
RAR, ARJ or other archive formats, or embedded into a composite document
(PDF, RTF, DOC, XLS) to bypass mail gateway filtering.
Although this is probably a redundant recommendation and everybody is aware
of it, don't trust the "From" address in an e-mail message that came
from the Internet (has a globe as the post stamp in the left corner of the header
in Lotus Notes). For any unusual or suspicious message you can check the
headers to see from what server the message actually came (it is often forged).
There is a flood of financial
scams that pretend to come from eBay, PayPal or some bank and ask you to
verify your account or use some other social engineering trick.
To view e-mail message header information in Netscape Messenger
use View -> Headers -> All (in Microsoft Outlook, View -> All Headers).
- The most interesting header is the "Received" header. There are
usually several of them, and they help you track the origin of the
message (the situation is better and simpler on home PCs, as you can
view all the headers in their natural order at once).
The most interesting is the header that follows (sometimes precedes,
depending on some Lotus Notes setting unknown to me) the "Received"
record of your ISP (in the sample below this record is the first one and
corresponds to the optonline.net ISP):
Received: from www.hosting.com (www.hosting.com [99.235.196.41])
by mta28.srv.hcvlny.cv.net (Sun Java System Messaging Server 6.2-4.03 (built Sep 22 2005))
with SMTP id <0ISJ00JH19ZF7EA2@mta28.srv.hcvlny.cv.net> for
joeuser@optonline.net (ORCPT joeuser@optonline.net); Tue,
03 Jan 2006 15:23:40 -0500 (EST)
Received: from unknown (HELO omc2-s29.bay6.hotmail.com) (65.54.249.39)
by df04.dot5hosting.com with SMTP; Tue, 03 Jan 2006 20:23:39 +0000
Received: from hotmail.com ([65.54.173.7]) by omc2-s29.bay6.hotmail.com with
Microsoft SMTPSVC(6.0.3790.211); Tue, 03 Jan 2006 12:23:38 -0800
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Tue,
03 Jan 2006 12:23:38 -0800
Received: from 62.59.36.122 by by5fd.bay5.hotmail.msn.com with HTTP; Tue,
03 Jan 2006 20:23:38 +0000 (GMT)
Date: Tue, 03 Jan 2006 20:23:38 +0000
Legitimate messages have a next header that "makes sense" and that
you can expect from a particular sender. For a From address of
somebody@hotmail.com
it should be hotmail.com, but here we have:
Received: from unknown (HELO omc2-s29.bay6.hotmail.com)
(65.54.249.39)
by www.hosting.com with SMTP; Tue, 03 Jan 2006 20:23:39 +0000
Forged letters often have a questionable origin: foreign (often some
remote country in Asia or Europe), some university, or a client of one of the
major ISPs that differs from what you would expect from the "From" envelope
(like mail from a hotmail user coming from AOL, or an AOL user from optonline.net,
etc.). The latter are hijacked PCs called zombies.
Often you see only an IP address without any DNS name; that should
be highly suspicious:
" ([211.58.118.150])...
For example here is a fake PayPal letter header:
Received: from www.hosting.com (www.hosting.com [99.235.196.41])
by mta24.srv.hcvlny.cv.net
(Sun Java System Messaging Server 6.2-4.03 (built Sep 22 2005))
with SMTP id <0IRQ00EAF2AUOR00@mta24.srv.hcvlny.cv.net> for
joeuser@optonline.net (ORCPT joeuser@optonline.net); Sun,
18 Dec 2005 20:47:19 -0500 (EST)
Received: from unknown (HELO goliath.hostingwithus.net) (70.84.178.162)
by www.hosting.com with SMTP; Mon, 19 Dec 2005 01:47:18 +0000
Received: from mail.cvworkingfamilies.org ([209.49.192.80]:16900 helo=secure)
by goliath.hostingwithus.net with esmtpa (Exim 4.52) id 1Enkxf-0002Z6-3W; Sat,
17 Dec 2005 16:55:32 -0600
Date: Sat, 17 Dec 2005 17:59:27 -0500
From: "PayPal Inc." <security@paypal.com>
Subject: =?UNKNOWN?Q?PayPal=AE?= UPDATE TEAM
To: postmaster@secretbacard.com, postmaster@softpanorama.org,
postmaster@somedomain.com, postmaster@somewhere.net,
postmaster@spiritofforest.com, postmaster@starbulletin.com,
postmaster@suscom.com, postmaster@yourdomain.com,
postmaster@yourprimarydomain.com, postpowell@yahoo.com,
posts@workinghumor.com, posttrash@internettrash.com,
postulantes.cl@corp.laborum.com, potatoes@punkska.com.ar,
potion13mtl@hotmail.com, potsdam2020@hotmail.com, potw@pixel2life.com,
poul@drawshop.com, pound4pound_02@yahoo.com, powaygal@msn.com,
powderboyy69@yahoo.com, powell62@juno.com, powelson@roadrunner.com,
powerbooks@mail.maclaunch.com, powerbooks-on@mail.maclaunch.com
Message-id: <0IRQ00EAG2AVOR00@mta24.srv.hcvlny.cv.net>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
Content-type: text/html; charset=Windows-1251
Content-transfer-encoding: 8BIT
X-Priority: 3
X-MSMail-priority: Normal
Delivered-to: softpano-postmaster@softpanorama.org
X-AntiAbuse: This header was added to track abuse,
please include it with any abuse report
X-AntiAbuse: Primary Hostname - goliath.hostingwithus.net
X-AntiAbuse: Original Domain - softpanorama.org
X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [47 12]
X-AntiAbuse: Sender Address Domain - paypal.com
X-Source:
X-Source-Args:
X-Source-Dir:
Original-recipient: rfc822;joeuser@optonline.net
You can see that in this particular case the letter probably originated
at goliath.hostingwithus.net
(see the X-AntiAbuse headers in the sample, although they can be faked;
you can trust only the second header after the header
that lists your ISP).
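The reading of the Received chain described above can be automated. The following is an added example (not from the original bulletin): it parses the hotmail-origin sample quoted earlier, re-folded into valid header syntax, walks the hops in chronological order, and applies the bulletin's rule that the hop below the Received line of your own ISP must belong to the sender's domain. The ISP mail-host suffix ("cv.net"), the second "consistent" sample and its host names and 192.0.2.x addresses are constructed for illustration:

```python
"""Trace Received headers and check the hand-off to your ISP against the From domain.

Added example, not from the original bulletin. FORGED_SAMPLE is the bulletin's
own hotmail sample re-folded; CONSISTENT_SAMPLE is constructed.
"""
import re
from email import message_from_string

FORGED_SAMPLE = """\
Received: from www.hosting.com (www.hosting.com [99.235.196.41])
 by mta28.srv.hcvlny.cv.net (Sun Java System Messaging Server 6.2-4.03 (built Sep 22 2005))
 with SMTP id <0ISJ00JH19ZF7EA2@mta28.srv.hcvlny.cv.net> for
 joeuser@optonline.net (ORCPT joeuser@optonline.net); Tue,
 03 Jan 2006 15:23:40 -0500 (EST)
Received: from unknown (HELO omc2-s29.bay6.hotmail.com) (65.54.249.39)
 by df04.dot5hosting.com with SMTP; Tue, 03 Jan 2006 20:23:39 +0000
Received: from hotmail.com ([65.54.173.7]) by omc2-s29.bay6.hotmail.com with
 Microsoft SMTPSVC(6.0.3790.211); Tue, 03 Jan 2006 12:23:38 -0800
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Tue,
 03 Jan 2006 12:23:38 -0800
Received: from 62.59.36.122 by by5fd.bay5.hotmail.msn.com with HTTP; Tue,
 03 Jan 2006 20:23:38 +0000 (GMT)
Date: Tue, 03 Jan 2006 20:23:38 +0000
From: somebody@hotmail.com
To: joeuser@optonline.net
Subject: sample from the bulletin

"""

# Constructed counterpart: the host handing the message to the ISP is in the sender's domain.
CONSISTENT_SAMPLE = """\
Received: from bay0-omc1-s3.bay0.hotmail.com (bay0-omc1-s3.bay0.hotmail.com [192.0.2.75])
 by mta28.srv.hcvlny.cv.net with SMTP; Tue, 03 Jan 2006 15:23:40 -0500 (EST)
Received: from hotmail.com ([192.0.2.7]) by bay0-omc1-s3.bay0.hotmail.com with
 Microsoft SMTPSVC; Tue, 03 Jan 2006 12:23:38 -0800
From: somebody@hotmail.com
To: joeuser@optonline.net
Subject: constructed consistent sample

"""

HOP_RE = re.compile(r"^from\s+(?P<from>.*?)\s+by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def trace(raw: str) -> list:
    """Return the Received hops in chronological order (entry point first)."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        line = " ".join(value.split())          # unfold continuation lines
        m = HOP_RE.search(line)
        sender = m.group("from") if m else line
        ip = IP_RE.search(sender)
        hops.append({"from": sender, "by": m.group("by") if m else "",
                     "ip": ip.group(1) if ip else ""})
    hops.reverse()   # each relay prepends its header, so the bottom one is the oldest
    return hops


def assess(raw: str, isp_mx_suffix: str) -> dict:
    """Find the hop where your ISP accepted the message and check that the host
    that handed it over, and the relay just below it, belong to the From domain.
    isp_mx_suffix is your provider's inbound mail-host domain (assumed: 'cv.net')."""
    msg = message_from_string(raw)
    sender_domain = msg["From"].rsplit("@", 1)[-1].strip("> ").lower()
    hops = trace(raw)
    isp_index = next((i for i, h in enumerate(hops)
                      if h["by"].lower().endswith(isp_mx_suffix)), None)
    if isp_index is None:
        return {"sender_domain": sender_domain, "verdict": "isp-hop-not-found"}

    def belongs(host):
        return host == sender_domain or host.endswith("." + sender_domain)

    handoff_host = hops[isp_index]["from"].split()[0].lower()     # name the ISP logged
    relayed_by = hops[isp_index - 1]["by"].lower() if isp_index > 0 else ""
    consistent = belongs(handoff_host) and (relayed_by == "" or belongs(relayed_by))
    return {
        "sender_domain": sender_domain,
        "handoff_host": handoff_host,
        "relayed_by": relayed_by,
        "entry_ip": hops[0]["ip"],
        "verdict": "consistent" if consistent else "origin-mismatch",
    }


if __name__ == "__main__":
    for label, raw in (("forged", FORGED_SAMPLE), ("consistent", CONSISTENT_SAMPLE)):
        print(label, assess(raw, "cv.net"))
```

On the bulletin's sample the check reports the hand-off host as www.hosting.com and the relay below it as df04.dot5hosting.com, neither of which is in hotmail.com, which is exactly the mismatch the text points out; the HELO name inside the parentheses is not consulted because, as the bulletin notes, anything below your ISP's own Received line can be forged.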
Make sure your version of Antivirus and Antispyware software is
current and both have current signatures:
- Unless you already have something installed, home users can install
Microsoft Windows AntiSpyware
(Beta) Tool -- a free and pretty good
anti-spyware tool from Microsoft. It has an option to update itself
automatically on your PC to ensure that it is up-to-date, but don't
assume it guarantees safety. Spyware is a very tricky type of malicious
software. Home users can also visit
Windows Live Safety Center
and are encouraged to use the Complete Scan option to check for
and remove malicious software that takes advantage of this vulnerability.
- Home users in the U.S. and Canada who have a legitimate copy of Windows
and believe they may have been affected by this vulnerability
can receive technical support from Microsoft Product Support Services
at 1-866-PCSAFETY. There is no charge for support that is associated
with security update issues or viruses.
Ensure that your home PC has all the patches and software updates from
Microsoft (you can now configure your home PC to get and install updates
automatically via the Windows Update feature; see
Security at Home Updates & Maintenance
at the Microsoft website).
Recommended Links
Microsoft Security Advisory (912840) Published:
December 28, 2005 | Updated: January 3, 2006
On Tuesday, December 27, 2005, Microsoft became aware
of public reports of malicious attacks on some customers involving a previously
unknown security vulnerability in the Windows Meta File (WMF) code area
in the Windows platform.
Upon learning of the attacks, Microsoft mobilized under
its Software Security Incident Response Process (SSIRP) to analyze the attack,
assess its scope, define an engineering plan, and determine the appropriate
guidance for customers, as well as to engage with anti-virus partners and
law enforcement.
Microsoft confirmed the technical details of the attack
on December 28, 2005 and immediately began developing a security update
for the WMF vulnerability on an expedited track.
Microsoft has completed development of the security update
for the vulnerability. The security update is now being localized and tested
to ensure quality and application compatibility. Microsoft’s goal is to
release the update on Tuesday, January 10, 2006, as part of its monthly
release of security bulletins. This release is predicated on successful
completion of quality testing.
The update will be released worldwide simultaneously in
23 languages for all affected versions of Windows once it passes a series
of rigorous testing procedures. It will be available on Microsoft’s Download
Center, as well as through Microsoft Update and Windows Update. Customers
who use Windows’ Automatic Updates feature will be delivered the fix automatically.
Based on strong customer feedback, all Microsoft’s security
updates must pass a series of quality tests, including testing by third
parties, to assure customers that they can be deployed effectively in all
languages and for all versions of the Windows platform with minimum down
time.
Microsoft has been carefully monitoring the attempted
exploitation of the WMF vulnerability since it became public last week,
through its own forensic capabilities and through partnerships within the
industry and law enforcement. Although the issue is serious and malicious
attacks are being attempted, Microsoft’s intelligence sources indicate that
the scope of the attacks are not widespread.
Copyright © 1996-2007 by Dr. Nikolai Bezroukov.
www.softpanorama.org was
created as a service to the UN Sustainable Development Networking Programme (SDNP)
in the author free time.
This document is an industrial compilation designed and created
exclusively for educational use and is placed under the copyright of the
Open Content License(OPL).
Original materials copyright belong to respective owners. Quotes are made
for educational purposes only in compliance with the fair use doctrine.
Standard disclaimer: The statements, views and opinions presented on
this web page are those of the author and are not endorsed by, nor do they necessarily
reflect, the opinions of the author present and former employers, SDNP or any other
organization the author may be associated with. We do not warrant the correctness
of the information provided or its fitness for any purpose.
Last modified:
February 28, 2008