I’m really sorry about the continuous Windows security reports, but they just keep on coming, so what else can I do…
Data Execution Prevention is a security tool that Microsoft added to all versions of Windows since XP SP2. It’s meant to address buffer overflows by working with the CPU to mark every memory location in a process as non-executable unless that location explicitly contains executable code. That way, even if there is a buffer overflow, the malicious code couldn’t run from whatever memory it happened to land in.
Unfortunately, Berend-Jan Wever, aka “Skylined,” a Google security software engineer, has busted DEP using a variation of a hacking technique he helped perfect, called heap-spraying. In heap-spraying, the attack code makes an educated guess at where memory that could be used to execute unapproved code can be found. In Wever’s latest trick, the attacking code instead looks for clues about where to find memory that DEP allows to run code. Once armed with this information, the attack code can successfully plant itself in the system.
It seems possible that this technique can also be used to defeat ASLR ( address space layout randomization ), which is another Microsoft security improvement.
So 2 of Microsoft’s most important security features in Windows seem to be vulnerable to attack. Makes me feel warm all over knowing I run Linux …
As an aside, I’ve just spent half the morning trying to clean 2 Windows machines for a client. These were riddled with viruses which self-replicated to all the network shares. And no, it wasn’t me who hooked them up to the network. I finally managed to get the machines clean and removed all the viruses from the Linux-based network shares using ClamAV. Of course the Linux server didn’t miss a beat.
Someone is getting an interesting invoice next week.
The headline phrase typically refers to buying a computer with Windows pre-installed by the OEM vendor when you don’t need or want it, i.e. you’ve paid more for the machine ( because it includes Windows ) when you aren’t going to use it.
Unfortunately this time it refers to you, a citizen, paying extra personal tax to fix issues in Microsoft’s software!!! What?!?! World gone crazy ( again )? According to Robert McMillan’s piece on ComputerWorld, Scott Charney (Microsoft’s veep for Trustworthy Computing) suggests that one way to fund fighting botnets is to tax users. “You could say it’s a public safety issue and do it with general taxation” Charney said.
For those not in the know, a botnet is a large collection of compromised PCs/computers ( these will typically be made up of almost 100% Windows machines that have been compromised by a virus, malware or some other piece of malicious software ). Most Microsoft software ( not only their operating systems ) has an atrocious track record when it comes to security and, as a result, is the subject of frequent attacks, the result of which is large botnets that generate spam email, infect websites ( running Microsoft web servers ) and propagate other malicious software to infect even more machines.
90%+ of all email generated last year was spam – the direct result of the poor security in the operating system you are probably using on your PC. According to a McAfee report published in May 2009 the amount of energy used every year to transmit, process and filter spam would be enough to power 2.4 million homes, with the same Greenhouse Gas emissions as 3.1 million passenger cars.
Every year, millions of people are the subject of identity theft, banking account invasion, phishing and pharming scams, money loss, credit card schemes and fake software. All because of that one word – Microsoft. Billions are spent each year buying anti-virus and anti-spyware software for PCs, and these are at best only 33% effective. A complete industry of technicians and consultants grew up just to deal with Microsoft security issues.
Are you aware, as a Standard Bank client in South Africa, that every time you draw money from or use an SBIC ATM, you are working with Microsoft Windows XP – the most hacked OS ever?
To be clear, botnets are the single biggest security threat on the Internet – because of the lax security in Microsoft products.
Now you may say that because of Microsoft software’s overarching ubiquity it’s subject to more attacks but that argument has left the building a long time ago. Along with Elvis. Linux is used in everything from phones, to set-top boxes, fridges, cars, industrial applications to your common or garden PC computer at home. MacOS X makes up a good proportion of computer sales world wide. AIX, HPUX, Solaris, VMS and other operating systems have been running the core institutional services of the world for decades without any known security breaches.
So the questions you need to ask yourself are:
- are you safe?
- are you willing to bet your security, identity and money on the Windows platform?
- are you happy to pay technicians to fix your PC when it becomes infected?
- are you willing to pay more personal taxes so that Microsoft can continue selling you insecure software?
I switched from the Microsoft Windows platform almost 6 years ago and I’ve never looked back. I work with a simple and reliable operating system that does what I need it to, yet doesn’t put my personal and financial well-being at risk. Can you say the same? No? Perhaps it’s time for a change …
I’ve been running Slackware-current ( the development version of Slackware ) for probably close to 5 years now. For the most part, it’s a pretty uneventful stream of upgrades; however, every once in a while, things get interesting.
The March 1 update is massive, has taken a month to release and includes around 465 updated packages. There are 2 main reasons for this:
- Xorg has been upgraded to 1.7.5
- a new version of libpng is included which required the rebuild of a large number of dependent packages ( 13? )
I had some issues as follows …
On reboot I got ‘undefined symbols’ and ‘unknown module format’ when loading some modules. My NVidia binary driver would not load with a message the same as above. I had not upgraded the kernel so this was all a bit strange.
First step was to get a new NVidia driver ( 195.36.08 ) which installed fine but the driver still refused to load. Then I thought that a kernel package may have been installed erroneously so I upgraded all of them. Still no go.
To the LinuxQuestions forum where I gathered that there may have been an issue with a kernel config option ( CONFIG_PREEMPT ) in this particular kernel. The fix was straightforward – rebuild and install the kernel with the existing config file:
cp /boot/config-huge-2.6.33 /usr/src/linux-2.6.33/.config && cd /usr/src/linux-2.6.33 && make && make modules_install && cp arch/x86_64/boot/bzImage /boot/vmlinuz && lilo && echo "blacklist nouveau" >> /etc/modprobe.d/blacklist.conf && telinit 6
There was also an issue with the libgmp library which was updated today and fixed those issues.
Some other upgrades/changes:
- device-mapper is now included in the lvm2 package
- gzip security issue
- kernel 2.6.33
- kde 4.3.5
- openssl security fixes in 0.9.8m
- bash 4.1
I’m running AlienBob’s kde 4.4.x packages and hopefully he’ll have an updated ( to 4.4.1 ) set soon. All in all an interesting time; however, this is dev so it’s to be expected. The problem is that current is generally so stable that this is actually unexpected. No problems either way.
Thanks to Pat, Eric, Robby and all the rest.
… I spoke about in late January? Well Microsoft has finally come out and acknowledged it. Over a month later. Well actually 9 months later.
The hole, which originated with the release of Windows NT back in 1993 and is present in every 32-bit version of Windows since, including Windows 7, was discovered by Tavis Ormandy, a Google security team member in Switzerland. Ormandy said that he notified Microsoft of the hole in June 2009 but, after receiving no response other than an acknowledgment, decided to publish his discussion as well as a proof-of-concept exploit.
Compromising a machine requires physical access to the machine as well as authenticated password access, so it’s unlikely to be too serious an issue.
Another flaw has been found in versions 7 and 8 of Internet Explorer running on Windows XP. There’s an unpatched bug in VBScript that hackers can use to drop malware on 32-bit Windows XP machines. Microsoft says an exploit “was posted publicly that could allow an attacker to host a maliciously crafted web page and run arbitrary code if they could convince a user to visit the web page and then get them to press the F1 key in response to a pop up dialog box.”
Furthermore, “The issue in question involves the use of VBScript and Windows Help files in Internet Explorer. Windows Help files are included in a long list of what we refer to as ‘unsafe file types.’” Interesting that Microsoft views their own Help System as unsafe …
Microsoft says they are not aware of anyone using this exploit yet but that’s probably just them trying to tame the issue. If an exploit is available, someone will be using it. No patch is available yet so at minimum, switch to another browser; if you’re feeling a little more brave, switch to using another platform completely.
UPDATE: the list of platforms affected by this flaw has now been expanded to include Windows 2000 and 2003, as well as any version of IE on those platforms including IE 6.
A new critical flaw has been found in all versions of Windows since Windows 2000 and affects even current releases like Windows 7 and Server 2008 R2. The vulnerability was found by 2X Software which says that the flaw can be used to create a DoS attack against any Windows systems from the last 10 years.
The US Copyright Lobby has indicated that using FOSS equates to the undermining of intellectual property rights. Yes, you read that correctly. They want the US Trade Representative to place countries like Brazil, India, and Indonesia on the Special 301 list, which is a list of countries that do not, according mostly to the Pharmaceutical Research and Manufacturers of America and the IIPA, do enough to protect intellectual property rights.
The governments of the countries the IIPA wants to add have one thing in common: they’ve used or are encouraging the adoption of Free and open source software, which, according to the IIPA, “weakens the software industry” and “fails to build respect for intellectual property rights”. Huh? No I’m not making this up – take a look for yourself.
“The Indonesian government’s policy [...] simply weakens the software industry and undermines its long-term competitiveness by creating an artificial preference for companies offering open source software and related services, even as it denies many legitimate companies access to the government market,” the IIPA states, “Rather than fostering a system that will allow users to benefit from the best solution available in the market, irrespective of the development model, it encourages a mindset that does not give due consideration to the value to intellectual creations.”
Since when has FOSS denied anyone anything, let alone legitimate companies’ access to the government market? And how is FOSS not an intellectual creation? Besides giving no proof of their statements, these murmurings are just plain fiction. Perhaps the US Copyright Lobby should stop spouting trash in the name of big business and do something for the man in the street for a change.
Last week, a story broke in the US concerning invasion of privacy and has become a huge talking point globally. The Lower Merion School District provided Apple Mac laptops to students ( no private machines were allowed ) and installed remote control software on these, allowing the school to remotely activate web-cams in an apparent attempt to curb theft.
Unfortunately it appears that these web-cams have been used for a little more than that, as students with perfectly legal laptops indicated that their web-cams seemed to operate at times when not expected ( check many of the comments in this link ).
One of the students, Blake Robbins, and his parents, have filed a civil rights lawsuit against the school district accusing the school of turning on the web-cam in his computer while it was inside their Penn Valley home, which they allege violated wire-tap laws and his right to privacy. The suit, which seeks class-action status, alleges that Harriton vice principal Lindy Matsko on Nov. 11 cited a laptop photo in telling Blake that the school thought he was engaging in improper behaviour. He and his family have told reporters that an official mistook a piece of candy for a pill and thought he was selling drugs.
Of course the school district is claiming innocence … But things have got a lot more murky with some detailed investigation by Stryde Hax, a security consultant. Some of his findings:
- Mike Perbix is listed as a Network Tech at LMSD. Mr. Perbix has a large on-line web forum footprint as well as a personal blog, and a lot of his posts, attributed to his role at Lower Merion, provide insight into the tools, methods, and capabilities deployed against students at LMSD. Of the three network techs employed at LMSD, Mr. Perbix appears to have been the mastermind behind a massive, highly effective digital panopticon.
- In a promotional web-cast, Mike Perbix identifies himself as a high school network tech, and then speaks at length about using the track-and-monitor features of LanRev to take remote pictures through a high school laptop web-cam. A note of particular pride is evident in his voice when he talks about finding a way outside of LANRev to enable “curtain mode”, a special remote administration mode that makes remote control of a laptop invisible to the victim.
- Perbix discusses methods for remotely resetting the firmware lockout used to prevent jail-breaking of student laptops. A jailbreak would have allowed students to monitor their own web-cam to determine if administrators were truly taking pictures or if, as the school administration claimed, the blinking web-cams were just “a glitch.”
- In a September 2009 post that may come to haunt this investigation, Perbix posted a scripting method for remote enable/disable of the iSight camera in the laptops. This post makes a lot more sense when Perbix puts it in context on an admin newsgroup, in a post which makes it clear that his script allows for the camera to appear shut down to user applications such as Photo Booth but still function via remote administration.
There’s even more information coming from the students themselves:
- Possession of a monitored Macbook was required for classes
- Possession of an unmonitored personal computer was forbidden and would be confiscated
- Disabling the camera was impossible
- Jail-breaking a school laptop in order to secure it or monitor it against intrusion was an offence which merited expulsion
So there are a few questions to ask here:
- was the school district aware of the potential for misuse of this system and the abilities?
- did the school district know about Perbix’s delusions of grandeur?
- if not, how could they be so stupid as to not inform the students of this monitoring system?
No matter the outcome, this appears to be a simple case of invasion of privacy. Under no circumstances should anyone be allowed to remotely view a machine without the user’s consent, no matter whether that equipment is the user’s or not.
Perhaps it’s a matter of bravery on the school district’s part as anti-terrorist laws in the USA have increasingly encroached on citizens’ personal freedoms and civil liberties. If the government can do it, why shouldn’t we?
Malicious Acrobat Reader documents made up almost 80% of all exploits for 2009 according to security research company ScanSafe. Vulnerabilities have doubled year on year in Adobe’s PDF reader and they seem to be having a problem keeping things under any sort of control. To keep yourself safe ( well, sort of ), disable JavaScript in Reader and don’t use the browser plugin. Adobe is patching several serious vulnerabilities today.
Apologies for the late notice on this but I only just learned of it myself: Microsoft will be releasing “Update for Microsoft Windows (KB971033)” today. This however is not an ordinary update. This one will change the current activation and anti-piracy behaviour of Windows 7 by phoning home every 90 days ( for now ). The purpose is to verify that you aren’t running a pirated copy of Windows and to take actions by changing the behaviour of your PC if it appears that you aren’t now properly authenticated and genuine. This falls under the new banner of Windows Activation Technology ( WAT ).
There are a few things that are worrying about this:
- if you have activated and authenticated your copy of Windows 7 at install or purchase time, why ( and/or how ) would this change over time?
- if your system is compromised and subsequently downgraded by WAT to non-genuine status, what will the effect on the user experience be?
- will a downgraded user lose access to any functionality? ( Update: yes, they will not have access to certain future Windows Updates )
- how does someone who has been downgraded get genuine again ( and how will it inconvenience them )?
- why should Microsoft have the power to downgrade a user’s copy when that user has legitimately purchased that copy?
The update is due for manual release today and is tagged as “important” therefore will be installed no matter the settings of Windows Update on your machine. You should set your machine to manually download and install updates, and then manually deselect this update for installation. It serves no useful purpose w.r.t. the security or stability of Windows, and in addition opens up a whole can of worms w.r.t. your privacy. If this update gets installed and you are still deemed to be genuine, then you should uninstall this update asap.
While everyone understands that Microsoft has a serious issue with piracy, I don’t think anyone would willingly agree to the unacceptable level of intrusion that Microsoft is forcing on users with this update. We’ve already had major issues with DRM-encumbered music from Microsoft and now comes their chance to not only disable your music, but your entire PC. It’s just not right and you shouldn’t let them.
While I’ve never assumed AV software will protect you from all ills on the Internet, new research from SurfRight shows just how bad things are. A sample of just under 110k users ( a very good sample I think ) shows that 32% ( yes, 1/3rd ) of all machines running AV software were infected. What’s even more interesting is that the percentage of infected machines among those not running AV software is only 46%. This gives one some idea of how ineffective AV software is in practice. Of the sampled machines with AV installed, 73% had up-to-date signatures and 27% did not.
The report from SurfRight also highlighted the increased coverage provided by OS-level software such as Microsoft’s Malicious Software Tool and Security Pack.
The outcome is as always: defense in depth. Run multiple point products to provide more security, e.g. AV software ( with definition updates ), a good anti-spam filter, keep your OS patches current and use an anti-malware/spyware tool. And use your head – if that email looks suspicious, it probably is.
XStore services will be down this evening at 6pm for scheduled maintenance for about 15 minutes. Services affected include:
- hosted Nagios monitoring
- hosted email/web
This coming Tuesday, Microsoft is releasing a slew of patch fixes, 5 of which are rated critical, 7 important and 1 moderate. All of the critical flaws result in remote code execution and 10 of these patches require a system restart. The list of operating systems affected includes everything from Win2k through to Win2k8 R2.
The 17-year old hole reported a week ago is being fixed; however, the latest IE flaw noted this week is not getting a patch yet. What is worrying is that Redmond says it is still working on a patch for the SMB flaw that can be used to crash Windows 7 and Server 2008 R2 remotely. That was disclosed three months ago, so the company is lagging quite a bit with that one.
Backups in a virtualisation environment take on a whole new meaning. They are typically complex ( as opposed to the simple outlook that the vm vendors would like to portray ) because now you are dealing with shared SAN storage, vm images instead of files, very specific requirements around backup hardware and setup, 3rd party backup agents and multiple backup methods from VMware themselves. So much for simplifying your IT infrastructure. But it’s not all doom and gloom – I’ll try and break things down so VMware backup is not as dark as it appears to be.
VCB
VMware provides a Backup/DR API in the form of VMware Consolidated Backup ( VCB ) which allows you to either do backups with the VMware service console tools or integrate with a 3rd party backup tool. Doing backups via the service console is not for the faint of heart so most VMware users will go the 3rd party route. This is done by installing VCB and the 3rd party backup server on a machine ( vm or physical ), configuring VCB to talk to VCenter or ESX, and then setting up your backups via the 3rd party tool’s VMware agent/plugin.
VCB works by generating a snapshot of a vm and then storing it in a specified location on the VCB proxy machine. VCB proxy can run on a physical machine or in a vm. If running in a vm then you need to make sure you have sufficient space to store the vm images that are generated at backup time – take 3 to 4x the space of the largest vm you have as a rule of thumb.
VCB Modes
There are 3 main modes of backup using VCB proxy depending on your hardware setup/design. Let’s take a look at each of these in turn and the pros and cons.
SAN mode
ESX needs to have its VMFS stored on shared FC SAN storage or iSCSI shared disk. Backups are offloaded to a physical VCB proxy which is also connected to the shared storage. In this mode, the LUNs exposed to the ESX servers need to be exposed to the VCB proxy machine as well.
SCSI Hot-add mode
In the SCSI Hot-Add mode, you set up one of your virtual machines as a VCB proxy and use it to back up other virtual machines residing on storage visible to the ESX Server that hosts the VCB proxy virtual machine. This mode eliminates the need for a dedicated physical machine for your VCB proxy and does not require you to expose SAN LUNs to the Windows VCB proxy.
In this mode, you can use Consolidated Backup to protect any virtual disks on any type of storage available to your ESX Server host, including NAS or local storage. The only exception is that it does not back up any disks of a virtual machine that has an independent disk, a physical-compatibility RDM, or an IDE disk ( this applies to ESX 4 and ESXi 4 ).
Consolidated Backup creates a snapshot of the virtual disk to be protected and hot adds the snapshot to the VCB proxy, allowing it to access virtual machine disk data. The VCB proxy reads the data through the I/O stack of the ESX host. If the ESX servers only have local disk then you need a VCB proxy on each ESX host.
LAN ( NBD ) mode
In this mode, Consolidated Backup uses an over-the-network protocol to access the virtual disk. The ESX Server host reads the data from the storage device and sends it across a network channel to the VCB proxy. A limitation is that vms should not be over 1TB in size.
You can also use a vm for this mode to host VCB proxy however remember the issues relating to tape connectivity. A separate ‘backup’ network can be used between a physical VCB proxy and the ESX hosts to split normal and backup traffic.
Types of backups
There are also a number of various ways of doing the backup:
- image level, where one backs up the vm and all its associated files
- file-level ( via VCB or a 3rd party agent ), where you back up the contents of the vm at the file level; this can be combined with full and incremental/differential backups ( note that file-level backups via VCB are only supported on Windows platforms )
In addition you can also load a backup agent in the vm and treat it as a normal backup client. Most likely you will use a combination of image-level VCB backup with agent-based file-level backup. Note that VCB cannot be used to back up clustered vms and you will need to use 3rd party cluster-aware backup tools for this scenario.
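The mode and backup-type rules above ( SAN mode needs shared FC/iSCSI storage exposed to a physical proxy, hot-add needs a proxy vm on a host that sees the storage and cannot take independent disks, physical-compatibility RDMs or IDE disks, NBD is capped at 1TB, clustered vms fall outside VCB altogether, and VCB file-level backups are Windows-only ) are easy to get wrong across a few dozen vms. The planner below is an added example and not VMware code; it encodes exactly those rules, plus the 3–4x staging-space rule of thumb for a proxy running as a vm, and assigns each vm a method. The Disk, VM and Proxy classes and the sample inventory are constructed for the example.

```python
from dataclasses import dataclass
from typing import List

TB = 1024 ** 4
GB = 1024 ** 3


@dataclass
class Disk:
    size_bytes: int
    storage: str                 # "san", "iscsi", "nas" or "local"
    independent: bool = False    # independent-mode disk: excluded from hot-add
    physical_rdm: bool = False   # physical-compatibility RDM: excluded from hot-add
    ide: bool = False            # IDE virtual disk: excluded from hot-add


@dataclass
class VM:
    name: str
    guest_os: str                # "windows" or "linux"
    disks: List[Disk]
    clustered: bool = False      # MSCS-style cluster node

    @property
    def size_bytes(self) -> int:
        return sum(d.size_bytes for d in self.disks)


@dataclass
class Proxy:
    kind: str                    # "physical" or "vm"
    sees_san_luns: bool          # ESX LUNs are also exposed to this proxy
    host_sees_vm_storage: bool   # for a proxy vm: its ESX host can reach the vm's storage


def plan_backup(vm: VM, proxy: Proxy) -> dict:
    """Pick the VCB mode for one vm from the constraints in the post."""
    if vm.clustered:
        return _plan(vm, "agent-only",
                     "VCB cannot back up clustered vms; use a cluster-aware 3rd party agent")
    on_shared = all(d.storage in ("san", "iscsi") for d in vm.disks)
    if proxy.kind == "physical" and proxy.sees_san_luns and on_shared:
        return _plan(vm, "san", "all disks on shared storage exposed to the physical proxy")
    blocked = [d for d in vm.disks if d.independent or d.physical_rdm or d.ide]
    if proxy.kind == "vm" and proxy.host_sees_vm_storage and not blocked:
        return _plan(vm, "scsi-hotadd", "proxy vm can hot-add the snapshot via the ESX host")
    if vm.size_bytes <= 1 * TB:
        return _plan(vm, "nbd", "over-the-network fallback; vm is within the 1TB limit")
    return _plan(vm, "agent-only",
                 "no VCB mode applies: hot-add excluded a disk or vm exceeds 1TB for NBD")


def _plan(vm: VM, method: str, reason: str) -> dict:
    # VCB file-level backups are only supported for Windows guests.
    return {"vm": vm.name, "method": method, "reason": reason,
            "vcb_file_level": method != "agent-only" and vm.guest_os == "windows"}


def proxy_staging_space(vms: List[VM], factor: int = 4) -> int:
    """Disk to reserve on a vm-hosted proxy: 3-4x the largest vm (rule of thumb)."""
    return factor * max(vm.size_bytes for vm in vms)


# Constructed sample inventory, not a real site.
SAMPLE_VMS = [
    VM("dc01", "windows", [Disk(40 * GB, "san")]),
    VM("db01", "linux", [Disk(200 * GB, "san", physical_rdm=True)]),
    VM("file01", "windows", [Disk(2 * TB, "nas", independent=True)]),
    VM("sql-node-a", "windows", [Disk(80 * GB, "san")], clustered=True),
]
PHYSICAL_PROXY = Proxy("physical", sees_san_luns=True, host_sees_vm_storage=False)
VM_PROXY = Proxy("vm", sees_san_luns=False, host_sees_vm_storage=True)


if __name__ == "__main__":
    for vm in SAMPLE_VMS:
        print(plan_backup(vm, VM_PROXY))
    print("staging space needed:", proxy_staging_space(SAMPLE_VMS) // TB, "TB")
```

Swap PHYSICAL_PROXY for VM_PROXY in the loop to see the same inventory land in SAN mode instead, and note that the 2TB vm with an independent disk ends up with an in-guest agent whichever proxy you use.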
Tape connectivity/VTL
Tape can be connected in a variety of ways for the purposes of VMware backup, mostly depending on the storage mechanism you are using with VMware.
- connect the tape device to a standalone VCB proxy using FC, SAS or SCSI – this gives you the flexibility of breaking backups out of your VMware space
- connect the device to your FC fabric if you make use of shared storage for ESX VMFS
- connect a tape device to an ESX host using pass-through SCSI
In addition, you can use a 2 stage backup solution with disk-2-disk ( d2d ) as the first stage and tape as the 2nd. Using VTL is quite useful as it allows you to send more data flows to the backup server than you have physical tape drives. Tape devices are expensive and as such you may only have one or 2. With VTL, you can simulate as many drives as you’d like and send that amount of flows concurrently to the backup server. You need to be reasonable with this of course especially if you are using Ethernet for your transport.
VMware Data Recovery
DR is a new product with VSphere 4 that does VCB-style backups via the VCenter console and provides for de-duplication of data. There are some fairly severe restrictions with DR, so it’s possibly a tool that you will use in conjunction with VCB and a 3rd party tool.
DR is only a d2d tool, so you will need disk in your SAN ( you can also use NAS or iSCSI ) to store the backup data, and no tape devices are supported. It always de-dupes – you have no option in this regard. DR is an appliance that runs as a vm and provides what is essentially incremental-forever backups. You can have up to 8 concurrent backups in flight; however, you can only use two simultaneous backup destinations. VSS is supported on certain Windows platforms and application-level integrity is provided under certain conditions. Stores can be up to 1TB in size and you can use a maximum of 2 stores with each de-dupe appliance.
Conclusion
Both VCB and DR provide for backups of running vms however they do so under different circumstances. Most often you will use VCB with a 3rd party tool, and perhaps DR when you need fast restore capability for vms. A 3rd party tool gives you the flexibility of backup/restore outside of your immediate VMware environment while the VMware tools give you highly integrated ability within VMware.
Microsoft has issued a new security advisory ( 980099 ) to address a publicly disclosed vulnerability in Internet Explorer that may allow information disclosure for Windows XP users or for users who have disabled Internet Explorer Protected Mode. The advisory explains that content can be forced to render incorrectly from local files in such a way that information can be exposed to malicious websites.
The result is that all files on your machine become accessible to those accessing it. Affected OS/browser combos include IE5.01 and 6SP1 on Win2k SP4 and IE6/7/8 on XP and Win2k3. Note that the browser needs to have Protected Mode disabled for the exploit to work. PM is enabled by default for IE 7 and 8 on Vista, 7 and Win2k8.