Microsoft released an out-of-band patch yesterday for a critical vulnerability in the handling of custom fonts that can result in remote code execution on a machine. More details here:
Note that because Windows Server 2003 has just gone end-of-life, there is no update for it.
Wow, now this is a turn-around for the books – Microsoft bed-partner Miguel de Icaza saying that Moonlight development is being stopped specifically because a. Microsoft is concentrating on HTML5 and b. because Microsoft has imposed certain restrictions on Silverlight. Never thought I’d see the day … Hooray for the death of non-standard protocols and apps!
Microsoft has always bigged up their products using whatever mechanisms they can, including paid-for campaigns/ads and sometimes outright lying. The latest statement that IE is the most secure browser ( according to their yourbrowsermatters website ) fits into this latter category.
One has to wonder how Microsoft comes about the scores provided on the site. Thumb suck I say. Where does the outright lying come into play? Well apparently my browser benefits from Windows Operating System features that randomize the memory layout to make it harder for attackers to find their target. And my browser benefits from Windows Operating System features that protect against structured exception handling overwrite attacks.
The only problem with the above 2 statements is that I don’t run Windows …
One also has to wonder how IE is given the most secure browser moniker when it’s just had a major patch released to fix what’s regarded by anyone as a serious flaw ( The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user ).
So when vendors trot out that “we’re the most secure” malarkey, take it with a pinch of salt. Mind you, maybe a whole jar will be better.
Microsoft has always been accused of following the pack rather than innovating. So it’s no surprise that early screenshots of the Windows 8 copy dialogue seem to be a direct rip-off of the KDE 4 copy dialogue, from the ‘multiple copy operations in single dialogue’ visual aspect:
to the bandwidth usage graphs:
The look may not be exactly the same, however the idea is spot on. As they say, copying is the sincerest form of flattery.
Well if there’s ever been an advertisement against cloud services, Microsoft is it. The recent spate of outages on Microsoft’s BPOS system continued this weekend past with a 7 hour outage at their Dublin data centre after an ‘act of God’ took out their power grid and backup generators. Microsoft said it would “proactively provide impacted customers with a 25 per cent credit on a future monthly invoice”. Thanks Microsoft!
But one has to wonder at the value of the financially backed SLA offered by Redmond: customers with a monthly uptime lower than 95 per cent get a full discount; a 50 per cent credit on uptime between 95 per cent and 99 per cent; and a 25 per cent note for uptime between 99 per cent and 99.9 per cent. So customers experiencing anything above 8.76 hours of downtime a year are able to make a claim against the Ts&Cs in Microsoft’s SLA. The SLA does not apply when the service is hit by availability issues arising from “factors outside of our control” – one of the criteria.
Microsoft also says that blackouts should never be a concern for prospective cloud customers.
“When you switch to cloud power Microsoft, you never have to worry about a power outage. You can rest easy. Our financially backed 99.9 per cent uptime guarantee means a steady stream of power is pumped directly into your business at all times and include 24/7 support if anything ever does go wrong,” said the vendor on its website.
Resellers should take note when advising customers to switch to Office 365, the successor to BPOS, as Microsoft previously admitted that outages on the new cloud service are also inevitable.
Considering last month’s outage, one would have thought the okes at Microsoft would have beefed up the BPOS service offering but it’s not to be. There were problems logging into Exchange and SharePoint Online yesterday morning for about 3 hours. This outage, apparently caused by network hardware issues, mostly affected North America and British customers.
Microsoft seems to be betting the house on Office 365, BPOS’ successor. Based on experiences related in the Online Services forum, Microsoft had better get it right otherwise customers will be flocking away from the service. Office 365, set to launch on 28 June, has come in for its fair share of criticism from Microsoft resellers, which suspect it is part of the first efforts from Microsoft to nick their business.
Since the release of SP1 for Win 7 and Server 2008 R2, there have been quite a lot of issues relating to the installation of the service pack. Apparently many are seeing boot failures after the installation of the service pack, specifically with C00000034 fatal errors. Of course, those with WSUS will be getting automatic upgrades so you don’t even have a choice in the matter. Separately, Windows 7 users applying the SP1 update package have gone into a reboot loop after encountering: “Error C000009A applying update operation 120782 of 367890”.
The strange thing about this service pack install is that unlike other Microsoft software installations, this one removes restore points prior to the installation.
Microsoft has been fairly quiet about the issue leading many to speculate that they’re not sure exactly what the cause is. They do however have a workaround for the C00000034 issue here.
Apparently some guys in India also have a solution.
The vulnerability could allow an attacker to cause a victim to run malicious scripts when visiting various Web sites, resulting in information disclosure. This impact is similar to server-side cross-site scripting (XSS) vulnerabilities.
Even Google has released a statement regarding targeted attacks on IE users. Apparently this MHTML vulnerability has been around for 7 years. Wow!
Windows 7 Service Pack 1 should be available soon and won’t have much new functionality, but will have the usual hot fixes and patches. 3 items that will make an appearance are:
- Advanced Vector Extensions ( AVX ) which will be available in forthcoming processors
- RemoteFX – an extension to RDP
- Dynamic Memory – intelligent allocation of memory
The last 2 are only relevant in networks running Win Server 2k8 R2. It also seems that there will be a dependency ( Update 976902 ) before one will be able to install SP1 through Windows Update.
Aw, aren’t we lucky ( well Windows users at least ) – G-Data and Sophos have stepped forward with free protection for the .lnk vulnerability.
G-Data’s solution LNK-Checker displays no-entry signs for icons associated with exploits while other icons function as normal. However, users can still click on malicious LNK files and start the malware manually, unless it’s blocked by a virus checker. In addition, it appears that the tool marks all links associated with the Control Panel as dangerous, resulting in falsely marked icons.
Sophos’ Shortcut Exploit Protection Tool attempts to intercept malicious LNK files and present a warning dialog box. The tool however does not respond to files stored on local disks so the protection offered from this is halfhearted at best.
These tools may be free but your protection is not guaranteed.
The unpatched LNK vulnerability in all versions of Windows ( from XP onwards ) is attracting a lot more attention from malicious code authors. A further 2 exploits have been detected in the wild. The 1st .lnk trojan, Stuxnet, was very specific about its payload, attacking Siemens SCADA software specifically. But the effectiveness of .lnk attacks lies in the fact that the payload can be customised and changed as required to suit the attack.
Win32/TrojanDownloader.Chymine.A contacts a server in the US and downloads the Win32/Spy.Agent.NSO key logger from there. The Win32/Autorun.VB.RP worm is now also said to have discovered the .lnk hole as a suitable means for propagation. The worm even actively produces further compromised .lnk files so it can spread faster.
The German Federal Office for Security in Information Technology (BSI) has issued a warning (German language link): until the hole has been patched users are to follow the steps for the workaround described in Microsoft’s security advisory. Microsoft’s fix-it is indeed the easiest way to protect a system from impending attacks. However, it does cause a loss of convenience, as Windows will only display standard icons for all short-cuts once the fix-it has been applied.
Incidentally, Microsoft has removed the official documentation for the .lnk file format from its server without comment. Critics sneer that this was done to remove the description of the format’s security measures on page 48 (see screen-shot below).
A new malicious attack has been spreading through the internet in the last few weeks, initially using USB memory sticks to propagate. Called the LNK vulnerability, the attack uses specially crafted shortcut (.lnk) files, which trick Windows into running code of an attacker’s choosing. Any Windows application that tries to display the shortcut’s icon—including Explorer—will cause exploitation, so even the mere act of browsing a directory with the malicious shortcuts is sufficient for a system to be exploited.
The exploit has now been tested as working from SMB network shares as well as Windows’ WebClient services. The nature of this attack is very serious as noted by the ISC raising its Infocon level to Yellow. Even Microsoft is worried enough about this vulnerability that the guys from Redmond said, “Anyone believed to have been affected by this issue … should contact the national law enforcement agency in their country.”
The malware payload appears to be designed to specifically compromise the databases used by Siemens’ SIMATIC WinCC software. WinCC is SCADA software, used to control and monitor industrial systems, found in manufacturing plants, power generation facilities, oil and gas refineries, and so on. Siemens’ software uses hardcoded passwords, making an attack particularly simple and potentially dangerous. ( Question: why would anyone use Windows software for controlling industrial equipment? )
Recommended temporary solutions are to turn off icons for shortcuts and disable the WebClient service, but these are fairly intrusive and confusing for the average user. The recent protections for AutoRun capability are useless in this case. All versions of Windows from XP/2000 and later are affected. Anti-virus vendors are so far unable to successfully halt the spread of this attack.
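To see whether a machine actually has the two temporary workarounds above in place, a read-only audit helps. The script below is an added example, not part of the original post or of any Microsoft tooling. It assumes that "turning off icons for shortcuts" means clearing the default value of the `IconHandler` registry key for the `lnkfile` and `piffile` classes; the function names are hypothetical.

```powershell
# Added example: read-only audit of the two temporary workarounds named above.
# Assumption: shortcut icons are "off" when the default value of
# HKEY_CLASSES_ROOT\<class>\shellex\IconHandler is empty or the key is absent.
function Test-ShortcutIconHandlerCleared {
    param([Parameter(Mandatory)][string]$FileClass)
    $key = "Registry::HKEY_CLASSES_ROOT\$FileClass\shellex\IconHandler"
    if (-not (Test-Path -LiteralPath $key)) { return $true }  # no handler registered
    $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    $value = $null
    if ($props -and $props.PSObject.Properties['(default)']) {
        $value = $props.'(default)'
    }
    # An empty default value means Explorer falls back to the generic icon.
    return [string]::IsNullOrWhiteSpace($value)
}

function Get-WebClientState {
    # Win32_Service exposes both the configured start mode and the live state.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WebClient'" `
        -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{ Installed = $false; StartMode = 'n/a'; State = 'n/a' }
    }
    [pscustomobject]@{ Installed = $true; StartMode = $svc.StartMode; State = $svc.State }
}

function Get-LnkWorkaroundReport {
    $web = Get-WebClientState
    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        LnkIconsOff       = Test-ShortcutIconHandlerCleared -FileClass 'lnkfile'
        PifIconsOff       = Test-ShortcutIconHandlerCleared -FileClass 'piffile'
        WebClientMode     = $web.StartMode
        WebClientState    = $web.State
        # Disabled but still running (until the next reboot) does not count.
        WebClientDisabled = (-not $web.Installed) -or
                            ($web.StartMode -eq 'Disabled' -and $web.State -ne 'Running')
    }
}

# Changes nothing on the system; prints one report object for this machine.
Get-LnkWorkaroundReport | Format-List
```

A `False` in any of `LnkIconsOff`, `PifIconsOff` or `WebClientDisabled` means the corresponding workaround is not in effect on that host.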