Tag Archives: Windows


Veronica Schmitt, a senior digital forensic scientist at DFIRLABS, recently featured on Paul’s Security Weekly, showcasing the Microsoft SRUM system tool (System Resource Utilization Monitor).

SRUM was first introduced in Windows 8, and was a new feature designed to track system resource utilization such as CPU cycles, network activity, power consumption, etc. Analysts can use the data collected by SRUM to paint a picture of a user’s activity, and even correlate that activity with network-related events, data transfer, processes, and more.

Very little is known about SRUM outside of a few notes and videos online, and most tellingly, very few sysadmins know about the storage function of this tool.

That sounds pretty interesting. And it is, especially for performance and system monitoring.

But …

The output from SRUM is continually (at 60-minute intervals) written to an ESE database, which in turn can be read by a Python tool called srum-dump, written by Mark Baggett, and output to a CSV for further analysis.

The scary part of this is how much data SRUM is actually writing out to the database and what information can be gleaned from it in forensic terms. Essentially, any actions performed or data generated by a user on that system can be retrieved at a later stage with srum-dump.
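As an added example (not from the post, and not srum-dump's own code), here is the kind of analysis an analyst would run over the network-usage records once srum-dump has exported them to CSV: total bytes per application, and a simple flag for hourly intervals in which an application uploaded far more than it downloaded, the profile of bulk data leaving the host. The column names, paths and byte counts are constructed for illustration; check the header of your own srum-dump CSV before relying on the field names.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample resembling SRUM network-usage records (one row per
# application per ~60 min interval). Column names are assumed for this
# example; real srum-dump output may label them differently.
SAMPLE_CSV = """\
TimeStamp,AppId,UserId,BytesSent,BytesRecvd
2019-03-04 08:00:00,C:\\Program Files\\Mozilla Firefox\\firefox.exe,S-1-5-21-1111,1204567,45678901
2019-03-04 09:00:00,C:\\Program Files\\Mozilla Firefox\\firefox.exe,S-1-5-21-1111,980001,31234567
2019-03-04 09:00:00,C:\\Windows\\System32\\svchost.exe,S-1-5-18,40123,8765432
2019-03-04 02:00:00,C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe,S-1-5-21-1111,734003200,120000
2019-03-04 03:00:00,C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe,S-1-5-21-1111,812000000,95000
"""


def parse_srum_network(text):
    """Parse srum-dump style CSV text into rows with typed fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": datetime.strptime(r["TimeStamp"], "%Y-%m-%d %H:%M:%S"),
            "app": r["AppId"],
            "user": r["UserId"],
            "sent": int(r["BytesSent"]),
            "recvd": int(r["BytesRecvd"]),
        })
    return rows


def totals_per_app(rows):
    """Total bytes sent and received per application over the dataset."""
    totals = defaultdict(lambda: {"sent": 0, "recvd": 0})
    for r in rows:
        totals[r["app"]]["sent"] += r["sent"]
        totals[r["app"]]["recvd"] += r["recvd"]
    return dict(totals)


def flag_upload_heavy(rows, min_bytes_sent=100 * 1024 * 1024, max_ratio=0.2):
    """Return (timestamp, app, user, bytes_sent) for intervals in which an
    application sent at least min_bytes_sent and received less than
    max_ratio of that amount: uploads dominating, unlike normal browsing."""
    hits = []
    for r in rows:
        if r["sent"] >= min_bytes_sent and r["recvd"] < r["sent"] * max_ratio:
            hits.append((r["ts"], r["app"], r["user"], r["sent"]))
    return sorted(hits)


if __name__ == "__main__":
    data = parse_srum_network(SAMPLE_CSV)
    for app, t in totals_per_app(data).items():
        print(f"{app}: sent={t['sent']:,} recvd={t['recvd']:,}")
    for ts, app, user, sent in flag_upload_heavy(data):
        print(f"FLAG {ts} {user} {app} sent {sent:,} bytes")
```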

From a forensics point of view that’s brilliant, but from a privacy point of view it is very scary, especially as very few people realise this is going on in the background. It’s also scary in that, if a (Windows) machine is compromised, the SRUM database can be mined for information that guides additional (lateral or vertical) malicious activity, depending on what data is identified.

Comments welcome …

MS Windows critical font vuln

Microsoft released an out-of-band patch yesterday for a critical vulnerability relating to custom fonts that results in remote code execution on a machine. More details here:


Note that because Windows Server 2003 has just gone end-of-life, there is no update for it.

The end of Windows XP

Windows XP support will officially end on April the 8th next week.

This is a very important change that appears to have escaped many people. Why important? Because you will no longer be receiving any updates ( security or other ) from Microsoft for XP. That effectively means that if a security hole is discovered in Windows XP from the 8th of April, it will be open for anyone to exploit and no fixes will be forthcoming from Microsoft.

While Windows XP has never been what you might term a secure operating system, Microsoft has, up to this point, continued to fix vulnerabilities, bugs and other issues in XP. And it’s these fixes that have improved the security level of XP significantly. That will no longer be the case from next week on.

What is really worrying is that many companies are still running a fairly large percentage of Windows XP systems – it’s estimated that up to 25% of Enterprise/Corporate systems are still Windows XP. And many smaller businesses have a higher percentage as they can’t afford the Windows software and hardware upgrade cycle.

The risk of security breaches on systems running Windows XP beyond April 2014 is high. This is not an overstatement – it’s a certainty! Even the European Cybercrime Centre has warned of impending XP security risks.

What can you do?

1. Make an asset list of both hardware and software

It’s important to understand what hardware and software you have as this will dictate whether you can upgrade to a newer version of Windows or not. As well, certain older applications will not be able to run on Windows 7 and later, even in compatibility mode.

2. Test your hardware

Use one of your PCs/Laptops as a test-bed for checking if Windows 7/8 will run on them without issue. Use the Windows 7 Upgrade Advisor and Microsoft Upgrade Advisor to see if your machines meet the minimum requirements. Minimum requirements also don’t mean a good experience; Windows has, and always will, require more memory and faster disk to perform adequately.

Note that certain MS Windows version upgrades won’t keep any of your existing data or applications, so you need to a. create backups and b. do a clean install. Check with your hardware vendor to see if there are any driver updates for your hardware that are required for the Windows upgrade.

Here is more info on upgrading Windows XP to Windows 7. Note also that Windows 7 support ends in 2020 which is not that far away so keep that in mind when upgrading.

3. Test your applications

Take a Windows 7 or later system and run all your applications on it to make sure they execute without issues. If you find any, try the application compatibility modes in Windows 7 and later; if that does not solve the issue, approach the manufacturer for a fix or look for equivalent applications that are compatible.

4. Update or install a good anti-virus package

The value of a good AV package cannot be overstated. It is generally the first line of defence when accessing network resources or using portable data devices ( USB, CD, DVD etc. ). The package should include malware protection, email scanning and URL/link scanning. Many AV packages now also come with cloud-based sandbox technologies which enhance the ability to detect 0-day exploits. Note that AV packages will NOT be able to provide full protection for Windows XP systems after the end-of-support date.

5. Do not use Internet Explorer 6 or earlier

In fact, don’t use Internet Explorer at all – use an alternate browser such as Firefox or Chrome.

6. Do not use a Windows XP system for banking or other financial transactions

You are literally inviting crackers into your bank account if you continue to use Windows XP for banking and/or other financial transactions from next week on. Use a separate locked-down system, such as a memory stick-based Linux, for any secure internet browsing requirements. You are welcome to contact me for pre-configured memory sticks or pen drives.

7. Contact your technical IT support company for assistance

Your IT service company is in the best position to determine possible solutions for you in this regard. Don’t underestimate the value they can provide in assisting you either in mitigating the security risks of XP or in upgrading to Windows 7 or something else.

Nine years ago, I took the decision to ditch Windows altogether. I’ve never looked back – not only does my current system ( Linux ) provide good performance on lower-spec hardware, but it’s also relatively immune to the bulk of exploits out there. This means I’m secure in the knowledge that when I’m doing Internet banking, my money is not going to disappear.

This path is not for everyone. However, you need to look at the alternatives – whether it’s upgrading Windows to a newer version or migrating to a completely new platform like Mac OS or Linux, you need to make the decision now.

Any delay beyond next week is likely to be a costly move.

Indian call centre virus hoax

The Indian Call Centre virus hoax has been around for some years but has mostly targeted the US and Europe. No more: this morning I received a call from an Indian-sounding male which ran along exactly these lines. “Sir, we’re calling from Microsoft because your ISP has indicated you have viruses coming from your system.” So South Africans are now being targeted with the scam, and some may well fall for it if it’s new to them. It goes as follows:

  • you get a call from someone indicating they are from Microsoft or calling on behalf of Microsoft
  • they have an Indian or Middle-Eastern accent
  • they say that your ISP has indicated you have a virus on your system
  • for a small fee, they can login to your computer remotely and fix the problem
  • you give them your credit card details and access to your system, or they redirect you to a website to buy a “Fix-It” program

The scam is mostly concerned with getting your money, but opening your computer up to a complete stranger could be an even greater risk. It’s important to identify scams like these immediately so you don’t get drawn into a potentially harmful situation. If there were a problem with your machine being infected and causing issues with your internet link, your own ISP would call you. Even then, make sure you get adequate credentials, or call the person back on the ISP’s direct number. Whenever someone contacts you for information or access to a system ( via phone, email or another method ), always be mindful and suspicious – it could be a scammer intent on defrauding you or using your identity for other nefarious reasons. Better safe than sorry.

Here are some links that provide more information:







I’ve just had my second call today, this time from a lady – I went along with it for a while to see what exactly they wanted to do. When she asked me to go to the Start button ( of course I don’t have one, seeing as I’m running KDE/Linux ), and I repeatedly told her I couldn’t find it, she asked me which version of Windows I was running. The moment I said Linux, she put the phone down. I wonder who is next?

Windows 8 a KDE clone?

Microsoft has always been accused of following the pack rather than innovating. So it’s no surprise that early screenshots of the Windows 8 copy dialogue seem to be a direct rip-off of the KDE 4 copy dialogue, from the ‘multiple copy operations in single dialogue’ visual aspect:


to the bandwidth usage graphs:


The look may not be exactly the same, however the idea is spot on. As they say, copying is the sincerest form of flattery.

Windows 7 SP1 breaking machines

Since the release of SP1 for Win 7 and Server 2008 R2, there have been quite a lot of issues relating to the installation of the service pack. Apparently many are seeing boot failures after installing it, specifically with C00000034 fatal errors. Of course, those with WSUS will be getting automatic upgrades, so you don’t even have a choice in the matter. Separately, Windows 7 users applying the SP1 update package have gone into a reboot loop after encountering: “Error C000009A applying update operation 120782 of 367890”.

The strange thing about this service pack install is that unlike other Microsoft software installations, this one removes restore points prior to the installation.

Microsoft has been fairly quiet about the issue leading many to speculate that they’re not sure exactly what the cause is. They do however have a workaround for the C00000034 issue here.

Apparently some guys in India also have a solution.

Win 7 SP1 out soon

Windows 7 Service Pack 1 should be available soon. It won’t have much new functionality, but will have the usual hot fixes and patches. Three items that will make an appearance are:

  • Advanced Vector Extensions ( AVX ) which will be available in forthcoming processors
  • RemoteFX – an extension to RDP
  • Dynamic Memory – intelligent allocation of memory

The last 2 are only relevant in networks running Win Server 2k8 R2. It also seems that there will be a dependency ( Update 976902 ) before one will be able to install SP1 through Windows Update.

IE hole has first blood drawn by Amnesty International

The latest 0-day hole in Internet Explorer has been exploited in the wild via the Amnesty International web site. The hole itself is related to flawed processing routines for parsing certain Cascading Style Sheet combinations in HTML documents. This allows attackers to manipulate certain pointers and execute injected code at the user’s privilege level.

The new attacks confirm observations of the exploit in commercial packages sold to criminals – which means attacks will probably soon become more frequent. Exploit packs fire on visitors to manipulated web sites from different directions to increase the success rate of infection attempts. In addition to the exploit for Internet Explorer, the AI site also contained modules for holes in QuickTime, Flash, and Shockwave.

So far, IE 6, 7 and 8 are vulnerable. No patch is available yet, but Microsoft has indicated that users should enable/use the DEP ( Data Execution Prevention ) feature in XP, Vista and 7 ( IE 8 has DEP enabled by default ).

ZeuS banking trojan now into SMS

New versions of the ZeuS trojan are starting to target the SMS-TAN system, which is used to send transaction numbers ( TANs ) to clients’ cell phones to authenticate that person for an online transaction. The developers of ZeuS have now pursued a multi-stage strategy to get trojans onto the phones. The most important step is still infecting a Windows PC. Then, victims view a specially crafted web site that masquerades as a security update for the victim’s cell phone.

Victims are asked to enter their cell phone number so they can receive a link for the download in a text message. The PC infected with the trojan then promptly sends a text message containing a link to what appears to be a new security certificate. Users are then asked to download and install the certificate on their mobile phones, which requires an Internet connection on the phone.

This effectively completes the compromise of all stages of internet banking at this point in time, the starting point being MS Windows. There is only one solution for this:

Do NOT use a Windows PC for online banking.

The Microsoft Tax

The headline phrase typically refers to the buying of computers with Windows pre-installed by the OEM vendor when you don’t need or want it. I.e. you’ve paid more for the machine ( because it includes Windows ) when you aren’t going to use it.

Unfortunately this time it refers to you, a citizen, paying extra personal tax to fix issues in Microsoft’s software!!! What?!?! World gone crazy ( again )? According to Robert McMillan’s piece on ComputerWorld, Scott Charney (Microsoft’s veep for Trustworthy Computing) suggests that one way to fund fighting botnets is to tax users. “You could say it’s a public safety issue and do it with general taxation” Charney said.

For those not in the know, a botnet is a large collection of compromised PCs/computers ( these will typically be made up of almost 100% Windows machines that have been compromised by a virus, malware or some other piece of malicious software ). Most Microsoft software ( not only their operating systems ) have an atrocious track record when it comes to security and as a result, are the subject of frequent attacks, the result of which is large botnets that generate spam email, infect websites ( running Microsoft web servers ) and propagate other malicious software to infect even more machines.

90%+ of all email generated last year was spam – the direct result of the poor security in the operating system you are probably using on your PC. According to a McAfee report published in May 2009 the amount of energy used every year to transmit, process and filter spam would be enough to power 2.4 million homes, with the same Greenhouse Gas emissions as 3.1 million passenger cars.

Every year, millions of people are the subject of identity theft, banking account invasion, phishing and pharming scams, money loss, credit card schemes and fake software. All because of that one word – Microsoft. Billions are spent each year buying anti-virus and anti-spyware software for PCs, and these are at best only 33% effective. A complete industry of technicians and consultants grew up just to deal with Microsoft security issues.

Are you aware, as a Standard Bank client in South Africa, that every time you draw money from or use an SBIC ATM, you are working with Microsoft Windows XP – the most hacked OS ever?

To be clear, botnets are the single biggest security threat on the Internet – because of the lax security in Microsoft products.

Now you may say that because of Microsoft software’s overarching ubiquity it’s subject to more attacks, but that argument left the building a long time ago. Along with Elvis. Linux is used in everything from phones to set-top boxes, fridges, cars and industrial applications, to your common-or-garden PC at home. MacOS X makes up a good proportion of computer sales worldwide. AIX, HPUX, Solaris, VMS and other operating systems have been running the core institutional services of the world for decades without any known security breaches.

So the questions you need to ask yourself are:

  • are you safe?
  • are you willing to bet your security, identity and money on the Windows platform?
  • are you happy to pay technicians to fix your PC when it becomes infected?
  • are you willing to pay more personal taxes so that Microsoft can continue selling you insecure software?

I switched from the Microsoft Windows platform almost 6 years ago and I’ve never looked back. I work with a simple and reliable operating system that does what I need it to, yet doesn’t put my personal and financial well-being at risk. Can you say the same? No? Perhaps it’s time for a change …

Remember that 17-year old bug in Windows …

… I spoke about in late January? Well, Microsoft has finally come out and acknowledged it. Over a month later. Well, actually 9 months later.

The hole, which originated with the release of Windows NT back in 1993 and is present in every 32-bit version of Windows since, including Windows 7, was discovered by Tavis Ormandy, a Google security team member in Switzerland. Ormandy said that he notified Microsoft of the hole in June 2009 but, after receiving no response other than an acknowledgment, decided to publish his discussion as well as a proof-of-concept exploit.

Compromising a machine requires physical access to the machine as well as authenticated password access, so it’s unlikely to be too serious an issue.

Another IE hole

Another flaw has been found in versions 7 and 8 of Internet Explorer running on Windows XP. There’s an unpatched bug in VBScript that hackers can use to drop malware on 32-bit Windows XP machines. Microsoft says an exploit “was posted publicly that could allow an attacker to host a maliciously crafted web page and run arbitrary code if they could convince a user to visit the web page and then get them to press the F1 key in response to a pop up dialog box.”

Furthermore, “The issue in question involves the use of VBScript and Windows Help files in Internet Explorer. Windows Help files are included in a long list of what we refer to as ‘unsafe file types.’” Interesting that Microsoft views their own Help System as unsafe …

Microsoft says they are not aware of anyone using this exploit yet, but that’s probably just them trying to play down the issue. If an exploit is available, someone will be using it. No patch is available yet, so at minimum switch to another browser; if you’re feeling a little braver, switch to another platform completely.

UPDATE: the list of platforms affected by this flaw has now been expanded to include Windows 2000 and 2003, as well as any version of IE on those platforms, including IE 6.