Archive for the ‘Windows’ Category

Unencrypted Windows crash reports give ‘significant advantage’ to hackers, spies

Wednesday, January 1st, 2014

Microsoft transmits a wealth of information from Windows PCs to its servers in the clear, claims security researcher

Windows’ error- and crash-reporting system sends a wealth of data unencrypted and in the clear, information that eavesdropping hackers or state security agencies can use to refine and pinpoint their attacks, a researcher said today.

Not coincidentally, over the weekend the popular German newsmagazine Der Spiegel reported that the U.S. National Security Agency (NSA) collects Windows crash reports from its global wiretaps to sniff out details of targeted PCs, including the installed software and operating systems, down to the version numbers and whether the programs or OSes have been patched; application and operating system crashes that signal vulnerabilities that could be exploited with malware; and even the devices and peripherals that have been plugged into the computers.

“This information would definitely give an attacker a significant advantage. It would give them a blueprint of the [targeted] network,” said Alex Watson, director of threat research at Websense, which on Sunday published preliminary findings of its Windows error-reporting investigation. Watson will present Websense’s discovery in more detail at the RSA Conference in San Francisco on Feb. 24.

Sniffing crash reports using low-volume “man-in-the-middle” methods — the classic is a rogue Wi-Fi hotspot in a public place — wouldn’t deliver enough information to be valuable, said Watson, but a wiretap at the ISP level, the kind the NSA is alleged to have in place around the world, would.

“At the [intelligence] agency level, where they can spend the time to collect information on billions of PCs, this is an incredible tool,” said Watson.

And it’s not difficult to obtain the information.

Microsoft does not encrypt the initial crash reports, said Watson, which include both those that prompt the user before they’re sent as well as others that do not. Instead, they’re transmitted to Microsoft’s servers “in the clear,” or over standard HTTP connections.

If a hacker or intelligence agency can insert themselves into the traffic stream, they can pluck out the crash reports for analysis without worrying about having to crack encryption.

And the reports from what Microsoft calls “Windows Error Reporting” (ERS), but which is also known as “Dr. Watson,” contain a wealth of information on the specific PC.

When a device is plugged into a Windows PC’s USB port, for example — say an iPhone to sync it with iTunes — an automatic report is sent to Microsoft that contains the device identifier and manufacturer, the Windows version, the maker and model of the PC, the version of the system’s BIOS and a unique machine identifier.

By comparing the data with publicly-available databases of device and PC IDs, Websense was able to establish that an iPhone 5 had been plugged into a Sony Vaio notebook, and even nail the latter’s machine ID.

If hackers are looking for systems running outdated, and thus vulnerable, versions of Windows — XP SP2, for example — the in-the-clear reports will show which ones have not been updated.

Windows Error Reporting is installed and activated by default on all PCs running Windows XP, Vista, Windows 7, Windows 8 and Windows 8.1, Watson said, confirming that the Websense techniques of deciphering the reports worked on all those editions.

Watson characterized the chore of turning the cryptic reports into easily-understandable terms as “trivial” for accomplished attackers.

More thorough crash reports, including ones that Microsoft silently triggers from its end of the telemetry chain, contain personal information and so are encrypted and transmitted via HTTPS. “If Microsoft is curious about the report or wants to know more, they can ask your computer to send a mini core dump,” explained Watson. “Personal identifiable information in that core dump is encrypted.”

Microsoft uses the error and crash reports to spot problems in its software as well as that crafted by other developers. Widespread reports typically lead to reliability fixes deployed in non-security updates.

The Redmond, Wash. company also monitors the crash reports for evidence of as-yet-unknown malware: Unexplained and suddenly-increasing crashes may be a sign that a new exploit is in circulation, Watson said.

Microsoft often boasts of the value of the telemetry to its designers, developers and security engineers, and with good reason: An estimated 80% of the world’s billion-plus Windows PCs regularly send crash and error reports to the company.

But the unencrypted information fed to Microsoft by the initial and lowest-level reports — which Watson labeled “Stage 1” reports — constitutes a dangerous leak, Watson contended.

“We’ve substantiated that this is a major risk to organizations,” said Watson.

Error reporting can be disabled manually on a machine-by-machine basis, or in large sets by IT administrators using Group Policy settings.

Websense recommended that businesses and other organizations redirect the report traffic on their network to an internal server, where it can be encrypted before being forwarded to Microsoft.

But to turn it off entirely would be to throw away a solid diagnostic tool, Watson argued. ERS can provide insights not only to hackers and spying eavesdroppers, but also the IT departments.

“[ERS] does the legwork, and can let [IT] see where vulnerabilities might exist, or whether rogue software or malware is on the network,” Watson said. “It can also show the uptake on BYOD [bring your own device] policies,” he added, referring to the automatic USB device reports.

Microsoft should encrypt all ERS data that’s sent from customer PCs to its servers, Watson asserted.

A Microsoft spokesperson asked to comment on the Websense and Der Spiegel reports said, “Microsoft does not provide any government with direct or unfettered access to our customers’ data. We would have significant concerns if the allegations about government actions are true.”

The spokesperson added that, “Secure Socket Layer connections are regularly established to communicate details contained in Windows error reports,” which is only partially true, as Stage 1 reports are not encrypted, a fact that Microsoft’s own documentation makes clear.

“The software ‘parameters’ information, which includes such information as the application name and version, module name and version, and exception code, is not encrypted,” Microsoft acknowledged in a document about ERS.
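Websense’s recommendation above (redirect reports to an internal server and encrypt that hop) can be audited and applied per machine with the script below. It is an added example, not code from the article, Websense or Microsoft; the policy value names are the ones written by the “Configure Corporate Windows Error Reporting” Group Policy setting, and the collector host and port are placeholders for an internal server you operate.

```powershell
# Added example: audit where this machine's Windows Error Reporting (WER)
# uploads go, and optionally apply the corporate redirect over SSL.
# Assumed: the policy key and value names below match the GPO
# "Configure Corporate Windows Error Reporting". Run as Administrator.
param(
    [string]$CollectorHost = 'wer-collector.corp.example',   # placeholder
    [int]$CollectorPort    = 443,                            # placeholder
    [switch]$Apply                                           # audit only unless set
)

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting'
$LocalKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting'

function Get-WerUploadState {
    # Missing values mean Microsoft defaults, i.e. the behaviour the article
    # describes: Stage 1 parameters sent directly to Microsoft in the clear.
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $l = Get-ItemProperty -Path $LocalKey  -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ReportingDisabled = [bool]($p.Disabled -eq 1 -or $l.Disabled -eq 1)
        CorporateServer   = $p.CorporateWerServer
        CorporateUseSSL   = [bool]($p.CorporateWerUseSSL -eq 1)
        CorporatePort     = $p.CorporateWerPortNumber
    }
}

function Test-WerUploadHardened {
    param([pscustomobject]$State)
    # Weak: reporting enabled with no corporate redirect.
    # Acceptable: reporting disabled, or redirected to a collector over SSL.
    if ($State.ReportingDisabled) { return $true }
    return (-not [string]::IsNullOrEmpty($State.CorporateServer) -and $State.CorporateUseSSL)
}

function Set-WerCorporateRedirect {
    param([string]$Server, [int]$Port)
    # Send every report to the internal collector and require SSL on that hop;
    # the collector is then responsible for forwarding to Microsoft over HTTPS.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name CorporateWerServer     -PropertyType String -Value $Server -Force | Out-Null
    New-ItemProperty -Path $PolicyKey -Name CorporateWerUseSSL     -PropertyType DWord  -Value 1       -Force | Out-Null
    New-ItemProperty -Path $PolicyKey -Name CorporateWerPortNumber -PropertyType DWord  -Value $Port   -Force | Out-Null
}

$before = Get-WerUploadState
$before | Format-List
if (Test-WerUploadHardened $before) {
    Write-Output 'WER upload path is hardened (reporting disabled or redirected over SSL).'
} elseif ($Apply) {
    Set-WerCorporateRedirect -Server $CollectorHost -Port $CollectorPort
    Get-WerUploadState | Format-List
} else {
    Write-Warning 'WER reports leave this host unredirected; re-run with -Apply to set the corporate redirect.'
}
```

Applying the same three values through Group Policy rather than the local registry is the fleet-wide equivalent; the audit half of the script still reads the result either way.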


Windows 7 given a reprieve of sorts to extend OEM sales

Friday, December 13th, 2013

October 30, 2014 is no longer the cut-off date—well, at least for now.

Microsoft updated its Windows lifecycle table last week, quietly announcing that OEMs would have to cease preinstalling Windows 7 on new systems by October 30, 2014. Retail sales of boxed copies of the operating system have already ended, on October 30 of this year.

But the company has now removed that 2014 date, claiming that it was a mistake. The date is now “to be determined.” The issued statement about the mistake reads:

“We have yet to determine the end of sales date for PCs with Windows 7 preinstalled. The October 30, 2014 date that posted to the Windows Lifecycle page globally last week was done so in error. We have since updated the website to note the correct information; however, some non-English language pages may take longer to revert to correctly reflect that the end of sales date is ‘to be determined.’ We apologize for any confusion this may have caused our customers. We’ll have more details to share about the Windows 7 lifecycle once they become available.”

This of course leaves open the possibility that the October 30, 2014 date could be the cut-off.

As things stand, Windows 7 is still due to leave mainstream support on January 13, 2015, giving Windows 7 systems just a few months of full support. Extended support—which for the most part means “security fixes”—is due to run until January 14, 2020.

More pressing is the end of Windows XP’s extended support, which is still due to terminate on April 8, 2014.


Microsoft exec hints at separate Windows release trains for consumers, business

Monday, December 9th, 2013

Resistance from enterprises, and Ballmer’s departure, may be changing Microsoft’s mind

Microsoft may revert to separate release schedules for consumer and business versions of Windows, the company’s top operating system executive hinted this week.

At a technology symposium hosted by financial services giant Credit Suisse, Tony Myerson acknowledged the operating system adoption chasm between consumers and more conservative corporations. Myerson, who formerly led the Windows Phone team, was promoted in July to head all client-based OS development, including that for smartphones, tablets, PCs and the Xbox game console.

“The world has shown that these two different customers really have divergent needs,” said Myerson Wednesday, according to a transcript of his time on stage. “And there may be different cadences, or different ways in which we talk to those two customers. And so [while Windows] 8.1 and [Windows] 8.1 Pro both came at the same time, it’s not clear to me that’s the right way to serve the consumer market. [But] it may be the right way to continue serving the enterprise market.”

Myerson’s comment hinted at a return to a practice last used in the early years of this century, when Microsoft delivered new operating systems to the company’s consumer and commercial customers on different schedules.

Before 2001’s arrival of Windows XP — when Microsoft shipped consumer and business versions simultaneously — Microsoft aimed different products, with different names, at each category. In 2000, for example, Microsoft delivered Windows ME, for “Millennium Edition,” to consumers and Windows 2000 to businesses. Prior to that, Windows 95, although widely used in businesses, was the consumer-oriented edition, while Windows NT 4.0, which launched in 1996, targeted business PCs and servers.

The update/upgrade-acceptance gap between consumers and businesses reappeared after Microsoft last year said it would accelerate its development and release schedule for Windows, then delivered on the first example of that tempo, Windows 8.1, just a year after the launch of its predecessor.

Enterprises have become nervous about the cadence, say analysts. Businesses as a rule are much more conservative about upgrading their machines’ operating systems than are consumers: The former must spend thousands, even millions, to migrate from one version to another, and must test the compatibility of in-house and mission-critical applications, then rewrite them if they don’t work.

That conservative approach to upgrades was a major reason why Windows XP retained a stranglehold on business PCs for more than a decade, and why Windows 7, not Windows 8 or 8.1, has replaced it.

It’s extremely difficult to serve both masters — consumer and commercial — equally well, said Patrick Moorhead, principal analyst at Moor Insights & Strategy. “No one has yet mastered being good on enterprise and good on consumer,” said Moorhead in an interview. “[The two] are on completely different cycles.”

In October, outgoing CEO Steve Ballmer dismissed concerns over the faster pace. At a Gartner Research-sponsored conference, when analyst David Cearley noted, “Enterprises are concerned about that accelerated delivery cycle,” Ballmer simply shook his head.

“Let me push back,” said Ballmer, “and say, ‘Not really.’ If our customers have to take DVDs from us, install them, and do customer-premise software, you’re saying to us ‘Don’t upgrade that software very often … two to three years is perfect.’ But if we deliver something to you that’s a service, as we do with Office 365, our customers are telling us, ‘We want to be up to date at all times.’”

Another Gartner analyst, Michael Silver, countered Ballmer’s claim. “Organizations need to be afraid of what’s to come,” Silver said at the time. “If [companies] get on this release train, Microsoft will take them where [Microsoft] wants to go, or [Microsoft] will run them over.”

Myerson’s hint of separate release trains, to use Silver’s terminology, may be a repudiation of Ballmer’s contention. Or not.

His statement of, “It may be the right way to continue serving the enterprise market,” could be interpreted to mean that Microsoft will maintain an accelerated tempo for business versions of Windows — one faster than the three years between upgrades that the company has used in the past — and speed up Windows updates to consumers even more.

“The consumer really is ready for things to be upgraded on their own,” Myerson said.

“Microsoft’s biggest strategic question is, ‘Am I an enterprise company or a consumer company, or both?’” said Moorhead. “Something has to break here.”

And one crack might be, according to Myerson, a separation of consumer and commercial on Windows.


Microsoft ends Windows 7 retail sales

Friday, December 6th, 2013

Sets October 2014 cut-off for sales to OEMs

Microsoft has quietly ended retail sales of Windows 7, according to a notice on its website.

The company’s policies for shutting off sales to retailers and shipping licenses to OEMs (original equipment manufacturers) are posted on its site, which was recently updated to show that Windows 7’s “retail end of sales” date was Oct. 30.

The next deadline, marked as “End of sales for PCs with Windows preinstalled,” will be Oct. 30, 2014, less than a year away.

Microsoft’s practice, first defined in 2010, is to stop selling an older operating system in retail one year after the launch of its successor, and halt delivery of the previous Windows edition to OEMs two years after a new version launches. The company shipped Windows 8, Windows 7’s replacement, in October 2012.

As recently as late September, the last time Computerworld cited the online resource, Microsoft had not filled in the deadlines for Windows 7. At the time, Computerworld said that the end-of-October dates were the most likely.

A check of Microsoft’s own online store showed that the company has pulled Windows 7 from those virtual shelves.

In practical terms, the end-of-retail-sales date has been an artificial and largely meaningless deadline, as online retailers have continued to sell packaged copies, sometimes for years, by restocking through distributors which squirreled away older editions.

Today, for example, one large online retailer had a plentiful supply of various versions of Windows 7 available to ship, as did a technology specialist retailer; the former also listed copies of Windows Vista and even Windows XP for sale through partners.

Microsoft also makes a special exception for retail sales, telling customers that between the first and second end-of-sale deadlines they can purchase Windows 7 from computer makers. “When the retail software product reaches its end of sales date, it can still be purchased through OEMs (the company that made your PC) until it reaches the end of sales date for PCs with Windows preinstalled,” the company’s website stated.

The firmer deadline is the second, the one for offering licenses to OEMs. According to Microsoft, it “will continue to allow OEMs to sell PCs preinstalled with the previous version for up to two years after the launch date of the new version” (emphasis added).

After that date, Microsoft shuts off the spigot, more or less, although OEMs, especially smaller “white box” builders, can and often do stockpile licenses prior to the cut-off.

But officially, the major PC vendors — like Dell, Hewlett-Packard and Lenovo — will discontinue most Windows 7 PC sales in October 2014, making Windows 8 and its follow-ups, including Windows 8.1, the default.

Even then, however, there are ways to circumvent the shut-down. Windows 8 Pro, the more expensive of the two public editions, includes “downgrade” rights that allow PC owners to legally install an older OS. OEMs and system builders can also use downgrade rights to sell a Windows 8- or Windows 8.1-licensed system, but factory-downgrade it to Windows 7 Professional before it ships.

Enterprises with volume license agreements are not at risk of losing access to Windows 7, as they are granted downgrade rights as part of those agreements. In other words, while Microsoft may try to stymie Windows 7 sales, the 2009 operating system will long remain a standard.

As of the end of November, approximately 46.6% of all personal computers ran Windows 7, according to Web measurement vendor Net Applications, a number that represented 51.3% of all the systems running Windows.


Windows RT 8.1 update temporarily pulled due to a “situation”

Monday, October 21st, 2013

Some devices left unbootable after installing the update.

The Windows RT 8.1 update for devices such as Microsoft’s Surface RT has been removed from the Windows Store temporarily, after a “situation” prevented a “limited number of users” from being able to upgrade successfully.

The problem appears to be that the update is damaging certain boot data, causing affected machines to blue screen on startup. The issue is recoverable if you’ve created a recovery USB key (or have access to a machine that can create one), but Microsoft currently appears to have no easy way to create a suitable USB key from non-ARM machines.

To call this embarrassing for Microsoft is something of an understatement. While x86 PCs have extraordinary diversity in terms of hardware, software, and drivers—all things that can prevent straightforward upgrading—the Windows RT devices are extremely limited in this regard. Upgrading Windows RT tablets should be absolutely bulletproof. It’s very disappointing that it isn’t.

Update: Partially alleviating the problem, Microsoft has released a system image for Windows RT 8.1, so as long as you have another PC and a USB key, it should now be relatively easy to recover from broken upgrades.


Update for deprecation of MD5 hashing algorithm for Microsoft Root Certificate Program

Thursday, August 22nd, 2013

Executive Summary

Microsoft is announcing the availability of an update for supported editions of Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, and Windows RT that restricts the use of certificates with MD5 hashes. This restriction is limited to certificates issued under roots in the Microsoft root certificate program. Use of the MD5 hash algorithm in certificates could allow an attacker to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.

The update is available on the Download Center for all affected releases of Microsoft Windows except for Windows RT (no update for Windows RT is available at this time). In addition, Microsoft is planning to release this update through Microsoft Update on February 11, 2014 after customers have a chance to assess the impact of this update and take necessary actions in their environments.


Microsoft recommends that customers download, test, and apply the update at the earliest opportunity. Please see the Suggested Actions section of this advisory for more information.

Note that the 2862966 update is a prerequisite and must be applied before this update can be installed. The 2862966 update contains associated framework changes to Microsoft Windows. For more information, see Microsoft Knowledge Base Article 2862966.

Known Issues

Microsoft Knowledge Base Article 2862973 documents the currently known issues that customers may experience when installing this update. The article also documents recommended solutions for these issues.
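The advisory asks customers to assess the impact before the update ships through Microsoft Update. The script below is an added example, not part of the advisory or of the update, that inventories MD5-signed certificates in the local stores; it assumes .NET’s X509Certificate2.SignatureAlgorithm reports the OID friendly name (for example “md5RSA”) and that the session is elevated so every machine store is readable.

```powershell
# Added example: list certificates in the local machine and current user
# stores whose signature uses MD5, to judge what the MD5 restriction will
# affect before it is installed. Assumed: SignatureAlgorithm.FriendlyName
# contains "md5" for MD5-based signature OIDs; run elevated.
function Get-Md5SignedCertificate {
    param(
        [string[]]$StoreRoots = @('Cert:\LocalMachine', 'Cert:\CurrentUser')
    )
    foreach ($root in $StoreRoots) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
            Where-Object { $_.SignatureAlgorithm.FriendlyName -match '(?i)md5' } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $_.PSParentPath -replace '^.*::', ''
                    Subject    = $_.Subject
                    Issuer     = $_.Issuer
                    # A self-signed certificate is its own root. The advisory
                    # scopes the restriction to certificates issued under a
                    # root, so self-signed entries are listed but flagged apart.
                    SelfSigned = ($_.Subject -eq $_.Issuer)
                    Algorithm  = $_.SignatureAlgorithm.FriendlyName
                    NotAfter   = $_.NotAfter
                    Thumbprint = $_.Thumbprint
                }
            }
    }
}

$hits = @(Get-Md5SignedCertificate)
if ($hits.Count -eq 0) {
    Write-Output 'No MD5-signed certificates found in the scanned stores.'
} else {
    $hits | Sort-Object SelfSigned, Store | Format-Table -AutoSize
    Write-Warning ("{0} MD5-signed certificate(s) found; non-self-signed entries chaining to a Microsoft root program root may no longer validate once the update is installed." -f $hits.Count)
}
```

Certificates presented by remote servers are not covered by a store scan; those need to be checked where they are served.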


Dangerous Linux Trojan could be sign of things to come

Friday, August 16th, 2013

‘Hand of Thief’ Trojan specifically targets Linux but operates a lot like similar malware that targets Windows machines

Desktop Linux users accustomed to a relatively malware-free lifestyle should get more vigilant in the near future — a researcher at RSA has detailed the existence of the “Hand of Thief” Trojan, which specifically targets Linux.

According to cyber intelligence expert Limor Kessem, Hand of Thief operates a lot like similar malware that targets Windows machines — once installed, it steals information from web forms, even if they’re using HTTPS, creates a backdoor access point into the infected machine, and attempts to block off access to anti-virus update servers, VMs, and other potential methods of detection.

Hand of Thief is currently being sold in “closed cybercrime communities” for $2,000, which includes free updates, writes Kessem. However, she adds, the upcoming addition of new web injection attack technology will push the price to $3,000, and introduce a $550 fee for major version updates.

“These prices coincide with those quoted by developers who released similar malware for the Windows OS, which would make Hand of Thief relatively priced way above market value considering the relatively small user base of Linux,” she notes.

Getting Linux computers infected in the first place, however, could be more problematic for would-be thieves — Kessem says the lack of exploits targeting Linux means that social engineering and email are the most likely attack vectors, citing a conversation with Hand of Thief’s sales agent.

Kessem also says that growth in the number of desktop Linux users — prompted, in part, by the perceived insecurity of Windows — could potentially herald the arrival of more malware like Hand of Thief, as the number of possible targets grows.

Historically, desktop Linux users have been more or less isolated from the constant malware scares that plague Windows, which is at least partially a function of the fact that their numbers represent a tiny fraction of the Windows install base.

Users of Linux-based Android smartphones, however, have become increasingly tempting targets for computer crime — and with the aforementioned growth in desktop users, the number of threats may increase even further.


Microsoft botches six Windows patches in latest Automatic Update

Friday, August 16th, 2013

Microsoft acknowledges problems with KB 2876063, KB 2859537, KB 2873872, KB 2843638, KB 2843639, and KB 2868846, all released earlier this week

In an amazing tour de force, Microsoft’s Automatic Update chute released at least six bad patches on Tuesday. Here’s what’s amazing: It’s just 48 hours or so since the bomb bay doors opened, and Microsoft has acknowledged problems with all of these patches. That’s a first, I think — and the biggest positive development in the Automatic Update minefield I’ve seen in a long time.

The gory details:

  • MS13-061/KB 2876063 — a remote code execution hole in Exchange Server — has been pulled. The problem only affects Exchange 2013. From the Exchange team blog:

Late last night we became aware of an issue with MS13-061 security update for Exchange Server 2013. Specifically, after the installation of the security update, the Content Index for mailbox databases shows as Failed and the Microsoft Exchange Search Host Controller service is renamed. For those that have already installed the MS13-061 security update for Exchange Server 2013, we already have KB 2879739 that provides the steps on how to resolve this issue. However, due to this issue and that it affects all Mailbox server installations, we have decided to pull the MS13-061 security update temporarily. Note: This issue does not occur in Exchange 2010 or Exchange 2007.

To give credit where due, Microsoft may or may not be the source of the problem. According to the SANS Internet Storm Center, “Oracle … disclosed the vulnerabilities in their patch updates in April and July 2013. Microsoft licensed the vulnerable libraries from Oracle. There are also functional changes non security changes rolled up into this update.”

  • MS13-063/KB 2859537 — another botched Windows Kernel patch — has not been pulled (at least it’s still being offered on the systems I work with), but Microsoft has acknowledged at least one problem in the KB article:

Some users may experience issues with certain games after they install security update 2859537. In some cases, users may not successfully start and sign in to the games. Microsoft is researching this problem and will post more information in this article when the information becomes available.

Apparently, with this patch applied, the game Rift crashes immediately after authentication, as does Defiance. Softpedia reports that the patch causes BSODs on Windows 7 systems. One poster on the Microsoft Answers forum says it triggers an Error 0xc0000005, and “it’s not possible to run almost all applications include IE, Personalize screen, components from control panel and many other ‘native windows features and applications.’” There’s an avalanche of bug reports online, many in Russian.

Microsoft is aware of problems with the security updates described in MS13-066 that affect Active Directory Federation Services (ADFS) 2.0. The problems could cause ADFS to stop working. Microsoft has removed the updates for ADFS 2.0 from Windows Update and the Download Center. Microsoft is researching this problem and will post more information in this article when the information becomes available.

In addition:

You may experience functionality issues with security update 2843639 if you do not have update 2790338 already applied. We recommend that customers who are experiencing these issues install update 2790338. For more information, click the following article number to view the article in the Microsoft Knowledge Base: 2790338 Description of Update Rollup 3 for Active Directory Federation Services (AD FS) 2.0

Here’s the punch line. The SANS Internet Storm Center religiously tracks which Microsoft patches cover holes that are publicly known. For this month’s bunch, only two of the eight security bulletins — MS13-061 and MS13-063 — have known active exploits; the others have no publicly known exploits. You guessed it: Both security bulletins are causing major headaches.

Microsoft has had no end of problems with patches lately, with at least four botched patches just last month. For a change, this time the company is fessing up to it — quickly and as best I can tell accurately, and the mea culpas are posted where they’re supposed to be posted.

That’s a start.


Microsoft security bulletin advance notification for July 2013

Friday, July 5th, 2013

This is an advance notification of security bulletins that Microsoft is intending to release on July 9, 2013.

Bulletin ID   Maximum Severity Rating and Vulnerability Impact   Restart Requirement        Affected Software
Bulletin 1    Critical, Remote Code Execution                    May require restart        Microsoft .NET Framework, Microsoft Silverlight
Bulletin 2    Critical, Remote Code Execution                    Requires restart           Microsoft Windows
Bulletin 3    Critical, Remote Code Execution                    May require restart        Microsoft Windows, Microsoft Office, Microsoft Visual Studio, Microsoft Lync
Bulletin 4    Critical, Remote Code Execution                    Requires restart           Microsoft Windows, Internet Explorer
Bulletin 5    Critical, Remote Code Execution                    May require restart        Microsoft Windows
Bulletin 6    Critical, Remote Code Execution                    May require restart        Microsoft Windows
Bulletin 7    Important, Elevation of Privilege                  Does not require restart   Microsoft Security Software


Microsoft Windows XP support ends in 365 days

Monday, April 8th, 2013

Microsoft wants its Windows XP users to get with the program, and is giving them 365 days to do so.

One year from today, Microsoft will shut down extended support for its 12-year-old operating system, in favor of newer platforms like Windows 7 and 8.

In 2002, Microsoft launched its Support Lifecycle policy, allowing 10 years of combined mainstream and extended support for Microsoft Business and Developer products, including Windows OSes. To that end, Windows XP SP3 and Office 2003 will lose that support on April 8, 2014.

“If your organization has not started the migration to a modern desktop, you are late,” Stephen Rose, senior product manager for Windows Commercial, wrote in a blog post. He revealed that it takes an average company 18 to 32 months to reach full deployment, and urged businesses to begin planning and application testing “immediately,” to avoid issues later.

But don’t think that a simple upgrade from XP to Windows 7 or 8 — a “modern operating system,” according to Rose — will do the trick.

“You will need to do a clean install,” Rose said, meaning user data must be migrated and applications reinstalled on the new OS. More details on testing hardware and apps can be found on the Windows blog.

Microsoft already pulled mainstream support for Windows XP in April 2009, but come this time next year, it will drop extended support, meaning no more security updates, non-security hotfixes, free or paid assisted support options, or online technical content updates.

Rose warned that running XP SP3 and Office 2003 after support ends can expose companies to potential security risks. Even anti-virus software support won’t be enough, and vulnerabilities discovered in the operating system or applications running on it will remain unpatched and open to malware.

“Using XP after April 2014 is an ‘at your own risk’ situation for any customers choosing not to migrate,” Rose wrote.

Windows XP launched in 2001, and has been named Microsoft’s most popular OS of its time. Redmond has given users plenty of time to make the move; the software giant announced the news last April, two years before the shutdown, before the Windows 8 launch.

According to March data from Net Applications, approximately 38.73 percent of PC users are still using Windows XP; the most popular OS is Windows 7 with 44.73 percent. About 4.99 percent are on Vista, while only 3.17 percent have upgraded to Microsoft’s latest, Windows 8.


Microsoft begins pushing Windows 7 SP1 as an automatic update

Tuesday, March 19th, 2013

Starting this week, Microsoft will begin giving Windows 7 users who have yet to install Service Pack 1 a helpful push into the safer, more secure future. SP1 will start rolling out as an automatic update, and that’s a very good thing.

Not only does Windows 7 Service Pack 1 patch numerous flaws in the uber-popular OS, but it also brings loads of performance and stability tweaks. It’s also going to be a support requirement going forward come April 9, 2013. Microsoft wants to make sure everyone who’s using Windows 7 is running the version that’s in line for all the upcoming bug fixes. Critical security fixes, of course, will still be delivered to all Windows 7 users, not just those who welcome SP1 with open arms.

There’s really no reason not to install the update, unless you’re a network administrator with very particular platform requirements for your in-house apps… or you happen to be running a copy of Windows that might not be 100% legal.

Don’t be expecting to see any dramatic changes after you install, though. Microsoft’s official notes about what’s included in Windows 7 SP1 are thin on details and the few changes that do get mentioned aren’t very exciting. Better print output from the XPS viewer won’t make you want to raise your glass, but improved audio reliability over HDMI connections might at least be worth a golf clap if you’re going to be running SP1 on a media center computer.

To make sure you’re ready to receive Microsoft’s SP1 push, just pop in to the Control Panel and click the Windows Update icon. If you’re feeling a bit geekier, hit services.msc from the search box and verify that the Windows Update service is running.


New Microsoft patch purges USB bug that allowed complete system hijack

Tuesday, March 12th, 2013

Hole allowed USB-connected drives to infect machines with malware à la Stuxnet.

Microsoft has plugged a hole in its Windows operating system that allowed attackers to use USB-connected drives to take full control of a targeted computer.

Microsoft said it classified the vulnerability as “important,” a less severe rating than “critical,” because exploits require physical access to the computer being attacked. While that requirement makes it hard for hacks to spread online, readers should bear in mind that the vulnerability in theory allows attackers to carpet bomb conferences or other gatherings with booby-trapped drives that, when plugged into a vulnerable computer, infect it with malware. Such vulnerabilities also allow attackers to penetrate sensitive networks that aren’t connected to the Internet, in much the way the Stuxnet worm that targeted Iran’s nuclear program did.

“When you look at it in the sense of a targeted attack, it does make the vulnerability critical,” Marc Maiffret, CTO of BeyondTrust, told Ars. “Because of things like Stuxnet raising awareness around the physical aspect of planting USB drives or having people to take these things into facilities, it does make it critical.”

According to Microsoft, the MS13-027 series of vulnerabilities can be exploited when a maliciously formatted USB drive is inserted into a computer. When Windows drivers read a specially manipulated descriptor, the system will execute attack code with the full permissions of the operating system kernel.

“Because the vulnerability is triggered during device enumeration, no user intervention is required,” Microsoft Security Response Center researchers Josh Carlson and William Peteroy wrote in a blog post. “In fact, the vulnerability can be triggered when the workstation is locked or when no user is logged in, making this an un-authenticated elevation of privilege for an attacker with casual physical access to the machine.”
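
The bug class at issue here, a driver trusting the length fields of a descriptor the device hands it, is easiest to see in code. The following is an added example, not Windows driver source and not the specific defect Microsoft fixed in MS13-027: a generic, bounds-checked walker over a USB configuration descriptor, with constructed sample descriptors covering the two malformed inputs a careless parser mishandles (a bLength larger than the bytes remaining, which reads past the buffer, and a bLength of zero, which never advances).

```c
/* Added example: bounds-checked parsing of an untrusted USB configuration
 * descriptor. Illustrative only; not Windows code and not the MS13-027 bug. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define USB_DT_CONFIG    0x02
#define USB_DT_INTERFACE 0x04
#define USB_DT_ENDPOINT  0x05

struct desc_summary {
    unsigned interfaces;
    unsigned endpoints;
};

/* Returns 0 and fills *out for a well-formed descriptor set, -1 if any
 * descriptor would walk outside the received buffer or fail to advance. */
int parse_config_descriptor(const uint8_t *buf, size_t len, struct desc_summary *out)
{
    memset(out, 0, sizeof *out);
    /* Configuration header: bLength(9), bDescriptorType, wTotalLength (LE16), ... */
    if (len < 9 || buf[0] != 9 || buf[1] != USB_DT_CONFIG)
        return -1;
    size_t total = (size_t)buf[2] | ((size_t)buf[3] << 8);
    /* wTotalLength comes from the device: clamp it to what was actually read. */
    if (total < 9 || total > len)
        return -1;

    size_t off = 9;
    while (off < total) {
        if (total - off < 2)            /* every descriptor has a 2-byte header */
            return -1;
        uint8_t blen = buf[off];
        uint8_t type = buf[off + 1];
        /* blen < 2 would loop forever; blen > remaining would read past the end. */
        if (blen < 2 || blen > total - off)
            return -1;
        if (type == USB_DT_INTERFACE) {
            if (blen < 9) return -1;    /* interface descriptors are 9 bytes */
            out->interfaces++;
        } else if (type == USB_DT_ENDPOINT) {
            if (blen < 7) return -1;    /* endpoint descriptors are 7 bytes */
            out->endpoints++;
        }
        off += blen;                    /* unknown/class-specific types are skipped */
    }
    return 0;
}

/* Constructed sample: config (9) + interface (9) + endpoint (7) = 25 bytes. */
static const uint8_t good_desc[] = {
    9, USB_DT_CONFIG, 25, 0, 1, 1, 0, 0x80, 50,
    9, USB_DT_INTERFACE, 0, 0, 1, 0xff, 0, 0, 0,
    7, USB_DT_ENDPOINT, 0x81, 0x02, 64, 0, 0,
};

/* Same layout, but the endpoint claims bLength 0x40: a walker that trusts it
 * would read 57 bytes beyond this buffer. */
static const uint8_t overlong_desc[] = {
    9, USB_DT_CONFIG, 25, 0, 1, 1, 0, 0x80, 50,
    9, USB_DT_INTERFACE, 0, 0, 1, 0xff, 0, 0, 0,
    0x40, USB_DT_ENDPOINT, 0x81, 0x02, 64, 0, 0,
};

/* bLength of zero: a walker without the blen < 2 check spins forever. */
static const uint8_t zero_len_desc[] = {
    9, USB_DT_CONFIG, 11, 0, 1, 1, 0, 0x80, 50,
    0, USB_DT_INTERFACE,
};

/* Helpers returning the parse results so they can be checked programmatically. */
int check_good(void)
{
    struct desc_summary s;
    return parse_config_descriptor(good_desc, sizeof good_desc, &s) == 0
        && s.interfaces == 1 && s.endpoints == 1;
}
int check_overlong(void)
{
    struct desc_summary s;
    return parse_config_descriptor(overlong_desc, sizeof overlong_desc, &s);
}
int check_zero_len(void)
{
    struct desc_summary s;
    return parse_config_descriptor(zero_len_desc, sizeof zero_len_desc, &s);
}

int main(void)
{
    printf("good: %d, overlong: %d, zero-length: %d\n",
           check_good(), check_overlong(), check_zero_len());
    return 0;
}
```

The point the quoted MSRC passage makes is that this parsing happens during enumeration, before any user is involved, so every length field read from the device has to be treated as attacker-controlled input; the two rejected samples above are exactly the inputs that turn a trusting parser into an out-of-bounds read or a hang.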

Over the past few years, Microsoft has closed a variety of security holes related to USB hard drives. In addition to fixing the LNK file vulnerability that allowed Stuxnet to infect machines when a stick was plugged in, company engineers have also reworked the autorun feature that used to automatically open a window each time a removable drive was connected. Hackers had long abused the feature to display options that would say things like “open folder to view files” but install malware when clicked instead.

MS13-027 is one of seven bulletins Microsoft issued as part of this month’s Patch Tuesday. (The company releases fixes on the second Tuesday of each month.) In all, the bulletins fixed 20 separate vulnerabilities in Internet Explorer, Silverlight, Visio Viewer, SharePoint, OneNote, and Outlook. While the USB patch isn’t among the four bulletins rated critical, readers might consider it urgent nonetheless.


Microsoft Patch Tuesday targets Internet Explorer drive-by attacks

Thursday, March 7th, 2013

Microsoft’s SharePoint, drawing application Visio get patched

Internet Explorer vulnerabilities warrant notice in this month’s set of Microsoft Patch Tuesday bulletins and need to be fixed quickly even though the sheer number of patches may seem daunting.

The weaknesses leave users open to drive-by attacks where malicious code is downloaded without the user’s knowledge while browsing. Not patching them because they are time-consuming will just widen the window of opportunity hackers have to exploit them, says Alex Horan, a senior product manager at CORE Security.

“Preventing future drive-by style attacks and protecting end-users appear to be the theme of this month’s Patch Tuesday,” Horan says. “These patches can be a hassle for users to deploy and have the potential to create a long enough delay where hackers can take advantage.”

So far the weaknesses haven’t been exploited. “Fortunately, this issue has no known attacks in the wild,” says Paul Henry, a security and forensic analyst at Lumension. “However, you should still plan to patch this immediately.”

Four of seven bulletins for March are rated critical, with the first addressing browser problems. “It fixes critical vulnerabilities that could be used for machine takeover in all versions of Internet Explorer from 6 to 10, on all platforms including Windows 8 and Windows RT,” says Qualys CTO Wolfgang Kandek.

Microsoft’s Silverlight media application framework is also critically vulnerable, according to the company’s Security Bulletin Advance Notification. It affects Silverlight whether deployed on Windows or Mac OS X operating systems, where it is used to run media applications such as Netflix, Kandek says.

This vulnerability is more of a concern to consumers because it only affects the Silverlight plug-in. Henry says plug-ins should be avoided in general. “[T]hey add another threat vector and are frequently an easy target for the bad guys,” he says.

Also in critical need of patching is Microsoft’s drawing application Visio, which comes as a surprise to Kandek. “It is puzzling to see such a high rating for this software that typically requires opening of an infected file in order for the attack to work. It will be interesting to see the attack vector for this vulnerability that warrants the ‘critical’ rating,” he says.

Critical vulnerabilities are those that could allow code execution without user interaction if they are successfully exploited. This type of exploit includes network worms, browsing to infected Web pages or opening infected emails.

The final critical vulnerability lies in SharePoint Server, Microsoft says.

Three of the bulletins are rated important and include two that could allow data to leak and one that could allow attackers to elevate privileges on an exploited machine. Important bulletins include vulnerabilities that could lead to compromised confidentiality, integrity or availability of user data, or of the integrity or availability of processing resources, Microsoft says. Such exploits may include warnings or prompts.


Retail copies of Office 2013 are tied to a single computer forever

Friday, February 15th, 2013

With the launch of Office 2013, Microsoft has seen fit to upgrade the terms of the license agreement, and it’s not in favor of the end user. It seems installing a copy of the latest version of Microsoft’s Office suite of apps ties it to a single machine. For life.

What does that mean in real terms? It means if your machine dies or you upgrade to a new computer you cannot take a copy of Office 2013 with you to new hardware. You will need to purchase another copy, which again will be tied to the machine it is installed upon forever.

This license change has been confirmed by The Age’s reporter Adam Turner after several frustrating calls to Microsoft’s tech support and PR departments. It effectively turns Office 2013 into the equivalent of the Windows OEM license, where you get one chance to use it on a single piece of hardware.

On previous versions of Office it was a different story. The suite was associated with a “Licensed Device” and could only be used on a single device. But there was nothing to stop you uninstalling Office and installing it on another machine perfectly legally. With that option removed, Office 2013 effectively becomes a much more expensive proposition for many. As a reminder, Office 2013 costs anywhere from $140 to $400 depending on the version chosen (Office Home & Student, Office Home & Business, or Office Professional), all of which carry the new license agreement.

Of course, Microsoft has a solution to this in the form of Office 365. Instead of buying a retail copy tied to a single machine, you could instead subscribe to Office 365, which is tied to the user not the hardware, and can be used across 5 PCs or 4 Macs at any one time. But subscriptions aren’t for everyone, and eventually you end up paying more for the software.

It’s more likely these new license terms will push users to choose an alternative to Office 2013 or Office 365. Both OpenOffice and LibreOffice are free and good enough for the consumer market. Google is also continuing to push its free-to-use Google Docs as an alternative to Office.


Massive search fraud botnet seized by Microsoft and Symantec

Thursday, February 7th, 2013

Hundreds of thousands of Bamital bots made ring of 18 operators over $1M a year.

Users with computers infected by the Bamital botnet malware will see this page every time they click a search result.

A botnet that redirected clicks from millions of PCs has been, at least for the moment, shut down by Microsoft and Symantec. Based on the fraudulent traffic generated by the Bamital botnet, the two companies estimate that its operators netted more than $1 million a year by redirecting unsuspecting computer users to websites they didn’t intend to go, cashing in on the traffic with online advertising networks.

Acting on a court order they obtained from the US District Court in Alexandria, technicians from the two companies—accompanied by federal marshals—showed up at two data centers today to take down the servers controlling the Bamital botnet. A server in an ISPrime data center in Weehawken, New Jersey was seized, while the operators of a LeaseWeb data center in Manassas, Virginia voluntarily shut down a server at the company’s headquarters in the Netherlands. LeaseWeb is providing an image of that server to Microsoft and Symantec. “These servers were command and control servers, and were also absorbing the malicious traffic the botnet was creating,” said Vikram Thakur, Principal Security Response Manager at Symantec in an interview with Ars.

Richard Boscovich, Microsoft’s General Counsel, said that while the malware had been identified as far back as 2011, nailing down the exact servers they needed to go after took some time. “The malware was morphing back and forth, so it made it difficult to identify the targets,” he said. But when the botnet stabilized a few months ago, “it offered a window of opportunity to go after them. The legal portion took about two months.”

Based on forensic evidence collected from infected computers by Symantec and Microsoft, there have been several generations of Bamital, with activity dating back at least three years. Early variants of the malware attacked users’ Web browsers with HTML injection. “They injected an iframe into every page,” Thakur said, “so whatever page loaded also loaded content from the bad guys.”

In later variants of Bamital, the malware simply redirected any click on a search page to the botnet’s own servers, which in turn used HTML redirects to feed the victims’ traffic into an advertising network. That network acted as a clearinghouse for other advertiser networks, so a click could go through several sets of redirects before it actually landed on a website—and not the one the user expected.
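
The injected-iframe variant described above is something a defender can look for in captured page content. The following is an added Python example, not part of the article and not Microsoft’s or Symantec’s tooling: it parses an HTML page, collects every iframe source, and reports those pointing at a host other than the page’s own origin (or an allow-list). The sample page and the hostnames in it are constructed; the `.invalid` domain is a placeholder.

```python
"""Added example: flag iframes on a page that load content from a foreign host,
the pattern early Bamital variants used.  All inputs below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in the document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def foreign_iframes(page_url, html, allowed_hosts=()):
    """Return iframe src values whose host is neither the page's own host
    nor in allowed_hosts.  Relative srcs (no host) are treated as same-origin."""
    own_host = urlparse(page_url).hostname
    allowed = {h.lower() for h in allowed_hosts}
    if own_host:
        allowed.add(own_host.lower())
    collector = IframeCollector()
    collector.feed(html)
    found = []
    for src in collector.srcs:
        host = urlparse(src).hostname
        if host is not None and host.lower() not in allowed:
            found.append(src)
    return found


# Constructed sample: one legitimate same-origin iframe and one hidden
# 1x1 iframe pulling content from an unrelated (placeholder) host.
SAMPLE_PAGE_URL = "http://search.example.com/?q=test"
SAMPLE_PAGE = """<html><body>
<h1>Search results</h1>
<iframe src="/widgets/related" width="300" height="100"></iframe>
<iframe src="http://ads.example-tracker.invalid/serve?id=42"
        width="1" height="1" style="display:none"></iframe>
<a href="http://example.org/article">A result</a>
</body></html>"""

if __name__ == "__main__":
    for src in foreign_iframes(SAMPLE_PAGE_URL, SAMPLE_PAGE):
        print("foreign iframe:", src)
```

On real traffic the allow-list is what keeps this from drowning in noise: legitimate pages embed third-party iframes all the time, so the useful signal is an iframe host that appears on every page regardless of site, which is what “injected into every page” looks like from the network.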

Because of the nature of Bamital, Microsoft is now in a position that’s different from some of its previous botnet takedowns—it has a direct line to victims of the malware. “One of the things we’re doing a little differently in this case is we’re doing direct victim notification,” Boscovich said. Users with systems infected by Bamital will now be redirected to a Microsoft webpage offering tools to help remove the Bamital malware—as well as any other malware that’s out there. “There are AV signatures out there for this malware already,” Boscovich said.

“They may have an OS that’s unpatched, or antivirus software that’s outdated. We’re taking control of the command and control network so that every time someone types in a search query, they’re going to get redirected to a page directly by Microsoft.”

Thakur said that the Bamital malware was initially delivered by a combination of methods, including in packages over peer-to-peer filesharing networks disguised as other content. But the majority of systems infected were the victim of “driveby downloads” from websites configured with malicious software intended to exploit browser security flaws. “We have evidence of [the botnet operators] polluting search engine results for certain search terms with links to servers with exploits,” he said.

As new variants of the botnet were developed, the operators made efforts to “upgrade” systems they had already infected. “But along the way they seemed to have left behind a number of people,” Thakur said. The older servers that had been used with previous versions of the malware appear to have been abandoned as well.

In 2011, Microsoft and Symantec were able to monitor the traffic going to one of the botnet’s servers. “We got back data that showed that 3 million clicks were being hijacked by that server on a daily basis,” Thakur said. Based on a conservative estimate of a payment for one-tenth of a percent of the advertising value for each click, the companies determined the fraud ring was pulling in over $1 million a year from advertising networks. “And it could have been 2 or 3 times that much,” he said.

The advertising networks connected to Bamital themselves may be completely fraudulent. They acted as clearinghouses for the traffic, and resold it to other, legitimate advertising networks and affiliate programs. “Bamital went through several ad networks before it even displayed content,” Thakur said. “It was super convoluted.”

Microsoft and Symantec are hoping the data obtained through the seizure of the server in New Jersey will help them get a better understanding of the underground ecosystem of advertising networks that drives botnets like Bamital. But it’s too early to tell if it will help catch the actual perpetrators. “We still have to go through the evidence,” Boscovich said, but he noted that Microsoft had had some success in the past in identifying botnet operators, as it did with Kelihos.


We’re going to blow up your boiler: Critical bug threatens hospital systems

Thursday, February 7th, 2013

21,000 vulnerable systems found on the Internet, used by hospitals, others.

More than 20,000 Internet-connected devices sold by Honeywell are vulnerable to a hack that allows attackers to remotely seize control of building heating systems, elevators, and other industrial equipment and in some cases, cause them to malfunction.

The hijacking vulnerability in Niagara AX-branded hardware and software sold by Honeywell’s Tridium division was demonstrated at this week’s Kaspersky Security Analyst Summit in San Juan, Puerto Rico. Billy Rios and Terry McCorkle, two security experts with a firm called Cylance, allowed an audience to watch as they executed a custom script that took about 25 seconds to take control of a default configuration of the industrial control software. When they were done they had unfettered control over the device, which is used to centralize control over alarm systems, garage doors, heating ventilation and cooling systems, and other equipment in large buildings.

Taking advantage of the flaw would give attackers half a world away the same control on-site engineers have over connected systems. Extortionists, disgruntled or unstable employees, or even terrorists could potentially exploit vulnerabilities that allow them to bring about catastrophic effects, such as causing a large heating system to explode or catch fire or to sabotage large chillers used by hospitals and other facilities. Attackers could also exploit the bug to gain a toehold into networks, which could then be further penetrated using additional vulnerabilities that may be present.

“We actually just used this against one of our premium clients a couple weeks ago,” Rios said, referring to a penetration test he performed to test a customer’s network for hacking vulnerabilities. “They were pretty shocked. They took their device off the Internet before the engagement was over.”

The researchers said a recent query on the Shodan computer search engine found 21,541 Internet-connected Niagara devices, some operated by military installations, hospitals, and other mission-critical facilities. Tests the pair performed on a small sample of the machines confirmed they were accessible over the Internet. The nondescript boxes are often installed by third-party contractors in out-of-the-way closets, so on-site administrators and managers may not even know they’re in use. In addition to opening up critical equipment to tampering, Tridium’s products also expose corporate and government networks to intruders, since the devices are often connected directly to local networks using one of two Ethernet ports built into the boxes.

ICS: less secure than iTunes

This week’s hack was only the latest demonstration of the risks created by many industrial control systems (ICS), which are designed to use computers to control building temperatures, turn alarms on and off, and maintain emergency generators and industrial power supplies. Tridium quietly patched its Niagara software last year after Rios and McCorkle found it contained a separate vulnerability that also allowed unauthorized access. A raft of other ICS devices have been found to contain similar critical defects, including those from Siemens-owned Ruggedcom and another line of mission-critical routers made by Fremont, California-based GarrettCom.

The devices are billed as a way to lower the cost of maintaining large collections of equipment that are often scattered throughout buildings or other facilities. Rather than requiring engineers to physically travel to where each device is physically located, they can make changes remotely, from a single office in the building, or even off site. Indeed, Tridium’s marketing material defines the Niagara framework as a “universal software infrastructure that allows companies to build custom, web-enabled applications for accessing, automating, and controlling smart devices in real time over the Internet.” The company provides a wealth of customer case studies, including one from the James Cook University Hospital in the UK.

Security experts have long argued that the convenience often comes at the price of security, and there are some disturbing examples of the risks from the last couple of years. In 2009, a recently discharged security guard who had physical access to ICS computers was arrested after posting screen shots and videos showing him planning to remotely cripple air-conditioning systems at a Texas hospital, where temperatures regularly reach into the triple digits. Last year, hackers illegally accessed the Internet-connected heating and air-conditioning controls of a New Jersey-based company. The vulnerability the intruders exploited was the same one Tridium patched in secret last year.

Despite the potentially critical consequences of ICS hacks, manufacturers sometimes decline to patch their wares at all, giving rise to the term forever-day vulnerabilities. Last year, Rios said the security of iTunes was more robust than most ICS software.

Game Over

Rios and McCorkle declined to describe the specific series of vulnerabilities behind their latest hack other than to say the bugs allowed them to remotely acquire a configuration file used to customize a Niagara box for a specific network. Among other things, the config.bog file contains user names and passwords that are encoded using “encraption,” the word the research pair uses to describe Tridium engineers’ encryption routines. Using the credentials, they were able to gain access to the “station” layer of the device that provides only limited user rights. Exploiting another series of vulnerabilities allowed them to access Niagara’s “platform,” which gives them full “system” access when it runs on Microsoft Windows or “root” access when running on Linux or a proprietary embedded operating system.

“Once we own the platform, it’s game over,” Rios said.

The Tridium hack in action. The screens on the left show the attack platform. The screen on the right is the Niagara AX framework responding.
Dan Goodin

Rios said he acquired a Tridium box by purchasing one on eBay. He then spent months reverse engineering the firmware it ran. His job was made easy by the fact that much of the Niagara framework uses unsigned, unobfuscated Java code, allowing him to decompile the binary and read the raw source code.

In a statement issued Wednesday evening, Tridium officials said:

Tridium takes these security issues very seriously and we appreciate the efforts by researchers like Billy Rios and Terry McCorkle to raise awareness about them.

Tridium was made aware of the vulnerability cited at the conference in late December 2012, and immediately began working on a solution, in cooperation with both ICS-Cert and the researchers. We will be issuing a security patch that resolves the problem by Feb. 13 and are alerting our user community about this today. We share the concern that Mr. Rios and Mr. McCorkle have in raising awareness about the need to protect Internet-facing control systems. The vast majority of Niagara AX systems are behind firewalls and VPNs – as we recommend – but clearly, as Rios and McCorkle have shown, there are many systems potentially at risk.

The Tridium vulnerabilities are among more than 1,000 bugs Rios and McCorkle have reported to ICS manufacturers over the past year, resulting in 30 advisories issued by the Department of Homeland Security-affiliated ICS-CERT. They said the engineers who designed the systems are often defensive and direct their anger back at the researchers once the vulnerabilities are disclosed.

“We don’t think we’re the only ones that are doing this,” Rios said of the research into ICS. “There’s tons of other people that are doing this and they’re not standing on a stage somewhere presenting their work for the whole world to see. That’s what they really need to worry about. These guys are kind of stuck a little bit in the stone age.”


Aussie firms embrace the deskless office

Tuesday, February 5th, 2013

Activity-Based Working: hipster style or hearty substance?

Australian organisations have taken to Activity-Based Working with gusto, with one in three planning to remove the binds that tie employees to their desks in the next few years.

Several Australian organisations have unveiled bold workplace strategies in the last three years, with ABW a popular approach in professional services, banking, finance and property development or management.

The list of early adopters occupies some of the more iconic buildings in capital cities across Australia. It includes: Macquarie Bank, Commonwealth Bank of Australia, Yarra Valley Water, GPT Group, Goodman, Jones Lang LaSalle, Microsoft, Savilles, BHP Billiton, Accenture, KPMG, PWC, and National Australia Bank, to name a few.

But is Activity-Based Working (ABW) a fad, a cost-saver or a better way to work?

Activity-Based Working broadly refers to work environments where employees come to collaborate on projects in shared spaces rather than sitting at pre-assigned desks.

“Activity-based working was firstly implemented in the Netherlands more than 15 years ago,” explains Veldhoen and Company ANZ partner, Luc Kamperman.

Veldhoen and Company has been one of the leading advocates of ABW in both the Netherlands and Australia, providing consulting services to Macquarie Bank and CommBank, among others.

“It has become mainstream in the last eight years,” Kamperman predicted. “I predict that in five years’ time, one in two organisations will be considering this new way of working.

“Activity-Based Working will enable people to work with whomever they need, when they need, and wherever they need, to deliver results for their clients,” Kamperman says.

“This ability to work anywhere, anytime begs the question: what is the office for? Why would we invest heavily in a central office? Could the office support our work activities in a better way?

“The primary function of an office is shifting from a processing factory to a place where we collaborate and learn. In essence we all know already what activity-based working is because we use different parts of our home for different activities.”

The next iteration of hot-desking

While early adopters energetically espouse the benefits of this new approach to work, there are still many who view it as nothing more than a trendy architectural fad, a cynical attempt to save money by reducing the floor space available to each employee, or just another way of describing the well-established practice of hot desking.

By definition, ABW is not hot desking. Hot desking essentially means that staff have an assigned desk, but now have to share it. Activity-Based Working, by contrast, does away with all notion of owning your own desk and the hierarchy this implies in a workplace, in order to help staff focus on the task at hand. It allows staff to choose where they want to work to produce the desired outcome.

The question of whether ABW is an architectural design fad, meanwhile, is harder to dispel. Even if it is, it has made a lasting and generally positive impact on both the look of several of Australia’s newest office buildings and the way people work within them.

Which leaves only the frequently-asserted claim that ABW adopters have adopted the trend just to save money on floor space.

Kamperman freely acknowledges that this is a common driver.

“In itself, this is not a bad thing, but it is dangerous if it is the primary driver.”

Technology should equally not be the key driver, he said.

“Technology is merely the enabler,” he said. “An organisation’s vision, working culture and leadership should be the driver of what we want to do with the multiple opportunities new technologies bring to us.”

Accelerating IT and Business Alignment

Perth-based Bankwest adopted ABW en masse after moving into new headquarters in the first half of 2012.

The bank had previously conducted a one-year pilot in its previous home at Bankwest Tower, as had its parent company, the Commonwealth Bank.

Moving to an ABW approach at Bankwest Place enabled the bank to consolidate five offices into 13 floors in one newly decked out building.

Ed Cortis, Bankwest’s head of solution delivery, said a reduction in the number of employees per square metre wasn’t the main driver for the bank.

“In every single piece of documentation that Bankwest has produced on this, it is the last thing that is mentioned,” Cortis said. “Yes, of course it is lovely to enjoy that saving. But no doubt that wasn’t the driving reason.”

More important was the need to become an employer of choice and improve its talent management performance in the Perth economy, where the resources boom has resulted in a mismatch between supply and demand of talented staff.

Added to this was a desire for improved collaboration within teams and across the business, something that traditional office designs rarely provide – even with the advent of IT collaboration and social media tools.

ABW is, Cortis says, a boon for the IT department on this front. It not only allows staff to interact much more regularly and closely with a variety of colleagues from all parts of the business – and thus accelerates efforts to align IT with business goals – it also brings different IT roles closer together.

“We are still young in this, we’ve been doing it for six months,” Cortis said. “I see colleagues still sitting in the same spot and I’d like to see some more circulation. But we certainly see a lot more business people [mixing with IT]. The building is an enabler of that.

“We have also had some success implementing continuous delivery in some of our areas and I don’t think we would have been able to achieve that if I hadn’t been able to get all the operations staff, business analysts, testers and developers all sitting together and working together without friction,” he said.

“ABW has enabled me to do that. Speaking as head of solution delivery, that is fundamental to me and my strategy for the coming year – pushing continuous delivery across as many of our applications as we can and shifting code into production on a far more regular basis. If our ops guys were sitting in some dark building at the other end of town, that would be hard.”

However, one of the initial challenges the team faced was in locating their staff across the 13 floors as they have the flexibility to sit where they like on any given day. To overcome this challenge, Bankwest developed an internal application called “Locate myColleague”.

Cortis highlighted that the app isn’t being used to revert to the “bums on seats” management approach where managers need to physically see their staff to validate they are doing their jobs – something which runs counter to the culture of trust, flexibility and outcomes-centred accountability that ABW strives for. Instead, it is being used to help speed up collaboration and bring people together.

For the technology used to support the ABW program, Bankwest standardised on Dell notebooks with docking stations and monitors on each desk. When an employee docks their notebook they will also have their portable phone extension automatically logged in to the Cisco video phones.

The bank also uses the VMware View client virtualisation solution and Good Technology mobile device management (MDM). The 2700 employees use follow-me printing and the bank aims to eventually be a paper-independent office, although paper-based documents are still occasionally used.

While the bank is happy with the program, it is nonetheless evaluating a bring your own device program, has started to adopt Android-based devices and will upgrade the desktop standard operating environment from Windows XP to Windows 8.

“We are still evolving our way forward,” Cortis said. “One of our aspirations in our coming 12 months is to get closer to our customer and ABW will help us do that. We will push harder into dev ops and continuous delivery and ABW enables that.”

An ABW Future?

A 2012 survey by Colliers International found that one in three organisations were planning to implement ABW.

Ernst & Young recently signed a new lease for offices in Sydney and will join its peers KPMG and PWC in adopting the new work style.

“Our intention for 200 George St is to move to an activity-based working style for those areas of our business where it is appropriate,” an Ernst & Young spokesperson told iTnews. “However, it is still early days, as we have only just signed the lease agreement for our new office.”

Arup, another firm that has already completed an ABW pilot, now intends to adopt the approach more broadly this year before potentially going full steam in a new office in 2015.

“Our main driver is to make day-to-day collaboration easier,” says Arup senior business administrator Lian Heather.

“Our engineers work on numerous project teams at the same time and the individuals within those teams may be different, so being able to pick up and move quickly and easily allows greater co-ordination of project documents and better delivery outcomes for our clients.

“One of the great successes of the pilot was the introduction of the concentration space. The individual freedom to move away from the generic open-plan environment and focus on an immediate task is appreciated and regularly used. I know that this will be well received in further uptake.”

Heather said collaboration between IT and the business units was critical to solving issues before the ABW launch. The firm did not have to factor in additional IT budget – except for some laptops – as they already had most of the technology like wireless connectivity, follow-me printing, document collaboration and so forth in place.

“When asking staff to make a large-scale change such as this, any barrier will immediately create a negative reaction,” she said. “You want all interactions with technology in the ABW environment to be positive and if your IT department is not willing to invest time and energy, this would be very difficult to achieve.”


New ransomware trojan encrypts files to make you pay up

Friday, February 1st, 2013

A new type of ransomware has appeared, and it’s got the potential to be a lot more nasty than other trojans in the category. This as-yet unnamed trojan follows through on the threats made by other malware authors. It actually encrypts files on a PC in an attempt to force users to pay up.

Ransomware started popping up a few years ago with a now-familiar MO. An infected user is confronted by a message claiming that their PC has been somehow used in a criminal act or is at risk in some way. In order to rectify the imaginary problem, a fee has to be paid. This extortion scheme is sometimes accompanied by the locking down of parts of the system, but never before has ransomware gone to the extremes of actually encrypting files and holding them hostage. There’s no way to reclaim access to the files by simply removing the trojan.

When a PC picks up the new trojan, it goes to work by creating two encryption keys based on the PC’s ID. It also spawns a new instance of ctfmon.exe or svchost.exe and injects its own code there. This allows it to run in the background more stealthily. The first of the encryption keys is used to encrypt communications with the command and control server. The second key is the one causing all the heartache.

The second key is encrypted by the first, and sent to the command and control server for safekeeping. The server then determines which files should be locked up. It goes after images, documents, and some executables, using the second key to encrypt them. In this case, the scary warning that pops up is not making idle threats — those files aren’t coming back without the key.

The goal here is not to cripple a computer, so the Windows files are left intact. However, the malware does block regedit, task manager, and msconfig. Since the malware controller has the encryption keys, he or she could technically remove the file encryption if the fee is paid. That’s far from a guarantee, though.
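As an added example that is not part of the article or the malware analysis it reports on, the following triage script checks a snapshot of running processes and policy registry values for the two behaviours the article attributes to the trojan: a spawned svchost.exe or ctfmon.exe used as an injection host, and the lock-out of Task Manager and regedit. The expected parent processes and the use of the DisableTaskMgr/DisableRegistryTools policy values are assumptions made here, not facts stated by the article; the sample data is constructed.

```python
# Added triage example (not from the article). Flags the indicators the article
# describes: an unexpected svchost.exe/ctfmon.exe instance and a tool lock-out.
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    name: str
    parent_name: str


# Assumption: svchost.exe is normally started by services.exe and ctfmon.exe by
# explorer.exe; an instance with another parent deserves a closer look.
EXPECTED_PARENT = {"svchost.exe": {"services.exe"}, "ctfmon.exe": {"explorer.exe"}}

# Real Windows policy values that disable Task Manager and the registry editor.
# The article does not say how the trojan blocks them; checking these is an assumption.
LOCKOUT_POLICY_VALUES = {"DisableTaskMgr", "DisableRegistryTools"}


def suspicious_hosts(procs):
    """Return known injection-host processes whose parent is not the expected one."""
    return [
        p for p in procs
        if p.name.lower() in EXPECTED_PARENT
        and p.parent_name.lower() not in EXPECTED_PARENT[p.name.lower()]
    ]


def lockout_policies(policy):
    """Return the lock-out policy values that are enabled (set to 1) in the snapshot."""
    return sorted(k for k in LOCKOUT_POLICY_VALUES if policy.get(k) == 1)


def triage(procs, policy):
    """Combine both checks into a list of human-readable findings."""
    findings = [f"injection host {p.name} (pid {p.pid}) spawned by {p.parent_name}"
                for p in suspicious_hosts(procs)]
    findings += [f"policy lock-out set: {v}" for v in lockout_policies(policy)]
    return findings


# Constructed sample snapshot: one legitimate svchost.exe, one spawned by a downloaded binary.
SAMPLE_PROCS = [
    Proc(4, "System", ""),
    Proc(600, "services.exe", "wininit.exe"),
    Proc(700, "svchost.exe", "services.exe"),
    Proc(1200, "explorer.exe", "userinit.exe"),
    Proc(1300, "ctfmon.exe", "explorer.exe"),
    Proc(2200, "svchost.exe", "randomdownload.exe"),
]
SAMPLE_POLICY = {"DisableTaskMgr": 1, "DisableRegistryTools": 1, "NoRun": 0}

if __name__ == "__main__":
    for line in triage(SAMPLE_PROCS, SAMPLE_POLICY):
        print(line)
```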


Internet Explorer 10 will soon be auto-updated for Windows 7 users

Friday, February 1st, 2013

Internet Explorer 10 will soon be delivered to Windows 7 users who have IE9 installed. Microsoft hasn’t officially announced when the push will begin, but the company has issued a new IE update blocker toolkit. That’s usually a good indicator that a browser update is just around the corner.

The Internet Explorer 10 blocker is aimed at enterprise IT staffers, who don’t always want the latest and greatest browser being pushed to their users’ workstations. These updates can sometimes cause compatibility issues, so they’re usually rolled out after being thoroughly tested rather than whenever the Windows Update service decides it’s time for a push.

For the average user at home, however, there’s no reason to bother with the blocker. The Internet Explorer situation is vastly different from what it used to be, and the upgrade from IE9 to IE10 is a fairly subtle one — at least on the surface.

Under the hood, the changes are significant, and they’re all for the better. IE10 features faster, more powerful JavaScript and rendering engines, better hardware acceleration support, and it’s also Microsoft’s most standards-compliant browser ever. Many of these improvements have been aimed at making today’s intense web applications perform more like native apps — and to pave the way for even more complex web apps and games down the road.

It’s also defaulting to automatic updates like its rivals, so the initial Internet Explorer 10 install may be the last time you see a prompt to grab a new version. Microsoft won’t be sitting back and watching Chrome and Firefox evolve rapidly while IE gathers dust. The company’s going to do everything it can to make sure it keeps pace.


Yes, that PC cleanup app you saw on TV at 3 a.m. is a waste

Monday, January 28th, 2013

Why these apps are awful and what you really need to do about your slow PC

Maybe you’ve seen the ads on the Internet or on TV in the wee hours of the morning. They make lofty promises: get rid of blue screens and error messages! Increase your speed! Clean up your system! But even when these PC cleanup apps aren’t just malware in disguise, the things they’re doing for your PC are often dubious. Many either replicate tasks that can be handled by built-in utilities or do things that could cause more problems than they solve.

To highlight just why you and your loved ones should never let these applications anywhere near your PC, we picked one that we’d recently seen ads for: MyCleanPC. It’s the archetypal Windows cleanup app—and you probably shouldn’t install

Intimidation tactics

These ads for PC cleanup products often follow the same basic formula: appeal to people with slow or buggy PCs, throw in a few shots of an operating system that looks kind of like Windows, tack on some “customer testimonials,” and offer a free diagnosis that will make all the problems go away.

Once they’ve offered an easy solution and encouraged you to download and install the software, their next play is to make it seem like everything is wrong with your PC. Installing the free MyCleanPC scanner and running it using the default settings resulted in 1,020 “issues” on a PC with a week-old, barely-used clean install of Windows 8 running on it.

It turns out the threshold for what constitutes an “issue” is absurdly low. Each and every cookie and cache file stored within Google Chrome—files that are completely normal and in no way inherently problematic—is counted as an individual issue. Every individual fragmented file on your drive? Also an issue. Individual registry errors? Issues. Prepare for liberal use of scary red Xs and big warning labels hoping to further incite user panic.

The program is only too happy to identify all of these “issues” for you, but actually fixing them requires you to cough up $39.99 for a one-year license. These are business practices purpose-built to draw in especially worried or too-trusting users, with the ultimate goal of terrifying them about the run-down state of their PC before extracting money from their wallets.

So what should I do instead?

Many, many PC cleaning programs are designed to make your computer look more broken than it is, and to extract money from users who do not understand that. To many of you, I’m sure that’s a given. Luckily, the things these PC cleanup applications do (or say they do) are things that can be done just as easily with free tools, some of which are actually built into Windows itself.

If your PC is actually tossing up error messages and crashing all the time, the chances are good your needs go further than what some sham of a cleanup app can fix for you. So what’s the right way to handle a slow PC, or one that’s acting strangely?

Malwarebytes Anti-Malware

It goes without saying that you should do a full scan of your hard drive with whatever anti-virus product you’re using (I think Microsoft’s solution, which is built into Windows 8 and freely downloadable for Windows 7, is fine, but your tastes may differ). If your computer is already infected, though, it might need a little extra help.

I’ve had excellent luck over the years with Malwarebytes Anti-Malware, a free security scanning product that does a decent job of cleaning infections that more conventional software can’t quite scrub away. Think of it as getting a second opinion about your computer’s health.

Let me Google that for you

Getting blue or black screens of death? Seeing particular error message pop-ups? There’s no shame in turning to a search engine for help. Just a couple of months ago I cleaned a particularly stubborn infection from a family member’s computer after Googling an error message I kept seeing. Neither Malwarebytes nor Microsoft Security Essentials could get rid of the infection entirely, but it was a common enough infection that another anti-virus vendor had issued a handy tool to destroy the malware.

Spring cleaning

If your PC is coming up clean but just seems slow, it might be time to try removing some apps. Installing an application or plugin that you actually want can also sometimes install applications and plugins that you never asked for, and these superfluous system tray icons and browser toolbars have a way of adding up over time. I hesitate to recommend that you uninstall things indiscriminately just because you don’t know what they are… but you should consider it (and when in doubt, use the previous trick).

You should also run Windows’ built-in Disk Cleanup tool to get rid of old temporary files. Defragmentation can also help if you have a spinning hard drive, but since Windows Vista disk defragmentation runs in the background on a schedule by default, so it isn’t really the go-to recommendation it once was.

Check for hardware problems

If you’ve tried all of the above and your PC is still acting strangely, it’s time to start looking beyond software problems—it might be that you’ve got a bad stick of RAM or a failing hard drive that’s causing all of your trouble. Luckily for you, we’ve got a handy guide to help you diagnose most common hardware problems.

The nuclear option: Reinstall Windows

If your hardware is fine, your other PC cleanup efforts have failed, and your computer is still acting strangely, it’s time to resort to scorched-earth tactics. Reinstalling Windows is a gigantic pain, granted, but it’s also the best way to guarantee a clean system, especially if you’ve been afflicted by some kind of rootkit.

We’ve got a pair of guides—one for Windows 7 and one for Windows 8—that will take you all the way through the reinstallation process if you have to do it from scratch. Chances are your PC also came with some kind of recovery media or restore partition that you can use in a pinch.

In either case you’ll still need to take care of your own data, which you’ll want to move to an external drive before wiping your operating system. You’ll also want to be very careful when restoring this backed-up data to your fresh Windows installation—scan everything on the external drive with your anti-virus software of choice and Malwarebytes before moving it back to guard against re-infection.