Microsoft To Issue Emergency Fix For Windows .LNK Flaw

Trailrunner7 writes "Microsoft will issue an out-of-band patch on Monday for a critical vulnerability in all of the current versions of Windows. The company didn't identify which flaw it will be patching, but the description of the vulnerability is a close match to the LNK flaw that attackers have been exploiting for several weeks now, most notably with the Stuxnet malware. The advance notification from Microsoft on Friday said that the company is patching a critical vulnerability that is being actively exploited in the wild and affects all supported Windows platforms. The LNK flaw in the Windows shell was first identified earlier this month when researchers discovered the Stuxnet worm spreading from infected USB drives to PCs. Stuxnet has turned out to be a rather interesting piece of malware as it not only uses the LNK zero day vulnerability to spread, but it had components that were signed using a legitimate digital certificate belonging to Realtek, a Taiwanese hardware manufacturer."

Slow news day

Microsoft has been suffering and fixing security holes for decades, not that interesting.

Re:Slow news day

[Dumnezeu]

Microsoft has been suffering and fixing security holes for decades, not that interesting.

Remember the Blaster worm? This is its younger cousin.

Re:Slow news day

Doubtful.

Re:Slow news day

[DAldredge]

Remember the Morris Worm?

Re:Slow news day

[symbolset]

Ah. *nix had, and fixed, network vulnerabilities long before there even was a Windows. Definitely before Windows even had networking.

We know this. What's confusing is how pointing this out serves your desire for advocacy.

Also curious is how this is an emergency. The patch blocks one hole in a colander. Couldn't that wait a week?

Too bad, it's a great conversion tool.

Converting anyone who listened to this podcast from Windows to Linux, that is.

Re:Too bad, it's a great conversion tool.

[Nialin]

I would learn Linux, if I wasn't completely retarded in regards to any type of coding or computer language in general. (this is based on the limited demos from Linux friends)

Re:Too bad, it's a great conversion tool.

[Freultwah]

When did they last show it to you? It's not 1995 anymore. It can be used as a desktop OS without knowing how to code and it has been this way for quite some time now. There can be problems with it, but they can definitely not be reduced to the lack of coding abilities. For most people, it's more like "too many varieties to choose from" and that applies to distributions, desktop environments and software.

Re:Too bad, it's a great conversion tool.

[poptones]

My GF uses ubuntu now and she's never touched linux before about a month ago. The only thing to "learn" is to lose the bad habits you pick up from a lifetime of windows use. Just back up your music, movies and emails and reload with ubuntu. Dual booting is poison because you will inevitably boot into windows more and more often because it is familiar and "easy." Just wipe out windows, reload the machine from the ground up with linux, use it for a month and you'll never go back. If you want to play games, buy a 360...

Re:Too bad, it's a great conversion tool.

you'll never go back

I hear you. Those damn Linux boot loaders can be hard to get rid of.

Re:Too bad, it's a great conversion tool.

[rduke15]

VirtualBox is great. I agree that dual boot is a pain, but no access to Windows at all is a pain too. I have an XP VM in VirtualBox (in Ubuntu), so I can use the few Windows-only programs I occasionally need without any trouble.

Re:Too bad, it's a great conversion tool.

[RulerOf]

I hear you. Those damn Linux boot loaders can be hard to get rid of.

Indeed. I've been using SYSLINUX and COM32 for some time now and I love them to pieces. They make NTLDR, and, to a lesser extent, the Windows Boot Manager, look like kids' toys.

Re:Too bad, it's a great conversion tool.

[Servaas]

I hear you. Those damn Linux boot loaders can be hard to get rid of.

Indeed. I've been using SYSLINUX and COM32 for some time now and I love them to pieces. They make NTLDR, and, to a lesser extent, the Windows Boot Manager, look like kids' toys.

The what now? Someone needs to tell Linux that the age of the 1-click iPad has begun. There is a reason for its success. Usability is one of them. Linux is good for being l33t though.

Re:Too bad, it's a great conversion tool.

That is ridiculous. Why should I spend more money to do something that my computer is already capable of doing right now? Right now, at this very moment I can use my computer to email, chat, browse the web, write documents, keep notes, create images, retouch photos, play audio/video, edit audio/video and play games. I should also mention that for any of the aforementioned, I have a choice of multiple software solutions ranging from limited/broken free stuff to decent mid level shareware to professional quality commercial software to choose from. Things like Illustrator CS5, Photoshop CS5, CorelDRAW X5, MS Office 2010, Ableton Live, Premiere CS5, Avid Media Composer, Pro Tools, FL Studio and StarCraft 2 can't be used on a Linux box or a game console. I can also buy and immediately use any computer peripheral available from any computer store without worries or workarounds. It just works.

Windows was a buggy graphical shell for DOS once upon a time, but it's come a long way since then. I have honestly had very few problems with any version of Windows since the release of Windows XP, including Vista. I'd list versions of NT even further back if you count only stability as important. Windows is my "do all" OS because I can do anything under Windows that could be done under any other desktop OS, but the reverse cannot be said. I'm also at an age now where I don't really care about youthful and/or irrelevant ideals regarding which OS I use. If a Linux OS one day surpasses Windows in hardware support, company support and available software, I'll switch. Until then, I'm going to continue to use what actually works for getting things done. Right now, that's Windows.

Re:Too bad, it's a great conversion tool.

[orangeplanet64]

If you want to play games, buy a 360...

i want to play starcraft 2 you insensitive clod..

Re:Too bad, it's a great conversion tool.

If you want to play games, buy a 360...

i want to play starcraft 2 you insensitive clod..

Allow me to reply for the freetards:

It is far more important to support free software and advance the cause of free software than to play a closed source game that shackles us with DRM and a closed source operating system. Besides, Starcraft is too hard and I'd get my ass kicked since it isn't anything like Tux Racer and I don't have the fine motor control or reflexes required to approach the APM of even a casual player of non-free games.

Re:Too bad, it's a great conversion tool.

[Jesus_666]

If you want to play games, buy a 360...

How do you install System Shock 2 on an X-Box 360? There are games that aren't supported by $CONSOLE but that people still want to play.

If you want to do dualbooting right, just move all of your data to one of the Linux partitions and erase them from the Windows partition. Then uninstall the corresponding programs. Once you're unable to check your mail/chat/etc. in Windows you'll have a much smaller incentive to stay ther for longer than neccessary.

Re:Too bad, it's a great conversion tool.

[RulerOf]

...SYSLINUX....COM32...NTLDR... Windows Boot Manager...

The what now? ...the age of the 1-click iPad has begun. There is a reason for its success...

My Lawn! You BASTARD!

Re:Too bad, it's a great conversion tool.

[dnaumov]

If you want to play games, buy a 360...

Do you want to sponsor me a 360 and a HDTV? No?

Re:Too bad, it's a great conversion tool.

[KiloByte]

All the reports on WineHQ say it works just fine.

Re:Too bad, it's a great conversion tool.

no access to Windows at all is a pain too. I have an XP VM in VirtualBox (in Ubuntu), so I can use the few Windows-only programs I occasionally need

So have I. But on my list of painful times, these rank among the top.

"Oh, no primary selection... Hm, no single-click menus, either. Oh yeah, also no horizontal/vertical maximize. Hm, no system-controlled full-screen. Damn, no Super-LMB/Super-RMB to drag/resize. Aaand no discrete workspaces. Where's my guake with zsh? Ok, anyway, let's just do this thing. Alright... keyboard, mouse, keyboard, mouse, keyboard, mouse. WTF, how did I ever use this thing?"

Re:Too bad, it's a great conversion tool.

You mean aside from all of the graphical glitches, performance issues and configuration needed just to get it working in the first place. If you also look at all of the entries it seems that nobody actually tested multiplayer or all of the missions.

Yeah, no thanks.

Re:Too bad, it's a great conversion tool.

[Anarki2004]

If you want to play games, buy a 360...

For those of us who don't have money, a 360 is rather expensive. I payed $20 for an NVIDIA GeForce 210 after the $30 rebate. That has 512 megs of DDR2 memory and some other pretty snazzy specs for the money. That opened up quite a few games for me. I've even managed to run Crysis (not at full spec, but it was smooth). An xbox is quite a bit more expensive than an upgrade.

Re:Too bad, it's a great conversion tool.

What works
Everything I tested which includes Single player gameplay, audio output, Cinamatics, multiplayer, Custom maps.

Re:Too bad, it's a great conversion tool.

I'm gonna pretend this is 2002 and this is the first time I hear people are "converting" to Linux because of a security flaw in Windows.

Re:Too bad, it's a great conversion tool.

You're too reasonable. We don't want you here.

Re:Too bad, it's a great conversion tool.

- Can't launch game from StarCraft II.exe
- I'm getting that ACCESS_VIOLATION error, applied to an apparently random memory location.
- DirectX / Graphics card error (Nvidia)
- DirectX hang up
- FIX? : Problem Installing from Disc
on Single player when i get into Hyperion Bridge, and select a "planet" for a mission the game close.
- Can't launch installer 2
- Graphical Bug
- Weird Graphical Issue at Login
- Can't launch installer.
-Still no sound
- Slow FPS
- Not working after install

Yeah, seems to be working just fine. According to usual Linux expectations, that is.

Re:Too bad, it's a great conversion tool.

[jlarocco]

If you want to play games, buy a 360...

Comments like this kinda piss me off, because they make Linux users look like idiots.

If you want to brag about the size of your e-penis, and how you "only use linux," then more power to you.

But it's pretty ridiculous to basically tell other people, "Linux isn't good at that, so fuck you, you shouldn't use a computer for it."

I use Linux on all four of my computers at home. But do you know what I would do if I wanted to play a Windows game? I'd install Windows on one of them.

It's an operating system. Get over it.

Friday sysadmin appreciation day,

[Major+Downtime]

followed by Monday-Out-Of-Band-Patch-Day.
http://blogs.technet.com/b/msrc/archive/2010/07/29/out-of-band-release-to-address-microsoft-security-advisory-2286198.aspx

Re:Friday sysadmin appreciation day,

And your point is?

Emergency ?

Microsoft To Issue Emergency Fix For Windows .LNK Flaw

LNK flaw that attackers have been exploiting for several weeks now

Umm... maybe my notion of emergency is outdated? Though, I certainly wouldn't like to call 911 and get help several weeks later.

Realtek certificate

[John+Saffran]

The most interesting aspect of this rootkit was the use of the Realtek private key to sign the drivers. According to Kapersky:

Microsoft malware researchers said on Friday that they had been working with VeriSign to revoke the Realtek certificate, a process that Realtek officials signed off on. The certificate in question actually expired in June. Microsoft oficials also said that they expect other attackers to begin using the techniques utilized by Stuxnet.

In hindsight the vendor certificate is a weakness in the entire process simply because access to the signing key bypasses the controls in place. Hardware vendors aren't likely to be as concious, at least until this incident, of the need to maintain proper security around their singing keys, nor are there requirements enforcing such security. In comparison keys used for financial transactions are generally held in HSMs with strong access controls around them to prevent the revealing of the private key. This particular rootkit was specifically confined to SCADA so the impact was always going to be small, but the malware could've easily been targetted to attack general windows installs .. who knows how much damage it could've caused then?

Luckily this specific certificate was going to expire soon so there was probably less resistance from the vendor in revoking it than there might've been, but if such revokation was going to invalidate significant numbers of drivers then that would've posed the problem of either leaving the certificate valid to be used for other types of malware or revoking it and invalidating however many drivers had already been signed by that key. Unfortunately it's not very likely that hardware manufacturers will ever submit to using HSM-type devices or the processes necessary to ensure key secrecy, so it looks like this will just have to be yet another potential attack vector that's caused by vendor negligence.

Re:Realtek certificate

[Calydor]

Hardware vendors aren't likely to be as concious(sic), at least until this incident, of the need to maintain proper security around their singing keys

Damn those karaoke bars streaming live to the net!

Re:Realtek certificate

[icebraining]

Can't Microsoft remove the certificate from Windows through a patch? Then they could say "secure your signing certs or we'll delete your certs from Windows and you'll have a shitstorm of angry clients who can't use your drivers to deal with".

Re:Realtek certificate

[vadim_t]

Certificates don't work like that.

Micorosft runs a Certificate Authority. This has a public and private key. The public key is part of a Windows install. They use the private key is kept safely somewhere at MS, and used to sign certificates for other companies like Realtek.

Then at install time, there is a check: this driver is signed by the Realtek key, which itself is signed by the Microsoft key. Therefore it's trusted, and it's okay to install.

For revocation, MS will public a revocation list somewhere, which the installer hopefully fetches before giving the go ahead, to make sure Micorosft hasn't changed their mind on that signature.

Re:Realtek certificate

[TheLink]

The part I'm wondering about is are those Realtek signed components actually Realtek components?

e.g. Did Realtek screw up on the cert handling or the components were actually made by realtek but were flexible enough to be abused by hackers?

Re:Realtek certificate

[icebraining]

Right, I was thinking about something closer to browsers, which include a large list of CA Certs, but you can remove on of them and then all the certs signed by that CA would not be trusted.

I thought Windows included a large number of HW manufacturers' certs, not a single "Microsoft cert" with which HW certs were signed against.

Re:Realtek certificate

[gad_zuki!]

Its incredible that MS doesnt force a UAC check on signed drivers install. That's really the fix, not this patch. These companies will never be able to properly secure their keys. Its time we started admitting that the trust in signed code is forever broken.

Re:Realtek certificate

[sjames]

Fine then, the question is why doesn't MS REVOKE the Realtek cert?

The USEFUL answer is that they did.

Re:Realtek certificate

Hindsight? Are you fucking retarded 95% of slashdot could have told them (and did) that Verisign certificates are useless and junk.Prior!

As did I'm sure ever security analyst in the world that didn't have their head stuff up MS's ass.

Michelangelo wrote to your MBR

What's that Ring -1? Shit, this is terrible, but so is allowing anything that can house it's own driver signature file to be inserted into a SCADA system in the first place. Hell even the army gets this one right. You can buy the answer at any drugstore. And vendors, the nature of USB is such that we NEED to have secure interfaces (or at least dumb ones) like PS2 on our motherboards still.

Is copy-and-pasting"writing"?

[Two99Point80]

This is just a copy (minus links) of the article at Threatpost. How about at least crediting the source?

what is this .lnk flaw anyway?

[rduke15]

I still haven't understood what this .lnk flaw actually is, or what fun things it might be used for (and how).

The previous discussion about this talked about SCADA systems, so I read the wikipedia article about SCADA but still don't quite get what it really is. And the vulnerability seemed to only be exploited on one particularly stupid system which used a hard-coded password.

And it seemed to also require the use of Autorun/Autoplay which should obviously be disabled anyway. I have 2 files to take care of that on all my USB drives:

Autorun.inf:

[AutoRun]
open=autorun.cmd
shell\open\Command=autorun.cmd
shell\explore\Command=autorun.cmd

And autorun.cmd:

@ECHO OFF
ECHO ALERT: You have autorun enabled on this drive (%~d0)!
ECHO.
ECHO Trying to disable it:
@ECHO ON

REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveTypeAutoRun" /ve /t REG_DWORD /d 255 /f
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf" /ve /d "@SYS:Autorun-Disabled" /f

@ECHO OFF
ECHO.
ECHO You may need to reboot.
ECHO.
@pause

Re:what is this .lnk flaw anyway?

Not bad. Although the side effect of turning off autorun on any machine in which the USB device is inserted might not be desirable (e.g., if it's someone else's machine). Also, if a worm blindly writes it's own autorun.inf file, then your modified one will get overwritten. Make sure you at least write-protect the file.

My strategy is simpler. Besides having autorun correctly disabled on all the machines I own, I have a read-only directory that's called "autorun.inf" with a readme.txt file in it on any external device. Any worm that attempts to write over it would have to figure out that it's a directory and delete it and the files within it first. From testing on infected machines, none of them have been that smart (yet).

I still like your idea that actively purges the scourge of autorun from each machine.

Re:what is this .lnk flaw anyway?

Note: On XP you need to install a bugfix before the registry settings actually do what they where supposed to do.
(I'm not sure if this is already included in SP3)

Re:what is this .lnk flaw anyway?

[alexhs]

From what I've understood, it is a buffer overflow in the way .lnk are handled that has been exploited.

It doesn't require autorun, just the reading of the .lnk (which happens when you're displaying the .lnk in the explorer)

The flaw has been discovered from Stuxnet, a virus that happens to target specific systems, but is in no way limited to these systems.

By the way, does anyone know if it is possible to put a noexec on USB keys like you can on unices ? Although it wouldn't help about this flaw, it is usually better practice (as long as you're not using portable apps).

Re:what is this .lnk flaw anyway?

[noesckey]

Stuxnet functions even if autorun is disabled: http://www.sophos.com/pressoffice/news/articles/2010/07/stuxnet.html

Re:what is this .lnk flaw anyway?

Please mod this down, the bug in the lnk handling does in no way require autorun, just browsing the folder will do. This btw also works with webdav shares (have fun ie users).

Re:what is this .lnk flaw anyway?

I still haven't understood what this .lnk flaw actually is,
...
And it seemed to also require the use of Autorun/Autoplay.

Than please do not comment upon it that way. And no, it does not need Autorun/Autoplay.

Just getting the shortcut displayed in your file-browser window is enough to trigger the "exploit". And as most installations are "helpfull" enough to open the root-folder of the removable media you put into the machine that "looking at" is fully automated.

Even if not, simply clicking on the USB-sticks icon in the file-browser will open that root-folder for you and it happens anyway. Other sub-folders can be infected the same way.

The crux of the matter is that when the shortcut references a specific target that target gets activated to be able to get a specific icon from it (which the shortcut than displays).

This is designed behaviour (one of the many "by design" blunders MS has made).

The only work that needs to be done is to edit the target stored in the shortcut to point to another target (the malicious program) located on the removable/remote/anywhere else media. Even a script-kiddie can do that it.

P.s.
I removed some too-specific information, as MS did not yet make the patch available ...

Re:what is this .lnk flaw anyway?

[rduke15]

the side effect of turning off autorun [...] might not be desirable (e.g., if it's someone else's machine)

For me, it is the desired side-effect, because these people will usually call me for help when they get a virus. I do tell them that I disabled it though, and try to explain why if they seem willing to listen.

Also, if a worm blindly writes it's own autorun.inf file, then your modified one will get overwritten. Make sure you at least write-protect the file.

The files do have the read-only attribute.

autorun correctly disabled

One of my 2 reg entries is actually what is recommended in your link.

What I don't know yet is if it works on Win7 or if something else is needed. I'm not so much into fixing Windows any more, since I switched to Ubuntu. There's enough to do to try to fix/customize that now ... :-)

Re:what is this .lnk flaw anyway?

Ok, here's the deal (since I work in a company that has an active utility SCADA network, and our IT staff went bonkers)

Some people figured out that there is a bug not in AutoRun, but in the Control Panel Library that actually draws icons for LNKs. Just plugging in the device to a Windows machine then opening Explorer will make Windows crawl through all of the executables on the root folder, and Explorer will try to draw the correct icon for each LNK file... throw in a specifically badly formed icon, and Windows will crash simply viewing the files in the folder. Or in the case of Stuxnet, be made to execute malicious code that (in a fraction of a second) installs a rootkit and masks its presence on the USB drive.

What made this doubly dangerous was this was discovered packaged on a USB device that had a payload attached to it to take advantage of the Explorer crash... the payload contained a specific attack against a Siemens SCADA library (attacking a system account with a hard-coded password, bad Siemens!). SCADA describes a protocol for "supervisory control and data acquisition", it's the protocol by which large-scale industries remotely control assets... for example, from a local control center, a electric utility company could remotely open circuit breakers, potentially cutting whole towns off from the transmission network. SCADA gives utilities to manage geographically disperse assets in near real-time, and it's essential to manage the complexity of our country's infrastructure. SCADA is usually implemented on private fiber networks, but in the last 10 years, utilities are becoming more comfortable giving Windows machines VPN access to these networks.

Problem #2 is we don't know how widespread this hidden system account was in use, and Siemens isn't talking. Siemens' problem is that almost everything they do as consultants in the electric industry is one-off custom projects, so IMHO even Siemens doesn't know how large this problem could be.

Now imagine a scenario where a utility employee is walking through their parking lot in the morning, finds a USB flash-drive lying on the ground, person says "cool free drive", goes back to their computer, plugs it in to do a virus check, and the virus executes at the first drawing of the folder. The payload executes, discovers that there's a Siemens SCADA network accessible, and triggers its attack to send bad commands to the SCADA server to crash the network. Yes, lots of stupid security-policy-violating stuff needs to happen, but that's what a social engineering attack is all about.

Re:what is this .lnk flaw anyway?

This is why Windows will never be ready for the desktop.

On my Debian box, I click System > Preferences > Removable Drives and Media > un-tick Auto-run

All this command-line stuff in Windows is just too geeky for the normal user.

Re:what is this .lnk flaw anyway?

[rduke15]

Thanks for the detailed explanations. I got it at last.

Re:what is this .lnk flaw anyway?

[jroysdon]

SCADA systems are the type of things that control nuclear reactors, power generation, power distribution, water distribution, and many more.

For this reason the Siemens attack used a USB method, as typically SCADA systems are either heavily firewalled and/or air-gapped. Sneaker-net should be the only way to get into those networks when done right, and even then sneaker-net methods should be very restricted.

Siemens HMI/SCADA.

The really interesting bit

[HangingChad]

Stuxnet has turned out to be a rather interesting piece of malware as it not only uses the LNK zero day vulnerability to spread, but it had components that were signed using a legitimate digital certificate belonging to Realtek, a Taiwanese hardware manufacturer.

How do you suppose the crackers got a hold of Realtek's digital certificate? Seems to imply a level of sophistication that goes beyond most virus writers, many of whom are industry professionals these days. A government-backed organization maybe or well-funded industrial espionage.

Behold the true face of cyberwar!

Re:The really interesting bit

[alphatel]

Agreed, who cares what the vulnerability is - exploits are never-ending. The digitally signed certificate is a sure-fire method of defeating a number of defense mechanisms and penetrate the MS core even further. As always, the benefit to the code writer is that any MS OS can be fooled, including server systems.

Re:The really interesting bit

Virus authors aren't script kiddies anymore. They're trained software engineers. Remember Conficker? It had an implementation of MD6 only a few weeks after the specifications were release(It even contained a buffer overflow which was a fault in the specifications). However, to get a digital certificate signed, I'm guessing some bribery was in order. I'm guessing spam pays a lot these day, when it's done right.

Re:The really interesting bit

How do you suppose the crackers got a hold of Realtek's digital certificate

They probably didn't. All they did was write some kind of "driver" and payed Realtek some administration fee to sign it.
The problem here is that you never now exactly what you sign, unless you wrote it.
Even if you get the source code, and compile the binary yourself, you can't check all the code in a big driver.

Re:The really interesting bit

[v1]

How do you suppose the crackers got a hold of Realtek's digital certificate?

My best speculation on that is an actual hacker (or hacker group) managed to extract the private key through nefarious means, possibly via a botnet-controlled or similarly zombified computer inside realtek, and then it was sold on the underground malware market.

It's very unlikely the makers of Stuxnet were actually the ones that stole the key in the first place. Does make one wonder how much such a key would go for? I would expect it to be very expensive, it's at least as good as a zeroday.

You'd think MS would have some very tight restrictions and conditions on how vendors agree to protect their signed keys. I wonder what MS's response to realtek is going to be? Things like this are really damaging to MS's reputation. Even though MS is not generally known for security in the first place, users expected Vista/7 to be better, and afaik it's at risk here also. MS needs to give realtek some smackdown.

But the real irony here may be that MS's standing security issues were probably a factor in realtek losing the key in the first place, so to some degree, MS contributed to this problem.

"Effective August 2010, MS will require all driver signing keys to be stored exclusively on macintosh computers. Use of windows computers, unencrypted backups hosted on windows-accessible networks, and especially usb thumbdrives, will not be allowed." lol... wonder if that will help them?

Re:The really interesting bit

[symbolset]

Start with the obvious assumption that the certificate was stored on a Windows computer. Now assume that most of the rest of them are too. Calculate the likelihood that a particular Windows computer will be rooted.

Are you scared yet?

Re:The really interesting bit

[AmberBlackCat]

So, if they had acquired the signature for Red Hat's online repository, Fedora wouldn't be vulnerable? If the user clicks yes to accept a Fedora key, that's less risky than clicking to accept a key on Windows?

Windows 2000 users

[trifish]

A friendly warning to all Windows 2000 users out there, your OSs will remain vulnerable (unless you have a private agreement with MS).

Support for you ended two weeks ago.
http://support.microsoft.com/lifecycle/?LN=en-us&x=17&y=3&p1=3071

Re:Windows 2000 users

[Mhtsos]

This is especially important to anyone actually using the SCADA software this virus attacks. Some versions of WinCC are incompatible with XP (as in "only certified to run on windows 2000" i'm sure nothing technical prevents running in XP). So actually quite a large portion of the target group remains unpatched.

Re:Windows 2000 users

The city of Munich? Do they still run NT 4.0?

Re:Windows 2000 users

[gad_zuki!]

This attack can only use the credentials of the logged in user. Running as limited user limits its ability to do anything outside of your profile. That and basic AV means Win2000 is usable for a long time in the future.

Re:Windows 2000 users

That and basic AV means Win2000 is usable for a long time in the future.

You must be kidding me. Windows gets a new unpatched vulnerability (often exploited zero-day style) every month. You just need to wait another month for yet another vulnerability and then another for another, etc. Antiviruses may detect some of these but not all. In the following months your Windows 2000 will be turning into rotten pile of insecure shit. Face the reality or be pwned.

Re:Windows 2000 users

[antdude]

Is the free version of the latest Avast AV enough for updated Windows 2000 SP4 users?

Re:Windows 2000 users

The first rule of security:

Do not use an operating system that contains known unpatched vulnerabilities. Especially if it's connected to the internet.

Thank %DIETY%

[thegarbz]

This virus made it's rounds through my work (Fortune 50 company). Man the clean-up was disruptive. Mcafee was quick with a patch to clean our computers, but I there were petabytes of storage to clean world wide.

The real flaw on 3 different OS won't be fixed

[Ilgaz]

For some reason, MS will shy away from mandadory CRL/OCSP checks. Bandwidth issues for 1 kb traffic?

Realtek drivers, as they are software/hardware hybrid (more like softmodem) with unneccesarry junk like an extra control panel weights around 40 MB. Everyone knows it since we have to deal with their aspx powered weirdo site when vendors, including Apple Inc. installs old version of drivers. What kind of harm would Windows do asking certificate vendor (Verisign in this case) if the certificate is real?

This is also a mistake by Apple too, they don't enable ocsp, at least to "best attempt" in fresh OS X install. You gotta do it in keychain utility preferences. Sad that, on OS X way of doing things, that would mean an instant security boost since native OS X apps uses the same framework for SSL comms.

Funny is, this is also a problem on Symbian which doesn't rely on "app store". For example, on Nokia E71, one must live a complete usability hell if he/she enables "online certificate revocation check". They just couldn't fix the freaking UI and disabled online certificate check for signed symbian apps. So what happens if some dumb shareware vendor loses their certificate or they actually freely sign malware? You install AV. All this for saving (!) 1 KB of traffic.

So, even if Verisign revokes it (or hurries, whatever), it won't have any effect until MS/Apple/Symbian (don't know others) wake up and enable certificate revocation checks by default in these days even your heater is connected to the internet.

Re:The real flaw on 3 different OS won't be fixed

So, even if Verisign revokes it (or hurries, whatever), it won't have any effect until MS/Apple/Symbian (don't know others) wake up and enable certificate revocation checks by default in these days even your heater is connected to the internet.

So some hax0r can automatically disable nation-wide heaters with revoking one cert? Nice idea for cyberwar...

Realtek is a IC design house, not software

http://www.realtek.com.tw/
That site would explain a lot of things to you, especially their way of handling things. Stupid Creative and other vendors made them (!) the emperor of sound with their policies. If you find about their marketshare, it will likely surpass Intel vs. AMD.
Companies like Apple, who thinks it is wise to pack up old versions of drivers so "maccie" won't have a decent experience on Windows also adds to the problem.
If Microsoft did their job fine, told Realtek "just don't ship drivers, we will handle it with windows updates as fast as you would post to website", there wouldn't be a need for third party realtek driver site to begin with. It became a common thing to go to realtek site and get/update to latest drivers.
Realtek is an advanced hardware design (IC) house, this is what happens if you force them to do software things. One day, they lose the certificate.

It is MS to do it

[Ilgaz]

Your fix doesn't matter as 99% of people out there will wonder around with autorun enabled.

MS have to copy Apple's way of doing things. How long it took for Apple to fix the "startup items" flaw? They changed the scheme of doing things, did couple of permission tricks and prompted user with a complete non nerd window saying "Wrong permissions in Startup Items" like thing, with 2 options "fix" "don't fix", "fix" selected by default.

Or, they figured Input Manager functionality which allows running from user's own "Input managers" directory (in $HOME) is flawed, about to get expolited. In next OS X, they made it ignore the Input Managers in Users home dir and allowed only Admin installed input managers. Didn't it create problem on a OS which is advertised as "it just works"? of course it did but it saved a lot of users who otherwise wouldn't have clue how powerful Input Managers can be.

What MS have to do is, tell big vendors of boxed software/drivers/devices "this is it folks, talk to your DTP department to add instructions of installing your software to the box, we are disabling autorun by default". They can also add Windows 95 "install applications/drivers" control panel to a easy to reach place. E.g. right under their precious "Internet: Internet Explorer" start menu item :)

Hotfixes, AV software, reg hacks won't cut it.

If they listened to Gibson,Blaster wouldn't happen

[Ilgaz]

I remember everyone laughing at GRC.com for alerting about port 135 being wide open to net. While it can be blamed on his kind of language (nano somethings etc.) to blame, nobody listened to him and Blaster happened.
Funny thing is, even a non computer geek can be convinced that autorunning programs in this age is a bad thing in 10 seconds and yet MS doesn't disable it.
You know one of the most dangerous and destructive viruses on MacOS (not OS X) is actually named "autorun"? So, the vendor (Apple) did what? Released "hotfixes", called Verisign? They simply disabled the functionality all together and added a kinda undocumented bit to removable media HFS to "display contents in finder whenever it is inserted" (still works in OS X). So, user could double click thing saying "double click me to install". There, problem fixed. No harm done. MacOS software industry didn't collapse, people didn't look to their newly purchased devices without clue...

Win2K users not running AV?

[Ilgaz]

As a person in TV industry, I can really relate to "people still running windwos 2000" but, trust me, it is absolutely suicidalif one doesn't run a commercial quality AV actually doing heuristics like Kaspersky or F-Secure.

I am not a shareholder in these companies of course, it is just that they are running way deeper security checks and actually watching what really happens on the OS. People blame them for being heavier than "freeware av" for that reason.

If you can live with pro-active way of doing things, Comodo AV which is freeware, in case it works under Win2K is a good choice too. It is like eSafe end user version (which has been abandoned) which really figures the threats even if it has no clue about them.

While on it, OS X 10.4.11 Tiger doesn't get security updates too. I can only (unfortunately) suggest Intego Virusbarrier which is a bit pricey to them. There is a cost of having to use older commercial operating system. Obviously, I don't think there is a black hat dumb enough to specifically target some poor guy being forced to run 10.4.11 and spend time on it.

The 1 click wonder?

[poptones]

An ipad? ROTFL. Let's see you develop SOFTWARE for that ipad... on your ipad.

Apple users need to learn to speak without steve's hand up their anus...

Re:The 1 click wonder?

[Jesus_666]

You mean Apple fanboys. I own a Mac and I don't see the iPad as revolutionary, merely a previously-unexplored market niche. No, it doesn't fill the Tablet PC niche; those are essentially graphics tablets with built-in notebooks while the iPad is a scaled-up PDA. Of course it's never going to displace real PCs.

Re:The 1 click wonder?

[RulerOf]

No, it doesn't fill the Tablet PC niche;

Ain't that the truth.

I've got a Viliv S5, and for what I bought it for (portable MKV/h264 playback and general nerdiness), it function[ed] well (I add the past tense because there's an issue with the Windows 7 wifi driver for it that makes it damn near impossible to stream anything). I have though for the most part stopped using it in favor of AirVideo on my iPhone. Mostly because the phone fits in my pocket. While I find myself watching a TV show or something in bed and think "Hrmmz this would look better on an iPad," I can't really justify buying one because I know I'd never use the damned thing. Hell, my boss has bought half a dozen iPads and I'm not sure that more than one or two of them get any kind of regular use... he's a bit of a fanboy. I digress.

What I'd really like to see is a tablet--any tablet--that runs any OS, be it Windows, [Insert favorite flavor here] Linux, iOS, OS X, even Windows CE or Windows Phone 7, that will act as a Windows Media Center Extender. There aren't any software MCE's currently available (other than in the bowels of Microsoft), but if I could have that experience on a tablet, when I'm away from home I can use the thing for what-the-hell-ever I please, but when I am home I can watch my entire media collection and live TV and DVR all on a single, wireless device. That would be worth $500. My guess is that Ballmer doesn't care though.

[rant]
Hrm, while I'm talking about shit that won't exist in a relavant time frame, I'll say again: Perhaps we can have ISP's that solve the bandwidth problem by capping bandwidth instead of capping transfer. I love being considered as the poster boy for the problem in spite of the fact that I download shit at one fifth of my pipe's speed... in the middle of the night. Really fucking it up for everyone else, I am.
[/rant]

Re:The 1 click wonder?

Can't you just use a media player that properly buffers files on networked storage? The KMPlayer and I think VLC can do this. I don't understand why you need some "Media Player Extender". Just a tablet or netbook with wifi, a share on the PC or storage device with the media and you should be set.

Re:The 1 click wonder?

[h4rr4r]

How about not using Windows media center?
Better more interoperable solutions exist. Heck you could even use vlc on your current setup and stream to whatever device you wanted so long as it can handle normal video streams.

Re:The 1 click wonder?

[RulerOf]

There's a bunch of reasons. First and foremost really is the sharing of TV tuners and centralized configuration brought by extending WMC rather than replicating it. Second, extenders do all the heavy lifting on the back end via DXVA and whatnot, which would mean better battery life. Also, it'll optimize any video source, no matter what it is, to run over that network connection.

It's neat stuff, but it's really waiting for a breakout to the mainstream. Windows 7 has made it vastly more powerful, but it'll be a couple more years (or Windows versions) before the average folks start digging into it... though perhaps those people will be more interested in Hulu Plus or whatever at that point :P

Re:The 1 click wonder?

[RulerOf]

Heck you could even use vlc

There's a small problem centered on VLC really, really, really, extra-super-holy-fuck-it's-a-pile-of-shit sucking. Sure it "plays everything," but until they drop FFMpeg on Windows and embrace directshow or Media Foundation (and by extension, DXVA) it's going to continue to be a heaping pile of shit until the end of time. Not to mention the shitty interface. I've never gotten optical output to work correctly on it, it eats CPU, and it wasn't until just over a year ago that you could even change the volume with the mouse wheel.

Don't get me wrong, it always works, and that's important, but it lacks the polish that just about everything else including other FOSS projects like MPC-HC have had for a VERY long time.

And why Windows Media Center and not MythTV? Three reasons: DXVA, Media Center Extenders (XBox 360's are cheaper and more compact than any computer that would fit the bill, and they have a nice remote), and CableCARD support. There's no other platform that offers that set of features. Also, it's really, really slick :P

Re:The 1 click wonder?

[AnEducatedNegro]

XBox 360's are cheaper and more compact than any computer that would fit the bill, and they have a nice remote

You're welcome.

Re:The 1 click wonder?

That makes sense then. I wasn't aware that by streaming you meant that the Media Center PC was doing all of the video decoding and sending raw video ala PC Anywhere. I was thinking "Youtube streaming video".

Still, you might look into something based on Nvidia's Tegra. From what I've seen, it's really good with video decoding (h.264 at least) and even has good battery life while doing that. Maybe something like this or this.

Re:The 1 click wonder?

[RulerOf]

Very nice, but in the absence of a software WMC extender, it's still lacking a game breaking feature :(

getting things done

[poptones]

Black hats everywhere would like to thank you for aiding them in their quest to own the internet...

Re:getting things done

Except for the fact that I've never had a Windows box that got compromised or infected with any kind of virus, trojan or malware. Most "vulnerabilities" in Windows are user initiated. Practice a little common sense (ie. don't run things that come from questionable or unknown sources) and you are unlikely to ever see a problem.

In addition, if you think that a Linux OS is impervious to attack by hackers, then you are naive. The main reason Windows gets attacked more is because it's a much larger and more worthwhile target. The instant any Linux OS pulls ahead, I guarantee that you'll start seeing tons of vulnerabilities for it popping up everywhere.

Re:getting things done

[basscomm]

Except for the fact that I've never had a Windows box that got compromised or infected with any kind of virus, trojan or malware. Most "vulnerabilities" in Windows are user initiated. Practice a little common sense (ie. don't run things that come from questionable or unknown sources) and you are unlikely to ever see a problem.

Baloney. Let me guess, you don't have any antivirus installed either, because you don't need it? Either you haven't been using Windows for very long or your only Windows box is turned off in the corner. Back in the 90s I got a disk from my school that was infected with Stoned, and a few years later bought a CD-ROM game that came with Michelangelo on the disc itself. Even more recently, hardware from (more or less) reputable sources come preloaded with malware. Heck, part of my job is removing malware from PCs on a near-daily basis, and even though I know better, my USB key got hit by the Autorun worm last Summer. So yeah, common sense and safe browsing habits are wonderful things, but they're not a panacea. There are so many attacks coming from so many vectors, that if you use a Windows box you will get some kind of infection eventually.

Re:getting things done

Of course I use antivirus and have done so for decades. I also use spyware scanners and run behind two firewalls. When it comes to my PC, I've always exercised extreme caution in regards to computer viruses, trojans and vulnerabilities. It's better to be safe than sorry.

I have had PCs since 1982 and have connected to everything from bulletin board systems of old on a 300 baud modem to our modern internet without issue. I've found viruses and trojans on systems before, but never got infected because I caught them before they were executed. Actually, there was even a time that I purposely collected viruses and distributed them, with full documentation/descriptions of what they were, via my own "elite" BBS. Stoned and Michelangelo? Check. Had those and about two hundred more available for download. Still, never had a problem.

I really don't care if you don't believe me. Your ignorance doesn't change the fact that I've never had a compromised or infected Windows box. Perhaps you are simply more careless about these things than you think.

Re:getting things done

I agree. My home machines have never gotten a virus, and I use them probably 80-85 hours a week. My office machine, however, has been infected twice, and I caught it both times myself, as they were 0-day exploits. Anti-virus at work has not caught anything other than slowing my already slower than crap work PC down even more.

Re:getting things done

Windows is more secure now than ever before, but at the same time the userbase has also grown. Back when Windows 95 came out, far fewer people had computers. These days, you'd be hard pressed to find a household that doesn't have one. Just because the percentages look the same doesn't mean the numbers are the same.

Overall, Windows is much better now than it used to be. You'd have to be blind not to see that. Also keep in mind that software can improve in many ways, not just one.

Linux's primary security mechanism is not running unnecessary task, not opening ports unnecessarily and not running with admin privileges by default. These are all things that Windows has gotten better with, but ultimately the most dangerous part of the equation is the user. Give an average user a Linux box and the first time he/she comes across something that needs admin privileges, they are going to want to run with those privileges all of the time, thereby opening up a gaping security hole. The same is currently true in Windows.

So far the success rate of this Stuxnet worm has been extremely low and the majority of the attack attempts have been isolated to areas where people were downloading illicit and questionable material to begin with. Was it too much for you to actually read about it before posting? You'd also do well to present a real argument instead of blindly screaming "FUD" at everything that you don't understand or agree with.

Re:getting things done

Getting a virus in Windows almost always means you're a computer illiterate tard. Sad but true.

Re:getting things done

It was because I called yall fucktards right?

The real problem is who to trust...

[leuk_he]

They can revoke keys but then there is a new problem:

-What if the system becomes unusable without a certain driver ( maybe even because the rootkit kills the system deliberate in that case). Who is responisble.
-If the user gets prompted, what are his options? (e.g. in the simple case his system clock is wrong, but the error message is not clear).
-What if revoking disables the sound of 66% of the windows machines and ONLY disable 0,001% the rootkit (but not even the actual virus).

If you think this over, you realize how much issues there are with revoked/expired certificates. The math behind them is correct, but the consequences are much more complicated.

"have been exploiting for several weeks now..."

[euyis]

Why is this called an "emergency" fix? Just curious.

Re:"have been exploiting for several weeks now..."

[Shados]

because for various reasons (some that are even good), Microsoft only normally release patches once a month. When they can't wait, they call it an emergency fix. Simple enough?

LNK is an Open Specification

[kingdominic]

The .LNK Binary File Format is an Open Specification provided by Microsoft via the following document:
http://msdn.microsoft.com/en-us/library/dd871305(PROT.13).aspx
~ king

Re:LNK is an Open Specification

How does that do us any good though? It's not like Microsoft's implementation can be easily replaced is it? Do they use a well documented stand alone library for working with .lnk files? One that I could just plug in an alternate implementation of by exporting the same symbols? Probably not. Its probably lumped in with hundreds of other unrelated functions in some binary that can't be replaced without a significant amount of reverse engineering.

In the end you're still at Microsoft's mercy. Hope their fix works.

Windows XP SP2 will not be patched

SP2 support ended earlier this month. You know what that means. No patch unless you have a custom support contract. Hasta la vista.

Re:Windows XP SP2 will not be patched

[UnknowingFool]

Or you could just update to SP3. That hasn't ended yet.

Re:Windows XP SP2 will not be patched

[antdude]

Not everyone can upgrade though like IT, weird software issues, etc. Oh well, their losses. :)

Re:and hten any device needing that driver

[icebraining]

Yes, the drivers would stop working, which would bring the shitstorm against the HW manufacturer. That was my point.

But according to your "sibling" post Windows HW certs don't work like that, so there's nothing Microsoft can do.

While they are at it

[JimboFBX]

While they are at it they should remove the functionality to open a .lnk file in media player. My wife had media player as the default player, and she had some .mp3 files on her system. I'm guess she got these from limewire or something. They wouldn't play in itunes, so I tried opening them in media player and it said it was a filetype that didn't match it's extension, open anyways? So I said yes, thinking that it might of been a wma that was renamed by a dummy, and then instantly a web browser window opened up to some website. The file itself was 5 megs, so I'm guessing it had a .lnk header and then either padded the rest with the original mp3 or just dummy data.

time to exploit XPSP2 installations!

Since many Corps still refuse to upgrade to SP3, get ready for swath of news with IT failing to quell SP2 only rootkits and worms.

Re:time to exploit XPSP2 installations!

[Kaenneth]

I could see putting off migrating to Vista/Seven... But not installing a service pack?, that's just dumb...

Re:and hten any device needing that driver

[Korin43]

I suspect it wouldn't work that way anyway. More likely, Microsoft would revoke the certificate, and then everyone would blame them because "My computer doesn't work". Seriously, think of normal people having this problem.

works about as well as windows ever did

[poptones]

Years ago I bought a CD of American McGee's Alice. This was the only game cd I ever actually paid for, and I even installed XP just to run it. Guess what? It never worked. I tried tracking down support info, I tried several tricks and patches and the goddamn thing never worked. The closest I ever got that damn disk to working was under wine. Oh, the irony.

A 360 does what it does. A 360 is not a desktop with access to all my email and shit. A 360 may be a walled garden but that's fine just so long as it plays a fucking game CD when I bring it home. Why anyone would want to fuck around for hours with making a desktop play games is beyond me.