Tag Archive for Microsoft

| May 11, 2010
Comments Off on Microsoft Security Report

Microsoft Security Report

Microsoft Security ReportMicrosoft (NASDAQ MSFT) released the latest Microsoft Security Intelligence Report (SIRv8) on April 26, 2010. Data for SIRv8  came from 500 million PCs across the globe between July and December 2009 and for the first time separates enterprise user and consumer user malware trend data. The data included in the 250-page report says that enterprises and consumers each suffer from different types of malware threats.

Microsft security goog news

Microsoft logoThe good Microsoft security news from the SIR 8 report is that newer operating systems and up-to-date applications are the most secure. Windows 7 and Vista Service Pack 2 have the lowest infection rates per 1,000 executions of the Microsoft Malicious Software Removal Tool (MSRT) in the second half of last year. (pg. 85). Microsoft runs the Malicious Software Removal Tool before installing Windows updates.

Windows OSPC's cleaned/1,000 MSRT
XP SP121.7
XP SP214.5
Win 7 32-bit2.8
Vista SP2 32-bit2.2
Vista SP2 64-bit1.4
Win 7 64-bit1.4

The report shows that the more recent versions of Microsoft Windows are less vulnerable to attack. Cliff Evans, Microsoft UK’s head of security and privacy says only about 5% of the vulnerabilities are in Microsoft software. This has led to a shift in emphasis to targeting third-party programs and utilities. In XP, around 45% of attacks exploited third-party (i.e. non-Microsoft) code, with Vista and Windows 7 it’s around 75% according to an article in the Guardian.

Application attacks continue to increase. Running updated software decreases the attack surface and increases Microsoft security robustness. The report shows that attackers target Internet Explorer 6 (IE 6) up to four times more often than the newer version IE 7 (pg.33). Matt Thomlinson, general manager of product security in Microsoft’s Trustworthy Computing group told DarkReading, “With Internet Explorer, IE 6 is four times more targeted in drive-by attacks.” Thomlinson says SIR 8 provides the first real results to illustrate this.

Browser attacks

The Microsoft security report says that nearly 75% of the browser-based exploits encountered in 2H09, were third-party applications, including Adobe Reader, RealPlayer, Apple QuickTime, and AOL software (pg.26). This means Windows Update is not enough to protect users, who must also install updates from Adobe, Apple, and other software suppliers.

Attacks against Microsoft Office make use of older vulnerabilities that have mostly been fixed and can easily be avoided by keeping the software suite up to date. The majority of Office file format attacks can be avoided by applying service packs (pg. 43). For example, 75.8% of the attacks on Microsoft Office files exploited a single vulnerability (CVE-2006-2492, the Malformed Object Pointer Vulnerability in Microsoft Office Word), which was found in 2006.

The report found that enterprise users contract more worms, “In the enterprise, worms are more of a problem, which is not a surprise in that you have networks with trusted file shares and USB devices, and they are more susceptible to those transmission mechanisms,” Thomlinson told DarkReading. “This is the first time we’ve had data allowing us to separate [enterprise and consumer machines] and show differences [in malware prevalence.]” Worms were found in 32 percent of enterprise PCs.

ThreatPresent %
Worms32
Miscellaneous Trojans18
Unwanted software16
Trojan down-loaders and droppers13
Password-stealers and monitoring tools7
Backdoor programs 5
Viruses 4
Exploits 3
Adware3
Spyware1

Rogue anti-virus attacks

Windows in both the enterprise and the consumer markets were hit hard by rogue anti-virus attacks last year. Rogue security software was found on 7.8 million up 46% from 5.3 million in the second half of last year. The most detected rogue security software family, Win32/FakeXPA, was also the third-most prevalent overall threat detected by Microsoft worldwide in 2H09. Three other rouge software families were also widely detected:

  • Win32/Yektel,
  • Win32/ FakeSpypro, and
  • Win32/Winwebsec.

MSFT claims that attacks are now motivated by financial gain, with a “black economy” of malware authors, botnet herders, and other criminals working together to exploit vulnerabilities in Windows PCs. “We’re seeing that the criminals are more professional and organized,” Thomlinson says. “This is really about criminals in shirts and ties, not with tattoos.” Criminals are becoming more specialized in different aspects of cybercrime. They are then coordinating with criminals with other specialties. He says. “Threats are being packaged together and sold as commodities and kits,” he says. “It struck us as we looked at botnets that this is an early version of cloud computing: There is computing available for whatever use they have in mind, and they are taking advantage of many machines to do that. This is the ‘black cloud’ of computing.

rb-
The next report will be interesting as attackers focus their attention on Win7 as it becomes wider deployed. The takeaway from the report is:
  • Keep your installed software patched to current levels.
  • Running old versions of operating systems, browsers, and application software exposes companies to additional unnecessary risks (Ask Google).
  • Invest into initiatives that get systems upgraded to the newest technology available.

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , , , ,
| March 4, 2010
Comments Off on A New Problem Caused by IE

A New Problem Caused by IE

A New Problem Caused by IEThe Microsoft Security Response Center (MSRC) Engineering team is reporting a vulnerability involving VBScript and Windows Help files.  In Microsoft Security Advisory 981169, the MSRC says that hitting the F1 Help key can activate a vulnerability in VBScript enabling Remote Code Execution. The new Microsoft threat involves any version of Internet Explorer (IE) on Windows 2000 and Windows XP.

MicrosoftThe US-Cert Vulnerability Note VU#612021 says that any file displayed by the  Internet Explorer (IE) engine can trigger an attack. IE’s engine is often used to render HTML for other applications, even if you don’t see the usual IE program window.

Trigger the execution of arbitrary code

This issue makes it possible for a malicious web page, an HTML e-mail or an e-mail attachment, or any file to display a dialog box that will trigger the execution of arbitrary code when the user presses the F1 key. The prompt can reappear when dismissed, nagging the user to press the F1 key. MSFT calls the Windows Help files are an “inherently unsafe” file format. That means these files can run arbitrary code, thus the browser must prevent remote Windows Help files from executing automatically.

MSFT suggests that as an interim workaround, users avoid pressing F1 on dialogs presented from web pages or other Internet content. If a dialog box repeatedly appears trying to convince the user to press F1, users should log off the system or use Task Manager to kill the Internet Explorer process.

It is possible  to mitigate the threat from the command line to lock down the legacy Windows Help system by  typing:
cacls “%windir%\winhlp32.exe” /E /P everyone:N
and to undo the change type:
cacls “%windir%\winhlp32.exe” /E /R everyone

Windows Server 2003 is affected as well, but the default IE configuration mitigates the threat. Windows Vista, Server 2008, and Windows 7 are not affected.

Steve Balmmer

The MSRC post also describes how to change IE’s Internet and Local intranet security zone settings to “High” to prompt before running ActiveX Controls and Active Scripting in these zones a move that can also help protect against potential attacks.

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , ,
| February 14, 2010
Comments Off on New Disk Drives Degrade XP

New Disk Drives Degrade XP

IBM 350 disk storage unit The International Disk Drive Equipment and Materials Association (IDEMA), the industry group which promotes the technological, manufacturing, marketing, and business needs of the disk drive industry, is leading the Big Sector initiative to update computer hard disk drives from 512 bytes to 4,096 bytes (4 Kilobytes) sectors.

IDEMA claims the need to change the hard drive sector size which has been consistent for thirty years, developed as hard disk sizes grew. 4 Kb sectorThe old 512-byte sectors limited the amount of error correction required to handle more data on the newest drives.  Dr. Martin Hassner of Hitachi GST said: “(The) increasing areal density of newer magnetic hard disk drives requires a more robust error correction code (ECC), and this can be more efficiently applied to 4096-byte sector lengths” in a 2006 TechWorld article.  According to the trade group, the change to 4 Kb sectors will allow hard drives to continue to grow to 2 Tb in size.

Western DigitalWestern Digital (WDC) is the first manufacturer to release products under this initiative. WD calls these drives Advanced Format. According to an article at AnandTech, In order to reach the 2 Tb size Western Digital and other drive manufacturers have developed a 512 b emulator which resides on the drive controller for the Microsoft (MSFT) Windows 5.x family (Windows 2000, XP, 2003, Windows Home Server) which are unaware of 4 Kb sectors.

AnandTech says the emulators will allow Windows 5.x systems to continue to think they are seeing 512 b but there are still problems. The article reports that the Windows 5.x family has a habit of misaligning the first disk partition under the new system which will result in poor default performance. The Windows 6.x family (Vista, 2008, Win7) and later are programmed to take into account the alignment issues. This also creates issues for imaging software. Drive imaging software like Norton’s Ghost needs to be 4 Kb aware. Otherwise, it may inadvertently create misaligned partitions with any Windows product.  The article claims that all current imaging products will write misaligned partitions and/or clusters.

Linux and Apple (AAPL) Mac OS X are not affected by this issue. Western Digital has tested modern versions of both operating systems and officially classifies them as not-affected. They also found that Linux and Mac OS X drive imaging products are also unaffected.

Western Digital is offering two solutions to solve the misalignment issue. The first solution is specifically geared towards Win 5.x. The first option is to use an offset created by jumpering pins on an Advanced Format drive. This will force the drive controller will use a +1 offset. This crude hack means the operating system is no longer writing to the sector it thinks it’s writing to. Jumpering is simple to activate and effective in solving the issue on a PC with a single partition. If multiple partitions are installed this hack cannot be used because the offset can damage later partitions. The offset can not be later removed without repartitioning the drive, because that would break the partition table.

The second method of resolving misaligned partitions is through the use of Western Digital’s WD Align utility available online from WD. The utility moves a partition and its data from a misaligned to an aligned position. This is the recommended solution for using multiple partitions under Win 5.x, along with correcting any misaligned partitions generated by imaging software. The utility also serves as the only way to find an Advance Format drive without physically looking at it.

AnandTech calls the WD Align utility the recommended solution for single-partition drives being used under Win 5.x too since it prevents breaking the partition table. The amount of time needed to run the utility depends on the amount of data that needs to be moved and not the partition size (it simply ignores empty space), so it’s best to run the utility immediately after creating a partition or installing Windows, as there’s less data to move around.

WD Green Cavier HDDThe first Advanced Format drives are WD Caviar Green drives using multiple 500GB platters which are now available. There are two ways to identify these drives:

1) They all have 64 Mb of cache – the first WD Caviar Green drives to come with that much cache; and

2) They all have EARS in the drive model number, e.g. WD10EARS.

It seems that WD is not pushing these drives as part of any major product launch. The new drives are quietly entering the marketplace. The IDEMA plan called for everyone to have 4 Kb sector drives by 2011, so there will be similar soft-launches from the other manufacturers over the next year.  It is reasonable to expect all the HDD manufacturers to have similar problems with Win 5.x,  All of the vendors will have to support WinXP, in one way or another until at least 2014, when extended MS support for WinXP ends.

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , ,
| January 28, 2010
Comments Off on Privacy Day 2010

Privacy Day 2010

Privacy Day 2010Data Privacy Day is January 28, 2010.  Data Privacy Day is an international celebration of the dignity of the individual expressed through personal information according to its sponsors. In this networked world, in which we are thoroughly digitized, with our identities, locations, actions, purchases, associations, movements, and histories stored as so many bits and bytes, we have to ask – who is collecting all of this – what are they doing with it – with whom are they sharing it?

For its part, Google (GOOG) has released a video highlighting the ways it uses some of that personal data it collects about you to make your life easier and then explains that you can opt-out of some of Google’s data collection policies.

Nicrosoft logoMicrosoft (MSFT) has released the results of a study on data privacy.  According to the Microsoft survey, the results illustrate how we, as a society, are still grappling with the intersection of privacy and online life. For example, 63 percent of consumers surveyed are concerned that online reputation might affect their personal and/or professional life, yet, less than half even consider their reputations when they post online content.

Finally, Fewer than 15%  of consumers in any of the countries surveyed believe that information found online would have an impact on their getting a job.  The Microsoft study found 70% of surveyed HR professionals in the U.S. have rejected a candidate based on online reputation information. Reputation can also have a positive effect as in the United States, 86% of HR professionals stated that a positive online reputation influences the candidate’s application to some extent; almost half stated that it does so to a great extent.

Electronic Frontier FoundationFor its part, the Electronic Frontier Foundation (EFF) has published, “The E-Book Buyer’s Guide to Privacy ” which outlines six elements of Ebook readers’ privacy policies:

The EFF surveyed the policies and found that Google Books and Amazon Kindle will monitor what you’re reading. The EFF also found that all the E-book readers will keep track of book searches and book purchases.  The Kindle, Nook, and Reader shared information collected on your book selections, searches, and purchases is shared outside the company without your consent. The good news is that the a free, open-source FBReader (for Windows/Linux) does not collect data on your book selections or searches.

Google Books and Amazon Kindle will monitor what you're readingThese privacy issues are important for citizens and businesses. Firms have to consider whether they are complying with laws and regulations requiring consumer privacy protections. They know that customers have to trust their technologies and services before they will use and pay for them.

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Data protection | Tags: , , , , , , , , , ,
| December 9, 2009
Comments Off on Which Anti-Malware is Best?

Which Anti-Malware is Best?

Which Anti-Malware is Best?In a report, AV-Comparatives compared the base performance of some of the top anti-malware products on the market. The objective of these tests was to identify how well antivirus scanners can detect new malware using their base functions.

Base anti-malware functions included their proactive scanning and heuristics methods, without the advantage of downloading the latest signatures. Forcing a test without the latest virus signatures makes it possible to evaluate the strength of the heuristic-or proactive, technology of the anti-malware engines.

ArsTechnica summarizes that the tests were run on two sets of malware. Set A, which contains malware from December 2007 to December 2008 (of which most products could detect over 97%). Set B, contained 1.6 million samples of malware collected between August 11 and August 17, 2009. This set included the following categories of malware: Trojans (69.5%), Backdoors/Bots (20.7%), Worms (6.1%), other malware (1.5%), and Windows viruses (0.4%).

Results

Ars reported these proactive detection results (rounded to the nearest percent):

After taking these results into consideration and adjusting for false positives, AV-Comparatives rated the security companies from best to worst in three categories:

  • Advanced+:
    • G DATA,
    • Kaspersky,
    • ESET,
    • F-Secure,
    • Microsoft,
    • Avast,
    • eScan.
  • Advanced:
  • Standard:

In September of 2008 NetworkWorld reported on Gartner claims that enterprises are paying too much for security software. Gartner says vendors simply aren’t doing enough to keep up with the prevalence of threats on the Internet. Neil MacDonald, a research vice president at Gartner says that security vendors are “maintaining high-profit margins on firewalls and antivirus software despite these products being nothing more than commodities.NetworkWorld says that during his presentation at the Gartner’s 2008 IT Security Summit in London, Mr. MacDonald was vociferous in his condemnation of how security products are actually increasing their prices over the years across a backdrop of lowered effectiveness, contradicting pricing schemes across the rest of the IT industry.

Anti-malware pricing is broken

Security vendors have maintained a pricing scheme that contradicts the rest of the IT industry, Mr. MacDonald said. Typically with software or hardware, prices go down year after year with the introduction of new and better products. In some cases, however, security software often loses its effectiveness as new threats emerge, while prices stay high. “Why in antivirus year after year do we pay more for something that gives us less?” MacDonald asked. “It’s insanity. Why is information security immune from the trends of the IT industry?

Gartner recommends that firms use the commodity status of security software to their advantage, “I know it’s hard to switch but you have to seriously enter the negotiations,” MacDonald said. “Let the vendors know that you are not afraid to switch.”  And he recommends that buyers should aggressively negotiate for better prices.

rb-

While most malware writers are script kiddies with an affinity to making minor modifications to existing malware there are some very good black hat hackers out there that are not dummies.  These tests are important for buyers to understand which product’s core functionality is more efficient against new threats and not rely on constant updates to augment their capabilities. In the face of new threats, superior heuristic capabilities are crucial to anti-malware software? The weekly, daily, or even multiple times a day, definitions updates are the lifeline of the anti-malware industry. The need for constant updates is what drives the annual payments for subscriptions.

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , ,
« Older Entries   Recent Entries »