
August 14th, 2007


Write programs with notepad

I have been using the EICAR test virus to test different anti-virus products.

The EICAR test file is a 68-character ASCII string that you can paste into Notepad and save as test.exe. If real-time scanning is working properly, your anti-virus pops up and reports that it found a virus, usually the moment the file is written to disk.

This is what it looks like:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

To be honest I hadn’t really looked carefully at this file. I have been using it for years to verify that anti-virus was working properly.

Until today, when I accidentally ran the test. I had my anti-virus turned off and I executed it from the command line. I thought it was just a random string of characters…but it is a functional program! It echoed back to me “EICAR-STANDARD-ANTIVIRUS-TEST-FILE!”

So I researched it and discovered it is a carefully crafted 16-bit DOS (.COM) program, written so that every byte is an x86 opcode or operand that is also a printable ASCII character. If you are interested, here is the disassembly (addresses assume the usual .COM load offset of 0100h; the last four bytes, H+H*, are rewritten by the program itself before they execute):

0100  58           POP AX           ; AX = 0000 (the word DOS pushed on entry)
0101  35 4F 21     XOR AX,214F      ; AX = 214F
0104  50           PUSH AX
0105  25 40 41     AND AX,4140      ; AX = 0140 (address of H+H*)
0108  50           PUSH AX
0109  5B           POP BX           ; BX = 0140
010A  34 5C        XOR AL,5C        ; AX = 011C (address of the message)
010C  50           PUSH AX
010D  5A           POP DX           ; DX = 011C
010E  58           POP AX           ; AX = 214F again
010F  35 34 28     XOR AX,2834      ; AX = 097B (AH = 09, the DOS "print string" function)
0112  50           PUSH AX
0113  5E           POP SI           ; SI = 097B
0114  29 37        SUB [BX],SI      ; 2B48 ("H+") - 097B = 21CD, i.e. bytes CD 21
0116  43           INC BX
0117  43           INC BX
0118  29 37        SUB [BX],SI      ; 2A48 ("H*") - 097B = 20CD, i.e. bytes CD 20
011A  7D 24        JGE 0140         ; the result was positive, so jump to the patched code

011C  45 49 43 41 52 2D 53 54 41    EICAR-STA
0125  4E 44 41 52 44 2D 41 4E 54    NDARD-ANT
012E  49 56 49 52 55 53 2D 54 45    IVIRUS-TE
0137  53 54 2D 46 49 4C 45 21 24    ST-FILE!$

0140  CD 21        INT 21           ; was "H+": print the '$'-terminated string at DS:DX
0142  CD 20        INT 20           ; was "H*": terminate the program


Now here is the fun (and totally useless ;) ) part. You can make the program say other things too, and once you do, the file no longer matches the EICAR signature, which is the exact 68-byte string, so anti-virus products stop flagging it as the test file. (You have simply made an ordinary, harmless DOS program; a scanner may still object to it on other grounds, but it is no longer the EICAR test.)

Let's try it.

Cut and paste this:

X5O!P%@AP[4\PZX54(P^)7CC)7}$--------====Hello World====--------$H+H*

Paste it into Notepad and save it as test.exe somewhere on your hard drive. (It is a 16-bit DOS program, so it only runs where NTVDM is available, which means 32-bit Windows, or in a DOS emulator.) Now if you run it at the command line you get…

--------====Hello World====--------

The trick is that three bytes in the 28-byte prefix depend on where the message ends: the low byte of the AND AX,4140 immediate (the “@”), which becomes BX, the address of the H+H* bytes that get patched; the XOR AL,5C immediate (the “\”), which must turn that low byte back into 1C so that DX still points at the message; and the JGE displacement (the “$”, 24h = 36), which must land on the same patched address. Keep the message exactly 36 bytes including the terminating “$” and none of them change. To use a different length you recalculate all three, and each must still be a printable character. I will leave this as an exercise for the reader :)
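Here is an added example in Python, not part of the original post, that automates that exercise. build_variant() patches the three length-dependent bytes so you can supply any printable message of 35 to 50 characters (36 to 51 bytes with the “$”), and emulate() runs the result through a small interpreter for the dozen 8086 instructions the file uses and returns what DOS would print. The EICAR bytes and the byte offsets are taken from the disassembly above; the length range follows from the AND AX,214F trick, which can only produce patch addresses 0140h through 014Fh. The function names and the emulator itself are this example's own, not part of the EICAR specification.

```python
# Added example, not part of the original post: build EICAR-style .COM
# images with a different message and check them by emulating the dozen
# 8086 instructions the file uses. Byte offsets come from the disassembly
# above; build_variant/emulate are this example's own names.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

PREFIX_LEN = 28       # code at 0100h..011Bh; the message starts at 011Ch
AND_LOW = 6           # low byte of the AND AX,4140 immediate ('@')
XOR_AL = 11           # the XOR AL,5C immediate ('\')
JGE_DISP = 27         # the JGE rel8 displacement ('$' = 36)
TRAILER = b"H+H*"     # SUB [BX],SI turns this into CD 21 CD 20 at run time


def build_variant(message: bytes) -> bytes:
    """Return a .COM image that prints `message` (the '$' is added here)."""
    if b"$" in message or any(not 0x20 <= b < 0x7F for b in message):
        raise ValueError("message must be printable ASCII without '$'")
    n = len(message) + 1                 # DOS string length including '$'
    # The patch address is 011Ch + n. AND AX,214F can only clear bits, so the
    # low byte must be a subset of 4Fh, i.e. 40h..4Fh, i.e. n in 36..51.
    if not 36 <= n <= 51:
        raise ValueError("message must be 35 to 50 characters long")
    patch_low = 0x1C + n
    prefix = bytearray(EICAR[:PREFIX_LEN])
    prefix[AND_LOW] = patch_low          # BX = 01xx, where H+H* lives
    prefix[XOR_AL] = patch_low ^ 0x1C    # AL ^ this must give 1Ch so DX = 011Ch
    prefix[JGE_DISP] = n                 # JGE 011Ch + n lands on the patched INT 21
    return bytes(prefix) + message + b"$" + TRAILER


def emulate(image: bytes, max_steps: int = 100) -> bytes:
    """Execute a .COM image supporting only the instructions EICAR uses.

    Returns what INT 21h/AH=09h printed; any other opcode raises, which is
    what you want from a checker for printable-byte programs.
    """
    mem = bytearray(0x10000)
    mem[0x100:0x100 + len(image)] = image
    ax = bx = dx = si = 0
    stack = [0x0000]        # DOS pushes a zero word before jumping to 0100h
    sf = of = False         # JGE only reads flags set by the SUB right before it
    ip, out = 0x100, bytearray()
    for _ in range(max_steps):
        op = mem[ip]
        imm8, imm16 = mem[ip + 1], mem[ip + 1] | mem[ip + 2] << 8
        if op == 0x58: ax = stack.pop(); ip += 1                 # POP AX
        elif op == 0x50: stack.append(ax); ip += 1               # PUSH AX
        elif op == 0x5B: bx = stack.pop(); ip += 1               # POP BX
        elif op == 0x5A: dx = stack.pop(); ip += 1               # POP DX
        elif op == 0x5E: si = stack.pop(); ip += 1               # POP SI
        elif op == 0x35: ax ^= imm16; ip += 3                    # XOR AX,imm16
        elif op == 0x25: ax &= imm16; ip += 3                    # AND AX,imm16
        elif op == 0x34: ax ^= imm8; ip += 2                     # XOR AL,imm8
        elif op == 0x43:                                         # INC BX
            bx = (bx + 1) & 0xFFFF
            sf, of = bool(bx & 0x8000), bx == 0x8000
            ip += 1
        elif op == 0x29 and imm8 == 0x37:                        # SUB [BX],SI
            a = mem[bx] | mem[bx + 1] << 8
            r = (a - si) & 0xFFFF
            mem[bx], mem[bx + 1] = r & 0xFF, r >> 8
            sf, of = bool(r & 0x8000), bool((a ^ si) & (a ^ r) & 0x8000)
            ip += 2
        elif op == 0x7D:                                         # JGE rel8: taken if SF == OF
            disp = imm8 - 256 if imm8 > 127 else imm8
            ip += 2 + (disp if sf == of else 0)
        elif op == 0xCD and imm8 == 0x21:                        # INT 21h
            if ax >> 8 != 0x09:
                raise NotImplementedError(f"INT 21h function {ax >> 8:#04x}")
            d = dx
            while mem[d] != 0x24:                                # AH=09h: print up to '$'
                out.append(mem[d])
                d += 1
            ip += 2
        elif op == 0xCD and imm8 == 0x20:                        # INT 20h: terminate
            return bytes(out)
        else:
            raise NotImplementedError(f"opcode {op:#04x} at {ip:#06x}")
    raise RuntimeError("program did not terminate")


if __name__ == "__main__":
    for msg in (b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!",
                b"--------====Hello World====--------",
                b"0123456789" * 5):                  # 50 chars: the longest that fits
        image = build_variant(msg)
        print(f"{len(image)} bytes: {image.decode()}")
        print(f"  prints -> {emulate(image).decode()}")
```

Feeding the unmodified EICAR string to build_variant() reproduces it byte for byte, which is a useful sanity check that the offsets are right; anything the emulator refuses to run (an unexpected opcode, a non-09h DOS call) is a sign the prefix was damaged, for example by an editor that changed the backslash or added a byte-order mark.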

Written by Steve Wiseman on August 14th, 2007 with no comments.

ITsVISTA Web Links: August 14th, 2007

Written by Joe on August 14th, 2007 with no comments.

Windows Media Player Flaw Lets Attackers “Skin” You

Severity: Medium

14 August, 2007

Summary:

Today, Microsoft released a bulletin describing two security vulnerabilities affecting Windows Media Player. By enticing one of your users into viewing a maliciously crafted skin file for Windows Media Player, an attacker could execute code on your user’s computer, potentially gaining complete control of it. If your users listen to or view media via Windows Media Player, you should download, test, and deploy the appropriate Microsoft patches as quickly as possible.

Exposure:

Windows Media Player (WMP) is the popular multimedia playback application that ships with Windows. WMP supports skins: bundles of scripts, art, media, and text files that give the player a new appearance.

In a bulletin released today as part of Patch Day, Microsoft describes two vulnerabilities that affect WMP 7, 9, 10, and 11. Though the vulnerabilities differ technically, they both involve WMP skin files, and have the same scope and impact. If an attacker can entice one of your users into viewing a maliciously crafted WMP skin, he could exploit either flaw to execute code on your user’s system, with your user’s privileges. If that user had local administrative privileges, the attacker gains complete control of that user’s machine.

Microsoft’s bulletin contradicts itself about whether an attack requires the victim merely to view the skin, or whether the user must open and install the skin for the attack to work. WMP prompts users before allowing them to view skins, so this sort of attack requires user interaction to succeed, which is probably why Microsoft only gave it an “Important” severity rating. However, we often see attackers attaching their malware to desirable applications in order to entice victims, and users often click “OK” without thinking. An attacker could easily inject malicious code into a popular skin to lure one of your users into viewing it. We recommend that you patch this flaw as soon as you can.

Solution Path

Microsoft has released patches correcting these Windows Media Player vulnerabilities. You should download, test, and deploy the appropriate patches as soon as possible.

For All WatchGuard Users:

You can mitigate the risk of these vulnerabilities by configuring your WatchGuard Firebox to block WMP skins (.WMD and .WMZ files) using its SMTP and HTTP proxies. Keep in mind that blocking skin files will prevent your users from downloading any WMP skins, legitimate or malicious, and that these rules match on the attachment name or URL path rather than on content, so they cannot see HTTPS traffic and can be fooled by a different extension. For most organizations, media player skins are not needed to accomplish the corporate mission, so blocking them is a reasonable stopgap; the patches are still the fix.

If you want to block .WMD and .WMZ files, follow the instructions below:

  • Vclass
    • SMTP Proxy. You’ll have to create or adjust a custom proxy action based on SMTP-Incoming in order to strip .WMD and .WMZ files. If you have created your own Proxy Action based on SMTP-Incoming, you can edit it so that it blocks these files. In the Vcontroller software, click the Proxies button and double-click your custom proxy action. Under the Content Checking tab, change “Category” to Attachment Filename and click either the Add to Top or Insert After button (only one or the other will display). Next, type “WMD_files” as the new rule’s name, and choose Pattern Match. Next to Pattern Match, type “*.WMD” and select Strip as the Action. Repeat these steps for .WMZ files as well. Now you can apply this new Proxy Action to your SMTP rule to ensure your Firebox blocks .WMD and .WMZ files.
    • HTTP Proxy. You’ll have to create or adjust a custom proxy action based on HTTP-Outgoing in order to strip .WMD and .WMZ files. If you have created your own Proxy Action based on HTTP-Outgoing, you can edit it so that it blocks these files. In the Vcontroller software, click the Proxies button and double-click your custom proxy action. Under the Request General tab, change “Category” to URL Paths and click on Add. Next, type “WMD_files” as the new rule’s name, and choose Pattern Match. Next to Pattern Match, type “*.WMD” and select Strip as the Action. Repeat these steps for .WMZ files as well. Now you can apply this new Proxy Action to your HTTP rule to ensure your Firebox blocks .WMD and .WMZ files.

Status:

Microsoft has released patches for Windows Media Player, correcting these issues.

Written by bardissi on August 14th, 2007 with no comments.

Critical MS Excel Vulnerability Affects PC and Mac

Severity: High

14 August, 2007

Summary:

Today, Microsoft released a security bulletin describing a vulnerability affecting Excel for Windows and Mac. If an attacker can entice one of your users into opening a maliciously-crafted Excel document, he can execute code on your user’s machine, possibly gaining complete control of it. If your company uses vulnerable versions of Microsoft Office or Excel, you should download, test and deploy Microsoft’s patches as soon as possible.

Exposure:

Microsoft’s security bulletin describes a new flaw affecting Microsoft Excel 2000, XP, and 2003 for Windows, and Excel 2004 for Mac. Excel doesn’t properly validate a particular index value in an Excel Workspace; opening a specially crafted Excel worksheet can trigger the flaw and corrupt memory.

By enticing one of your users into opening such a maliciously crafted Excel document, an attacker could exploit this flaw to execute code on your user’s system, with your user’s privileges. If your user has local administrative privileges, an attacker would gain complete control of his or her computer. To get your user to open the booby-trapped Excel file, the attacker might host it on a web site or send it via e-mail.

Solution Path

Microsoft has released patches correcting this Excel vulnerability. You should download, test, and deploy the appropriate patches as soon as possible.

This vulnerability does not affect the 2007 Office system.

For All WatchGuard Users:

While you can configure some of WatchGuard’s Firebox models to block Excel (.XLS) documents, most organizations need to allow these file types in order to conduct business. Blocking them could bring your business to a halt. Therefore, the patches are your best recourse.

However, if you still want to block .XLS files, follow the instructions below:

  • Vclass
    • SMTP Proxy. You’ll have to create or adjust a custom proxy action based on SMTP-Incoming in order to strip .XLS files. If you have created your own Proxy Action based on SMTP-Incoming, you can edit it so that it blocks these files. In the Vcontroller software, click the Proxies button and double-click your custom proxy action. Under the Content Checking tab, change “Category” to Attachment Filename and click either the Add to Top or Insert After button (only one or the other will display). Next, type “XLS_files” as the new rule’s name, and choose Pattern Match. Next to Pattern Match, type “*.XLS” and select Strip as the Action. Now you can apply this new Proxy Action to your SMTP rule to ensure your Firebox blocks .XLS files.
    • HTTP Proxy. You’ll have to create or adjust a custom proxy action based on HTTP-Outgoing in order to strip .XLS files. If you have created your own Proxy Action based on HTTP-Outgoing, you can edit it so that it blocks these files. In the Vcontroller software, click the Proxies button and double-click your custom proxy action. Under the Request General tab, change “Category” to URL Paths and click on Add. Next, type “XLS_files” as the new rule’s name, and choose Pattern Match. Next to Pattern Match, type “*.XLS” and select Strip as the Action. Now you can apply this new Proxy Action to your HTTP rule to ensure your Firebox blocks .XLS files.

Status:

Microsoft has released patches correcting these issues.

Written by bardissi on August 14th, 2007 with no comments.

Internet Explorer Update: Two Patches Plug Four Critical Holes

Severity: High

14 August, 2007

Summary:

Today, Microsoft released two security bulletins describing four vulnerabilities in Internet Explorer. By tricking one of your users into visiting a maliciously crafted Web page or into opening a maliciously crafted HTML email, an attacker could exploit any of these new vulnerabilities to execute code on your user’s computer, with your user’s privileges. In the worst case, the attacker could gain complete control of the victim computer. If you use Internet Explorer in your network, you should download, test, and deploy the appropriate Internet Explorer patches immediately.

Exposure:

In two security bulletins (MS07-045 and MS07-050) released today as part of its monthly patch update, Microsoft describes four vulnerabilities in Internet Explorer (IE) versions 5.01, 6, and 7. Microsoft rates all four of the vulnerabilities “Critical”, and each vulnerability affects all current versions of Windows, including Vista, to some extent.

The vulnerabilities fall into two general categories:

  1. Problems with interpreting .css files
  2. Improper input validation on several ActiveX controls

All of the vulnerabilities share the same repercussions. If an attacker can trick one of your users into visiting a specially crafted web page, he can exploit any of these flaws to execute code on your user’s computer, with your user’s privileges. Typically, Windows users have local administrative privileges, in which case the attacker could gain complete control of their machines. This alone should convince you to install the IE patches immediately. However, if you’re curious about what each flaw is, we summarize them briefly below:

From MS07-045

  • CSS Memory Corruption Vulnerability. Internet Explorer doesn’t properly handle specially malformed .CSS files. Under certain circumstances (which Microsoft doesn’t detail), if an attacker can entice a user to visit a malicious web site, the attacker can use this vulnerability to execute code as the user who is logged in. If the user has administrator privileges on his or her computer, the attacker will too.
  • Improper Input Validation in tblinf32.dll (also called vstlbinf.dll). IE doesn’t properly validate input passed to the .DLL. In fact, Microsoft goes so far as to say that the .DLL was never intended to be supported by Internet Explorer at all. If one of your users visits the attacker’s specially crafted web page, the attacker can gain the same level of permissions on a vulnerable system as the logged-in user has. If that user has administrator privileges, so does the attacker.
  • Improper Input Validation in pdwizard.ocx. IE doesn’t properly validate input passed to the ActiveX control associated with Visual Basic, named pdwizard.ocx. In this case, an attacker can manipulate the resulting memory corruption to execute his own code on the system. If one of your users visits the attacker’s specially crafted web page, the attacker can gain the same level of permissions on a vulnerable system as the logged-in user has. If that user has administrator privileges, so does the attacker.

From MS07-050

  • Improper Input Validation in vgx.dll. IE doesn’t properly validate input passed to vgx.dll, the component that renders Vector Markup Language (VML) content in web pages. In this case, an attacker can manipulate the resulting memory corruption to execute his own code on the system. If one of your users visits the attacker’s specially crafted web page, the attacker can gain the same level of permissions on a vulnerable system as the logged-in user has. If that user has administrator privileges, so does the attacker. If you’d like to see a demonstration of a similar type of attack that also targets VML, check out the WatchGuard Wire video blog from last September.

Solution Path:

These patches fix serious issues. You should download, test, and deploy both of the appropriate IE patches as soon as possible.

MS07-045

MS07-050

For All WatchGuard Users:

These attacks travel as normal-looking HTTP traffic, which you need to allow so your network users can access the World Wide Web. Therefore, the patches above are your best solution.

Status:

Microsoft has released patches to fix these vulnerabilities.

Written by bardissi on August 14th, 2007 with no comments.

From Graphics to Gadgets, Critical Flaws Affect Windows

Severity: High

14 August, 2007

Summary:

Today, Microsoft released four security bulletins describing vulnerabilities that affect Windows and components shipping with it. A remote attacker could exploit the worst of these flaws to execute code on your Windows PC, potentially gaining complete control of it. For a table briefly summarizing which vulnerabilities affect which versions of Windows, see Microsoft’s Security Bulletin Summary for August and expand the section, “Affected Software and Download Location.” If you manage a Windows network, you should download, test, and deploy the appropriate Windows patches throughout your network as soon as possible.

Exposure:

Microsoft’s four security bulletins detail vulnerabilities found in, or affecting, components of Windows. Each vulnerability affects different versions of Windows to a different extent. The summary below lists the vulnerabilities from highest to lowest severity.

MS07-046: Graphics Device Interface (GDI) Remote Code Execution Vulnerability

The Graphics Device Interface (GDI) that ships with all current versions of Windows suffers from an unspecified “code execution vulnerability” involving the way the GDI handles specially crafted images. By enticing one of your users into opening and viewing a malicious image (for example, one from a web site or attached to an email), an attacker could exploit this vulnerability to execute code on your user’s machine, with your user’s privileges. If your user has local administrative privileges, the attacker gains complete control of your user’s machine. Microsoft’s bulletin doesn’t specify exactly what sort of image file triggers this vulnerability. We have to assume that every image type that GDI handles (BMP, JPG, GIF, etc.) could potentially trigger this flaw.
Microsoft rating: Critical.

MS07-042: XML Core Services Memory Corruption Vulnerability

Microsoft’s XML Core Services (MSXML) provide a higher degree of support for XML standards in Windows. Though the XML Core Services do not ship with all versions of Windows, they do ship with a variety of popular Microsoft products and software updates, including some versions of Internet Explorer. You’re likely to find the XML Core Services on most of your Windows workstations. (For a complete list of products that include the XML Core Services, scroll to the bottom of this Microsoft Knowledge Base article.)

Microsoft warns that a specially crafted script could cause a memory corruption vulnerability in the XML Core Services. By tricking one of your users into visiting a malicious Web page, an attacker can exploit this memory corruption vulnerability to execute code on your user’s computer, inheriting your user’s privileges. As usual, if your user has local administrator privileges, the attacker gains full control of the computer. This flaw affects all current versions of Windows and also affects Office.
Microsoft rating: Critical.

MS07-043: OLE Automation Memory Corruption Vulnerability

According to Microsoft, Object Linking and Embedding (OLE) Automation is a Windows protocol that allows an application to share data or control another application. Microsoft warns that a specially crafted script could cause a memory corruption vulnerability in the OLE Automation component. By enticing one of your users to a specially designed Web page, an attacker could exploit this vulnerability to execute code on that user’s computer with that user’s privileges. Since typical Windows users have local administrative privileges, attackers can usually exploit this flaw to gain complete control of Windows machines. This vulnerability also affects Office 2004 for Mac and Visual Basic 6.
Microsoft rating: Critical.

MS07-048: Three Remote Code Execution Vulnerabilities in Vista Gadgets

Windows Vista features a Sidebar with little mini-programs called Gadgets. Gadgets are designed to offer information at a glance, or to perform common tasks quickly. They’re very similar to OS X’s Dashboard Widgets. Vista’s Feed Headlines, Contacts, and Weather Gadgets all suffer from remote code execution vulnerabilities. An attacker can exploit any of these three vulnerabilities to run arbitrary programs on one of your Vista user’s computers, with that user’s privileges. Say it with us: If your users have local administrative privileges, the attacker gains complete control of their machines. How the attacker exploits these vulnerabilities depends on which Gadget she attacks. For instance, to exploit the Feed Headlines Gadget vulnerability, the attacker needs to entice your user to subscribe to an RSS feed, and then to download a specially crafted RSS post. In short, all three of these attacks require significant user interaction to succeed.
Microsoft rating: Important.

Solution Path

Microsoft has released patches for Windows to correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately.

Note: Microsoft no longer officially supports Windows NT 4.0, 98, ME or XP with SP1. If you manage any of these operating systems, Microsoft suggests you migrate to supported versions to prevent potential exposure to vulnerabilities. You can learn more about Microsoft’s extended security update support at their Product Support Services Web site.

  • MS07-042
  • MS07-043
  • MS07-046 (does not affect Vista)
  • MS07-048

For All WatchGuard Users:

WatchGuard Fireboxes, by default, reduce the risks presented by many of these vulnerabilities. However, attackers could exploit some of these flaws via normal Web or email traffic. Because of the diversity of attack scenarios these vulnerabilities present, and the possibility of local (internal) attacks that do not pass through the firewall, we urge you to apply the patches above.

Status:

Microsoft has released patches correcting these issues.

Written by bardissi on August 14th, 2007 with no comments.
