January 19th, 2010 by Hescominsoon

Computer Security Research – McAfee Labs Blog.

This is an expansion of the most recent IE exploit.  Now comes the analysis.

Allowing a system level file for windows(in this case a dll) be executable without any kind of security context is a really bad idea.  That’s really all  Activex is but there are several other DLL’s inside of IE that allow other DLL’s to be executed.  In this case it was mshtml.dll.  Mshtml.dll was the source of hte exploit and now a further analysis of the malware shows it uses it’s own dll to leverage this vulnerability.

ECC HIGHLY reccomends you do one of two things:

1.  Simply don’t use IE at all

2.  If you can’t(or won’t) at least get your security setup to wholesale blacklist dll’s at the firewall.  This will break some sites that are coded for IE.  Many of these sites will work under Firefox as well.

January 15th, 2010 by Hescominsoon

This was an exploit form back in ie6.  It is present in all version up to 8.  mshtml.dll once again has a major issue that allows remote sites to take over your machine.  If you are running ie6, ie7, or ie8 you are vulnerable.  HOWEVER if you have DEP turned on for ie 7 or 8 then the threat is reduced but not eliminated.  This is also why you NEVER surf on a server.  Frankly I am going to extend Microsoft’s advice.  Raise ALL security levels to high except trusted sites…leave it at medium(for windows updates) then never launch IE again.  I am being dead serious.

VIDEO OF EXPLOIT IN ACTION.  Blow the video up to full screen then watch for a list that shows up at around 1 minute.  Notice how notepad is running nicely.  At around 1 minute 50 seconds the “hacker” issues a kill command followed by a number.  That number is the notepad.  watch as notepad goes boom..no warning..no notifications.  This person has full control of your system..all because of a badly designed OS and browser.  Notice the users on the right.  Those are system processes..processes even the administrator does not have direct access to.  I have said it over and over having a web browser tied so closely to the kernel is a bad idea.  As long as IE exists in it’s current form Windows will NEVER be remotely secure.

Here’s the backstory.  Apparently some Chinese folks(possibly the gov’t) started using this unknown security hole in IE to start trying to get into various activists that are opposed to the vast range of Chinese gov’t controls.  They targeted Google because this is where these targeted activists had their mail.  Google detected this activity and began a backtrace.  They found out that multiple large companies had also been attacked using this issue.  The story is continuing to unfold.  The only fix available right now is to put all of your IE settings up to high.  This has the effect of making IE unusable on the internet.

My recommendation:  Use either google chrome or firefox.  Don’t bother with IE anymore…at all.  There’s so many links with full information I am not going to embed them into this post.  The list follows.

*UPDATE* there are quite a few programs that idiotically use IE to operate.  Now various exploit writers and researchers are hitting these as well.  Many other programs are now falling over after being hit either with IE exploits or ones similar that are now being found in a rash of other software.

Google’s Initial Response disclosure of what was targeted and revelations of other companies hit

Microsoft’s confirmation and advisory.

Other companies also hit.

(This list will continue to grow)

Mcafee has multiple postings:

1 2 3(twitter feed) 4

*UPDATE*  Itworld has much the same opinion of IE as I have had for a long time.

January 7th, 2010 by Hescominsoon

{ED7BA470-8E54-465E-825C-99712043E01C}

{00C6D95F-329C-409a-81D7-C46C66EA7F33}

{0142e4d0-fb7a-11dc-ba4a-000ffe7ab428}

{025A5937-A6BE-4686-A844-36FE4BEC8B6D}

{05d7b0f4-2121-4eff-bf6b-ed3f69b894d9}

{1206F5F1-0569-412C-8FEC-3204630DFB70}

{15eae92e-f17a-4431-9f28-805e482dafd4}

{17cd9488-1228-4b2f-88ce-4298e93e0966}

{1D2680C9-0E2A-469d-B787-065558BC7D43}

{1FA9085F-25A2-489B-85D4-86326EEDCD87}

{208D2C60-3AEA-1069-A2D7-08002B30309D}

{20D04FE0-3AEA-1069-A2D8-08002B30309D}

{2227A280-3AEA-1069-A2DE-08002B30309D}

{241D7C96-F8BF-4F85-B01F-E2B043341A4B}

{4026492F-2F69-46B8-B9BF-5654FC07E423}

{62D8ED13-C9D0-4CE8-A914-47DD628FB1B0}

{78F3955E-3B90-4184-BD14-5397C15F1EFC}

via The Other 16 “GodModes” For Windows 7 – Tom’s Hardware.

here is how you activate them:

Step 1: Right click.

Step 2: Click create folder.

Step 3: Name your sparkly, new folder this, “<whatever you want>.{ED7BA470-8E54-465E-825C-99712043E01C}” and press enter.

so you could clal this ultimate shortcut number 1.(guid) or whatever you wanted it to be..:)

This is not for you  XP folks but it is for Vista.

November 30th, 2009 by Hescominsoon

Microsoft looking into Windows ‘black screen of death’ problem.

I have not run into this with any of my clients.  Will keep a lookout though and will update this if things change.

*UPDATE*  The black screens are caused by the machines already being infected with malware BEFORE the security updates are installed.

November 29th, 2009 by Hescominsoon

Windows 7 – Performance Improvements.

Wayne gets overenthusiastic though saying it’s faster than XP.  There’s no way that’s true as i have run both on my notebook and my quad core desktop.  XP is still quicker than 7 but ANYTHING is faster than vista.

November 24th, 2009 by Hescominsoon

Windows 8 by 2012 as Shown on Microsoft Slide – Tom’s Hardware.

Otherwise there would be no need for another “major release” in 2012.  Which means now I am going to be holding off on buying new operating systems until that if my clients can.

October 31st, 2009 by Hescominsoon

I was presenting a seminar on data encryption and security and I got caught now knowing some commercial FDE products other than what is built into Vista and 7.  As per my word here are some vendors I would reccomend simply based on either their security reputation or personal experince with other products:

1. Mcafee Endpoint Encryption  (I have used other Mcafee products in the past with good results)

2.  Checkpoint Full Disk Encryption  (The checkpoint compny has one of the best security reputations in the industry)

3.  Symnatec Endpoint Encryption  (Symantec may have lowered detection rates on their a/v but several of their other products including this one are top notch)

 I have migrated away from Truecrypt not because it was bad security but the Bitlocker built into certain Vista and 7 editons just makes it easy…and it just works.

September 10th, 2009 by Hescominsoon

Microsoft Confirms SMB2 Flaw, Heightens Severity

By Ryan Naraine

Microsoft has issued a formal security advisory to confirm the remote reboot flaw in its implementation of the SMB2 protocol, going a step further to warn that a successful attack could lead to remote code execution and full system takeover.

via Microsoft Confirms SMB2 Flaw, Heightens Severity | threatpost.

Ugh.  This is an issue from 9x and 2k.  Sounds like some of the same old mistakes are still being committed int he latest iterations of Windows.

September 8th, 2009 by Hescominsoon

How to Run Vista Sidebar in 32-bit Mode on 64-bit Vista.

I’ve been running 64-bit Vista for some time now and for the most part it has been a very good experience. Today I was attempting to install a 3rd party sidebar gadget recommended to me by a friend, only to discover the gadget required Flash. And since Flash does not currently support 64-bit browsers nor does Silverlight the gadget’s simple, but handy, help message directed me to a set of instructions on how to configure my system to run the 32-bit version of the Vista sidebar. As more and more people shift to 64-bit, I thought this useful piece of information may come in handy in the future.Here are the steps for 64-bit Vista users only:

1. Right-click the Windows Sidebar and select Properties.

2. Un-check the “Start Sidebar when Windows starts” option and hit OK.then

3. Click the green Windows Start Button in the lower left of your screen.

4. Click “All Programs”

5. Scroll down until you see the “Startup” folder

6. Right-click the “Startup” folder and select “Explore”

7. In the window that pops up, right-click the empty white space and select New->Shortcut

8. Copy the following text, including quotes:
“C:\Program Files (x86)\Windows Sidebar\sidebar.exe”

9. Paste that copied text into the Shortcut’s “Location” field.

10. Click “Next.”

11. Click “Finish.”

12. Restart Windows Vista 64.

Until a 64-bit version of Flash, and for that matter Silverlight, ships for 64-bit Windows, I suspect this issue may present itself time and again to end-users. Hopefully this simple workaround will help you to easily resolve your problem.

via John McClelland’s Blog : How to Run Vista Sidebar in 32-bit Mode on 64-bit Vista.

August 15th, 2009 by Hescominsoon

HCS and Gen’s Place » Blog Archive » Looking Deeply Into the Mess That is Windows Vista.

This needs to be refreshed as well as moved to this blog.  This paper was written 3 years ago and detailed the various drm infestations inside of Vista.  Wile some of the assertions(such as HDCP not being available inside of modern video cards) are not valid due to hardware revisions the basic points about DRM inside of Vista standard regardless.  Instead of posting the whole text of the previous post(which is linked above) i am going to link to the pdf he posted on his site.  He has also posted a response to various attacks and attempts at debunking here.