What’s old is new again
Yesterday, Microsoft put out an advisory about a security vulnerability specific to the Windows Vista, Windows Server 2008 SP2, and Windows 7 RC operating systems. No other Windows operating system, including Windows 7 RTM, is impacted.
Holy cow, once again the older systems (you go, XP) are more secure than the new ones. Why is that, you say? Well, this exploit was first found a decade ago. Yes, you read that correctly: in 1999 this was discovered and patched for the operating systems of the time. Yet no one thought to carry that fix into the newest, most secure, latest and greatest operating systems.
So what is this vulnerability?
According to Microsoft:
What might an attacker use this vulnerability to do?
An attacker who successfully exploited this vulnerability could take complete control of an affected system. Most attempts to exploit this vulnerability will cause an affected system to stop responding and restart.
I like the last four words, “stop responding and restart”. We had an acronym for that back in the day: BSOD. But out of all of this, the thing that bothers me the most is Microsoft’s response:
Microsoft is concerned that this new report of a vulnerability was not responsibly disclosed, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone’s best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed.
Microsoft is concerned that this new report of a vulnerability was not responsibly disclosed? Excuse me, what? It’s not new; it was disclosed properly the first time. Why do others become responsible for your oversight?
With that said, Microsoft has issued two do-it-yourself workarounds until they can get a patch pushed.
The first is to disable SMB2 in the registry:
Impact of workaround. Host will not be able to communicate using SMB2.
- Click Start, click Run, type Regedit in the Open box, and then click OK.
- Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
- Click LanmanServer.
- Click Parameters.
- Right-click to add a new DWORD (32 bit) Value.
- Enter smb2 in the Name data field, and change the Value data field to 0.
- Exit.
- Restart the “Server” service by performing one of the following:
  - Open up the computer management MMC, navigate to Services and Applications, click Services, right-click the Server service name and click Restart. Answer Yes in the pop-up menu.
  - From a command prompt and with administrator privileges, type net stop server and then net start server.
The second is to block TCP ports 139 and 445 at the firewall:
Impact of Workaround: Several Windows services use the affected ports. Blocking connectivity to the ports may cause various applications or services to not function. Some of the applications or services that could be impacted are listed below:
- Applications that use SMB (CIFS)
- Applications that use mailslots or named pipes (RPC over SMB)
- Server (File and Print Sharing)
- Group Policy
- Net Logon
- Distributed File System (DFS)
- Terminal Server Licensing
- Print Spooler
- Computer Browser
- Remote Procedure Call Locator
- Fax Service
- Indexing Service
- Performance Logs and Alerts
- Systems Management Server
- License Logging Service
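Both workarounds can be scripted instead of clicked through. The following is an added example, not from the original post or from Microsoft's advisory; it assumes an elevated PowerShell prompt on one of the affected systems (Vista, Server 2008 SP2, Windows 7 RC), and the firewall rule name is my own choice.

```powershell
# Added example: apply both Microsoft workarounds from the advisory above.
#   1. Disable SMB2 via LanmanServer\Parameters (DWORD SMB2 = 0) and restart the Server service.
#   2. Block inbound TCP 139 and 445 with Windows Firewall (netsh advfirewall exists on Vista and later).
# Run from an elevated PowerShell prompt. To revert: set SMB2 back to 1 (or delete the value),
# restart the Server service again, and delete the firewall rule.

$paramKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$ruleName = 'Block SMB inbound (SMB2 workaround)'   # assumed name, not from the advisory

# --- Workaround 1: disable SMB2 ---------------------------------------------
$before = (Get-ItemProperty -Path $paramKey -Name SMB2 -ErrorAction SilentlyContinue).SMB2
if ($null -eq $before) {
    # Value absent means SMB2 is enabled by default; create it as a 32-bit DWORD.
    New-ItemProperty -Path $paramKey -Name SMB2 -PropertyType DWord -Value 0 | Out-Null
} else {
    Set-ItemProperty -Path $paramKey -Name SMB2 -Value 0
}

# -Force also restarts dependent services (e.g. Computer Browser) so the restart does not fail.
Restart-Service -Name LanmanServer -Force

# Verify the value actually took before trusting the host is mitigated.
$after = (Get-ItemProperty -Path $paramKey -Name SMB2).SMB2
if ($after -ne 0) { throw "SMB2 registry value is $after, expected 0" }
Write-Host "SMB2 value: before=$(if ($null -eq $before) {'<absent>'} else {$before}) after=$after"

# --- Workaround 2: block TCP 139/445 at the host firewall ---------------------
# Only add the rule if it is not already present, so re-running the script is harmless.
$existing = netsh advfirewall firewall show rule name="$ruleName" 2>&1
if (-not ($existing -match 'Rule Name')) {
    netsh advfirewall firewall add rule name="$ruleName" dir=in action=block protocol=TCP localport=139,445 | Out-Null
}
# Show the rule so the operator can confirm direction, action and ports.
netsh advfirewall firewall show rule name="$ruleName"
```

Expect the same side effects Microsoft lists above: file and print sharing, Group Policy and the other SMB-dependent services stop working on that host until the workarounds are reverted.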
Personally, I would block those ports on your Internet-facing firewall or your broadband router.
Categories: Windows
When is an antivirus really a virus?
Today I received a call from one of my external users that was unable to access any websites because some new antivirus was saying he was unprotected and every website had malicious code.
Since I know that we have McAfee 8.5 deployed to our users, I knew that this was not a McAfee issue. As we discussed it a little further he was mentioning that the Antivirus wanted him to purchase the software.
This isn’t the first I have heard of this. There is a software company, Innovagest 2000, that is producing this software. They advertise it as an antispyware application, but it is itself the spyware. On some less than savory websites you will get a pop-up that says your computer may be infected and offers a free scan.
The fear of being infected motivates a lot of people to run this free scan. Unbeknownst to them, this application installs underneath, and now you are stuck. On that note, I do recommend only doing online scans from reputable sites. I personally recommend the following: Symantec, Panda, and McAfee.
This application is extremely hard to get rid of. It re-registers and reinstalls itself if it is not completely and correctly uninstalled.
I hate programs like this. But it is a fact of life out there. The modern day snake-oil salesman.
While the program is running you will see the following undesirable behavior:
- A “Windows Security Center” stating that you should purchase Personal Antivirus.
- Numerous alerts stating that your computer is under attack or that you have malware running on your computer. If you click on these alerts, Personal Antivirus will be installed, or you will be brought to the purchase page for the program.
- Your Internet Explorer browser will be hijacked to show security warnings when browsing the web that stop you from reaching your desired page.
As I mentioned before, this bugger is very hard to get rid of. But not impossible. I found these instructions at BleepingComputer.com.
Categories: Malware
Malware Alert — Yellowsn0w
Attention iPhone Users
ZDNet News is reporting the following Alert for iPhone Users:
Researchers from Malware-database.net are reporting on a newly discovered malware posing as a bogus iPhone unlocker, promising a working Firmware 2.2.1 yellowsn0w exploit as a social engineering tactic.
If you have an iPhone and are looking to unlock your device, please be aware of this alert. If you find a site that offers this file, please leave the site immediately and perform a virus scan. The last known address of the site yellowsn0w221.wordpress.com (now down) was full of viruses geared to turn your PC into a spambot.
Thanks to Dev-Team Blog for the information.
Categories: Malware