Virtual PC Vulnerability

17 03 2010

For those thinking that Windows 7 plus XP mode was going to offer additional security – guess again. Apparently some applications that are not vulnerable, are *made vulnerable by Virtual PC. Check out this article.

Reblog this post [with Zemanta]

Close Unexpected Pop-ups with ALT-F4

15 03 2010

Many malicious programs are using various techniques to try infect your computer. While we are actively pursuing new ways to defend your computer, an inadvertent mouse click may be all that stands between you and a major problem.

Consider the graphic. If you were to click the red ‘X’ to close the window, you would have ended up installing the virus instead of closing it, clicking anywhere on that window will actually cause the payload to hit – the whole thing including the title bar is a linked graphic. The mouse cursor may even change to the active link pointer, which would be a clue that there is something sneaky going on.

How can you safely close these unexpected windows without messing up your computer? By simply holding the ALT key and then pressing the F4 function key, you would safely close the window.

The key point is to train yourself to use ALT+F4 to close open windows.

Why installing a bunch of stuff on a Windows computer is a bad idea

9 10 2009

So I get an email from someone with XP and Office 2007 that both Excel and Outlook are unable to work properly (links are messed up, unable to move email around, etc) with the error “this operation has been canceled due to restrictions in effect on this computer”.

After verifying that they indeed had local admin privileges, I went to my best friend ‘Google’… Google didn’t help me much, so I asked the person if they had installed anything – and of course they had. When in doubt, blame the last thing you messed with.

What had they installed? Google Chrome – and not only had they installed it, they reinstalled it. When will people learn? Anyway with this new information, they changed the default browser and it works – for now anyway. Of course after that happened I found an article talking about how a corrupt registry entry at HKEY_Local_Machine\Software\Classes \htmlfile\shell\open\command can cause this problem and that Chrome can break Outlook.

Moral of the story? Quit installing junk on your computer!

Patch Tuesday Fun – Blue Screen your Vista, 2008 and maybe even Windows 7 boxes

8 09 2009

Hole in Windows Vista and 7 allows remote reboot

A vulnerability in Microsoft’s implementation of the SMB2 protocol can be exploited via the net to crash or reboot Windows Vista and Windows 7 systems. The root of the problem is an error in how the srv2.sys driver handles client requests when the header of the “Process Id High” field contains an ampersand. The attack does not require authentication; port 445 of the target system merely has to be accessible, which in the default Windows local network configuration, it usually is. SMB2 is an extension of the conventional server message block protocol.
An exploit written in Python is already available. A test at heise Security, The H’s German associates, confirmed that the exploit enabled a remote reboot of a Vista system. However, in the test, the exploit had no apparent effect on a computer running Windows 7. According to the report written by Laurent Gaffie, who discovered the vulnerability, Windows Server 2008 might also be affected, since all of the systems named used the same SMB2.0 driver. Windows 2000 and XP were not affected, however, since they do not support SMB2.
Microsoft has yet to release an official update for the issue. Presently, the only remedy is to close the SMB ports by un-ticking the boxes for file and printer access in the firewall settings.

It was so easy even I was able to do it…

Windows, Clamwin and trojans – oh my!

20 07 2009

ClamWin serious F/P again

ClamWin has developed 2 new F/P’s in the latest sig update, one not so serious, and one very serious. If you’ve still not got ClamWin set to report only, I strongly urge you to do so;

C:\Program Files\NetMeeting\cb32.exe: Trojan.Waledac-389 FOUND
C:\WINDOWS\system32\dllcache\cb32.exe: Trojan.Waledac-389 FOUND
C:\WINDOWS\system32\dllcache\userinit.exe: Trojan.Agent-119464 FOUND
C:\WINDOWS\system32\userinit.exe: Trojan.Agent-119464 FOUN

As before, if you do have ClamWin quarantine these instead of reporting, you can restore them from the quarantine folder (just rename the file to remove “.infected” and put them back where they’re supposed to be). If you have ClamWin automatically delete them (NO! NO! NO!), you’ll need to restore them from the Service Pack files (you did download the ISO’s for the SP’s, right?).

These F/P’s are occuring in this case, on Windows XP (all versions) and Windows Server 2003 (all versions), ClamWin hasn’t shown the same F/P’s on my Vista machine yet.

I am running into the same sort of issue, on one machine (so far) malwarebytes shows an actual infection – not much to add

BlackBerry update bursting with spyware

17 07 2009

An update pushed out to BlackBerry users on the Etisalat network in the United Arab Emirates appears to contain remotely-triggered spyware that allows the interception of messages and emails, as well as crippling battery life.

Sent out as a WAP Push message, the update installs a Java file that one curious customer decided to take a closer look at, only to discover an application intended to intercept both email and text messages, sending a copy to an Etisalat server without the user being aware of anything beyond a slightly excessive battery drain.

The only thing saving us from these sorts of mindless click to install exploits is that many users are too dumb to figure out how to do an install in the first place…

Hack Your Database Before the Hackers Do

16 07 2009

Hack Your Database Before the Hackers Do

Always a good idea to check with the powers that be before you do this…