Tuesday, November 22, 2005

Major Internet Explorer threat 

This affects fully patched versions of Windows, bad guys can copy published examples of how to take advantage of the vulnerability, and the impact is just about the worst possible, allowing attackers to take over your computer if you just visit their web sites.

Microsoft has confirmed the problem. They say you're safe if you run Windows Server 2003 with Enhanced Security Configuration turned on, but you're vulnerable even with fully patched XP or Windows 2000. eWeek has an article.

Firewalls don't help with problems like this. Antivirus software may start helping soon but it's iffy. You could try visiting only trusted web pages but that doesn't really work because bad guys will sneak their poison into the advertising that shows up outside the direct control of the web page owner.

If you're a new reader (welcome!) my advice is to import your bookmarks and whatnot into a different web browser program. If you like clean interfaces with just a few nifty features, Firefox could make you happy. If you're a knobs-and-dials-and-bells-and-whistles person you'll be thrilled by Opera, which also has a superb security record.

If someone's forcing you to use "the blue E", your only real option is to turn off JavaScript, which Microsoft calls "Active Scripting". Go to Tools, Internet Options, choose the Security tab, click the "Internet" icon, click the Custom Level button, scroll to the bottom of the very long options list and then move one or two screens up to a section called Scripting and a subsection called Active Scripting, and choose the Disable radio button. I am not making this up. You will lose functionality on many web pages. Gmail will stop working. Tough. This is a really bad problem -- the only way it could be worse would be if zillions of bad guys were all using this security hole, and that's going to happen within hours.


Friday, November 11, 2005

Run Windows Update. Dangerous images, AGAIN 

Microsoft's announced a critical security vulnerability in the handling of WMF and EMF files. Those are picture files, not too common on the web but often used for Windows clip art.

Open a picture, lose control of your computer:

If you've got a version of Windows which has this bug (you probably do) and if a nasty person can trick you into opening a booby-trapped file ("bin Laden captured.WMF"? "Pamela Anderson.EMF"?) then the nasty person can take over your computer.

Last I heard the bad guys weren't using this yet, at least not on a large scale. This will probably change.

UPDATE 12/31/2005:
It's changed. Toxic WMF files are in the wild. Hundreds of web sites are distributing them. Reports are that the exploit can take over your computer if you so much as click a file in Windows Explorer, which automatically opens the file to create the thumbnail view. Even worse: Windows will do the right (in this case the wrong) thing even if the file has been renamed to have a different extension. That file "puppy.jpg"? It could be a .WMF file inside and could carry a toxic payload.
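Because Windows decides what a file is by looking inside it rather than at its name, a defender's check has to do the same. The following is an added example (not code from the original post): it sniffs the leading bytes of a file for the two metafile layouts, a placeable WMF (magic 0x9AC6CDD7), a standard WMF header, or an EMF header (signature " EMF" at offset 40), and flags a file whose extension says "jpg" but whose contents say metafile. The sample byte strings are constructed here to exercise the check, not real files.

```python
import struct
from typing import Optional

# Constructed sample headers, padded with zeros; just enough bytes to sniff.
PLACEABLE_WMF = struct.pack("<I", 0x9AC6CDD7) + b"\x00" * 18
STANDARD_WMF = struct.pack("<HHH", 2, 9, 0x0300) + b"\x00" * 12  # disk WMF, 9-word header, v3.0
EMF = struct.pack("<I", 1) + b"\x00" * 36 + b" EMF" + b"\x00" * 8  # ENHMETAHEADER record
JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16                          # real JPEG start-of-image


def sniff_metafile(data: bytes) -> Optional[str]:
    """Return 'WMF', 'EMF' or None based only on the file contents."""
    # Placeable (Aldus) WMF: 32-bit little-endian magic at offset 0.
    if len(data) >= 4 and struct.unpack("<I", data[:4])[0] == 0x9AC6CDD7:
        return "WMF"
    # Standard WMF: mtType (1=memory, 2=disk), mtHeaderSize (9 words), mtVersion.
    if len(data) >= 6:
        mt_type, hdr_size, version = struct.unpack("<HHH", data[:6])
        if mt_type in (1, 2) and hdr_size == 9 and version in (0x0100, 0x0300):
            return "WMF"
    # EMF: first record type is 1 (ENHMETAHEADER) and the signature sits at offset 40.
    if len(data) >= 44 and struct.unpack("<I", data[:4])[0] == 1 and data[40:44] == b" EMF":
        return "EMF"
    return None


def is_disguised_metafile(filename: str, data: bytes) -> bool:
    """True when the contents are a metafile but the name claims otherwise."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff_metafile(data)
    return kind is not None and ext not in ("wmf", "emf")


if __name__ == "__main__":
    for name, blob in [("puppy.jpg", PLACEABLE_WMF), ("puppy.jpg", JPEG), ("clipart.wmf", STANDARD_WMF)]:
        print(name, sniff_metafile(blob), "DISGUISED" if is_disguised_metafile(name, blob) else "ok")
```

The check is deliberately content-first: a thumbnail handler that trusts the extension would be fooled by exactly the renamed file the update describes.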

For once, using Firefox or Opera to browse the web won't help you.

Microsoft released patches last month. Make sure you've run Windows Update.

UPDATE 1/1/2006:

It's not just web pages; bad guys could use this vulnerability to attack you via instant messaging. This is already happening in the Netherlands (http://www.viruslist.com/en/weblog?discuss=176892530&return=1). Be careful of links in instant messages. As usual.

At least one antivirus product, Kaspersky, is now scanning incoming files for anything that looks like an exploitation.

UPDATE 1/1/2006:

Sorry to confuse you, there are two separate vulnerabilities in how Windows handles .WMF files. Microsoft has already patched the first of the two, the problem reported in November. What's going around now is the second, a new one for which there is no official patch.

I found a trustworthy summary of the .WMF vulnerability. The article gets technical at the end but you can skip that part if you're not trained in that direction. Bottom line, this problem is scaring some levelheaded people.

Watch out for email with a subject of Happy New Year and text that says "picture of 2006". It's an attack. Delete it permanently.

I'm going to cross my fingers and recommend installing the unofficial patch (see link above). I believe it fixes the right thing, based on what I know of Windows programming.


Wednesday, November 02, 2005

Play a CD, compromise your computer 

Have you ever wondered why it's such a huge production to remove spyware and viruses, when you'd expect it's just a matter of deleting files?

Part of the answer is that spyware and viruses sometimes reprogram your computer so that it's not your friend any more. Your computer may even refuse to show you that the bad software is installed. The most dangerous kind of concealment is when the bad software changes the core Windows system machinery so that even if you wrote your own program to remove bad software, Windows wouldn't let it work.

Tinkering with Windows like that is dangerous to your system's health. First there's no way anyone can test the altered Windows the way Microsoft tested the original. Second, what happens when you need to update or patch Windows? The updater will open up the insides of Windows and transplant vital organs. If the bad software has been rearranging vital organs then the update will be a disaster.

Software that tampers with the operating system to hide its existence is an old tool of computer intruders and for historical reasons is called a "rootkit".

You can get a rootkit installed by playing a CD. It's part of the "copy protection" on a CD from Sony Music. Sony Music has apparently been doing this since March, according to security firm F-Secure, but it wasn't until just now that someone caught them. According to expert Windows programmer Mark Russinovich's technical analysis, Sony Music has left openings that virus writers could crawl through. Any malicious software could hide inside the cloak of invisibility that Sony Music is sneaking onto people's computers.

I disapprove, if you haven't noticed. If anyone tried to hire me to do what Sony BMG has done I would refuse on ethical grounds.

What can you do if you're infected? There's no convenient removal technique yet for a nontechnical or semitechnical person. Sony offers a removal program which allegedly installs additional software of unknown purpose. You can wait for a removal program from a reputable security firm, or reinstall Windows (ouch!), or try to get your technical friend to tackle it. Hint: don't try to get away with offering a beer, this is at least a beer-and-pizza job.

UPDATE 11/10/2005:

It didn't take the lawyers long to catch on to what was happening. Sony's now on the wrong end of class-action suits in California and New York. Before you say "that's America for you", there's reportedly legal action in the works in Italy. If you read Italian, you might check out the links to the complaint and the press release from The Inquirer.

The Electronic Frontier Foundation analyzes what you "agree" to when you buy one of the Sony CDs. They also have the list of infected CDs.

The security division of Computer Associates has announced a removal tool but I haven't heard how well it works. CA claims that the Sony software reports back what CDs you're playing and interferes with making legal copies of tracks from normal CDs.

How's Sony handling all this? Owning up to their mistake and promising never to do it again? Here's Mr. Thomas Hesse, president of the global digital business division, on NPR via Ars Technica: "Most people, I think, don't even know what a rootkit is, so why should they care about it?"

UPDATE (same day):

Mr. Hesse's question got an answer today. The Register reports that there's already a Trojan Horse program which uses the Sony software to hide itself.


Betanews.com has a list of antivirus software that removes the Sony rootkit.

UPDATE 11/15:


If you run Sony's "uninstaller" it reportedly leaves behind a backdoor program which allows any web site you visit to install and run any program on your computer without your awareness or permission. Here's the Washington Post article about Sony's software. Don't underestimate this problem. Bad guys who run sleazy web pages are almost certainly preparing to crawl in through the back door Sony is cutting into people's computers.

If you've already run Sony's uninstaller, you're only at risk if you use Microsoft Internet Explorer. If you have to use IE and if you don't have a way to uninstall the uninstaller then you could try going into the options dialog and turning off "run controls marked safe for scripting".

Network expert Dan Kaminsky has a map of the Sony infection. He prepared it by looking for traces left by the CD copy protection software "phoning home" without your permission.

UPDATE 11-17-2005:

Here is Sony's list of infected CDs. They say they'll offer exchanges sometime in the future. You might prefer to refuse the exchange and stay in a class action suit instead. Sony has not even hinted at paying for repairs to people's computers.

Some companies and universities have banned Sony CDs from their computers.


Security guru Bruce Schneier asks, why didn't the antivirus companies catch Sony's malware during the year it was shipping? He raises another point I've been wondering about. How many more things like this are there that we simply haven't heard about?

UPDATE 11-21-2005:

Cary Sherman, President of the Recording Industry Association of America, just commented on the scandal in a press conference. Sherman said that Sony's conduct "Seems very responsible to me". The state of Texas is filing suit officially. There's now a web site with information about how to sue Sony yourself in small claims court.
