You may already be protected from the WMF exploit

Over at the Sunbelt Blog, Alex Eckelberry has some good news. Your computer may already protect you from the WMF exploit:

Based on preliminary research, we’re finding that systems with software-enforced DEP will get the WMF exploit, but systems with hardware-enforced DEP will not.

Alex includes a link to a Microsoft TechNet article that explains how DEP works:

Data Execution Prevention (DEP) is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system. In Microsoft Windows XP Service Pack 2 (SP2) and Microsoft Windows XP Tablet PC Edition 2005, DEP is enforced by hardware and by software.

As Alex explains, DEP is installed by default with Service Pack 2. To get the full capabilities of DEP, you need to combine the software protection with a processor that supports these advanced features.

This is big news, because it means that one of the most common attack vectors for malware has been effectively blocked, without requiring any third-party solutions like firewalls or antivirus software.

We wrote about DEP in Windows XP Inside Out, Second Edition. At that time, it was mostly a theoretical feature. To my knowledge, this is the first time the concept has been proven to work in the real world.

Read Alex’s post for details on how to see whether your computer is already protected.

Update: In a follow-up post, Alex casts serious doubt on the effectiveness of DEP as a protective strategy.
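One way to check the DEP situation on your own machine, as an added example that is not part of the original post or of Alex's instructions: it reads the Win32_OperatingSystem DEP properties that Windows XP SP2 added to WMI and reports whether hardware (NX/XD) enforcement is actually available and which policy is in effect. It assumes a PowerShell version with Get-CimInstance.

```powershell
# Added example (not from the original post): report whether this machine has
# hardware-enforced DEP available and which DEP policy is in effect, using the
# Win32_OperatingSystem properties that Windows XP SP2 added to WMI.
$os = Get-CimInstance -ClassName Win32_OperatingSystem

# SupportPolicy values as documented by Microsoft:
# 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (Windows binaries only), 3 = OptOut
$policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }

$report = [pscustomobject]@{
    HardwareDepAvailable = [bool]$os.DataExecutionPrevention_Available
    DepFor32BitApps      = [bool]$os.DataExecutionPrevention_32BitApplications
    DepForDrivers        = [bool]$os.DataExecutionPrevention_Drivers
    Policy               = $policyNames[[int]$os.DataExecutionPrevention_SupportPolicy]
}
$report | Format-List

if (-not $report.HardwareDepAvailable) {
    # Software DEP alone is what the Sunbelt research found insufficient against WMF.
    Write-Warning 'No hardware DEP (NX/XD) support detected; only software DEP is in effect.'
} elseif ($report.Policy -eq 'OptIn') {
    # Default client policy: only Windows system binaries are covered.
    Write-Warning 'Hardware DEP is available but in OptIn mode; programs outside Windows itself are not covered unless opted in.'
}
```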

The big Windows Vista Launch Contest

Want to win fabulous prizes for your insider knowledge of Microsoft beta schedules? Guess the exact date when Windows Vista will ship, and you could win one of 10 prizes in the MSDN Betaexperience Launch Contest.

There’s a catch, though. The contest is only open to residents of Belgium, Croatia, Denmark, Finland, Germany, Hungary, Ireland, Italy, Norway, Pakistan, Poland, Portugal, Romania, Spain, Switzerland, or the UK.

Grand prize is an all-expense-paid trip to the U.S. for the launch event. Nine runners-up win Xbox 360 consoles.

Hmmm, I’ve been looking for an excuse to move to Italy…

(Via The Unofficial Microsoft Weblog)

“Really bad” security exploit arrives

The Sunbelt Software Blog has details on a new security exploit that blows by fully patched Windows XP systems:

Any application that automatically displays a WMF image will cause the user’s machine to get infected. This includes older versions of Firefox, current versions of Opera, Outlook and all current versions of Internet Explorer on all versions of Windows.

This is a zero-day exploit, the kind that gives security researchers cold chills. It works by exploiting a weakness in the Windows engine that views graphics in the Windows Metafile (WMF) format. You can get infected by simply viewing an infected WMF image.

Another report from F-Secure says so far it’s being exploited by a handful of sites in Russia, but it will spread. You’re most likely to get directed to one of these sites via a spam message offering dirty pictures, free software, and other forms of bait.

I expect that all major antivirus companies will have detection and prevention for this by the end of the day. I don’t know of any workarounds, but will update this post if I hear any more. For now, use the most recent version of Firefox rather than any other browser and steer well clear of unknown/untrusted sites.

Update: One way to prevent this exploit from working is to disable the Windows Picture and Fax Viewer component. To do so, click Start, Run. In the Open box, type the following command:

regsvr32 /u shimgvw.dll

Press Enter to make the change.

This measure isn’t without side effects. Disabling this component eliminates the capability to view thumbnails of all image types (not just WMF files) in Windows Explorer folders, and it zaps the Preview command for images as well. You can work around these limitations by using a graphics viewing/editing program.

To re-enable the Windows Picture and Fax Viewer, issue this command:

regsvr32 shimgvw.dll
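To confirm that the regsvr32 /u workaround above actually took effect (or that re-registering restored it), here is an added check that is not part of the original post: it scans the CLSID registrations in HKEY_CLASSES_ROOT and lists any in-process COM server entry still pointing at shimgvw.dll. It assumes the DLL registers itself under InprocServer32 keys, which is what regsvr32 /u removes.

```powershell
# Added example (not from the original post): check whether shimgvw.dll is still
# registered as an in-process COM server. regsvr32 /u shimgvw.dll calls the DLL's
# DllUnregisterServer, which removes its CLSID registrations, so after the
# workaround no InprocServer32 default value should point at this DLL.
$dllName = 'shimgvw.dll'

$entries = Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\CLSID\*\InprocServer32' -ErrorAction SilentlyContinue |
    Where-Object { $_.'(default)' -like "*$dllName*" } |
    ForEach-Object {
        [pscustomobject]@{
            # PSPath ends in ...\CLSID\{guid}\InprocServer32; keep just the {guid}
            Clsid  = Split-Path (Split-Path $_.PSPath -Parent) -Leaf
            Server = $_.'(default)'
        }
    }

if ($entries) {
    Write-Output "$dllName is still registered as a COM server under these CLSIDs:"
    $entries | Format-Table -AutoSize
} else {
    Write-Output "$dllName is not registered as a COM server; the workaround is in effect."
}
```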

Is Windows Vista too protective?

Update: Over at ZDNet, I’ve put together a visual representation of UAC as it exists in Windows Vista Build 5365.

One of the most intriguing new features in Windows Vista is a major change in the way user accounts work. Windows XP allows accounts to reside in either the Administrators group (where they have full control over the system, including the ability to install a piece of spyware or a virus) or in the Users group, where their capabilities are so limited as to be practically unusable.

Windows Vista adds a feature called User Account Control (UAC), which until recently was called User Access Protection (UAP) and grows out of research into least-privileged user accounts (LUA), a drum that Microsoft Senior Consultant Aaron Margosis has been banging for some time on his Non-Admin blog.

The theory behind UAC is sound: When you’re about to do something that requires an administrator’s privileges, you need an administrator’s consent. For a regular user, that means typing in a set of credentials (username/password) that belong to a member of the Administrators group; if you’re already an administrator, you just have to click a Permit button. This option allows you to see when a program or process is trying to do something that can have an impact on your system’s stability, and it’s an effective way to block untrained or naive users from accidentally screwing up their system.

(The UAC team has a new blog where they’re sharing some of the technical details behind this feature.)

UAC in the current build of Windows Vista is working, but not well. Some programs fail when they can’t get full system access or when they try to save a file to an area where the current user doesn’t have write privileges. The barrage of dialog boxes is annoying, especially during the initial phases of setting up a system. And those permission boxes can be confusing – at this early stage of the beta, some key Windows Vista components are still unsigned, leading to dialog boxes like this one, which appears when you try to run a Control Panel applet:

The annoyance factor is even higher when you factor in the steady stream of warnings from Windows Defender and Internet Explorer.

It’s possible to disable UAC so that you can run with administrator privileges full-time. But as Josh at Windows Connected argues, doing so means you’re not giving this feature the testing it needs. From a personal point of view, I have no choice but to grit my teeth and figure out how to work with UAC, because I have to document the inner workings of this feature for Windows Vista Inside Out.

I’m hoping that this feature will work much more smoothly in future beta versions. If it doesn’t, the UAC team had better be prepared for some caustic reviews.

What do your clothes say?

Fun from J-Walk:

What Do Your Clothes Say?

Examine the clothes you are wearing right now, and then tell us what words, if any, are printed on them. External words only (i.e., no need to transcribe the tag on your underwear).

The answers so far are in the comments, which are always pretty fun reading at J-Walk. Go add your own.

Entering Double Beta Land

Yesterday, Microsoft released the December Customer Technology Preview (CTP) release of Windows Vista. I’ve just installed it on my test computer, and so far it’s the best build I’ve seen. Setup went without a hitch, I’ve established user accounts, connected to the network, installed a few programs, and confirmed that IE7 works.

I also installed Office 12 on this computer. Alas, that’s all I can say on that subject.

I’ll keep adding things for the rest of this week. If all goes well, I’ll start using Windows Vista and Office 12 for everyday work beginning next week.

Bloglines admits: “We suck”

Well, it’s about time the Bloglines blog got updated. The new post acknowledges what any Bloglines user already knew:

We’re not going to beat around the bush about this. Bloglines performance has sucked eggs lately. Why? In short, Bloglines has been busting at the seams like the Incredible Hulk.

All of us here at Bloglines have been foregoing sleep and social lives over the past several months to keep Bloglines running and preparing for our move to a new access center (with bigger britches and a very elastic waistline).

So hang tight because there’s a light at the end of the tunnel. The move will happen soon; we’ll keep you posted.

Gee, that sounds great. Except that’s exactly what the people who run Bloglines were saying more than four months ago. Here’s the text of a post that appeared on the Bloglines announcement page on August 9:

Bloglines is experiencing some slowing in posting new blog and news feed articles during busy blogging hours. This is a temporary issue — we’ve simply outgrown our current facility. To fix it, we are moving our computer operations to a larger location that will give us plenty of room to grow. The slowdown doesn’t put any user accounts or subscriptions at risk, and everything will be back to speedy once our move is complete. We apologize for the inconvenience, and thank you for your patience during this process.

Sound familiar? (And don’t go looking for that August 9 post. It was deleted – “accidentally,” according to a response I got via e-mail from a Bloglines spokesperson.) I had a reasonably civil e-mail exchange with Bloglines’ media relations rep back in August, but when I asked how long the move to a new server center would take, my questions were pointedly ignored. I sent four separate e-mail messages to Bloglines representatives asking for an update. They ignored every one. I also sent e-mail messages to Bloglines founder and CEO General Manager Mark Fletcher. Apparently, he was too busy counting the shares of stock he received in the sale of Bloglines to respond.

Last August, Bloglines promised more “transparency” and committed itself to updating the Bloglines announcement page more frequently. (For the record, yesterday’s post was the first one since October 27. What other online business can get around to posting a progress report to their customers every seven weeks? CEO Fletcher hasn’t updated his personal blog since October 31, so I guess the Bloglines team is following their leader’s example.) Those were obviously empty promises. The company has apparently been unable to deal with technical issues and is either unwilling or unable to communicate with its customers honestly.

I used to recommend Bloglines enthusiastically. Today, I encourage people to use NewsGator, which blows its competitor away in every conceivable measure – most importantly, NewsGator knows how to communicate with its customers, offering frequent status updates, a lively discussion forum, and first-rate support.

Bye-bye, Bloglines.

Scoble can talk about Office 12, but I can’t

Scoble had this to say today: 

I’ve been using Office 12 for the past few days and, I can’t go back. The Excel pivot table feature alone is worth paying hundreds of dollars. Alone.

And tables are finally really cool. PowerPoint is actually something I’ll use again. Creating a chart there is sure a lot nicer than I’ve been able to do on any Web site.

Steve also hasn’t been paying attention to our secret weapon: workflow. Try to stick that in your Linux server and smoke it!

And now I see there’s new extensibility in OneNote 12.

I’m a card-carrying member of the Web 2.0 Working Group, but there isn’t anything as cool as OneNote coming out yet. Sorry. Not even close.

I’d love to say the same, except I can’t. As I pointed out yesterday, the terms of the Office 12 confidentiality agreement prohibit me from discussing any aspect of the product. This information blackout applies to everyone except Microsoft employees, apparently.

Now, I know some very senior members of the Office group read this blog, so this is addressed to them: Loosen up! Give us a chance to give you some feedback in public. Sure, you’ll hear a few criticisms, some of which might make you want to change the product. You’ll also get a priceless boost in public awareness of a product that has the potential to be very, very popular.

And one orange icon shall rule them all

The announcement at the Microsoft Team RSS Blog has a picture of the new RSS icon that will be standard in IE7.

RSS icon

Look familiar? If you use Firefox, you’ll recognize it instantly. In fact, those who want to see all-out war between IE and Firefox might be disappointed by this report:

I’m excited to announce that we’re adopting the icon used in Firefox. John [Lilly] and Chris [Beard] were very enthusiastic about allowing us (and anyone in the community) to use their icon. This isn’t the first time that we’ve worked with the Mozilla team to exchange ideas and encourage consistency between browsers, and we’re sure it won’t be the last.

We’ll be using the icon in the IE7 command bar whenever a page has a feed associated with it, and we’ll also use it in other places in the browser whenever we need a visual to represent RSS and feeds. Look for more details on the look and feel of IE7 when we post the public pre-release build next year.

A little more background here.

Symantec shows how not to do security

This post is from guest blogger Carl Siechert, my co-author on Windows XP Inside Out and Windows XP Networking and Security Inside Out:

A coworker recently bought via Symantec’s online store a copy of Norton Internet Security 2006 for her home computer. (This wouldn’t have been my recommendation, btw.) After making the payment, the last page of the order process includes a download button. She clicks the button (and is flummoxed by the Run/Save security dialog) and eventually screws up the courage to save the file to disk. (She’s not particularly at ease with computers.)

It downloads a 156-KB file called Setup.exe (or Norton Upgrade Setup.exe, depending on the target folder), which turns out to be Norton Internet Security Download Manager–a program to download the real application installer. But here’s the kicker: the download manager program is not signed. So, of course, when she opens it Windows pops up an ominous warning about an unknown publisher. Contravening standard security advice, she forges ahead. (Looking at the file properties imparts no useful information either. The Version tab shows a product name of “xDM” and no publisher name.)

Without any warning that the 40-MB download is going to tie up her phone line for a considerable time, it eventually completes, depositing on her desktop a file called NIS06900_2YR.exe. (Examining the properties of this file is even less helpful; it doesn’t even have a Version tab.) Because it was placed there by a program other than Internet Explorer, running the program doesn’t display any sort of warning.

There’s no way to confirm that either of these files came from Symantec, nor any way to confirm that they haven’t been altered by someone else (or that they aren’t a different potentially malicious program altogether).

This kind of sloppy work by one of the major players in security software makes it difficult to explain to unsophisticated users how to determine which programs are safe to run. How many warnings have we seen about malicious programs that purport to be a security program or update from Symantec and its competitors? And what’s our usual advice? If it’s not signed by the publisher, it’s probably bogus. Nice work, Symantec.
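The checks Carl describes doing by hand (the unknown-publisher warning, the Version tab) can be run as a script. The following is an added example, not part of the guest post: it reports the Authenticode signature status, the signer, the version-resource publisher fields and a SHA-256 hash for a downloaded installer, and flags anything that is not validly signed as untrusted. The file names are the ones the post mentions; the desktop location is an assumption.

```powershell
# Added example (not from the guest post): inspect a downloaded installer before
# running it, applying the "if it's not signed by the publisher, it's probably
# bogus" rule the post describes.
function Test-DownloadedInstaller {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $info = (Get-Item -LiteralPath $Path).VersionInfo
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }

    [pscustomobject]@{
        File        = Split-Path $Path -Leaf
        Signature   = $sig.Status        # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer      = $signer
        CompanyName = $info.CompanyName  # what the Version tab would show as publisher
        ProductName = $info.ProductName  # "xDM" in the case the post describes
        SHA256      = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        # Only a signature whose chain validates counts as trusted; an unsigned
        # or tampered file (Status other than Valid) is treated as untrusted.
        Trusted     = ($sig.Status -eq 'Valid')
    }
}

# Assumed location: the files the post names, saved to the current user's desktop.
$desktop = [Environment]::GetFolderPath('Desktop')
foreach ($name in 'Setup.exe', 'NIS06900_2YR.exe') {
    $file = Join-Path $desktop $name
    if (Test-Path -LiteralPath $file) { Test-DownloadedInstaller -Path $file | Format-List }
}
```

The SHA-256 value is there so the user can compare it against a hash the vendor publishes, if one exists; on its own it proves nothing about origin.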