You may already be protected from the WMF exploit

Over at the Sunbelt Blog, Alex Eckelberry has some good news. Your computer may already protect you from the WMF exploit:

Based on preliminary research, we’re finding that systems with software-enforced DEP will get the WMF exploit, but systems with hardware-enforced DEP will not.

Alex includes a link to a Microsoft TechNet article that explains how DEP works:

Data Execution Prevention (DEP) is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system. In Microsoft Windows XP Service Pack 2 (SP2) and Microsoft Windows XP Tablet PC Edition 2005, DEP is enforced by hardware and by software.

As Alex explains, DEP is installed by default with Service Pack 2. To get the full capabilities of DEP, you need to combine the software protection with a processor that supports these advanced features.
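The distinction between the two forms of DEP is visible on any Windows machine through the Win32_OperatingSystem WMI class, so here is an added PowerShell check (not part of Alex's post or the TechNet article) that reports whether the processor-backed form is available and which policy is in effect. It assumes PowerShell 3.0 or later for Get-CimInstance; the property names and the policy codes (0 AlwaysOff, 1 AlwaysOn, 2 OptIn, 3 OptOut) are Microsoft's own for that class. One caveat worth keeping in mind: under the default OptIn policy DEP covers only Windows system binaries and programs that opt in, so an NX-capable processor on its own does not mean every image viewer on the machine runs with DEP.

```powershell
# Added example: summarize the Data Execution Prevention state of this machine.
# Not from the original post; uses the documented Win32_OperatingSystem properties.
function Get-DepStatus {
    # Assumes PowerShell 3.0+; on older hosts Get-WmiObject takes the same class name.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Meaning of DataExecutionPrevention_SupportPolicy, per the class documentation.
    $policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $policyCode  = [int]$os.DataExecutionPrevention_SupportPolicy

    [pscustomobject]@{
        # True only when the CPU exposes the no-execute page bit and Windows is using it;
        # False means the machine has just the software-enforced (exception-handler) checks.
        HardwareDepAvailable = [bool]$os.DataExecutionPrevention_Available
        Policy               = if ($policyNames.ContainsKey($policyCode)) { $policyNames[$policyCode] } else { "Unknown($policyCode)" }
        AppliesTo32BitApps   = [bool]$os.DataExecutionPrevention_32BitApplications
        AppliesToDrivers     = [bool]$os.DataExecutionPrevention_Drivers
    }
}

# Plain-language verdict for the question the post asks: is the "full" (hardware) form in use?
function Test-HardwareDepActive {
    $status = Get-DepStatus
    if (-not $status.HardwareDepAvailable) {
        return "Software-enforced DEP only: the processor or firmware does not provide hardware DEP."
    }
    switch ($status.Policy) {
        'AlwaysOff' { "Hardware DEP is available but disabled by policy." }
        'OptIn'     { "Hardware DEP is active for Windows components and opted-in programs only." }
        default     { "Hardware DEP is active for all programs (policy: $($status.Policy))." }
    }
}

Get-DepStatus
Test-HardwareDepActive
```

On Windows XP the policy value comes from the /noexecute switch in boot.ini; on later versions it is set with bcdedit. Either way the function above only reads it.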

This is big news, because it means that one of the most common attack vectors for malware has been effectively blocked, without requiring any third-party solutions like firewalls or antivirus software.

We wrote about DEP in Windows XP Inside Out, Second Edition. At that time, it was mostly a theoretical feature. To my knowledge, this is the first time the concept has been proven to work in the real world.

Read Alex’s post for details on how to see whether your computer is already protected.

Update: In a follow-up post, Alex casts serious doubt on the effectiveness of DEP as a protective strategy.

“Really bad” security exploit arrives

The Sunbelt Software Blog has details on a new security exploit that blows by fully patched Windows XP systems:

Any application that automatically displays a WMF image will cause the user’s machine to get infected. This includes older versions of Firefox, current versions of Opera, Outlook and all current versions of Internet Explorer on all versions of Windows.

This is a zero-day exploit, the kind that gives security researchers cold chills. It works by exploiting a weakness in the Windows engine that renders graphics in the Windows Metafile (WMF) format. You can get infected simply by viewing a malicious WMF image.

Another report from F-Secure says so far it’s being exploited by a handful of sites in Russia, but it will spread. You’re most likely to get directed to one of these sites via a spam message offering dirty pictures, free software, and other forms of bait.

I expect that all major antivirus companies will have detection and prevention for this by the end of the day. I don’t know of any workarounds, but will update this post if I hear any more. For now, use the most recent version of Firefox rather than any other browser and steer well clear of unknown/untrusted sites.

Update: One way to prevent this exploit from working is to disable the Windows Picture and Fax Viewer component. To do so, click Start, Run. In the Open box, type the following command:

regsvr32 /u shimgvw.dll

Press Enter to make the change.

This measure isn’t without side effects. Disabling this component eliminates the capability to view thumbnails of all image types (not just WMF files) in Windows Explorer folders, and it zaps the Preview command for images as well. You can work around these limitations by using a graphics viewing/editing program.

To re-enable the Windows Picture and Fax Viewer, issue this command:

regsvr32 shimgvw.dll
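The two regsvr32 commands above are the whole workaround, but run from Start, Run they give no feedback beyond a message box. The following added PowerShell script (mine, not part of the original post) wraps the same commands so that they run silently from an elevated session, checks the regsvr32 exit code, and then confirms the result by scanning the CLSID table for any COM server still pointing at shimgvw.dll, which avoids hard-coding a CLSID. The function names, the administrator check and the scan are my additions; the DLL name and the regsvr32 switches come from the post.

```powershell
# Added example: disable or re-enable the Windows Picture and Fax Viewer (shimgvw.dll)
# and verify the change. Not from the original post. Assumes an elevated PowerShell session.

function Test-DllRegistered {
    param([Parameter(Mandatory)][string]$DllName)
    # Every COM class served from a DLL has an InprocServer32 key whose default value is
    # the DLL path. Scanning HKCR\CLSID is slow but needs no knowledge of specific CLSIDs.
    $pattern = '(^|\\)' + [regex]::Escape($DllName) + '$'
    $hits = Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $server = (Get-ItemProperty -LiteralPath "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            if ($server -and $server -match $pattern) { $_.PSChildName }
        }
    return (@($hits).Count -gt 0)
}

function Set-PictureFaxViewerRegistration {
    param([Parameter(Mandatory)][ValidateSet('Enable', 'Disable')][string]$Action)

    $dll = Join-Path $env:SystemRoot 'System32\shimgvw.dll'
    if (-not (Test-Path -LiteralPath $dll)) { throw "DLL not found: $dll" }

    # regsvr32 writes to HKLM, so it must run elevated or it fails with a dialog.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated (Administrator) PowerShell session.'
    }

    # Same commands as the post: "regsvr32 /u shimgvw.dll" to disable, "regsvr32 shimgvw.dll"
    # to re-enable. /s suppresses the message boxes; the exit code is checked instead.
    $argList = if ($Action -eq 'Disable') { @('/u', '/s', $dll) } else { @('/s', $dll) }

    # regsvr32 is a GUI-subsystem program, so wait for it explicitly to get its exit code.
    $proc = Start-Process -FilePath 'regsvr32.exe' -ArgumentList $argList -Wait -PassThru -WindowStyle Hidden
    if ($proc.ExitCode -ne 0) { throw "regsvr32 exited with code $($proc.ExitCode)" }

    # Confirm the registry now reflects the requested state.
    $registered = Test-DllRegistered -DllName 'shimgvw.dll'
    $expected   = ($Action -eq 'Enable')
    if ($registered -ne $expected) {
        throw "Registration state is '$registered' but expected '$expected'."
    }
    # Note: on 64-bit Windows the SysWOW64 copy of the DLL is a separate registration.
    [pscustomobject]@{ Action = $Action; Dll = $dll; Registered = $registered }
}

# Usage (pick one):
#   Set-PictureFaxViewerRegistration -Action Disable
#   Set-PictureFaxViewerRegistration -Action Enable
```

Test-DllRegistered can also be run on its own to see whether a machine has already had the workaround applied, which is useful when checking several PCs.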

Q&A: Getting into a Microsoft beta program

In the comments to an earlier post, Carl asks a good question:

Microsoft’s Windows beta programs have always been a mystery to me. I’ve worked with Windows as a Sysadmin for 9 years, and I still don’t know how to get into the Windows Beta program. I’m aware that the Vista beta is available to Technet Plus and MSDN customers, but I don’t need MSDN and don’t see the value of Technet Plus at the price Microsoft charges. I’d really like to test Vista, but don’t know how to do so legally. Any insight?

The secret is to think way ahead and to nominate yourself. Microsoft sent out the original invitations for the Windows Vista beta program last July, and the list was probably put together months before that. The team that runs the beta test program tries to put together a diverse group that represents a broad cross-section of potential customers, so having enthusiasm and a willingness to participate is more important than technical chops.

How do you get considered for a future beta program? Watch news sites to see when beta nominations open. Typically, you visit a Web site and log in with a publicly available user name and password. You fill out a questionnaire, and then you wait.

Don’t limit your request to just Windows, either. If you can get yourself invited into a related program and then actively participate in it by filing quality bug reports, you’re more likely to get invited to a future beta program.

IE7 for XP? You’ll have to wait some more

Over at the IE Blog, this news flash just appeared:

We’ll post an updated pre-release build of IE7 for Windows XP publicly – no MSDN membership required – during the first calendar quarter of 2006.

At first I didn’t understand why this is taking so long. Then it dawned on me: The feature set of IE7 has to be in perfect sync between Windows Vista and Windows XP. And now that Windows Vista Beta 2 has been pushed sometime into the New Year, that means IE7 has to lag as well.

Good news for the Firefox folks, who just shipped version 1.5.

Windows Live gets bigger

Wow. A lot of really interesting stuff on the Windows Live Ideas page.

I’ve been using the Windows OneCare Live beta for a couple months. It’s been exceptionally stable and unobtrusive – enough so that I’ve completely dropped my previous favorite, Trend Micro PC-cillin.

If you’re looking for an antivirus/firewall/backup package, this is a good one to try. It’s free now but will be a paid service (no hints of ultimate cost) eventually.

I’m also planning to sign up for the Windows Live Mail beta today.

What to do when your PC locks up

The PC Doctor has excellent advice on what to do when your PC locks up. It’s an excellent eight-point checklist, which is well worth reading and remembering right now, when your computer is working just fine. When you’re confronted with a mysterious lock-up, it helps to fall back on training like this. You might even want to print out the advice!

Oh, and he echoes one of my favorite pieces of advice in the “What I don’t do” section of the same piece: Don’t just start randomly pounding on the keyboard in the hopes that you’ll hit the magic key. If Windows is temporarily locked by a process that is refusing to give up control, you’ll fill the keyboard buffer with those random keystrokes, which will be executed in horribly annoying fashion when the misbehaving app finally surrenders control.

A clever way to get multiple monitors

Matrox has just announced an interesting hardware idea called DualHead2Go. According to the press release, it’s:

… a palm-sized box that connects to the existing single monitor output (i.e. external VGA output) of a computer and appears to the system as a single ultra-widescreen monitor with native support for resolutions up to 2560 x 1024, which are twice as wide as standard resolutions.

Clever idea, and Matrox claims it will work with notebooks and desktops alike. Instead of adding a second video card (with the attendant hassles of getting multiple video drivers to play nice with each other), you just plug your current video output into this box and let its embedded graphics hardware do the work.

In my experience, adding a second monitor is one of the best ways to increase your productivity. This seems like a pretty hassle-free way to do it.

I’ll see if I can get a review unit and try it out.

Boycott Sony

Tim Jarrett says: “We are at war, and Sony fired first. Boycott Sony.”

To that end, he’s set up The Sony Boycott Blog. Tim picks up on my four (now five) things Sony should do right away and adds this perceptive observation:

I think that’s a start. But to do that, Sony has to understand why what it did was wrong. And to do that, it has to stop the spin and the press releases and start talking—and listening—to customers, and understand why they want to put music that they purchased on their iPods, and why Sony shouldn’t view that as a threat but instead as an opportunity.

Both of us are too optimistic, I fear.

My hope is that this is the act of overreaching that will finally push the public and lawmakers to rein in the out-of-control media industry. Suing 14-year-olds is bad, but in those cases an observer could say, “Well, the kids were illegally downloading music files…” Here, the people who are actually buying the product and following the rules that the music industry insists on are the ones being punished. That’s insane.

Sony’s hired guns: incompetent, dishonest, or both?

This morning, Mark Russinovich offers the latest installment in the Sony “rootkit” saga. I’ll cut straight to the bottom line:

Instead of admitting fault for installing a rootkit and installing it without proper disclosure, both Sony and First 4 Internet claim innocence. By not coming clean they are making clear to any potential customers that they are not only technically incompetent, but also dishonest.

First 4 Internet is the company that actually wrote the code that gets installed on your computer unwittingly if you play a “protected” Sony CD and click OK on the innocuous-sounding license box. A First 4 Internet spokesperson responded to Mark’s last post with comments that betray how dangerously clueless the company is.

In this post, Mark rips F4I’s self-serving responses to shreds. Mark proves, conclusively, that the Sony software can cause a Blue Screen of Death crash. (Check out the screen shot for yourself.) He also establishes that the company is either deliberately lying or technically incompetent. (Maybe both.) Do you want a clueless, dishonest programmer writing secret code that hooks directly into your computer’s kernel-level functions?

It’s almost time for Congressional hearings.

Background:

Sony wants to hijack your PC

Sony’s even sleazier than I thought

Sony tries to stop the bleeding

Sony’s phony patch

Is Sony violating the law?

Sony: screwing up Windows PCs since 2002

Dear Microsoft: Please clean up the Sony mess