antivirus windows 95 free

Today we released MS08-020 to address a weakness in the Transaction ID (TXID) generation algorithm in the DNS client resolver.  The TXID is a 16-bit entity that is primarily used as a synchronization mechanism between DNS servers/clients; in fact, you can think of it as an Initial Sequence Number (ISN) for DNS query/response exchanges.  Consequently, the TXID is intended to be somewhat random and difficult to predict.  If both the TXID and hostname are predictable, an attacker can forge malicious DNS replies which the DNS client resolver will believe to be from the legitimate DNS server.  The client would then use the spoofed information to make an outbound connection to a (potentially) attacker-controlled IP.

We wanted to explain a little more about the weakness to help you recognize potential attacks on the wire.  Remember that an attacker needs to match the request TXID exactly in the spoofed response before the legitimate DNS server replies with a valid response.  This was facilitated by our previous implementation of this PRNG algorithm being weak and hence vulnerable to prediction attacks.  Given the previous consecutive TIDs, x_n, x_{n+1}, x_{n+2}, the attacker may be able to determine the PRNG state and predict x_{n+3}, x_{n+4}, … with a high degree of confidence.  The old TXID generation algorithm was as follows (revised pseudo-code for technical accuracy):

      GlobalSeed++;
      SomeNumber = (WORD)GetTickCount()+(SomeRandomAddress>>6)+GlobalSeed;
      SomeNumber = (SomeNumber%487)+1+GlobalLastTXID);
      GlobalLastTXID = SomeNumber;
      XID = SomeNumber^XIDMask;

Below is a log of sequential TXID’s sent from the old client resolver.  Notice the predictable patterns that develop in bit positions 4,5,6,7 and 8.

As you can see, attackers cannot predict a guaranteed, known-next TXID exactly even with this weakness.  But limited entropy in those middle bits does cut down the search space substantially to predict the next TXID.  If you are watching for attacks on the wire, continue to look for the same pattern as previous DNS spoofing attacks: a steady flood of DNS “replies” with thousands of different TXID’s targeting a client lookup for a single host. 

To address this weakness, we simply replaced the algorithm with a cryptographically secure PRNG: CryptGenRandom().  You can read about how it works at http://msdn2.microsoft.com/en-us/library/aa379942(VS.85).aspx.

Blog Update - April 29: Revised pseudo code above for technical accuracy.

- Security Vulnerability Research & Defense Bloggers

*Postings are provided “AS IS” with no warranties, and confers no rights.*

By noreply@blogger.com (hitech-leiza)

Tue, 01 Jul 2008 16:56:17 GMT

Copyright 2008 Weblogs, Inc. The contents of this feed are available for non-commercial use only.

Well, in case you haven’t heard, AppleInsider now believes that Apple will indeed carry on with the Mac mini

By noreply@blogger.com (hitech-leiza)

Tue, 01 Jul 2008 16:56:17 GMT

Copyright 2008 Weblogs, Inc. The contents of this feed are available for non-commercial use only.

Filed under: Developer, Internet, Utilities, Productivity, Web services, Symantec

Symantec has collected evidence of an attack in progress from a new bot that is exploiting multiple bugs that have been around for a few months. Including a bug in Symantec’s very own antivirus scanning engine. There have been seven exploits for seven different vulnerabilities from Spybot.acyr that were found in Microsoft Windows and in Symantec’s antivirus application. The vulnerability has been around since May 2006, and customers that have updated their applications since then will remain unaffected. Symantec is monitoring a spike in traffic recently with activity mainly lying in .edu domains. Symantec is asking that all customers update their products to the latest available security updates to prevent against any possible attacks.

Read | Permalink | Email this | Comments

By noreply@blogger.com (hitech-leiza)

2008-06-27T03:00:00-08:00

Copyright 2008 Weblogs, Inc. The contents of this feed are available for non-commercial use only.

Apple today announced the release of Safari 3.1 for Mac and Windows.

By noreply@blogger.com (hitech-leiza)

2008-06-27T03:00:00-08:00

Copyright 2008 Weblogs, Inc. The contents of this feed are available for non-commercial use only.

I’ve been at several recent conferences where virtual machine (VM) and security “experts” were telling audiences how VM technology can be used to improve computer security. Wow! They are either drunk on the marketing Kool-Aid, misinformed, or simply trying to misrepresent VM capabilities to sell more product. VM technologies are very cool, and great at saving money (and space, electricity, and more), but in all but a small minority of cases, they will not improve your overall security posture. Most of the time, using VM technology will increase overall risk. In a large percentage of the cases I’ve been involved… READ MORE

By scriptingnewsmail@gmail.com

Thu, 21 Feb 2008 11:31:33 -0700

(c) 2008 Janco Associates, Inc. — ALL RIGHTS RESERVED

So I am reading a lot of stories that seem to have confused, or incorrectly aligned, Windows Vista driver signing and Kernel Patch Protection technologies. Whilst driver signing and KPP are complimentary, they are not conjoined.

Driver signing provides a method to better identify the author/creator of a piece of software or code so that the author/creator can be approached in the event a reliability issue, vulnerability, or malware is discovered. Signing is not designed to confirm the “intent” of signed code (i.e. good or bad), or whether exploitable bugs or malicious code is present.   Malicious or exploitable kernel drivers can lead to system compromise beyond disabling of code signing controls, since kernel driver code has access to hardware as well as all programs running as the user. 

 

Kernel Patch Protection (KPP) helps protect code and critical structures in the Windows kernel from modification.  Microsoft updates KPP periodically, based on internal and external research.  You can read more about KPP here:

 

http://blogs.msdn.com/windowsvistasecurity/archive/2006/08/11/695993.aspx

http://www.microsoft.com/whdc/driver/kernel/64bitpatching.mspx

 

Perhaps the mix up is due to a confluence of events, or – put another way – the fact that we released an update to KPP at the same time that news about an ATI Driver issue appeared.  The update to KPP has no relationship to the ATI driver issue or recent topics related to code signing.

 

These are unrelated events!

 

1: Microsoft issued a non-security update for Kernel Patch Protection (KPP), and an accompanying security advisory: Microsoft Security Advisory (932596)

 

2: Microsoft was made aware of an issue reported in an ATI driver that is potentially vulnerable. Microsoft was in contact with ATI to help address this issue and ATI have posted a fix in the v7.8 Catalyst Package that can be found here:  

 

http://ati.amd.com/support/drivers/vista64/common-vista64.html,

 

http://ati.amd.com/support/drivers/vista32/common-vista32.html

 

I would like to highlight that the driver in question was not shipped ‘in-box’.

 

 

              Russ Humphries

By scriptingnewsmail@gmail.com

Thu, 21 Feb 2008 11:31:33 -0700

(c) 2008 Janco Associates, Inc. — ALL RIGHTS RESERVED

Apple today announced it sold its one millionth iPhone yesterday, 74 days after its introduction on June 29.

By brent@ranchero.com

Tue, 01 Jul 2008 16:56:17 GMT

Copyright 2008 Weblogs, Inc. The contents of this feed are available for non-commercial use only.

Twenty years ago I was at the San Diego super computer center. Their mega-machine of the day was a twenty foot long three ton flashing light box that looked stunning like the “whopper” from War games. Anyway, what’s interesting is that the demonstration they showed me was how the 1000 or so processors in the whopper could work together to create a 3D rendering of a person’s face and head from a photograph. To prove this point, they had a sealed lathe type machine connected to the whopper that cut small pieces out of a block of paper for 9 hours until a bust of W.C. Fields became apparent. I can remember how cool I thought that was. At the time, forward looking animation companies such as Disney rented time on the whopper to do cool stuff like that at a zillion dollars an hour.

Last week I went to the dentist to have my 84^th (or so) crown shoved into my mercury filled mouth. A crown is a fake tooth made from ceramic. I was stunned when the dentist (Dr. Guyle Morris, dentist to the stars – and one of those guys who absolutely insists on asking you questions – mostly about cars – while you have 14 things jammed into your mouth along with a totally numb face) took some funky pictures and started “crafting” my tooth on a 3D workstation. Ten minutes later, a water cooled gizmo the size of a microwave oven starts cutting up a block of ceramic – exactly like the W.C. Fields bust. Ten minutes after that, I had a new crown.

It was a good example of the lifecycle of technologies and how eventually they end up in the dentist office. The whopper probably cost $50,000,000. The 3D workstation and water tooth lathe gizmo probably cost $200,000. The fact that I was able to get my crown in one appointment vs. two – priceless. More interesting perhaps is that there was most likely more CPU power inside the dentist workstation by an order of magnitude then in the whopper. I wonder if he could have made a W.C. Fields face on the crown. You know that will be the next “bling” thing. It will be like scrimshaw on your teeth – pictures of Tupac and Biggie on your choppers. Sweet.

Speaking of high-tech advancements that take way too long, I finally got to see and hear the Steve Sicola story. Sicola was a DEC storage engineer from the Mark Lewis, Richie/Ellen Larry genre who went to Compaq and ended up at Seagate. Sicola and team wanted to build a bigger “brick” than just a disk drive – a sled of disk drives where failure of one (or more) became a “who cares?” moment and where all lower level function could occur autonomically (like RAID). Surprisingly (I say mockingly, as I told him et al 53 years ago that OEM’s would barf on the idea), OEM’s barfed on the idea. Seeing how Seagate makes roughly 100% of its revenue and profit on those OEM’s, it didn’t take a genius to figure out a new play was required. Enter Xiotech, who was owned by Seagate and subsequently spun out for pretty much the exact same reasons, as a perfect place to take the Sicola project to some commercial level.

Now the stuff is out and it’s way cool. The brick has 12 disks (I think, might be 10) – and they have figured out all the vibration, airflow, etc. problems that plague SATA disks, internal error checking, etc. They stripe across all the disks so they can get the performance consistency and linear scale folks like, in a pretty much disposable package (you chuck it after 5 years or so). A package like this ends up being even cheaper when you consider that you almost always will toss out your investment well before it’s depreciated, and as such you have to write it down. This method makes it kind of time-proof since you know the exact expected performance/availability capabilities on day 2000 that you do on day 1. In the wild and wacky Web 2.0 world, that’s a good thing to know.

I think I’ll be attending the Trusted Infrastructure Technologies Conference in October in China. Cloud computing and data infrastructure is a way cool wave right now – but I’ve been wondering how it ever really garner true corporate success without the ability for those using it to be able to prove the security and integrity of the data assets that exist in the cloud. This initiative is built around that concept – how do you prove multi-tenancy infrastructure outside of your control is doing what it is supposed to be doing? Even in internal/intranet based cloud initiatives, you should still be concerned about being able to prove that your multi-tenancy utility is meeting all the assumptive functions it should. When you can do that the entire issue of “I want my own infrastructure” can go away finally. If we can prove it in the cloud, we can certainly prove it on our intranet. At that point, we can really start building utility infrastructures and stop stove piping everything. It may not matter to us if someone can hack into the pictures of my kids pet turtle, but it will if you want my 401K data housed out on your shared site……

The categories displayed in research for the last 25 years or so that help us delineate between “customer types” are another example of “things we still use because that’s the way we’ve always done this” – that no longer makes any sense. In a recent internal research review our team presented their finding by “accepted nomenclature” – i.e. companies with more than 5000 employees = X and companies with more than $1B in revenue = y.

The reality is those are meaningless metrics today. If you are trying to understand and categorize a market for IT products or services, the only company who cares how many employees someone has is a company who sells individual seat licenses or products – so it might be good for Microsoft or Dell, but it doesn’t tell you jack about 98% of the things I care about. There are plenty of companies with less than 100 employees and little to no revenue who are massive consumers of storage and servers. How does one characterize MySpace or FaceBook in the old way of looking at things? Is Google considered the same type of IT shop as the rest of the Fortune 500? I think not. If you are going to sell IT stuff to the world, then the only legitimate way to make comparisons is to get very basic – and I suggest that means servers. It doesn’t even really matter if it is physical or virtual (as more and more will become virtual) – servers support applications that support users, processes, and other applications. If you understand server growth, you get a better picture of the company’s growth. We know when a company goes from 25 servers to 200 over two years that that should be a company on our radar screen. If their employee count went from 50-200 in that time frame you probably wouldn’t pay attention.

By brent@ranchero.com

Tue, 01 Jul 2008 16:56:17 GMT

Copyright 2008 Weblogs, Inc. The contents of this feed are available for non-commercial use only.

Security bulletin MS08-023 addressed two ActiveX control vulnerabilities, one in a Visual Studio ActiveX control and another in a Yahoo!’s Music Jukebox ActiveX control.  The security update sets the killbit for both controls.  For more about how the killbit works, see the excellent three-part series (1, 2, 3) from early February in this blog.

One interesting thing you might notice about this bulletin is the diversity of severity ratings between different platforms.  Windows 2000 and XP are rated Critical.  Windows Vista is rated Important.  Windows Server 2003 is rated Moderate.  And Windows Server 2008 is rated Low.  The same bug on different platforms got four different security bulletin ratings!  We thought this might raise some questions so we decided to explain a little more about how the rating system works for browser-based vulnerabilities.

We rate browser-based vulnerabilities Critical when they allow drive-by code execution.  Internally, we refer to them as “browse-and-you’re-owned”.  Simply browsing to the website (or being redirected there via iframe) is enough to trigger the vulnerability – no prompts, no gold bar, nothing but browsing is necessary.  In this specific case of MS08-023 on Windows XP SP2, users who have the ActiveX control installed are vulnerable to drive-by attack.  And even if the ActiveX control is not already installed, an attacker can serve it to the browsing user.  Because this control was signed by Microsoft, if a user had previously chosen to always install software from Microsoft, they will not be prompted.  The security warning dialog below shows how a user could choose to always install software from Microsoft.

IE7 on Vista requires a user to “opt-in” to ActiveX controls they want to run.  If an ActiveX control is not included on the opted-in list, it will not run.  We do not expect users will have opted-in to use this Visual Studio ActiveX control (most of you probably have never even heard of it), so the Vista MS08-023 rating is Important.  You can see what the ActiveX opt-in gold bar looks like below.

Windows Server 2003 ships with the Enhanced Security Configuration (ESC) enabled. Browsing with the ESC enabled prevents any scripting or ActiveX controls from being run (and also enables other browser hardening suitable on a server).  With the ESC enabled, the MS08-023 vulnerabilities are not reachable.  You’d have to explicitly turn this security setting off, and so we’ve rated this issue Moderate. You can see the Enhanced Security Configuration dialog below.

Windows Server 2008 includes both the above mitigations.  It ships with IE7 so it gets the IE7 ActiveX opt-in by default.  And it also ships with the Enhanced Security Configuration feature enabled.  The ESC drops the rating from Critical to Moderate.  The IE7 ActiveX opt-in drops it one more notch from Moderate to Low.    

- Security Vulnerability Research & Defense Bloggers

*Postings are provided “AS IS” with no warranties, and confers no rights.*

By brent@ranchero.com

2005-12-13T05:20:36Z

Copyright 2008 Weblogs, Inc. The contents of this feed are available for non-commercial use only.

Apple has released the Mac OS X 10.5.4 Update via its Software Update utility and on the Web.

By brent@ranchero.com

2005-12-13T05:20:36Z

Copyright 2008 Weblogs, Inc. The contents of this feed are available for non-commercial use only.

LaCie today announced the “Hard Disk, Design by Neil Poulton”, a new external USB 2.0 hard drive available in capacities of 320GB, 500GB, 750GB and 1TB.

By brent@ranchero.com

Thu, 21 Feb 2008 11:31:33 -0700

Copyright 2008 Blogsmith, LLC. The contents of this feed are available for non-commercial use only.

The Sapphire Browser Beta 4 has been the talk of the Mac mini HTPC forum for the last few days.

By brent@ranchero.com

Thu, 21 Feb 2008 11:31:33 -0700

(c) 2008 Janco Associates, Inc. — ALL RIGHTS RESERVED

Three weeks after the release of the Alpha 1, here is a debugged version that correct compilation failures, bugs, crashes and add some help to enhance usability. Last but not least, import from other softwares are back. You can import again from KNotes, KJots and GNOME Sticky Notes (in the future, you will be able to import from other softwares as well, but that’s not the priority: the next priority is to make export to HTML work again and also re-enable keyboard navigation). You can see what’s new and download it here: the development page, as usualy

By noreply@blogger.com (hitech-leiza)

2008-06-27T03:00:00-08:00

Creative Commons Attribution-ShareAlike License

Twenty years ago I was at the San Diego super computer center. Their mega-machine of the day was a twenty foot long three ton flashing light box that looked stunning like the “whopper” from War games. Anyway, what’s interesting is that the demonstration they showed me was how the 1000 or so processors in the whopper could work together to create a 3D rendering of a person’s face and head from a photograph. To prove this point, they had a sealed lathe type machine connected to the whopper that cut small pieces out of a block of paper for 9 hours until a bust of W.C. Fields became apparent. I can remember how cool I thought that was. At the time, forward looking animation companies such as Disney rented time on the whopper to do cool stuff like that at a zillion dollars an hour.

Last week I went to the dentist to have my 84^th (or so) crown shoved into my mercury filled mouth. A crown is a fake tooth made from ceramic. I was stunned when the dentist (Dr. Guyle Morris, dentist to the stars – and one of those guys who absolutely insists on asking you questions – mostly about cars – while you have 14 things jammed into your mouth along with a totally numb face) took some funky pictures and started “crafting” my tooth on a 3D workstation. Ten minutes later, a water cooled gizmo the size of a microwave oven starts cutting up a block of ceramic – exactly like the W.C. Fields bust. Ten minutes after that, I had a new crown.

It was a good example of the lifecycle of technologies and how eventually they end up in the dentist office. The whopper probably cost $50,000,000. The 3D workstation and water tooth lathe gizmo probably cost $200,000. The fact that I was able to get my crown in one appointment vs. two – priceless. More interesting perhaps is that there was most likely more CPU power inside the dentist workstation by an order of magnitude then in the whopper. I wonder if he could have made a W.C. Fields face on the crown. You know that will be the next “bling” thing. It will be like scrimshaw on your teeth – pictures of Tupac and Biggie on your choppers. Sweet.

Speaking of high-tech advancements that take way too long, I finally got to see and hear the Steve Sicola story. Sicola was a DEC storage engineer from the Mark Lewis, Richie/Ellen Larry genre who went to Compaq and ended up at Seagate. Sicola and team wanted to build a bigger “brick” than just a disk drive – a sled of disk drives where failure of one (or more) became a “who cares?” moment and where all lower level function could occur autonomically (like RAID). Surprisingly (I say mockingly, as I told him et al 53 years ago that OEM’s would barf on the idea), OEM’s barfed on the idea. Seeing how Seagate makes roughly 100% of its revenue and profit on those OEM’s, it didn’t take a genius to figure out a new play was required. Enter Xiotech, who was owned by Seagate and subsequently spun out for pretty much the exact same reasons, as a perfect place to take the Sicola project to some commercial level.

Now the stuff is out and it’s way cool. The brick has 12 disks (I think, might be 10) – and they have figured out all the vibration, airflow, etc. problems that plague SATA disks, internal error checking, etc. They stripe across all the disks so they can get the performance consistency and linear scale folks like, in a pretty much disposable package (you chuck it after 5 years or so). A package like this ends up being even cheaper when you consider that you almost always will toss out your investment well before it’s depreciated, and as such you have to write it down. This method makes it kind of time-proof since you know the exact expected performance/availability capabilities on day 2000 that you do on day 1. In the wild and wacky Web 2.0 world, that’s a good thing to know.

I think I’ll be attending the Trusted Infrastructure Technologies Conference in October in China. Cloud computing and data infrastructure is a way cool wave right now – but I’ve been wondering how it ever really garner true corporate success without the ability for those using it to be able to prove the security and integrity of the data assets that exist in the cloud. This initiative is built around that concept – how do you prove multi-tenancy infrastructure outside of your control is doing what it is supposed to be doing? Even in internal/intranet based cloud initiatives, you should still be concerned about being able to prove that your multi-tenancy utility is meeting all the assumptive functions it should. When you can do that the entire issue of “I want my own infrastructure” can go away finally. If we can prove it in the cloud, we can certainly prove it on our intranet. At that point, we can really start building utility infrastructures and stop stove piping everything. It may not matter to us if someone can hack into the pictures of my kids pet turtle, but it will if you want my 401K data housed out on your shared site……

The categories displayed in research for the last 25 years or so that help us delineate between “customer types” are another example of “things we still use because that’s the way we’ve always done this” – that no longer makes any sense. In a recent internal research review our team presented their finding by “accepted nomenclature” – i.e. companies with more than 5000 employees = X and companies with more than $1B in revenue = y.

The reality is those are meaningless metrics today. If you are trying to understand and categorize a market for IT products or services, the only company who cares how many employees someone has is a company who sells individual seat licenses or products – so it might be good for Microsoft or Dell, but it doesn’t tell you jack about 98% of the things I care about. There are plenty of companies with less than 100 employees and little to no revenue who are massive consumers of storage and servers. How does one characterize MySpace or FaceBook in the old way of looking at things? Is Google considered the same type of IT shop as the rest of the Fortune 500? I think not. If you are going to sell IT stuff to the world, then the only legitimate way to make comparisons is to get very basic – and I suggest that means servers. It doesn’t even really matter if it is physical or virtual (as more and more will become virtual) – servers support applications that support users, processes, and other applications. If you understand server growth, you get a better picture of the company’s growth. We know when a company goes from 25 servers to 200 over two years that that should be a company on our radar screen. If their employee count went from 50-200 in that time frame you probably wouldn’t pay attention.

By brent@ranchero.com

Tue, 01 Jul 2008 16:56:17 GMT

Creative Commons Attribution-ShareAlike License

Our annual report on malware evolution in 2007, published a few months ago, contained forecasts on how the threat landscape would evolve in 2008

By brent@ranchero.com

Tue, 01 Jul 2008 16:56:17 GMT

Copyright 2008 Blogsmith, LLC. The contents of this feed are available for non-commercial use only.

(IDG News Service) — The outlook for IT spending in the new year is
“unusually bad,” according to ChangeWave Research LLC, which said its latest
quarterly tracking survey of corporate users shows that an increasing number of
companies are looking to hold down their purchases of technology products and
services.

Rockville, Md.-based ChangeWave reported that 20% of the 1,964
users who responded to the survey said that in the first quarter of 2008, they
plan to spend less on IT products and services than they’re spending in the
current quarter — and in some cases, nothing at all. The 20% figure is up three
percentage points from the last survey, conducted in August, and is the highest
recorded by ChangeWave in surveys dating back to September 2003.

In its report, which is dated Nov. 26 (download
PDF), ChangeWave said that 24% of the respondents said they plan to
increase their IT purchases in next year’s first quarter compared with the
current one. However, that percentage is much lower than the corresponding
figures for the first quarters of the past four years, when the level of
respondents planning to increase spending ranged from 34% to 43%.

Fifty-one percent of the respondents to the latest survey said
that their spending levels will remain the same in the first quarter, while the
remaining 5% said they didn’t know what their budgets would look
like.

By brent@ranchero.com

Tue, 01 Jul 2008 16:56:17 GMT

Copyright 2008 Blogsmith, LLC. The contents of this feed are available for non-commercial use only.

WD today introduced its new My Book Mirror Edition dual-drive storage systems in capacities of 1TB and 2TB.

By brent@ranchero.com

2005-12-13T05:20:36Z

Copyright 2008 Weblogs, Inc. The contents of this feed are available for non-commercial use only.

Adobe Systems today announced the latest update for Adobe Flash Player 9 software, code-named Moviestar, which includes H.264 standard video support and High Efficiency AAC (HE-AAC) audio support, as well as hardware accelerated, multi-core enhanced full screen video playback.

By brent@ranchero.com

Tue, 01 Jul 2008 16:56:17 GMT

Copyright 2008 Weblogs, Inc. The contents of this feed are available for non-commercial use only.

I’ve previously written about how traditional anti-virus programs are finally outliving their usefulness as a preventative measure. Server-side polymorphic malware programs and malicious programs using custom, unscannable packers are making static anti-virus scanners less and less accurate. Using all sorts of tricks, malware writers are making millions of seemingly “unique” (although they aren’t) programs a year. I’m not sure we have millions of legitimate program executables in a given year. When unique malicious programs outnumber unique legitimate programs, it makes sense to have a whitelisting program. A whitelist is a collection of legitimate approved values (for example, DNS entries, program… READ MORE

By noreply@blogger.com (hitech-leiza)

2005-12-13T05:20:36Z

(c) 2008 Janco Associates, Inc. — ALL RIGHTS RESERVED

Macessity today announced the availability of the SlimKey Stand, a new monitor stand designed specifically for owners of the Apple aluminum keyboard.

By noreply@blogger.com (hitech-leiza)

2005-12-13T05:20:36Z

(c) 2008 Janco Associates, Inc. — ALL RIGHTS RESERVED