Tuesday 31 December 2013

Garden Burst - Yes; VirusBurst - No!


A burst of color in the garden is a welcome surprise. Conversely, VirusBurst is not! In fact, it was only a few days ago that I provided background information on Rogues including VirusBurst, the latest rogue software. Based on the Google hits to that writeup, VirusBurst has not taken long to spread its curse among computer users.

As reported by Bleeping Computer today, VirusBurst is picking up steam:

"Two new variants of the VirusBurst infector have been discovered today. These files when run on a computer will issue the fake security alerts and download/install VirusBurst onto your computer. The two new infectors are:
* C:\Windows\System32\gtpbx.dll
* C:\Windows\System32\duxzj.dll"

The good news, however, is that help is available for removing VirusBurst and other rogues of a similar nature. As indicated in the Bleeping Computer blog, Beamerke's RogueScanFix was already updated to remove the new infectors.
Apparently, it isn't taking long for the new variants to make the rounds. No sooner had I finished providing removal instructions at Freedomlist than I discovered a log with that latest variant.

Microsoft Security Advisory 925059 Released


The following is a Security Advisory from Microsoft regarding a Vulnerability in Microsoft Word.

Please follow the usual warnings. Do not open any email attachments from an unknown source. Also, be wary of unexpected or unusual attachments from someone you know. A telephone call or confirming email may save you from a lot of grief.
Security Advisory (925059) - Vulnerability in Word Could Allow Remote Code Execution - 06 September 2006.
========================================
Summary
========================================
Microsoft is investigating new public reports of limited “zero-day” attacks using a vulnerability in Microsoft Word 2000. In order for this attack to be carried out, a user must first open a malicious Word file attached to an e-mail or otherwise provided to them by an attacker.
Opening the Word document out of email will prompt the user to be careful about opening the attachment.
Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

========================================
Recommendations
========================================
Do not open or save Microsoft Word files that you receive from untrusted sources or that are received unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a file.

Review Microsoft Security Advisory 925059 for an overview of the issue, details on affected components, mitigating factors, suggested actions, frequently asked questions (FAQ) and links to additional resources.

Customers who believe they have been attacked should contact their local FBI office or report their situation to www.ic3.gov. Customers outside the U.S. should contact the national law enforcement agency in their country.
Customers who believe they are affected can contact Product Support Services. Contact Product Support Services in North America for help with security update issues or viruses at no charge using the PC Safety line (1866-PCSAFETY) and international customers by using any method found at this location: http://support.microsoft.com/security.

========================================
Additional Resources:
========================================

Scarecrow for Your Garden, WinPatrol for Your PC


A scarecrow may help protect your garden, but it certainly won't do much for your computer. However, it has just gotten a bit easier to protect your home computer with WinPatrol. Bill Pytlovany made the PLUS knowledge base freely accessible for the month of September.

As indicated in Bits from Bill: New Students Need Protection:
No download or software change is required.

No Email registration, or your mother's maiden name required.

As of today, anyone with the free version of WinPatrol can access PLUS information. Over the years we’ve built quite the database which has now grown to over 13,000 program files. Our success/request ratio is at 93%. I’ve always tried to make sure the free version of WinPatrol remains valuable and I hope this helps. If we continue to get such great support it could be a permanent feature.
Have you ever opened Windows Task Manager and looked at the long list of running processes on your computer? Did you wonder what those names represented and if they were necessary? No need to wonder with the PLUS Knowledge Base. See a sample of the "plain English" explanation of ctfmon.exe

Microsoft Security Bulletin Advance Notification


Tuesday, September 12, is again "Patch Tuesday". Before Tuesday comes along, there's time to do some cleanup preparation. Nellie2 has a nice set of instructions on "How to Prepare for Patch Tuesday".

On 12 September 2006 Microsoft is planning to release:
Security Updates
Two Microsoft Security Bulletins affecting Microsoft Windows.

The highest Maximum Severity rating for these is Important. These updates will be detectable using the Microsoft Baseline Security Analyzer. Some of these updates will require a restart.
One Microsoft Security Bulletin affecting Microsoft Office.

The highest Maximum Severity rating for these is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer. These updates may require a restart.

Mozilla Adds Window



I read with interest this morning the writeup from Bleeping Computer on "Potential security vulnerability in Firefox?"
"Klocwork’s K7 static analysis tool was used to analyze the programming code for the latest version of Firefox 1.5.0.6. The tool reported that there are 655 defects and 71 potential security vulnerabilities. This analysis was then sent on to Firefox where they can determine what will be fixed or left alone."
Defects seem to be inherent in software. However, that is not always the fault of the software. After all, as soon as a computer is taken out of the box, we add our own personal fingerprint, usually in the form of other software. No software can be tested against all possible interactions with other software programs.
As to the 71 potential security vulnerabilities, it appears that Mozilla.org has leadership to address security issues in Firefox. From eWeek:

"Ex-Microsoft Security Strategist Joins Mozilla By Ryan Naraine


Former Microsoft security strategist Window* Snyder is joining Mozilla to lead the company's effort to protect its range of desktop applications from malicious hacker attacks. Snyder, who was responsible for security sign-off for Microsoft's Windows XP Service Pack 2 and Windows Server 2003, will spearhead Mozilla's security strategy, eWEEK has learned.
The group has seen its flagship Firefox Web browser chip away at the market dominance of Microsoft's Internet Explorer, largely because of high-profile security flaws in and attacks on IE, and the addition of Snyder is sure to help beef up Mozilla's security process and improve its communications with bug finders."
*Emphasis added. Window really is Ms. Snyder's name. It is rather ironic that someone with the name "Window" has left Microsoft and will now be working for a competitor.

Opposing Vista View


It seems that every time there are shrubs to be moved in our garden, my husband and I have opposing views on where they should be placed. It always takes us longer to pick out a location than to do the actual planting.
Most of the comments I have seen regarding the long-awaited Vista operating system have been positive. However, John Naughton certainly centered on sensationalism in his article, "Why Vista will mean the end of the Microsoft monolith" in The Observer, published September 10, 2006. Some examples, the first being particularly irresponsible:
. . . Security vulnerabilities come free with all versions.
. . . But in Redmond, Washington, the Microsoft campus, the only sounds to be heard are of people muttering 'Never Again'. For the Vista story has turned out to be an interminable corporate nightmare.

{snip}

It has left behind it a trail of corporate wreckage and prompted a major reorganisation of the company's senior management.

{snip}

. . . while Microsoft engineers were trudging through their death march
While Mr. Naughton provided the pricing for the various Vista versions, he neglected to provide the upgrade prices. Thus, while the suggested retail price for the full package of Windows Vista Home Premium is $239.00 USD, the suggested upgrade retail price is $159.00 USD. (See Official Windows Vista Pricing).

Changing Places -- A New Star for Vista


Sometimes we need to step outside the garden to see what else is "out there". Inevitably, we return to our roots, to what gives us the most satisfaction.
Stephen Toulouse has been a program manager on Microsoft's Security Response Center team, dealing with security response for the past four years. In a manner of speaking, "Stepto" is now moving back to his roots, although at a much higher level than his early days with Microsoft and Windows 95!
With the emphasis on security in Vista combined with Stepto's background with the MSRC, it sounds like a perfect match. The improvements he made while with the MSRC will likely flow over to Vista. Read about it in his own words at Stepto.com.

Microsoft Security Bulletins - September 2006

It does not take much effort on your part to update your home computer. After all, we're only talking about Microsoft updates once per month and always on the second Tuesday. That is easy enough to keep track of. But don't worry. If you forget, I'll be sure to remind you.
For September, Microsoft released 3 new bulletins (1 critical, 1 important and 1 moderate), 2 re-released bulletins and 2 security advisories today. For more detailed information see this month’s bulletin summary.
Critical:
  • MS06-054: Vulnerability in Microsoft Publisher Could Allow Remote Code Execution (910729)

Important:
  • MS06-052: Vulnerability in Pragmatic General Multicast (PGM) Could Allow Remote Code Execution (919007)

Moderate:
  • MS06-053: Vulnerability in Indexing Service Could Allow Cross-Site Scripting (920685)

Re-Released Bulletins:
  • MS06-040: Vulnerability in Server Service Could Allow Remote Code Execution (921883) (Originally released August 8. This addresses a critical security problem)
  • MS06-042: Cumulative Security Update for Internet Explorer (918899) (Originally released August 8 and updated on August 24.)
Additionally note that Microsoft issued two security advisories today:

Fox Update


Although Firefox 2 is in the Beta2 stage, Mozilla.org jumped ahead and released version 1.5.0.7. This release fixes several critical security vulnerabilities. Anyone using Firefox is strongly encouraged to be sure to get the update.

The same security issues were also addressed in Thunderbird, Camino and Seamonkey (both based on Gecko 1.8.0.7).


These are serious issues that have been addressed. Stay safe, surf safe. Update now.

Fixed in Firefox 1.5.0.7

MFSA 2006-64 Crashes with evidence of memory corruption (rv:1.8.0.7)
MFSA 2006-62 Popup-blocker cross-site scripting (XSS)
MFSA 2006-61 Frame spoofing using document.open()
MFSA 2006-60 RSA Signature Forgery
MFSA 2006-59 Concurrency-related vulnerability
MFSA 2006-58 Auto-Update compromise through DNS and SSL spoofing
MFSA 2006-57 JavaScript Regular Expression Heap Corruption

Microsoft Security Advisory 925444 Released



Below is a Security Advisory from Microsoft regarding an ActiveX control that could allow remote code execution. The code, if installed, could result in browser hijacking of Internet Explorer to malicious websites.

Workarounds are provided in the Advisory, two of which should be set regardless of this advisory. In particular, see the instructions for configuring Internet Explorer to prompt before running Active Scripting or ActiveX controls.


Security Advisory 925444 – Vulnerability in the Microsoft DirectAnimation Path ActiveX Control Could Allow Remote Code Execution - 14 September 2006.

========================================
Summary
========================================

Microsoft is investigating new public reports of a vulnerability in Microsoft Internet Explorer on Windows 2000 Service Pack 4, on Windows XP Service Pack 1, and on Windows XP Service Pack 2. Customers who are running Windows Server 2003 and Windows Server 2003 Service Pack 1 in their default configurations, with the Enhanced Security Configuration turned on, are not affected. We are also aware of proof of concept code published publicly but we are not aware of any attacks attempting to use the reported vulnerability or of customer impact at this time. We will continue to investigate these public reports.

Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. A security update will be released through our monthly release process or an out-of-cycle security update will be provided, depending on customer needs.

========================================
Mitigating Factors
========================================

• In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site.

• An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

• The Restricted sites zone helps reduce attacks that could try to exploit this vulnerability by preventing Active Scripting from being used when reading HTML e-mail messages. However, if a user clicks a link in an e-mail message, they could still be vulnerable to this issue through the Web-based attack scenario.

• By default, Outlook Express 6, Outlook 2002, and Outlook 2003 open HTML e-mail messages in the Restricted Sites zone. Additionally, Outlook 2000 opens HTML e-mail messages in the Restricted Sites zone if the Outlook E-mail Security Update has been installed. Outlook Express 5.5 Service Pack 2 opens HTML e-mail messages in the Restricted Sites zone if Microsoft Security Bulletin MS04-018 has been installed.

• By default, Internet Explorer on Windows Server 2003 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability because ActiveX and Active Scripting are disabled by default.
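The mitigations above and the workaround mentioned earlier both turn on what the Internet Explorer security zones do with ActiveX and Active Scripting. The following PowerShell audit is an added example (mine, not the blog's or Microsoft's); it assumes the documented registry layout for per-user zone settings (zone ids 3 = Internet and 4 = Restricted sites, URL-action DWORDs 1200 = "Run ActiveX controls and plug-ins" and 1400 = "Active scripting", values 0 = Enable, 1 = Prompt, 3 = Disable) and reports whether each setting is at Prompt or Disable.

```powershell
# Added example: audit the IE zone settings that the advisory's workaround and
# mitigating factors rely on. Assumptions (not stated on the page): the per-user
# zone settings live under the "Zones" key below, zone 3 is Internet and zone 4
# is Restricted sites, and the URL-action ids/values are the documented ones.
$ZoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

$Zones = @{ 3 = 'Internet'; 4 = 'Restricted sites' }

$Actions = @{
    '1200' = 'Run ActiveX controls and plug-ins'
    '1400' = 'Active scripting'
}

# Meaning of the DWORD values for these URL actions.
$Meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-IEZoneAudit {
    $results = @()
    foreach ($zoneId in $Zones.Keys) {
        $key = Join-Path $ZoneRoot $zoneId
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($action in $Actions.Keys) {
            $value = $props.$action
            $state = if ($null -eq $value) {
                'not set'
            } elseif ($Meaning.ContainsKey([int]$value)) {
                $Meaning[[int]$value]
            } else {
                "unknown ($value)"
            }
            # The workaround wants Prompt (1) or Disable (3) in the Internet zone;
            # Restricted sites should already be at Disable (3) by default.
            $hardened = ($value -eq 1 -or $value -eq 3)
            $results += [pscustomobject]@{
                Zone     = $Zones[$zoneId]
                Action   = $Actions[$action]
                Setting  = $state
                Hardened = $hardened
            }
        }
    }
    return $results
}

# Any row with Hardened = False is a zone still set to run the control or
# script without asking, which is the condition the advisory warns about.
Get-IEZoneAudit | Format-Table -AutoSize
```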

========================================
Additional Resources:
========================================

Monday 30 December 2013

Non-Microsoft Patch for Unsupported MS Systems Against VML Exploit



As this blog post was possible because of information from Freedomlist, it is only appropriate that the image used to accompany it also be from Freedomlist. The original image is worth checking out. See long-time Freedomlist member Curious John's original image of his favorite wild persimmon tree.

~~~~~~~~~~~~~~~
Ordinarily, I do not recommend using a patch for a Microsoft Operating System that was not created and tested by Microsoft. The reason is that Microsoft has tremendous resources at hand for testing in countless environments that others do not have available. Even then, there is no way possible for Microsoft to test every possible configuration or software interaction. However, in this instance, I decided it is a good idea to at least let readers know of the availability of this particular unofficial patch.

As background, on October 10, Microsoft released Security Bulletin MS06-055 as a critical update. The purpose of the update was to fix a security issue identified in the way Vector Markup Language (VML) is handled that could allow an attacker to compromise a computer running Microsoft Windows and gain control over it. The problem is that there are still a fairly large number of Windows operating systems in use that have reached the end of "Life Cycle" where Microsoft will provide updates. (The information for all Microsoft software, games, tools, hardware is available in Product Life Cycle, which Microsoft reviews and updates regularly.)

ZERT (Zeroday Emergency Response Team) created a patch for Windows 9X, ME, 2000 (to SP3) and XP systems that have not updated to SP1, 1a or SP2 for the VML exploit.
Hat Tip to "Lost" at Freedomlist for the link to c|net News in "Security pros patch older Windows versions", By Joris Evers which reports:
"The vulnerability, first reported last week, lies in a Windows component called "vgx.dll." This component supports Vector Markup Language (VML) graphics in the operating system. Malicious software can be loaded, unbeknownst to the user, onto a vulnerable PC when the user clicks on a malicious link on a Web site or an e-mail message."
Of course the standard warnings of keeping antivirus software updated and using caution when browsing the Internet apply, as does not clicking on a link in an e-mail from an untrusted source. If you still do not feel your computer is secure, check whether your version of the operating system has been tested; see ZERT's Libraries Tested.
Here are the instructions for those downloading the file for the older computers, by Plodr:
  1. Grab the download from here: http://isotf.org/zert/download.htm
  2. Unzip it and you'll get a ZPatch folder. Make sure you close IE and OE before you try to apply the patch.
  3. Click on the ZVGPatcher.exe which brings up a window
  4. Click on patch and close the window
  5. Open IE and go to http://www.isotf.org/zert/testvml.htm

ewido anti-spyware 4.0 Now AVG Anti-Spyware 7.5


One of the most popular tools used in the anti-malware community to help users clean their computers of trojans, worms, dialers, hijackers, spyware and keyloggers is ewido. When ewido became part of the Grisoft family, no one was sure what to expect.
As the leaves change colors in the autumn, so it appears is ewido changing. However, this change looks to be for the good. The first is a name change. The product is no longer known as ewido anti-spyware. The announced name change is AVG Anti-Spyware 7.5.
ewido anti-spyware 4.0 will now continue under the new product name AVG Anti-Spyware 7.5. AVG Anti-Spyware 7.5 contains the same ewido technology, but with some further enhanced features:

Highly improved cleaning
Lower resource usage
Additional languages supported

All current licenses for ewido anti-spyware 4.0 will continue to be valid, and users can change over to the new AVG Anti-Spyware 7.5 for free.

Features of AVG Anti-Spyware

NEW Completely renewed user interface
NEW Possibility to create exceptions
NEW Shredder for secure file deletion
NEW XP Antispy
NEW BHO Viewer
NEW LSP Viewer
Heuristics to detect unknown threats
Scanning and cleaning of the Windows registry
Support for NTFS-ADS scanning
Daily database updates
Patch proof by using strong signatures
Analysis tools (startup, connections and processes)
Intelligent online-update
Scan inside archives
Secure detection and deletion of DLL-Trojans
Generic crypter detection through emulation
Generic binder detection
Free E-Mail Support
Automatic Clean Engine
Quarantine for suspicious files
Multilingual User Interface

Additional features of the Plus-Version

NEW Scheduled scans
Real-time monitoring of the entire system
Memory Scan detects active threats
Self-protection at kernel layer guarantees gapless monitoring
Automatic online-update

Firefox Zero-Day Vulnerability . . . Apparently Not


It was reported over the weekend in c|net News that two hackers claimed the Firefox Web browser is critically flawed in the way it handles JavaScript. According to the report in "Hackers claim zero-day flaw in Firefox":
"An attacker could commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon hacker conference here. The flaw affects Firefox on Windows, Apple Computer's Mac OS X and Linux, they said.
"Internet Explorer, everybody knows, is not very secure. But Firefox is also fairly insecure," said Spiegelmock, who in everyday life works at blog company SixApart. He detailed the flaw, showing a slide that displayed key parts of the attack code needed to exploit it."
As reported by Robert Lemos for SecurityFocus in "Mozilla flaws more joke than jeopardy", Spiegelmock has apologized, indicating that the presentation was intended mainly as a joke:
"The main purpose of our talk was to be humorous," the 19-year-old researcher said in the statement. "As part of our talk we mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has."
Although it is reported that there were those at the presentation who recognized it as an attempt at humor, it is refreshing to read the comment by recently hired Window Snyder at the Mozilla Developer Center:
"Even though Mischa hasn’t been able to achieve code execution, we still take this issue seriously. We will continue to investigate."

Advance Notice Microsoft Security Bulletin


On Tuesday, October 10, Microsoft will release the Security Updates listed below. In addition, it will be the last update for XP SP1 and SP1a. The details are here.

The following suggestions on what you can do before “Patch Tuesday” are from Calendar of Updates:

  • Undo any 3rd party work-around or any work-around that you did on affected system or components in Windows that is going to be patched
  • Create a backup of your good system (see also: System Back-up) and/or ensure that System Restore service is enabled, actually running, working and not corrupted or in the good state. Note: System Restore is available in Windows Millennium (Me) and the Windows XP (Home and Professional) Operating Systems.

To check whether System Restore is enabled and actually running:
  • Type services.msc
  • Click OK button
  • Locate System Restore Service in the list of services and verify that the status is “Started”.
Note: You may also access the Services Console by going to Control Panel>Performance and Maintenance>Administrative Tools>Services.
Microsoft TechNet has complete details of today's Microsoft Security Bulletin Advance Notification of the updates Microsoft is planning to release on 10 October 2006.

=================================================
Security Updates
=================================================

• Six Microsoft Security Bulletins affecting Microsoft Windows. The highest Maximum Severity rating for these is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer and the Enterprise Scan Tool (EST). Some of these updates will require a restart.

• Four Microsoft Security Bulletins affecting Microsoft Office. The highest Maximum Severity rating for these is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer. These updates may require a restart.

• One Microsoft Security Bulletin affecting Microsoft .NET Framework. The highest Maximum Severity rating for this is Moderate. These updates will be detectable using the Microsoft Baseline Security Analyzer and the Enterprise Scan Tool. These updates may require a restart.

Microsoft MVP Awardee Stuns the Security Community


Yesterday evening, I saw this at the SunbeltBLOG:
“Patchou” (aka Cyril Paciullo) has just been given Microsoft MVP status. Worthy of congratulation, except… Patchou got his fame through a program called Messenger Plus!, which has the option of installing LOP (a not-so-pleasant piece of adware).
That led me to Paperghost's Vital Security post. Paperghost has never been hesitant to tell it the way he sees it and isn't shy in his presentation.
Today the news has "hit the wires". So before you run off to read what everyone is saying, let's take a look at a description of LOP from Sunbelt Research:
C2.Lop:
Type: Adware
Type Description: Adware, also known as advertising software, displays third-party advertising on the computer. The ads can take several forms, including pop-ups, pop-unders, banners, or links embedded within web pages or parts of the Windows interface. Some adware advertising might consist of text ads shown within the application itself or within side bars, search bars, and search results. Adware is often contextually or behaviorally based and tracks browsing habits in order to display ads that are meant to be relevant to the user.
Category: Hijacker

Background information is available at Sandi's Site and you can find additional information on what happens when the sponsor link is accepted when installing Messenger Plus! at Spyware-Free.

As posted by Ed Bott in "Microsoft gives adware pusher an MVP award",

"Around this time every year, Microsoft publishes its new list of Most Valuable Professionals (MVPs). MVPs are unpaid volunteers, not Microsoft employees, and the official criteria for being named an MVP are based on their willingness to participate in technical and product communities."
Consider Mr. Bott's comment in conjunction with this from Security Ticker:
"Microsoft's MVP program supposedly rewards "outstanding members of Microsoft's peer-to-peer communities, and is based on the past year's contributions those members make in those communities online and offline." So why have they given the creator of Messenger Plus an MVP Award, when he bundles the notorious LOP Adware in with his creation?" {emphasis added}

Mozilla Releases Firefox 2 Release Candidate 2


While the temperature in my area reached the low 30's last night, the folks at Mozilla were uploading Release Candidate 2 (RC2) to the servers. Should you decide to give it a test run, please keep in mind that RC is not final and bugs and incompatibilities may exist with installed extensions.
For enhancements and changes to Firefox 2 RC2, see the Release Notes. Please read the Installation Instructions. I also recommend backing up your profile, bookmarks and cookies before installing a new version as well as creating a restore point if using Microsoft XP.
Also released for testing is Firefox Portable 2.0 Release Candidate 2. Firefox Portable can be run from a USB flash drive, iPod, portable hard drive, CD, etc and used on any computer. It can also be run from a local hard drive or your desktop. This would be a handy way to test Firefox 2 RC2 without affecting the version installed on your computer.

Microsoft Apparently Rescinds MVP Award

It certainly has been an interesting week. It began with the sharing of the excitement and thrill of the newly awarded and re-awarded Microsoft MVPs. Shortly thereafter, everything seemed to go on a downward spiral over the awarding of MVP to the developer of Messenger Plus!.
Messenger Plus! in and of itself is a well-designed add-on to Messenger. The problem the members of the security community (myself included) have is with the "optional" sponsor program. Unfortunately, that sponsorship leads to some not-so-pretty additions. It has been well documented what the results are when accepting the sponsor install with Messenger Plus! so I won't go into that here.
The understandable argument is that the sponsorship itself does not need to be accepted in order to install the software. Although this is true, unfortunately, Messenger Plus! is extremely popular with teens and preteens. With adults known to not read (and freely admit to not understanding) EULAs (end user license agreements), how would 11-17 year-olds be expected to do so? In addition, those under 18 are anxious to install the software that their friends have on their computers. Taking it a step further, accepting sponsorship (read advertisements) is certainly not the same as the actual end result.

Would those involved in the MVP selection process even realize the severity of the effects of the documented sponsorship? Not likely, as they are adults who are familiar with EULAs and would not have been checking the sponsorship box. Remember, Microsoft is a huge corporation with multiple disciplines.

Did this and perhaps other information that we have no way of knowing about result in a mistake being made by Microsoft? It appears so, at least based on the apparent necessity for Sandi and Paperghost to post, respectively, "The saga of Patchou and his short lived MVP award" and "Caught in a Crossfire Hurricane" with links to a msghelp.net forum thread entitled "Patchou Lost MVP Status :(". (Note: Registration is required to access the referenced link at msghelp.) Sadly, those supporting Patchou have resorted to mud-slinging and bad-mouthing others.

Edit Note: The thread at msghelp.net has apparently been deleted (or relocated to a private location since portions of it have been quoted elsewhere.) A better action would have been moderating the foul language and locking the thread.


A new week has begun. I hope that the turmoil of the past week can be put behind us.

9SEP06 Update Note: The following was reported at Microsoft Informer:
"Cyril Paciullo was awarded with MVP status this year on the basis of his technical expertise and strong community contribution. However, his active MVP Award status was revoked as soon as the extent of the connection between his application and spyware was made apparent to the MVP Program," the company said in a statement.
It was published at Mess.be (which I understand is the official site for Messenger Plus!) :
dwergs says:

When Patchou last week proudly announced his freshly acquired Most Valuable Professional (MVP) status, the news spurred so much criticism from fellow MVPs and security experts that Microsoft decided to take back the award on Friday. The whos, whats and whys can be found eg. here and here.
It needs to be clearly understood that the Microsoft MVP Program is wholly managed by Microsoft, not the MVPs. There are approximately 2600 MVPs worldwide. Out of those 2600 MVPs only about 145 are Windows Security MVPs. I hardly think that small a minority could have such an effect.

Suzi Turner posted an excellent summary and reflection of my opinion in "MVP awards, Messenger Plus! and adware -- a good combination?" at ZDNet.

WinPatrol Update


Bill Pytlovany issued a maintenance release version of WinPatrol 10. Unless you have had the problems addressed, updating to 10.0.5 is not required.

  • WinPatrol registry functions enhanced to handle over-zealous registry cleaners.
Improper use of Registry Cleaners can cause Scotty to repeatedly ask permission for system changes.
  • Build Tools updated to Microsoft Visual Studio 2005.
In theory, this shouldn't break anything. Adds a few KB to the program size but so far benchmarks indicate faster performance.
  • PLUS Tab Search available on Free versions to support future promotions.
When you click on the PLUS tab there's an input box that allows you to search on any program name. This is now displayed on Free versions so it will be available in the future.
  • Our alternate Installshield Setup program is now used as our default setup. This version is slightly larger than our original default setup but is more compatible with newer systems.
Product Info: WinPatrol 10
Direct Download: Download WinPatrol 10.0.5

If you don't have WinPatrol on your computer, check out the great features here. You won't be sorry you have Scotty on Patrol!

New Anti-Phishing Tool by TippingPoint

No, I don't need a spell-checker. Phishing is pronounced the same as "fishing" and could be compared to the common American usage of "fishing for information", but on a much more dangerous level. People deceived by phishing scams provide personal and financial information, including credit card details, Social Security numbers, bank account numbers, PINs, etc.

Both soon-to-be-released popular browsers, IE7 and Firefox 2, have anti-phishing filters included in the new versions. Knowing about and avoiding phishing scams is one thing, but not all computer users will be able to update to IE7. Besides, it is much better to report phishing scams and have the sites taken down. This is precisely what CastleCops and Sunbelt Software have been doing with the Phishing Incident Reporting and Termination (PIRT) anti-phishing community since it was formed in March. As Paul and Alex explained in the original Press Release:
"The reason this group was formed is to give consumers direct access to a dedicated task force that will take immediate and aggressive action to shutting down phishing sites," said Paul Laudanski, president of CastleCops.

"While there is a very active professional security community performing outstanding research and forensics on phishing sites, it's our experience that many of these phishing sites themselves aren't immediately reported to the ISP, or in the case of compromised sites, to the domain owner. This effort adds one more layer to the fight against phishing, making it increasingly more difficult for the criminals to perpetrate their scams on innocent users," said Alex Eckelberry, president of Sunbelt Software.
Where is all that taking me and how does it relate to the title of this post? We are right back to the necessity to take the phishing sites down. With the creation of Monkeyspaw, TippingPoint, a division of 3Com, has taken anti-phishing a step further than identification. In addition to checking Web sites for legitimacy, Monkeyspaw reports fraudulent sites. As Business Wire reports:

". . . Monkeyspaw checks Web sites for legitimacy and reports fraudulent sites. TippingPoint is contributing Monkeyspaw to the public to help investigators analyze and report phishing and other malicious Web sites, said Tod Beardsley, Monkeyspaw creator and lead counter-fraud engineer at TippingPoint. By enabling security professionals and end users to easily validate Web sites and report fraudulent sites, we hope to make the Web a safer place.
Monkeyspaw is unique in that it works with other open source tools like Mozilla's Firefox, an open source Web browser. Monkeyspaw is used to determine the owner of a particular web server, collect web server configuration information, determine the location of the site, and finally, report fraudulent sites to nearly 50 international organizations through CastleCops. CastleCops reports malicious activity directly to groups including the Federal Bureau of Investigation, Anti-Phishing Working Group, Korea Information Security Agency, and the Australian Computer Emergency Response Team. For a full list of organizations that are notified regarding phishing sites, please visit: http://www.castlecops.com/pirt."

Thursday 26 December 2013

After all the Microsoft/Linux Hoopla . . .


I must say that, after all the recent postings about Microsoft asserting their patent portfolio, I found the report at Bink.nu on the "Total Cost of Ownership" (TCO) being lower with Microsoft servers than with Linux servers.

"Many total cost of ownership (TCO) studies have reaffirmed that TCO of a large enterprise infrastructure based on Microsoft® Windows Server™ 2003 is lower than one based on Linux. But what about TCO in a Web hosting environment? Few rigorous studies have examined the economics of ownership among service providers. To understand TCO in a shared hosting environment and to understand what service providers could do to lower the TCO of Windows–based hosted services even more, Microsoft offered to perform an in-depth TCO study at Hostbasket, one of the leading hosting service providers in Europe. The results of the analysis showed that the TCO of Windows–based shared services can be as much as 55 percent lower than the TCO of analogous services offered on Fedora Core. Moreover, the study revealed how service providers can lower the TCO of their Windows–based offerings even more."
Take a look at the chart reproduced at Bink.nu and see the difference, particularly with .NET Framework 2.0 SQL Server 2005. Go, MS!

The Vista Defrag Controversy


Ok, so it isn't much of a controversy, but it will be missed. What's that? I am referring to the display shown when using the Windows Defrag.
Thinking back to the days of Windows 95, an operating system that definitely benefited from the occasional defrag process, it was mesmerizing watching the squares fill across the screen as the system was defragmented. With a Win95 system, the best way to get a real benefit from the process was to close all programs and, with everything else closed, what else was there to do but watch the colorful process?
Although I soon realized that it was not necessary to watch the process, which could take a considerable amount of time in Win95, the display will be missed by others, as evidenced by the comments in Ed Bott's "Adios, Defrag display" and Robert McLaws' discussion in "Vista's Powerless Power Users: Someone Neutered My Defrag!"
For the Microsoft explanation, see the Disk Defragmenter FAQ.
Personally, I have been using Diskeeper for too many years now to be concerned about the loss of the display in Vista.

Microsoft.com, A New Look


Have you seen the prototype for the new Microsoft.com? It isn't final yet, but it is an obvious improvement. These are the issues Microsoft web designers are currently aware of:
Known Issues:
  • Throughout the user interface we are still working on “fit and finish” adjustments that will improve the look and feel of the pages.
  • On the home page the spaces between lines of text are wider than they should be. These will be tightened up before the final release of the page.
  • If you are running Internet Explorer 6 and are in high contrast mode, some typefaces appear larger than they should.
  • When text size is set to Largest in Internet Explorer, parts of the page layout become broken, and content at the bottom of the page may not be viewable.
  • When your browser is in high contrast mode, the container that displays secondary navigation links has a transparent background, which makes the thumbnail graphics and links difficult to see. The container should have an opaque background that makes the graphics and links stand out clearly.
  • The container that displays secondary navigation links does not scroll with you as you move down a page, as it should.
  • When you reduce the size of your browser window, the container that displays secondary navigation links does not adjust itself accordingly as it should. As a result you may need to scroll to view all links.
With those issues aside, I think you will appreciate the updated look and feel of the new home page. Interestingly, displaying the current home page in side-by-side tabs in IE7, the Zune image doesn't display on the old page on my computer yet is beautifully displayed on the new page.
I like the cleaner, less cluttered look and hope the final transformation takes place soon.

Microsoft removes IE7 for Windows XP from WSUS

Fortunately, it is a long holiday weekend in the U.S., so administrators who recently downloaded IE7 for their network via WSUS from the IE7.0 update rollup package released on 21 November 2006 have time to adjust.

From the report at Bink.nu, the problem with the 21 November 2006 package is an error dialog in Spanish appearing after installation.
A replacement update rollup package will be available for synchronization early next week. For a work-around if this update has been scheduled for installation or via Automatic Update (AU), see the instructions at Bink.nu.

Microsoft Goes After Phishers



At a European Union conference on identity theft in Brussels, Microsoft announced that it is helping law enforcers hunt down phishers and has initiated 129 lawsuits in Europe and the Middle East. According to ITWire.com:
Microsoft has involved itself because all of the 129 cases use either phony Hotmail or MSN.com pages to trick users into handing over their private information.
That would make sense, since both Hotmail and MSN.com are Microsoft entities. Reuters provides much greater detail in Microsoft brings 129 lawsuits against phishers, further explaining:
"Microsoft can initiate civil lawsuits even when it is not the target of identity theft, because legal systems in many countries allow anyone suffering from attacks to claim damages.
"There are damages to our ability to conduct business. There are damages to our trust with the consumer," Anderson said.
The U.S. company has an investigative team at its headquarters in Redmond, Washington, which uses Web-crawling software and customer complaints to find out where attacks are taking place. Old-fashioned investigative techniques are then used to discover the identity of the phishers.
Before legal action was taken, 253 cases were investigated. Most of the investigations and 50 of the criminal complaints were filed in Turkey. Germany was second with 28 criminal complaints and France third with 11."
That helps, but considering the true number of phishes, it is rather "small potatoes". It certainly raises the question as to why the banks and other targets of phishers are not doing more, considering that it is their customers who are the targets. The volunteers of the CastleCops PIRT Squad are also working diligently to terminate active phishes. To view a PowerPoint presentation with 150+ slides discussing phishing, Rock Phish and how the volunteers of the CastleCops PIRT Squad tackle them, download Pirt.ppt. (The presentation also includes slides about CastleCops and CastleCops services.)
Microsoft has a website devoted to anti-phishing. After submitting any "phishing emails" you receive to pirt@castlecops.com, learn more about the Anti-Phishing Filter in IE7 at Microsoft's Anti-Phishing Technologies website.

Are Vista and Office 2007 Aimed at Business Users?


Since I work in an office, the headline "Microsoft's latest upgrade aimed at its business users" in the Delaware Online News Journal caught my attention and so I read on:
"Bill Hartnett got accustomed to the screaming. As Microsoft Corp.'s manager of software sales to financial services companies, Hartnett used to get pelted with complaints about the security and reliability of Microsoft's products.
Hartnett speaks openly about those dark days because he's sure they're well past. He and his colleagues contend the company is about to give businesses compelling reasons to not just tolerate Microsoft, but to be thrilled with it.
The occasion is the launch of crucial upgrades to Microsoft's most widely used and most profitable products. All at once, Microsoft is releasing a new Windows operating system, known as Vista; an update of the Office "productivity" package, which includes Word, Excel, Outlook and PowerPoint; and server software that handles behind-the-scenes functions."
Mr. Hartnett and others expecting a massive run by businesses to upgrade to Vista and Office 2007 will most likely be in for a disappointment. Although I expect I would find the enhancements to Office 2007 exciting and more productive, I wonder if I will even see them installed on my office computer before I retire.
The standard operating system where I work is Windows 2000. It is only as hard drives fail that they are replaced with Windows XP. Because the majority of the staff in the area where I work have W2K (new in 2001), that is what is on my office desktop, with XP on the test box.
There are valid reasons for delays in the work place. In addition to "off-the-shelf" software programs, there are over 3000 custom applications in the company where I work. Testing each application for compatibility and making changes is a daunting challenge, particularly when those applications are tied to manufacturing and other critical processes in the work place.
Another reason for delays in upgrading is that having older computers in a large company means that more than just an upgrade is required. Rather, a complete replacement would be necessary since the older computers will just not be able to run Windows Vista. Replacing thousands of computers and operating systems can take years.
Thus, even though Windows Vista and Office 2007 may be aimed at business users, I expect it will be closer to two years after release before larger companies start the replacement process.

Microsoft's AntiSpyware Tool Removed IE


According to a report at BBSpot.com, a recently released Microsoft AntiSpyware program apparently detected Internet Explorer as spyware and removed it from users' systems. Oops!
Of course the report by BBSpot was intentionally not specific, with no indication as to whether the software was Windows Defender or the Malicious Software Removal Tool. From that alone the reader would realize it is a parody. Reading on, however, the reported quote made for a further chuckle:

"Elias Weatherbee, a Microsoft representative, said the program was "only in beta" and that "a fix was forthcoming." "It shows how powerful our AntiSpyware program is," said Weatherbee. "Not only is it able to remove spyware from the system, but also the source of most spyware. Our competitors can't match that."
A representative from Lavasoft, which sells Ad-Aware another spyware removal program, complained that Microsoft was using its monopoly and knowledge of the operating system to 'offer features that others can't match.'"
"Tough shit," said Weatherbee.
Although a joke, can you imagine a competitor complaining about Microsoft using their knowledge of the operating system that others cannot match? Seems like truth and fiction do often run hand-in-hand.
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Looking at the picture realistically -- joke aside -- the writing has been on the wall since Microsoft entered the anti-spyware detection and removal field. With real-time protection free, we may see a change in business swing away from smaller companies like Lavasoft. Customers are going to question the need to pay a license renewal fee for real-time protection such as Ad-Watch when such protection is free from other sources.

Vista Compatible Antivirus Software


Update 25 February 2007: See Vista Compatible Antivirus Software in Windows Vista Bookmarks for the most current information.


Although the list at Windows Vista RC1 Antivirus Providers is for Vista RC1, it is a starting point to determine whether the antivirus software you use on your computer is compatible with Windows Vista. Of course it is expected that most of the major companies are working hard to get to that point.
Sophos has joined the growing list of antivirus software programs that are Vista-compatible and joins Avast, shown below.
From the Sophos website in "Sophos protects Microsoft Windows Vista":
Sophos Anti-Virus for Windows 2000/XP/2003/Vista, version 6.5 includes:
  • Protection against viruses, spyware, adware and PUAs
  • Application control, which allows businesses to set their own policies regarding whether user groups are allowed to run software such as IM clients, VoIP, peer-to-peer file sharing and distributed computing projects
  • Behavioral Genotype™ Protection to guard against unknown threats
  • High performance scanning with Decision Caching
  • Central management and update features, using Enterprise Console
  • Automatic updates against the latest threats every 10 minutes
Customers using Sophos Anti-Virus for Windows 2000/XP/2003, version 6.0 will be updated to support Vista automatically, without any user intervention.
"While other security vendors aren't happy with how Vista has implemented its increased security, Sophos has been working closely with Microsoft and fully supports new functionality, such as Kernel Patch Protection (also known as PatchGuard)," said Richard Jacobs, CTO at Sophos. "Sophos Anti-Virus running on Vista provides unprecedented protection."

Here is the information on Avast:

"With the public release of RTM version of Windows Vista in November 2006, ALWIL Software anticipates massive deployment of this new platform, especially among home users. These users appreciate new features of Windows Vista such as the new Aero interface, enhanced support for mobile computing, and improved full-text search, and now, thanks to avast! antivirus, users can also be thoroughly protected against malicious threats.
Note: The minimum version of avast! Home/Professional Edition compatible with Windows Vista is 4.7.892."

Microsoft Security Tips & Talk Blog

A relatively recent addition to Microsoft activities is blogging on the various software programs and systems. I subscribe to quite a few of the MSDN blogs. Now there is a blog specifically created for the home computer user.

Security Tips & Talk provides guidance on how to protect your computer, laptop, PDA, etc. from spyware, viruses, etc. Learn about identity theft and protection from spam and phishing. Should you miss it here at Security Garden, you will also be able to keep track of Microsoft security updates. The blog is hosted by the Microsoft team that publishes the Security at Home site.

Stolen Microsoft Xbox 360s & Video Marketplace Difficulties


Unless the thieves are caught, there will be quite a supply of Microsoft Xbox 360s on the black market in England for Holiday shopping! From Express and Star:
"More than one million pounds worth of Xbox consoles have been stolen from a Lichfield depot over the last four days, it was revealed today. Police believe thieves are stealing the games machines to sell ahead of Christmas when they are in high demand. Thieves hijacked a lorry load of £750,000 worth of Xbox consoles on the A38 after it left a distribution depot in Fradley yesterday.
Police revealed today that another theft took place at the Hellmann Worldwide Logistics depot on Thursday morning when a £40,000 trailer containing £260,000 of Xbox consoles was taken.
Staffordshire Police spokesman Peter Stevens said: “They are in high demand and cost between £200 and £300."
This follows the technical difficulties experienced with the new Microsoft Video Marketplace for the favorite game machine. If you have run into similar problems, keep tabs on the official XBox Forums:

"As you know, we have been experiencing technical difficulties associated with the extremely high number of downloads from the Video Marketplace service over the past 24 hours. We understand these technical issues have resulted in a very unpleasant experience for our members, including extremely slow downloads or not receiving the content they purchased.
We’ve made progress over the past 24–hours, and the team is dedicated to fixing the issues and continues to work as fast as they can around the clock to get the service running as seamlessly as you have come to expect.
We strongly encourage all folks who have experienced an error message or did not receive a download they purchased to call customer support at 1-800-4MYXBOX."

Adobe Flash Player Update

Adobe has released updates for Adobe Flash Player for Windows, Macintosh and Linux.

The Release Notes indicate that there are no impacted deliverables in the update. Both the Flash Player and AIR updates include new functionality and important bug fixes.
With today's Windows Update, Internet Explorer 10 and 11 in Windows 8 and Windows 8.1 Preview are also updated. Windows RT must obtain the update from Windows Update.

Update Information

The newest versions are as follows:
Windows and Macintosh:  11.9.900.117
Linux: 11.2.202.310

Adobe AIR:  3.9.0.1030

Flash Player Update Instructions

Warning:  Although Adobe suggests downloading the update from the Adobe Flash Player Download Center, that link includes a pre-checked option to install Google Drive.

It is recommended that you either use the auto-update mechanism within the product when prompted, or, my preference, the direct download links.
  • Non-IE (Opera, Firefox, etc.): http://download.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_11_plugin.exe
  • Windows XP, Vista and 7:
    Flash Player for Internet Explorer 7, 8, 9, 10: http://download.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_11_active_x.exe
  • Windows 8 and 8.1:
    Flash Player for Internet Explorer 10 and 11: Microsoft updated Security Advisory 2755801. If you do not have Automatic Updates enabled, the Flash Player update can be downloaded from Microsoft Security Advisory: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer 10: July 9, 2013.
  • Flash Player Uninstaller: http://download.macromedia.com/get/flashplayer/current/support/uninstall_flash_player.exe

Notes:
  • If you use the Adobe Flash Player Download Center, be careful to uncheck any optional downloads that you do not want.  Any pre-checked option is not needed for the Flash Player update.
  • Uncheck any toolbar offered with Adobe products if not wanted.
  • If you use alternate browsers, it is necessary to install the update for both Internet Explorer as well as the update for alternate browsers.
  • The separate 32-bit and 64-bit uninstallers have been replaced with a single uninstaller.

Adobe Flash Player for Android

The latest version of Adobe Flash Player for Android is available from the Android Marketplace by browsing to it on a mobile phone.

Verify Installation

To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

Do this for each browser installed on your computer.

To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.
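Because the check has to be repeated per browser, here is an added example (not code from the original post or from Adobe) that reads the installed Flash Player version through the standard browser APIs of the time, the NPAPI plugin list for non-IE browsers and the ActiveX control for Internet Explorer, and compares it to the current versions listed above. The version table is taken from this post; the platform guess from the user agent is an assumption of this example.

```javascript
// Added example (not from the original post): verify the installed Flash
// Player version against the versions listed in this update notice.
// Run it from each browser's console, since Flash is installed per browser.

// Current versions from the post above (Windows/Macintosh vs. Linux).
var CURRENT_VERSIONS = {
  win: "11.9.900.117",
  mac: "11.9.900.117",
  linux: "11.2.202.310"
};

// Normalise a version string to an array of integers. Accepts the dotted
// form used in the notice ("11.9.900.117") and the comma form the ActiveX
// control returns ("WIN 11,9,900,117"). Returns null if no version is found.
function parseFlashVersion(text) {
  if (typeof text !== "string") return null;
  var m = text.match(/(\d+)[.,](\d+)[.,](\d+)[.,](\d+)/);
  if (m) return [+m[1], +m[2], +m[3], +m[4]];
  // Plugin description form, e.g. "Shockwave Flash 11.9 r900": the build
  // number is not exposed there, so only three components can be checked
  // and the About Flash Player page remains the authoritative check.
  m = text.match(/(\d+)\.(\d+)\s+r(\d+)/);
  if (m) return [+m[1], +m[2], +m[3]];
  return null;
}

// Lexicographic comparison over the components both versions carry: -1, 0 or 1.
function compareVersions(a, b) {
  var n = Math.min(a.length, b.length);
  for (var i = 0; i < n; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the installed version is at least the current one for the
// platform key ("win", "mac" or "linux"); false when it cannot be parsed.
function isCurrent(installed, platform) {
  var expected = parseFlashVersion(CURRENT_VERSIONS[platform]);
  var have = parseFlashVersion(installed);
  if (!have || !expected) return false;
  return compareVersions(have, expected) >= 0;
}

// Read the installed version from the browser, or null if Flash is absent.
// Non-IE browsers expose the NPAPI plugin; IE exposes the ActiveX control.
function detectInstalledVersion() {
  if (typeof navigator !== "undefined" && navigator.plugins) {
    var plugin = navigator.plugins["Shockwave Flash"];
    if (plugin && plugin.description) return plugin.description;
  }
  if (typeof ActiveXObject !== "undefined") {
    try {
      var ax = new ActiveXObject("ShockwaveFlash.ShockwaveFlash");
      return ax.GetVariable("$version"); // e.g. "WIN 11,9,900,117"
    } catch (e) { /* control not installed or blocked by the browser */ }
  }
  return null;
}

// Assumed heuristic: pick the platform key from the user agent, default "win".
function platformKey(userAgent) {
  var ua = String(userAgent || "").toLowerCase();
  if (ua.indexOf("linux") !== -1 && ua.indexOf("android") === -1) return "linux";
  if (ua.indexOf("mac") !== -1) return "mac";
  return "win";
}

// Browser entry point: report whether this browser's Flash Player is current.
function checkThisBrowser() {
  var installed = detectInstalledVersion();
  var ua = typeof navigator !== "undefined" ? navigator.userAgent : "";
  var platform = platformKey(ua);
  if (installed === null) return "Flash Player not detected in this browser";
  return isCurrent(installed, platform)
    ? "Flash Player " + installed + " is current for " + platform
    : "Flash Player " + installed + " is OUT OF DATE (expected " +
      CURRENT_VERSIONS[platform] + ")";
}
```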

Wednesday 25 December 2013

Advance Notice - Microsoft Updates for May 2007



On Tuesday, 8 May 2007, Microsoft is planning to release updates affecting Microsoft Windows, Office, Exchange, CAPICOM and BizTalk.

Of particular note, there has been no change since the update provided recently with regard to Security Advisory 935964. (See Update on Microsoft Security Advisory 935964, including consolidated list of update links.)
Security Updates
  • Two Microsoft Security Bulletins affecting Microsoft Windows. The highest Maximum Severity rating for these is Critical. These updates will require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer.
  • Three Microsoft Security Bulletins affecting Microsoft Office. The highest Maximum Severity rating for these is Critical. These updates may require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer.
  • One Microsoft Security Bulletin affecting Microsoft Exchange. The highest Maximum Severity rating for these is Critical. These updates will not require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer.
  • One Microsoft Security Bulletin affecting CAPICOM and BizTalk. The highest Maximum Severity rating for these is Critical. These updates will not require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer and the Enterprise Scan Tool.
Microsoft Windows Malicious Software Removal Tool
  • Microsoft will release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services and the Download Center.

    Note that this tool will NOT be distributed using Software Update Services (SUS).
Non-security High Priority updates on MU, WU, WSUS and SUS
  • Microsoft will release 1 NON-SECURITY High-Priority Update for Windows on Windows Update (WU) and Software Update Services (SUS).
  • Microsoft will release 6 NON-SECURITY High-Priority Updates on Microsoft Update (MU) and Windows Server Update Services (WSUS).

No Charge for Windows Genuine Advantage


I learned from fellow MVP, Donna Buenaventura, about a trojan that Symantec has identified as Trojan.Kardphisher. The Trojan is installed when the PC is restarted. A window appears that has been designed to look like the Windows Genuine Advantage (WGA) Activation Form.

There are two options presented on the form -- activate now or later. According to Symantec, it isn't possible to run Task Manager or any other applications. Choosing no results in immediate shutdown of the computer. Selecting yes presents an activation window, but not quite what is provided by Microsoft.

The trojan window requests credit card information.
Microsoft does NOT request credit card information for WGA Activation. Do not be tricked into providing credit card information. Instead, update your antivirus software and run a full system scan. If you need assistance, visit one of the ASAP Member Sites.

Security Tips To Keep You Safe While Traveling


Do you travel for business or have a family holiday approaching?
Do you plan on taking your laptop with you to complete a project?
Will you be logging in on a public computer to check your personal email?
Will you need access to your company's network?

As "The Gonz" indicates in his article, Security Tips To Keep You Safe While Traveling,
"It is easy to be complacent when traveling. And, unfortunately, there are plenty of people out there willing to take advantage of this fact. By taking a few extra moments to think about what needs to be protected, take inventory of your technology rich possessions, and take the extra time to protect your data, you will ensure a more worry-free travel experience."
See the complete article, chock full of suggestions to protect both personal and business data, at Gonzo's Garage - Computers and One-Liners: Security Tips To Keep You Safe While Traveling.