Blog Archives

Easy Cracking of Microsoft Crypto

Another day, another set of cracking tools.

Cryptography specialist Moxie Marlinspike released tools at Defcon today for easily cracking passwords in wireless and virtual private networks that use a popular encryption protocol based on an algorithm from Microsoft called MS-CHAPv2, news that will no doubt worry many a network administrator.

The tools crack WPA2 Wi-Fi Protected Access and VPN passwords used by corporations and organizations running networks that are protected by the PPTP Point-to-Point Tunneling Protocol, which uses MS-CHAPv2 for authentication.

ChapCrack captures the MS-CHAPv2 handshakes, or SSL Secure Sockets Layer negotiation communications, and converts them to a token that can be submitted to CloudCracker.

It takes less than a day for the service to return results in the form of another token that is plugged back into ChapCrack where the DES Data Encryption Standard keys are cracked. With that data, someone can see all of the information traveling across the Wi-Fi network, including sensitive corporate e-mails and passwords, and use passwords that were revealed to log in to corporate networks.

The tools are designed for penetration testers and network auditors to use to check the security of their WPA2 protected networks and VPNs, but they may well be used by people who want to steal data and get unauthorized access to networks.

Source: Tools boast easy cracking of Microsoft crypto for businesses | Security & Privacy – CNET News.

Yet another reason for businesses that haven’t done so yet to move beyond PPTP and Windows XP.

Flame malware incident causes Microsoft to revamp Windows encryption keys

Granted it’s reactive instead of proactive but looks like a good move by Microsoft.

Starting next month, updated Windows operating systems will reject encryption keys smaller than 1,024 bits, which could cause problems for customer applications accessing websites and email platforms that use the keys.

The cryptographic policy change is part of Microsoft’s response to security weaknesses that came to light after Windows Update became an unwitting party to Flame Malware attacks, and affects Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 operating systems, according to the Windows PKI blog written by Kurt L. Hudson, a senior technical writer for the company.

“To prepare for this update, you should determine whether your organization is currently using keys less than 1,024 bits,” Hudson writes. “If it is, then you should take steps to update your cryptographic settings such that keys under 1,024 bits are not in use.”

Source: Microsoft to revamp Windows encryption keys in face of Flame malware | Microsoft Windows – InfoWorld.
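
One way to carry out the check Hudson describes on a single Windows machine, as an added example that is not from the original post or from Microsoft: it walks the local certificate stores and lists every certificate whose RSA public key is shorter than 1,024 bits. It assumes PowerShell 5.1 or later with .NET Framework 4.6+, and it only sees certificates in the local stores, not keys held by applications elsewhere.

```powershell
# Added example: inventory certificates with RSA public keys under 1,024 bits.
$minBits = 1024   # threshold stated in the quoted Microsoft guidance

$weak = Get-ChildItem -Path Cert:\ -Recurse |
    # The Cert: drive also returns store and location containers; keep certificates only.
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
    ForEach-Object {
        $cert = $_
        try {
            # Returns $null for non-RSA certificates (for example ECDSA).
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        } catch {
            $rsa = $null   # malformed or unsupported key: skip rather than abort the scan
        }

        if ($rsa -and $rsa.KeySize -lt $minBits) {
            [pscustomobject]@{
                Store      = $cert.PSParentPath -replace '^.*::', ''   # e.g. LocalMachine\Root
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                KeyBits    = $rsa.KeySize
                NotAfter   = $cert.NotAfter
            }
        }
    }

if ($weak) {
    $weak | Sort-Object KeyBits, Store | Format-Table -AutoSize
} else {
    Write-Output "No RSA certificates under $minBits bits found in the local stores."
}
```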

Windows 8 Pro Upgrade: Your FAQs Answered

Looks like Microsoft is making a big push to get users to upgrade later this year.

When Windows 8 launches later this year you’ll be able to upgrade to the pro version of Microsoft’s newest desktop OS for just $40 for a limited time. The deal will apply to a broad base of current Windows users including those running Windows XP, Vista and Windows 7. Microsoft had a similar offer during the launch of Windows 7 but this one is cheaper than its predecessor. (Windows 7 upgrades ranged from $50-$100 at launch.)

Another big difference between the Windows 7 and Windows 8 upgrade deals is that you get the pro version instead of the base version of Windows 8. And if you’re a Windows Media Center fan, Microsoft’s Windows 8 upgrade deal will let you download the entertainment center program for free (more on that later).

If you plan on upgrading to Windows 8, here’s what you need to know about Microsoft’s limited-time upgrade deal.

Source: Windows 8 Pro Upgrade: Your FAQs Answered CIO.com.

Report: Full Upgrades to Windows 8 Only From Windows 7

Some beneficial information if you’re planning to upgrade to Windows 8.

Microsoft has not yet set a release date for Windows 8, but most analysts expect it to go on sale this fall, most likely in October.

The upgrade paths that Foley’s sources spelled out were the same that Microsoft revealed in February when it released Windows 8 Consumer Preview, the first public beta.

Microsoft said then that only Windows 7 PCs are eligible for a full upgrade to Windows 8, one that retains applications, data files, user accounts and Windows settings.

Windows Vista and Windows XP machines can be upgraded to Windows 8 — assuming the hardware meets the system requirements of the new OS — but cannot bring along all the bits. Vista users who upgrade will retain user accounts and files, as well as Windows settings, but not already-installed applications. XP-to-Windows 8 upgrades preserve the least amount in a move: User accounts and files only.

Read the rest:  Report: Full Upgrades to Windows 8 Only From Windows 7 CIO.com.

Critical Windows bugs to be patched next week

Microsoft today announced it would release just two security updates next week to patch three vulnerabilities in Windows.

One of the two was tagged with the “critical” label, Microsoft’s highest threat ranking, while the other was marked “important.” Microsoft typically assigns a critical rating to vulnerabilities that can be exploited with little or no action on the part of a user.

Both updates will patch flaws in Windows.

What Microsoft pegged as “Bulletin 1” in the advance notification it published today will affect only Windows Vista, while “Bulletin 2” will affect all still-supported versions of the OS, with the client editions — XP, Vista and Windows 7 — labeled critical and the server software rated important.

“The Vista one is confusing,” said Andrew Storms, director of security operations at nCircle Security. “It’s either something introduced in Vista but doesn’t exist in Windows 7, or the component was rewritten for Windows 7.”

Storms speculated that the flaw might be in a part of operating system that’s little used, such as the task scheduler.

As for Bulletin 2, Microsoft’s bare bones write-up — typical of its advance warnings prior to Patch Tuesday — also doesn’t offer many clues.

“It’s critical in all the desktop clients and important in the server, and consistent in the whole stack,” said Storms, talking about Microsoft’s threat ratings. “The difference in the criticality is confusing, and Microsoft’s not giving us much to go on.”

The bug(s) patched by Bulletin 2 are most likely in an operating system DLL (dynamic-link library), said Storms, perhaps a driver or database connector, that’s crucial to the OS. (Source: ComputerWorld)

Go to the source to learn about two known vulnerabilities that will not be patched next Tuesday.

Widespread attacks against IE flaw

If you haven’t applied the patch yet, beware. If you’re still using IE 6, upgrade.

The first widespread attack to leverage a recently patched flaw in Microsoft‘s Internet Explorer browser has surfaced.

Starting late Wednesday, researchers at antivirus vendor Symantec‘s Security Response group began spotting dozens of Web sites that contain the Internet Explorer attack, which works reliably on the IE 6 browser, running on Windows XP. The attack installs a Trojan horse program that is able to bypass some security products and then give hackers access to the system, said Joshua Talbot, a security intelligence manager with Symantec.

Once it has infected a PC, the Trojan sends a notification e-mail to the attackers, using a U.S.-based, free e-mail service that Symantec declined to name.

As of midday Thursday, Symantec had spotted hundreds of Web sites that hosted the attack code, typically on free Web-hosting services or domains that the attackers had registered themselves.

The IE flaw being leveraged in these attacks was also used to hack into Google‘s corporate network last December. It has been linked to similar incidents at Adobe Systems and 33 other companies. Microsoft patched the vulnerability in an emergency security update Thursday morning.

The Google attack hit IE 6 on Windows XP, but over the past week hackers have found ways to exploit the flaw on more recent versions of the browser as well. These latest techniques do not appear to be used on the Web sites Symantec has uncovered. They use the IE 6 exploit code, Talbot said.

Still, with IE 6 still being widely used, the move to more widespread attacks is worrying. “It may be an indication that attackers have finally ramped up their attack toolkits and are now ready to launch widespread attacks,” Talbot said.

Phishing is being used to gain victims.

He believes that the criminals are tricking victims into visiting their Web sites by sending spam e-mail or instant messages with links to sites.

On Thursday, Websense published some sample e-mails used in targeted attacks that exploit the IE bug. A typical subject line is “Helping You Serve Your Customers.” The e-mail reads, “I just heard the news: Helping you serve your customers” and includes a link to the malicious Web site.

The e-mails contain spoofed e-mail addresses, designed to fool victims into thinking that they were sent by a colleague. The malicious Trojan used in the attack is not the same one that was used in the Google attack, however.

Websense has seen these e-mails sent to targeted companies in the U.S. and the U.K., said Patrik Runald, a security research manager with Websense. “These attacks are actually continuing; they happened today; they happened yesterday and they happened the day before.”

However, Websense believes that the e-mails it has tracked are part of a small-scale targeted attack, similar to those used on Google and Adobe in attacks that are ongoing. Websense has counted only about 25 malicious Web sites to date, but the number is rising fast, Runald said. (Source: InfoWorld)

You may have had problems …

installing Windows 7 if you got it through a promotion.

College students who took advantage of a “deal too sweet to pass up” have run into a bit of trouble.

The $29 electronic version of Windows 7 Home Edition sold for Microsoft (MFST) through Digital River (DRIV) doesn’t seem to install properly on some 32-bit Vista machines.

Apparently the download files weren’t properly packaged and when some users tried to “unload the box” they got an error that read:

“We are unable to create or save new files in the folder in which this application was downloaded”

If you were one of the unlucky ones there is a fix available that can be found here.

Kudos to Microsoft for acknowledging there was an issue.  Kudos as well for a fix being provided, though some would claim the fix is difficult.

Microsoft acknowledged the problem Thursday evening and by Friday was reportedly offering refunds. Meanwhile, however, Microsoft technicians are pointing users to a five-step Download Squad workaround (pasted below the fold) that might be enough to send students screaming to the nearest Apple Store. (Source: Windows 7 student upgrade hell – Fortune Brainstorm Tech)

But in all seriousness making an ISO really isn’t that hard.  Unless you’re Microsoft apparently.

PC demand strong …

in advance of Windows 7 release.

People are snapping up new desktop and laptop PCs long before the launch of Windows 7, a sign of strong demand in the market, analysts say.

Demand for PCs improved in July and August, which is “something special, because the expectation was that many people would delay purchases until after Windows 7 came out in October,” said Manish Nigam, head of technology research in Asia for Credit Suisse, at a technology conference in Taipei.

Microsoft marketing in advance of the release may have played a role.

Consumers often wait until after the launch of a major new operating system to buy a new PC for fear of having to pay for the upgrade and to avoid the hassle of loading the new software themselves. This time, strong marketing for free or discounted Windows 7 upgrades for new PC buyers ahead of the official launch of the OS on Oct. 22 appears to have worked.

The advertising blitz for Windows 7 “will be a major positive for the PC industry,” iSuppli said.

Hype for the new OS, which won solid reviews from many people who tested it, and lower prices for PCs are already drawing buyers.

The big question – when will corporations get back into the game?

The big question mark for the PC industry is when corporations, which account for nearly 60 percent of PC shipments, will start replacing aging fleets of computers.

Executives in charge of replacing PCs are more finicky about major OS upgrades than consumers. Decisions they make about new software will affect thousands of computers that they have to maintain. Many are also mindful of how unpopular Microsoft’s last OS, Windows Vista, was. The OS launched in early 2007 to great fanfare that quickly turned to disappointment. Customers complained about a number of issues, from clunky performance to missing hardware drivers. Some people even opted to downgrade back to Windows XP.

The problems Vista faced make the transition to Windows 7 potentially slower among corporate users. Analysts expect them to wait until Windows 7 has been on the market for at least several months and Service Pack 1 has been published before adopting the new OS.

That means PC purchases by corporations probably won’t begin until the middle of next year.

Which could mean of all things a possible PC shortage and/or higher prices.

Credit Suisse’s Nigam believes U.S. corporations may lead the rebound in PC buying next year, noting capital spending hit its lowest level in years at the depths of the financial crisis, even worse than after the dotcom bust.

The investment bank forecasts a 12 percent increase in corporate PC purchases next year based on surveys with corporate IT managers. Such an increase would likely make PC vendors happy, but it could hurt consumers through potentially higher PC prices, considering the shortages already hitting some PC parts. (Source: PC demand takes off ahead of Windows 7 – The Industry Standard)

Either way this is positive news for the IT market.

Fixing security vulnerabilities

First it was Microsoft Patch Tuesday yesterday with Microsoft addressing a record 31 vulnerabilities.

Microsoft has released 10 security updates fixing a record number of Patch Tuesday holes, including one for a critical hole in Internet Explorer 8 that was exploited as part of a hacking contest at CanSecWest in March.

The bulletin addresses 31 vulnerabilities. “It’s the most since Microsoft started releasing updates on a regular schedule of the second Tuesday of every month in October 2003,” a Microsoft spokesman said.

The June security Patch Tuesday bulletin resolves eight vulnerabilities in IE, the more severe of which could allow remote code execution if a user views a specially crafted Web page. The IE8 vulnerability does not affect Windows 7 RC (build 7100), but does affect Windows 7 beta.

The updates also plug two critical holes in implementations of Active Directory on Windows 2000 Server and Windows Server 2003, and Active Directory Application Mode installed on Windows XP Professional and Server 2003, the worse of which could allow an attacker to take control of a system remotely.

The security update fixes three critical vulnerabilities in Windows Print Spooler that could allow remote code execution if an affected server received a specially crafted RPC (remote procedure call) request.

Several vulnerabilities in Office Word and Excel are addressed in the update that could allow an attacker to remotely run code or take control of the machine using a specially crafted Word or Excel file. The update fixes the PowerPoint vulnerability Microsoft warned in April was being exploited in limited, targeted attacks that was fixed in the Windows version last month.

The update includes a patch for an important hole in its IIS Web server product that Microsoft reported in May.

“We didn’t see any in-the-wild exploitations of the (IIS WebDav) vulnerability but typically when Microsoft releases those alerts they’re doing it because a customer” has alerted them to an exploit, said Steve Manzuik, senior manager of security research at Juniper Networks.

Also fixed is a critical vulnerability in Microsoft Works Converters, important vulnerabilities in RPC and Windows Kernel. And Microsoft fixed a moderate vulnerability in Windows Search that could allow information disclosure if a user performs a search that returns a specially crafted file as the first result, or if the user previews a malicious file from the search results. By default, the Windows Search component is not preinstalled on Windows XP and Server 2003.

Products affected by the updates include Windows 2000, XP, XP Professional edition, Vista, Server 2003, Server 2008; Office 2000, 2003, 2007, and XP; and Microsoft Office 2004 and 2008 for the Mac.

Other affected software includes Office Excel Viewer; Office Word Viewer; Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats; Works 8.5 and 9.0; and Office SharePoint Server. (Source: Microsoft issues patches – CNET News-Security)

Second up was Adobe with its first quarterly update.

In the first of its regular security updates, Adobe on Tuesday patched several “critical” vulnerabilities it has identified in Adobe Reader 9.1.1 and Acrobat 9.1.1, and earlier.

In a security advisory, Adobe said that the vulnerabilities would cause applications to crash and potentially enable an attacker to take control of an affected system. None of the flaws are being actively exploited, according to Adobe.

The advisory said that users of Reader and Acrobat should update their products to versions 9.1.2, 8.1.6, or 7.1.3. The updates apply to Windows and Macintosh, but updates for Adobe Reader on UNIX platforms will have to wait until June 16.

Specifically, the updates address issues such as stack overflow, memory corruption and heap overflow vulnerabilities that could potentially lead to code execution. (Source: Adobe patches Reader and Acrobat for “critical vulnerabilities – SC Magazine US)

If you haven’t already done so it would be wise to apply the released patches.
