Windows Secrets Newsletter • Issue 84 • 2006-10-12 • Circulation: over 140,000
TOP STORY
MS OneCare halts flow of antivirus info

The PowerPoint zero-day smoking gun

Before Microsoft started selling antivirus protection, the major antivirus companies (and many of the smaller ones) enjoyed more-or-less equal access to Microsoft's top-secret AV information. When Microsoft found out about a new threat, the AV companies all heard about it at the same time. When MS figured out how certain types of malware worked, the AV companies learned about the holes quite quickly.

Then Microsoft announced that it would start competing in the antivirus arena with the product we now know as Windows Live OneCare. AV companies received assurances that the flow of information wouldn't stop — that Microsoft wouldn't use its special position as the provider of the operating system to take unfair advantage with its AV product.

On September 26, antivirus researchers at McAfee discovered a new zero-day PowerPoint exploit that goes by the unlikely name of CVE-2006-4694. Like so many other zero-day exploits, this nasty critter was discovered in the wild when it dropped a targeted Trojan that McAfee calls Exploit-PPT.d.

There's just one little problem with Exploit-PPT.d. As McAfee antivirus researcher Craig Shmugar points out in his Sept. 26 blog entry, Microsoft already knew about this particular Trojan and, presumably, the zero-day exploit that delivers it. Craig shows a listing that seems to prove that Microsoft had not only identified the exploit, but had updated one of its scanners to detect the dropped Trojan three days before McAfee found it. The Microsoft scanner, dated Sept. 23, identifies the Trojan as Win32/Controlppt.X.

My friends in the antivirus community tell me that, as far as they know, Microsoft didn't bother to mention this particular zero-day exploit, or the Trojan, to any other AV companies. Microsoft simply updated its own AV product and let its competitors pound sand.

Microsoft goes public after the fact

On Sept. 27, Microsoft finally fessed up to the zero-day hole, issuing security advisory 925984. That advisory not only lists PowerPoint 2000, 2002, and 2003 as being vulnerable, as McAfee had advised; it also lists two versions of PowerPoint for the Mac. Take a look at the advisory and tell me if it looks like it was thrown together in the 24 hours after McAfee posted its warning.

The advisory states that Microsoft is "actively sharing information with Microsoft Security Response Alliance partners so that their detection can be up to date to detect and remove attacks." You might believe that statement, but I doubt Craig Shmugar does.

The security advisory also says, "Microsoft has added detection to the Windows Live OneCare safety scanner for up-to-date removal of malicious software that attempts to exploit this vulnerability." Being the inquisitive cuss that I am, I decided to take a look at the safety scanner and see what I could find.

Windows Live OneCare Safety Center revisited

In the June 29 and July 13 paid issues of this newsletter, I talked about a remarkable, free, online antivirus scanner from Microsoft called the Windows Live Safety Center. My conjecture then, as now, is that the free Live Safety Center primarily exists to let Microsoft off the antitrust hook: Microsoft sticks antivirus detection updates in the (free) Live Safety Center before it updates the (paid) Windows Live OneCare. That way, when a politician or competitor claims that Microsoft has tilted the AV playing field in its favor, Microsoft can point to the Live Safety Center and say, "But we made the fix available, free, days (or hours or weeks) before we put it in Live OneCare."

When I wrote back then about Windows Live Safety Center, it was a slow, bloated, poorly-documented and nearly unknown service with one single design objective: to keep Microsoft out of court on antitrust charges. In mid-August, the folks in Redmond morphed the Live Safety Center into the "Windows Live OneCare safety scanner." (Note the lower-case "s"es.) The new incarnation presents itself as a slow, bloated, poorly-documented and nearly unknown service acting primarily as an advertising come-on to get people to sign up for the $50/year Windows Live OneCare. See the difference?

The new Web site for the safety scanner leaves much to be desired. The "Top threats" that are listed all date back to May and June 2006. We've seen, ahem, a few threats since then. When I tried to look up the Win32/Controlppt.X Trojan, the one dropped by this new zero-day PowerPoint exploit, there was no match. When I searched for Win32/Controlppt, without the .X, I got 24 hits (including three duplicates). All of them advised, "This software threat is detected by the Microsoft antivirus engine. Technical details are not currently available for this threat." So I have no idea whether or not the Windows Live OneCare safety scanner actually removes the malware.

I asked Microsoft to comment on the current dismal state of Windows OneCare safety scanner affairs, and was told by a spokeswoman, "We are unable to participate in this particular opportunity at this time."

The Vista kernel lockout and beyond

Elsewhere in this issue of the Windows Secrets Newsletter, my co-contributing editor Ryan Russell (below) talks about Microsoft's ongoing efforts to keep antivirus products out of Windows Vista's kernel. Ryan's observations, and particularly his conclusions, speak for themselves.

Microsoft has released a white paper called Microsoft Windows Vista: An Inflection Point for Kernel Security and 64-Bit Computing that deals with the controversy. I've gone over that paper, forwards and backwards. Aside from a few marketing platitudes, I didn't see anything worthwhile.

At its core, Microsoft is stuck between a rock and a hard place. If Microsoft builds hooks into Vista's kernel so antivirus products can get in, the bad guys will no doubt figure out a way to use the hooks. But if Microsoft lets legitimate AV companies into the kernel using, say, the method that MS employed for its own firewall, the 'Softies will be put in the unfortunate position of gatekeepers over a potentially messy mob of programs that want to get in.

Microsoft has to provide some way for AV and firewall manufacturers to intercept traffic coming into and going out of your PC. The white paper says that will be accomplished with the "Windows Filtering Platform" — but gives no details about what that entails, or how it will work. What (or who) is going to keep the bad guys from using WFP?

Most troubling of all: the "hypervisor" situation, where a properly constructed hypervisor rootkit could run with absolutely no hope of detection. (Hypervisors use hardware virtualization to run outside the operating system: Blue Pill's demo at the 2006 Black Hat conference took advantage of a hypervisor hole.) The white paper says, "Microsoft is actively building a hypervisor solution." The guys in white hats are waiting with bated breath — and faint hope.

If Microsoft holds the keys, how do small companies and startups get in? And... who voted for Microsoft in the first place, eh?

Antitrust abuses or unfortunate oversights?

Many of you will look at the events I've described and shrug them off — a notification oversight here, a bit of sloppy Web site updating there, with an unfortunate kernel conundrum thrown in for good measure. But I, for one, am getting more and more uneasy about Microsoft leveraging its monopoly in operating systems to unfairly compete with antivirus, antispyware, antiscum, and firewall manufacturers.

It currently appears as if the US Department of Justice is going to roll over and play dead. At least, if there are any rumblings at DOJ, I certainly haven't heard them. Whether the EU will take it lying down remains to be seen. There's more than a little irony in the thought that the European Union may represent Americans' best hope for consumer protection.

This much I know for sure: If you're paying Microsoft to protect your computer, you're part of the problem, not part of the solution.

Woody Leonhard's Web site posts MS-DEFCON reliability ratings for Microsoft patches. His recent books include Windows XP Hacks & Mods For Dummies.
THE SECURITY BASELINE
The Security Baseline as it stands

Based on the latest published findings, the best four products to give your PC comprehensive protection against hackers are (1) a Linksys hardware firewall, (2) ZoneAlarm Security Suite, (3) Webroot Spy Sweeper for antispyware protection, and (4) Shavlik NetChk Protect for update management. See details below.
HERE'S A TIP
The best stuff is in our paid version

To upgrade, simply make a contribution of any amount you choose. If you do this by Oct. 25, 2006, you'll instantly be sent the full, paid version of today's newsletter. Subscribers to the paid version receive additional information in each issue. Some of the extras this week are:

Make a contribution to support our research into Windows and you'll immediately be able to read and search through scores of valuable articles. In addition, paid subscribers are entitled to download valuable content that we license for you at least once every calendar quarter. To upgrade to the paid version of Windows Secrets, please visit our upgrade page. Thanks in advance.
USEFUL LINKS

Hundreds of ETFs are heading your way. ETFs are the fastest-growing investment vehicles in global markets today. You may not have heard much about ETFs until now — but you'll be hearing much more about them soon. (By Brian Livingston, Datamation)

How trustworthy is the TRUSTe logo? Harvard Law School graduate Ben Edelman, a respected antispyware researcher, has published an analysis disputing the trustworthiness of sites that bear the TRUSTe seal. (By Brian Livingston, Datamation)
WACKY WEB WEEK
Battle of the animated album covers
YOUR SUBSCRIPTION

The Windows Secrets Newsletter is published twice a month on alternating Thursdays. Issues appear 2 days and 16 days after Microsoft Patch Tuesday (the 2nd Tuesday of each month). Only the first issue of the month is published in August and December to allow vacation breaks. A short "news update" is sometimes published between regular newsletters.

Publisher: WindowsSecrets.com LLC, 300 Queen Anne Ave. N. #456, Seattle, WA 98109 USA. Vendors, please send no unsolicited packages to this address (readers' letters are fine).

Editor: Brian Livingston. Contributing Editors: Susan Bradley, Woody Leonhard, Chris Mosby, Ryan Russell. Research Director: Vickie Stevens. Program Director: Brent Scheffler.

Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. The Windows Secrets series of books is published by Wiley Publishing Inc. The Windows Secrets Newsletter, WindowsSecrets.com, WinFind, Windows Gizmos, Security Baseline, Patch Watch, Perimeter Scan, Wacky Web Week, the Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of WindowsSecrets.com LLC. All other marks are the trademarks or service marks of their respective owners.

HOW TO SUBSCRIBE: Anyone may subscribe to this newsletter by visiting our free signup page.

WE GUARANTEE YOUR PRIVACY: 1. We will never sell, rent, or give away your address to any outside party, ever. 2. We will never send you any unrequested e-mail, besides newsletter updates. 3. All unsubscribe requests are honored immediately, period. Privacy policy

HOW TO UNSUBSCRIBE: To unsubscribe from the Windows Secrets Newsletter,