
Windows Secrets Newsletter • Issue 84 • 2006-10-12 • Circulation: over 400,000


Table of contents 
  • Top Story: MS OneCare halts flow of antivirus info
  • Hot Tips: You’ll love IE 7’s tabs or hate ’em
  • Perimeter Scan: Is Vista locking out security competitors?
  • Over the Horizon: Microsoft skips some critical IE patches
  • Patch Watch: Goodbye old friends, hello Office patches

 
Top Story

MS OneCare halts flow of antivirus info

By Woody Leonhard

When Microsoft announced it was entering the antivirus biz, the usual nattering nabobs of negativism moaned and groaned about unfair competition and unlevel playing fields.

But several recent events seem to confirm the worst: Microsoft may well be using its desktop monopoly to trump its AV competitors. What do you think?

The PowerPoint zero-day smoking gun

Before Microsoft started selling antivirus protection, the major antivirus companies (and many of the smaller ones) enjoyed more-or-less equal access to Microsoft’s top-secret AV information. When Microsoft found out about a new threat, the AV companies all heard about it at the same time. When MS figured out how certain types of malware worked, the AV companies learned about the holes quite quickly.

Then Microsoft announced that it would start competing in the antivirus arena with the product we now know as Windows Live OneCare. AV companies received assurances that the flow of information wouldn’t stop — that Microsoft wouldn’t use its special position as the provider of the operating system to take unfair advantage with their AV product.

On September 26, antivirus researchers at McAfee discovered a new zero-day PowerPoint exploit that goes by the unlikely name of CVE-2006-4694. Like so many other zero-day exploits, this nasty critter was discovered in the wild when it dropped a targeted Trojan that McAfee calls Exploit-PPT.d.

There’s just one little problem with Exploit-PPT.d. As McAfee antivirus researcher Craig Schmugar points out in his Sept. 26 blog entry, Microsoft already knew about this particular Trojan and, presumably, the zero-day exploit that delivers it. Craig shows a listing that seems to prove that Microsoft had not only identified the exploit, but had updated one of its scanners to detect the dropped Trojan three days before McAfee found it. The Microsoft scanner, dated Sept. 23, identifies the Trojan as Win32/Controlppt.X.

My friends in the antivirus community tell me that, as far as they know, Microsoft didn’t bother to mention this particular zero-day exploit, or the Trojan, to any other AV companies. Microsoft simply updated its own AV product and let its competitors pound sand.

Microsoft goes public after the fact

On Sept. 27, Microsoft finally fessed up to the zero-day hole, issuing security advisory 925984. That advisory lists not only PowerPoint 2000, 2002, and 2003 as vulnerable, as McAfee had advised, but also two versions of PowerPoint for the Mac. Take a look at the advisory and tell me if it looks like it was thrown together in the 24 hours after McAfee posted its warning.

The advisory states that Microsoft is "actively sharing information with Microsoft Security Response Alliance partners so that their detection can be up to date to detect and remove attacks."

You might believe that statement, but I doubt Craig Schmugar does.

The security advisory also says, "Microsoft has added detection to the Windows Live OneCare safety scanner for up-to-date removal of malicious software that attempts to exploit this vulnerability." Being the inquisitive cuss that I am, I decided to take a look at the safety scanner and see what I could find.

Windows Live OneCare Safety Center revisited

In the June 29 and July 13 paid issues of this newsletter, I talked about a remarkable, free, online antivirus scanner from Microsoft called the Windows Live Safety Center. My conjecture then, as now, is that the free Live Safety Center primarily exists to let Microsoft off the antitrust hook: Microsoft sticks antivirus detection updates in the (free) Live Safety Center before it updates the (paid) Windows Live OneCare. That way, when a politician or competitor claims that Microsoft has tilted the AV playing field in its favor, Microsoft can point to the Live Safety Center and say, "But we made the fix available, free, days (or hours or weeks) before we put it in Live OneCare."

When I wrote back then about Windows Live Safety Center, it was a slow, bloated, poorly-documented and nearly unknown service with one single design objective: to keep Microsoft out of court on antitrust charges. In mid-August, the folks in Redmond morphed the Live Safety Center into the "Windows Live OneCare safety scanner." (Note the lower-case "s"es.) The new incarnation presents itself as a slow, bloated, poorly-documented and nearly unknown service acting primarily as an advertising come-on to get people to sign up for the $50/year Windows Live OneCare.

See the difference?

The new Web site for the safety scanner leaves much to be desired. The "Top threats" that are listed all date back to May and June 2006. We’ve seen, ahem, a few threats since then.

When I tried to look up the Win32/Controlppt.X trojan, the one dropped by this new zero-day PowerPoint exploit, there was no match. When I searched for Win32/Controlppt, without the .X, I got 24 hits (including three duplicates). All of them advised, "This software threat is detected by the Microsoft antivirus engine. Technical details are not currently available for this threat." So I have no idea whether or not the Windows Live OneCare safety scanner actually removes the malware.

I asked Microsoft to comment on the current dismal state of Windows OneCare safety scanner affairs, and was told by a spokeswoman, "We are unable to participate in this particular opportunity at this time."

The Vista kernel lockout and beyond

Elsewhere in this issue of the Windows Secrets Newsletter, my co-contributing editor Ryan Russell (below) talks about Microsoft’s ongoing efforts to keep antivirus products out of Windows Vista’s kernel. Ryan’s observations, and particularly his conclusions, speak for themselves.

Microsoft has released a white paper called Microsoft Windows Vista: An Inflection Point for Kernel Security and 64-Bit Computing that deals with the controversy. I’ve gone over that paper, forwards and backwards. Aside from a few marketing platitudes, I didn’t see anything worthwhile.

At its core, Microsoft is stuck between a rock and a hard place. If Microsoft builds hooks into Vista’s kernel so antivirus products can get in, the bad guys will no doubt figure out a way to use the hooks. But if Microsoft lets legitimate AV companies into the kernel using, say, the method that MS employed for its own firewall, the ‘Softies will be put in the unfortunate position of gatekeepers over a potentially messy mob of programs that want to get in.

Microsoft has to provide some way for AV and firewall manufacturers to intercept traffic coming into and going out of your PC. The white paper says that will be accomplished with the “Windows Filtering Platform” — but gives no details about what that entails, or how it will work. What (or who) is going to keep the bad guys from using WFP?

Most troubling of all: the “hypervisor” situation, where a properly constructed hypervisor rootkit could run with absolutely no hope of detection. (Hypervisors use hardware virtualization to run outside the operating system: Blue Pill’s demo at the 2006 Black Hat conference took advantage of a hypervisor hole.) The white paper says, “Microsoft is actively building a hypervisor solution.” The guys in white hats are waiting with bated breath — and faint hope.

If Microsoft holds the keys, how do small companies and startups get in? And… who voted for Microsoft in the first place, eh?

Antitrust abuses or unfortunate oversights?

Many of you will look at the events I’ve described and shrug them off — a notification oversight here, a bit of sloppy Web site updating there, with an unfortunate kernel conundrum thrown in for good measure. But I, for one, am getting more and more uneasy about Microsoft leveraging its monopoly in operating systems to unfairly compete with antivirus, antispyware, antiscum, and firewall manufacturers.

It currently appears as if the US Department of Justice is going to roll over and play dead. At least, if there are any rumblings at DOJ, I certainly haven’t heard them. Whether the EU will take it lying down remains to be seen. There’s more than a little irony in the thought that the European Union may represent Americans’ best hope for consumer protection.

This much I know for sure: If you’re paying Microsoft to protect your computer, you’re part of the problem, not part of the solution.

Woody Leonhard’s Web site posts MS-DEFCON reliability ratings for Microsoft patches. His recent books include Windows XP Hacks & Mods For Dummies.

 
Hot Tips

You’ll love IE 7’s tabs or hate ’em

By Brian Livingston

Microsoft’s updated browser, Internet Explorer 7.0, is about to go gold, and the debate about its behavior is just beginning.

Besides IE 7, this week I have readers’ comments on Spy Sweeper, NetChk Protect, AVG Antivirus, and how to speed up browsing in the beta of Windows Vista.


How to configure IE 7’s tabbed browsing

My lead article in the free section of the Sept. 28 newsletter, "Readers reveal the secrets of IE 7," reported several reactions to Microsoft’s beta version of its browser. Great minds will differ on whether some of IE’s new features are a benefit or a headache. Reader Peyton Moore writes in response:
  • “Stephen Wolper commented that the tabbed browsing increases the likelihood that you will close all your windows. He then complains that the warning box helping to keep him from doing that is annoying.

    “Tabbed browsing is probably a personal preference issue. I find it much more efficient, but his main complaints of tabbed browsing in general — or the warning message — can both be disabled in the tabbed browsing settings. [See Figure 1.]

    Figure 1. How to turn IE 7’s tabbed browsing and warning windows on and off.

    “It seems a little irresponsible for you to print these types of comments in your newsletter, as readers who have not dealt with the beta might take this as solid information.

    “As a software developer, I have installed every version of the IE 7 beta. I have found the last two (B3 and RC1) to be very stable. Yes, there are some formatting issues on Web sites (mostly those that used IE 6-specific code to begin with). There are also issues with use on some Web sites — like secure financial sites, which require specific versions of known browsers. Those types of problems are to be expected with unreleased software.”

As regular readers know, I recommend not installing beta software on PCs that you depend on. Use a sacrificial machine that you can wipe clean if you don’t like the results, and that goes for the beta of IE 7 as well. Fortunately, the gold version of IE 7 is expected to be released within days, and hopefully many of the remaining known issues will have gone away by then. See Susan Bradley’s column, below, for more on IE 7.

Advanced issues with Spy Sweeper and NetChk

Just to prove that there is no Windows software that doesn’t have issues with one configuration or another, two of the utilities that appear in the Security Baseline are reported to have conflicts with various other applications. Reader Clark Lewis writes:
  • “Since you have recommended Spy Sweeper and NetChk Protect in your Windows Secrets Newsletter for the past few months, I thought you might be interested in a user’s experience. I have been using both since you first recommended them, so I hope you will consider my comments accordingly.



 
Perimeter Scan

Is Vista locking out security competitors?

By Ryan Russell

Security vendors are complaining about what they call anticompetitive features coming up in Vista. Are their complaints valid, or are they simply worried about competition?

I also have additional advice for those of you who are still experiencing Java install troubles.


Security companies question Microsoft’s intentions

If you’ve been reading the tech news lately, or even the Financial Times, you may have picked up rumblings from a number of security vendors. The first complaint I was aware of was on Alex Eckelberry’s blog in June. The seed of the complaint from the Sunbelt Software executive is that Microsoft is now making a big entry into the security business in ways it hasn’t before.

Another vocal critic is Symantec, which publicly claimed that Vista keeps out its product while giving privileged access to Windows Defender.

What else has Symantec been up to? In May, the company sued Microsoft, claiming breach of contract over backup software. I think it’s safe to say that Symantec is keeping a close eye on Vista.

The most recent complaints are from McAfee, which made the same claim as Symantec: McAfee’s software doesn’t get to play in the kernel, but Microsoft’s does.



 
Over the Horizon

Microsoft skips some critical IE patches

By Chris Mosby

The "squeaky wheel gets the grease" seems to be Microsoft’s motto lately, as several patches for Internet Explorer (and components used by IE) were released out-of-cycle last month and on this week’s Patch Tuesday.

Meanwhile, flaws in IE that are equally severe — but were getting less media attention — were left unpatched.


Serious IE ActiveX flaw left unpatched

The so-called SetSlice vulnerability, which was reported to be actively exploited via Internet Explorer, was patched this week with Microsoft’s release of MS06-057. But another IE flaw, which is just as severe, was ignored, perhaps because it wasn’t causing the Redmond company as much trouble.

On Sept. 14, Microsoft released security advisory 925444 to warn customers about a flaw in its DirectAnimation Path ActiveX Control. This advisory stated:

  • “Microsoft is investigating new public reports of vulnerability in Microsoft Internet Explorer on Windows 2000 Service Pack 4, on Windows XP Service Pack 1, and on Windows XP Service Pack 2. Customers who are running Windows Server 2003 and Windows Server 2003 Service Pack 1 in their default configurations, with the Enhanced Security Configuration turned on, are not affected. We are also aware of proof of concept code published publicly and we are aware of limited attacks that are attempting to use the reported vulnerability. Customers would need to visit an attacker’s Web site to be at risk. We will continue to investigate these public reports.

    “The ActiveX control is the Microsoft DirectAnimation Path ActiveX control, which is included in Daxctle.ocx.

    “Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. A security update will be released through our monthly release process or an out-of-cycle security update will be provided, depending on customer needs.”

Apparently the “limited attacks,” as they were called, were treated as just that. On Sept. 19, Microsoft released a different security advisory, 926043, involving a flaw in how IE handles VML (Vector Markup Language). This hole was already being exploited in a more widespread fashion. After that, not much more was heard from Microsoft on the issue. The company did update the advisory on Sept. 27, one day after an out-of-cycle patch for the VML flaw was released.



 
Patch Watch

Goodbye old friends, hello Office patches

By Susan Bradley

This month, we say a fond farewell to MS support for Windows XP SP1, pay tribute to Ray Noorda, and get ready for IE 7.

We also find that the servers at Microsoft Update have taken a page out of Woody Leonhard’s "you should wait to patch" handbook and decided to make you do just that.


Microsoft support ends for XP SP1

Before I begin my normal patch analysis, let me just remind you that this month marks the end of support for our dear old friend XP Service Pack 1 (SP1). Only XP SP2 will be patched in the future.

I’d also like to take a moment to pay tribute to a gentleman who converted my business from “sneaker net.” That’s when we used to share files around the office by placing them on floppy diskettes. Ray Noorda, who made Novell into a powerhouse back then, passed away recently, as reported by VnuNet. While Novell isn’t the networking player it used to be, we all should pay homage to the man who did more to start us on the road of networking than anyone else — yes, even more than Bill Gates has done. For many of us, it was Novell that first awakened us to the power of networking.

MS06-057 (923191)
One IE zero-day threat patched, one not

I was expecting to tell you about two critical IE patches, MS06-057 (923191) and another related IE/ActiveX patch. But we ended up getting only one of the issues patched.

The patch we didn’t get was for the DirectAnimation Path ActiveX flaw, which was disclosed by Microsoft in security advisory 925444. What we did get was a patch for the so-called WebView hole. Both problems involve ActiveX issues on Internet Explorer.

For workstations, I strongly recommend that you apply MS06-057 extremely quickly. This vulnerability is being used on Web sites in the wild. The recommended mitigation techniques — setting “kill bits” — can cause visual issues on certain Windows Explorer pages.

For the DirectAnimation ActiveX issue, until it’s patched, consider the GPO kill-bits mitigation technique discussed in Dr. Jesper Johansson’s blog. I recommend deploying this mitigation as soon as you can; I’ve seen no major issues with it so far. Also see Chris Mosby’s comments, above.
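For readers who manage machines outside a domain, here is a local-script equivalent of the kill-bit mitigation. It is an added example written for this page, not code from the newsletter, from Microsoft or from Johansson’s blog; it assumes an elevated PowerShell session, and the CLSID in it is a placeholder that must be replaced with the one given in Microsoft’s advisory for the DirectAnimation Path control.

```powershell
# Added example (not from the newsletter, Microsoft or Jesper Johansson's blog):
# a local-script equivalent of the kill-bit mitigation for an ActiveX control.
# IE refuses to instantiate a control whose CLSID key under "ActiveX Compatibility"
# has bit 0x400 set in its "Compatibility Flags" DWORD; that location and flag are
# Microsoft's documented kill-bit mechanism. Run from an elevated prompt.
#
# The CLSID below is a PLACEHOLDER: take the real CLSID for the DirectAnimation
# Path control (Daxctle.ocx) from Microsoft's advisory before using this.
$KillBit = 0x400
$BaseKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
    # On 64-bit Windows, 32-bit IE reads the WOW64-redirected hive instead.
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)
$ControlsToBlock = @{
    '{00000000-0000-0000-0000-000000000000}' = 'PLACEHOLDER: DirectAnimation Path control (Daxctle.ocx)'
}

function Get-CompatibilityFlags {
    # Returns the current flags DWORD for a CLSID, or 0 if the key or value is absent.
    param([string]$BaseKey, [string]$Clsid)
    $key = Join-Path $BaseKey $Clsid
    if (-not (Test-Path $key)) { return 0 }
    $item = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.'Compatibility Flags'
}

function Test-KillBit {
    # True when the 0x400 bit is already present in the flags for this CLSID.
    param([string]$BaseKey, [string]$Clsid)
    ((Get-CompatibilityFlags $BaseKey $Clsid) -band $KillBit) -ne 0
}

function Set-KillBit {
    # OR the kill bit into whatever flags are already present instead of overwriting them.
    param([string]$BaseKey, [string]$Clsid)
    $key = Join-Path $BaseKey $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $flags = (Get-CompatibilityFlags $BaseKey $Clsid) -bor $KillBit
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $flags -Type DWord
}

foreach ($clsid in $ControlsToBlock.Keys) {
    foreach ($base in $BaseKeys) {
        # The Wow6432Node hive does not exist on 32-bit Windows; skip it there.
        if (-not (Test-Path $base)) { continue }
        if (Test-KillBit $base $clsid) {
            Write-Host "kill bit already set: $clsid in $base"
        } else {
            Set-KillBit $base $clsid
            Write-Host "kill bit set: $clsid ($($ControlsToBlock[$clsid])) in $base"
        }
    }
}

# Audit pass: report the final flags so the result can be verified, or checked
# again later after Group Policy has applied the same setting.
foreach ($clsid in $ControlsToBlock.Keys) {
    foreach ($base in $BaseKeys) {
        if (Test-Path $base) {
            $flags = Get-CompatibilityFlags $base $clsid
            '{0}  {1}  flags=0x{2:X8}  killbit={3}' -f $base, $clsid, $flags, (Test-KillBit $base $clsid)
        }
    }
}
```

The kill bit takes effect for newly started IE instances; the audit pass is also a convenient way to confirm that a GPO-deployed setting has actually landed on a given machine.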

MS06-058 (924163)
Death by PowerPoint revisited

MS06-058 (924163) patches another vulnerability that has been used in some targeted attacks. A paranoid network administrator could try to work around this hole by blocking PowerPoint files from being received via e-mail. But there is still the risk of PowerPoint files being opened from the Web.

If you and your users have the ability to surf the Web, open up or download any files, it would be wise for you to deploy MS06-058 quickly.



YOUR SUBSCRIPTION

The Windows Secrets Newsletter is published weekly on the 1st through 4th Thursdays of each month, plus occasional news updates. We skip an issue on the 5th Thursday of any month, the week of Thanksgiving, and the last two weeks of August and December. Windows Secrets is a continuation of four merged publications: Brian's Buzz on Windows and Woody's Windows Watch in 2004, the LangaList in 2006, and the Support Alert Newsletter in 2008.

Publisher: WindowsSecrets.com, 1218 Third Ave., Suite 1515, Seattle, WA 98101 USA. Vendors, please send no unsolicited packages to this address (readers' letters are fine).

Editor in chief: Tracey Capen. Senior editors: Fred Langa, Woody Leonhard. Copyeditor: Roberta Scholz. Program director: Tony Johnston. Contributing editors: Yardena Arar, Susan Bradley, Scott Dunn, Michael Lasky, Scott Mace, Ryan Russell, Lincoln Spector, Robert Vamosi, Becky Waring. Product manager: Andy Boyd. Advertising director: Eric Gilley.

Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. The Windows Secrets series of books is published by Wiley Publishing Inc. The Windows Secrets Newsletter, WindowsSecrets.com, Support Alert, LangaList, LangaList Plus, WinFind, Security Baseline, Patch Watch, Perimeter Scan, Wacky Web Week, the Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of WindowsSecrets.com. All other marks are the trademarks or service marks of their respective owners.

Copyright © 2012 by WindowsSecrets.com. All rights reserved.
