Obligatory file photo:
Amy, you are absolutely right for many cases, especially for foreigners. I think Canada seems to have gotten stricter with Americans at about the same pace that Americans have started showing utter disrespect for all foreigners coming to this country.
On our trip, it took almost an hour to get back into the US. We couldn't get off the boat (or even out of the cabin) and had to wait for the CBP officer to show up at the dock, even though they knew exactly when we were going to be there.
I have a friend who travels on a diplomatic visa who just tried to get into the U.S. from Canada. The CBP agent on the U.S. side was just about to go rifling through his luggage when he said, I think you should look at my visa first. When shown the A-1 visa, the CBP agent said "wow, I have never seen one of those before. What does that mean?"
Steve, MSIs are tricky. You can run msiexec.exe as an admin, or use one of Aaron Margosis' excellent utilities to do it. If you have a domain you can also distribute the MSI using IntelliMirror. It would show up in Add/Remove Programs and install as a non-admin from there.
Interesting thought Dan. I am pretty sure it would violate some kind of merchant agreement for Amazon or the vendor to mark it as such, but it is obviously something the community could do through public feedback mechanisms.
I just discovered that Roxio released a version 9 of their suite. It specifies in the docs for it that it works on Vista, so maybe that version works better? I have not used it yet. We'll see.
Patrick, I am working on just that. Right now there is not as much in it as there used to be though.
Yep. Like I said, I may have been living in a hole for the past six months. :-)
Still, it is pretty cool that most of the IDE is available for free. Of course, there are command line compilers in the SDK, but it is kind of painful to use those for anything really interesting unless you have a big process around it.
Nathan, good catch. No, there is no reason. Both were written using the Security Configuration Editor. I don't know why one uses the environment variable and the other does not. I'd recommend using the environment variable though. It works on more systems, specifically non-English systems. I'll see if I can fix it today and post a new zip file.
Sorry about that confusion. I was focusing on getting the ACL right and did not look at how it specified the file name.
Steve, first off, I am not sure whether IE7 is even vulnerable to the exploit. IE7 does ship with VML support but that does not necessarily mean it is vulnerable. The code may very well have changed to stop the problem.
That said, I tested a non-malicious page that shows VML on IE7 RC1 (running on Windows Vista RC1). When you open the page, IE will not render it without an ActiveX warning dialog. It is not much as protection goes, but it is something, if IE7 were vulnerable.
The workaround works on Vista as well. However, on Vista the owner of that file is the Trusted Installer. GP should still be able to make the ACL change to it, but to make it manually you have to first take ownership of the file.
K, yes you are right. My bad. The refresh is 90 minutes if things have been changed. If not, then it takes 16 hours if memory serves me right to enforce the policies. I don't know where I got 8 hours from. I'll fix that.
Mike, I presume your error is a 1202 from SceCli? There are some troubleshooting steps in KB 324383: http://support.microsoft.com/?id=324383. See if one of those gets you going.
You can also test it by checking the ACL on %ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll. If it has the Everyone Deny:Read and Execute bits then you are fine.
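One way to script the check described above, as an added example that is not part of the original post: it reads the ACL on vgx.dll and reports whether an explicit Deny entry for Everyone covers Read and Execute, and also shows the file owner (on Vista the comments note this is TrustedInstaller). The function name and the default path built from %CommonProgramFiles% are assumptions for this example.

```powershell
# Added example (not from the original post): verify the vgx.dll ACL workaround
# by looking for a Deny ACE for Everyone that includes Read and Execute.
# Function name and default path are assumptions for this example.

function Test-VgxDenyAce {
    param(
        # Path used by the workaround: %CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll
        [string]$Path = (Join-Path $env:CommonProgramFiles 'Microsoft Shared\VGX\vgx.dll')
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; Owner = $null; DenyReadExecute = $false }
    }

    $acl         = Get-Acl -LiteralPath $Path
    $everyoneSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')   # well-known SID for Everyone
    $wanted      = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute

    # Keep only Deny entries for Everyone whose rights fully contain ReadAndExecute
    $hit = $acl.Access | Where-Object {
        $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $everyoneSid -and
        (($_.FileSystemRights -band $wanted) -eq $wanted)
    }

    [pscustomobject]@{
        Path            = $Path
        Exists          = $true
        Owner           = $acl.Owner
        DenyReadExecute = [bool]$hit
    }
}

Test-VgxDenyAce | Format-List
```

DenyReadExecute is True when the workaround is in place. Because the identity is compared by SID rather than by the localized name, the check behaves the same on non-English systems, which is the same reason the template switched to an environment variable for the path.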
Let me try to answer all the comments that came in while I was asleep:
Kimmo:
I have no idea what you are saying, but I hope it is good. Terve! :-)
Cypherbit:
The reason I remove Authenticated Users is mostly cosmetic. By default the GPMC will apply all policies to Authenticated Users. However, this policy applies to the system, not to the users. You do not need it applying every time someone logs on, only when the system boots. That is really all. There are no ill effects from leaving it there.
Jochen: Romeo answered your question just above. Sorry, I should have thought of that. Goes to show there are always ways to improve; and also that the Security Configuration Editor was not designed considering non-English systems. I wish I had some to test on, but I do not. The directory name "Microsoft Shared" is not localized is it?
I have uploaded a new archive that uses %CommonProgramFiles% instead of %ProgramFiles%.
Catching up again :-)
Jochen: thanks a lot. That confirms that at least on German versions it will work as is now.
Andy: That's great to know. That means that Microsoft must also not have tested their work-around on W2K. I bet you can use the unregistration work-around on W2K though. If I get a chance tonight I'll figure out how to add that to the GPO so you can use GP to unregister the DLL. You cannot do that by running the command, but there may be a way to make the appropriate registry changes using GP.
Doc, what is it that is not working? What steps did you take? I have the .net Framework on all my systems and the workaround was fine there.
Doc, I get it. .net 2.0 is relatively new and the GPMC probably just needs the 1.x version. .net 2.0 is not completely compatible with .net 1.x. I am not an expert on what the differences are, but I'm glad you got your problem resolved.
John, good suggestion to disable user processing. I did not think about that.
Yes, you can apply the template using secedit. That is actually how I developed it. To do that on the command line use the secedit /configure command. You can call that command from SMS too, but if you have SMS, I would suggest using the work-arounds I posted in the new post that just went up. You can actually just call that script in SMS or another EMS if you have one.
Torgeir, I tried that, but it does not seem to work for me. The %0 resolves to the full path name of the script, so let's say that is
\\domain.local\sysvol\domain.local\policies\<someguid>\machine\scripts\foo.bat
When you append \..\ to it you get something entirely wrong:
\\domain.local\sysvol\domain.local\policies\<someguid>\machine\scripts\foo.bat\..\bar.reg
The regedit tool will parse that command and try to add foo.bat to the registry, not the bar.reg file that I want.
Earl, yes, the user running this would have to have administrative rights. That is why I recommend running the script as a startup script instead of a logon script.
Steve, I think the support lifecycle for IE 7 would be the same as for IE 6? It was supported with the usual n-1 support policy where they supported it for five years. I have no evidence to support or refute that expectation, but that seems logical.
Wow! That's a totally different experience from what I had. I got no help at all from their tech support, and all the sales team did was put my name on their advertising e-mail list when I contacted them. That's very interesting that yours was so different.
Torgeir, that's the trick. I had forgotten about the ~d and ~p parameters on the argv[0] variable. Not sure how I could have forgotten those, but I did. Pitiful really...
Romeo, that script rocks! I was initially going down this route, but since it can't be enforced I stopped working on it. Very nice though. The nice part about using ADM templates is you can delete the value, which is more of a true reversal than setting it to null.
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D7A7D7C3-D47F-11D0-89D3-00A0C90833E6}]
CLASS MACHINE
CATEGORY "Microsoft\Advisory\Workaround"
  POLICY "925444"
    KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D7A7D7C3-D47F-11D0-89D3-00A0C90833E6}"
    EXPLAIN !!help
    VALUENAME "Compatibility Flags"
    VALUEON NUMERIC 1024
    VALUEOFF DELETE
  END POLICY
END CATEGORY

[strings]
help="Sets the kill bit on the Daxctle.ocx suggested by Microsoft as a workaround in their advisory. See:\nhttp://www.microsoft.com/technet/security/advisory/925444.mspx\nfor details.\n\nCaution:\nTo revert the workaround once a patch is available don't delete the policy, but just set it to disabled"
Tim, this is great info.
I am particularly disturbed by the issue about Outlook RPC/HTTPS. I'll have to dig into that.
Not being able to enforce the policies was the wrong way to say it. The difference is that settings outside of the policies nodes are "preferences." They are tattooed into the registry and cannot be easily undone. They can be enforced strictly speaking.
John, I am not sure why, but I have had sporadic errors from MS pages lately too. Usually just refreshing the page brings it up. I'm wondering if one of their server farms is missing content?
Oh, and thanks!
Actually, the script works either with or without the braces. At the beginning of the script it checks for them and removes them if they are there.
I did not think to point out that you have to be an admin to log the action since the whole script will fail if you are not an admin as you would not have the right to killbit any ActiveX controls in that case. In hindsight, I could have actually checked for that, but I did not think about it. Maybe in v.2...
Roger, I do not know what happens if you lose the COMPAT_NEVERFOCUSSABLE flag in this case. However, the fact that there may be other flags is one of the major reasons I decided to write the script the way I did.
I was actually struggling to find any documentation at all on what the Compatibility Flags were. Apparently you have found them, and now I did too:
http://windowssdk.msdn.microsoft.com/en-gb/library/ms688755.aspx. I understand that it means the control cannot receive focus, but what that means I do not get. It sounds like it simply puts up an Icon, and that might not need mouse focus I suppose.
Jonathon, that's not a bug, it's a feature! :-)
Seriously, there are no ACEs in the enableVML.inf script. It simply sets the inheritance bits and triggers inheritance propagation. That propagates the parent's permission down to the file.
Malyn and John, I took a very conservative approach to the script in that if the registry key for the particular control does not exist under the Internet Explorer\ActiveX Compatibility key then do not make any changes. That was based on the assumption that if there is no key there, the control probably was not designed to be used in IE at all, and IE may have undefined behavior if I killbit a non-existent control. As it were, I have no idea if those assumptions are correct or not. I have been unable to find any documentation on the behavior of the flags or that key at all. If anyone feels like educating me, I would appreciate it.
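An audit that follows the two rules discussed in this exchange (do not touch a control whose key is absent, and never overwrite bits other than the kill bit), as an added example that is not the script the comments refer to: it reads "Compatibility Flags" for a CLSID, reports whether 0x400 is set, and separately shows any other flags that a blind overwrite would have lost. The function name is an assumption; the CLSID is the Daxctle.ocx one from the ADM template in this thread.

```powershell
# Added example (not the script discussed above): read-only kill-bit audit for
# one ActiveX control. Reports rather than creates a missing key, and shows the
# other flag bits separately so nothing is clobbered. Function name is assumed.

$KillBit = 0x400   # 1024, the value the ADM template above sets

function Get-KillBitStatus {
    param([Parameter(Mandatory = $true)][string]$Clsid)

    # Accept the CLSID with or without braces, as the comments say the script does
    $Clsid   = '{' + $Clsid.Trim('{', '}') + '}'
    $keyPath = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"

    if (-not (Test-Path -LiteralPath $keyPath)) {
        # No key: the control may never have been registered for IE use, so do not create one
        return [pscustomobject]@{ Clsid = $Clsid; KeyExists = $false; Flags = $null; KillBitSet = $false; OtherFlags = $null }
    }

    $item  = Get-ItemProperty -LiteralPath $keyPath -ErrorAction SilentlyContinue
    $flags = 0
    if ($null -ne $item -and $null -ne $item.'Compatibility Flags') {
        $flags = [int]$item.'Compatibility Flags'
    }

    [pscustomobject]@{
        Clsid      = $Clsid
        KeyExists  = $true
        Flags      = ('0x{0:X}' -f $flags)
        KillBitSet = (($flags -band $KillBit) -ne 0)
        # Bits other than the kill bit (e.g. flags such as COMPAT_NEVERFOCUSSABLE mentioned above)
        OtherFlags = ('0x{0:X}' -f ($flags -band (-bnot $KillBit)))
    }
}

# Daxctle.ocx CLSID from the ADM template in this thread
Get-KillBitStatus -Clsid '{D7A7D7C3-D47F-11D0-89D3-00A0C90833E6}' | Format-List
```

If you do decide to apply the workaround from a script, compute the new value as $flags -bor $KillBit so the existing bits survive; the ADM template's VALUEON NUMERIC 1024 replaces the whole DWORD, which is exactly the case the comment about losing COMPAT_NEVERFOCUSSABLE worries about.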
It's really great (for those of us at the user level) to be able to follow along in these discussions and learn. Thanks to Jesper and all of you for sharing.
Roger: There have been a few reports about people bypassing PatchGuard, but as far as I know, they have all been blocked now. That does not mean new ones won't come up though. That being said, this is a moving target, like Steve says (I think). If you secure it, it will change.
Al, of course, yes. Microsoft is obviously in it for the money, and don't think for a second that they would do something for the pure goodness of it without at least a remote chance that they would get the money back some way, somehow. That said, I am not convinced that Microsoft is in it to take away revenue from Symantec and McAfee; to compete with the anti-* vendors. It is more likely they are trying to get better at security to avoid having their own revenue stream taken away by someone else. It is not so much a matter of adding revenue in this case as it is not losing it.
Oh, and thanks for the good feedback!
"In a sense, they have built their business on protecting users of Windows from Microsoft, and Microsoft healing the patient cuts into their business doing the same. As Microsoft's Security Chief Ben Fathi said, the security vendors want Microsoft to "keep the patient sick," and by extension, keep customers at risk, so that the security vendors can keep charging for the healing."
An analogy with the medical world is used here. I think in that world it's common that you don't take the opinion of one single doctor. Your regular doctor cannot prevent you from taking the opinion of others. Your regular doctor can't prevent you from choosing another doctor, another hospital. You can even take the opinion of a complete consortium of doctors and pick the best there are to do the job. Do you really want your life to be in the hands of the one doctor with the bad track record based on his promise that he's now rehabilitated?
The "waterproof to 17 feet" part might cause a bit of a problem.
This is really funny when you think about it. For years, the security vendors have been blasting Microsoft for not securing Windows better. All the while, selling consumers products that they can hardly understand or operate. As a security consultant, both for companies and consumers, I sell and install several different brands of security products (McAfee the most) and services. Once I get my clients accepting of 1) computer security and 2) committing the money, they simply can not relate to the screens, instructions and the whole nine yards of security software. This is no fault of consumers, but more of one for the security vendors! They are at fault for not making security easier by now. How long did they think they would have to build a loyal customer base and to invent something new? How long did they think software would be insecure? And how long did they think they could sell consumers products that they don't understand? Which puts machines at more of a risk, because consumers approve the wrong things or they turn them off or quit updating them. I have come across hundreds of machines over the years that, when I open the security programs that they have installed, say "153 days since last updated" or something to that effect. This is crazy. If Microsoft can build a better mousetrap - they should do it! And who is stopping "Norton and the lot" from building their own OS to secure? Just think if we told General Motors not to provide lock & key to their cars 'cause the locksmith companies are depending on them for income. We are supposed to be moving towards advanced technologies, and to do this, we need Microsoft or whoever will do it - to move us forward. Vista is a move forward. And yes, Vista will have flaws and us security people will be needed all the same. Vista is the stepping stone we need to bring us to the true technology of tomorrow.
Nice post Jesper.
I listen to McAfee and Symantec whinging and think that if their products had actually done the job properly over the years then there wouldn't have been a need for Vista! Now that their years of less than effective products, or should that be bloatware, have come back to haunt them, they start to complain when Microsoft does a good job on hardening the operating system.
On a final note, no self-respecting IT professional would ever run any products from McAfee or Symantec! There are far better security products out there that are more effective and in many cases cheaper.
Thanks a lot too, I couldn't see the Sonic file in Program Files, I thought it was inside the Roxio file.
"On a final note, no self-respecting IT professional would ever run any products from McAfee or Symantec! There are far better security products out there that are more effective and in many cases cheaper."
Do you really stand by a statement like that, john?
Doesn't seem to be an easy issue, I'm eager to see the solution.
By the way, for the registry keys it's always useful to have a reminder of those. (Now I know why I keep checking your blog ;).
An interesting problem that I have also seen in the past. Generally speaking I've always removed the profile (tried same account / another pc) or simply renamed the profile and it's been resolved. I guess this is just another example of a corrupt user profile causing errors
Seen this too - and fixed the same way (rename the profile folder on the server); however my suspicions were raised by redirection of appdata - was this being done too?
Yes, I was redirecting the entire profile. I have a hunch that to find out what is going on I would have to selectively remove pieces of the profile. I tried with the Run key in the registry already, but that did not do it. The problem is that you may make your profile invalid when you do that, so you need to be careful.
Got the same issue just this day.....
We're approaching the phase of merging the existing forests (4 actually) into a single forest a few days from now and this happened. I love my job!
I agree with Guillaume: just one quick ISO download of Darik's Boot and Nuke and a burning program with a 5 cent CD-ROM and you're good to go. Make sure you back up "everything". Once it's gone.....it's gone. Even the expensive so-called $100 "forensic tools" that are splashed all over the net won't be able to retrieve anything....at least on the hard drive. I'm sure the propeller heads out there sitting in labs running government hard drives through powerful magnetic fields would agree. To be on the safe side though, do what I did.. modify a big tree splitter for the task. You get a physics lesson, engineering lesson, and security lesson at the same time! (Added benefit is that it works great on trees too...)
Someone posted this as a comment to my blog the other day... I think it fits here as well...
http://msmvps.com/blogs/bradley/archive/2006/12/19/for-the-record.aspx#433972
Desiderata - by Max Ehrmann
Go placidly amid the noise and haste, and remember what peace there may be in silence.
As far as possible, without surrender, be on good terms with all persons. Speak your truth quietly and clearly; and listen to others, even to the dull and the ignorant, they too have their story. Avoid loud and aggressive persons, they are vexations to the spirit.
If you compare yourself with others, you may become vain and bitter; for always there will be greater and lesser persons than yourself. Enjoy your achievements as well as your plans. Keep interested in your own career, however humble; it is a real possession in the changing fortunes of time.
Exercise caution in your business affairs, for the world is full of trickery. But let this not blind you to what virtue there is; many persons strive for high ideals, and everywhere life is full of heroism. Be yourself. Especially, do not feign affection. Neither be cynical about love, for in the face of all aridity and disenchantment it is perennial as the grass.
Take kindly to the counsel of the years, gracefully surrendering the things of youth. Nurture strength of spirit to shield you in sudden misfortune. But do not distress yourself with imaginings. Many fears are born of fatigue and loneliness.
Beyond a wholesome discipline, be gentle with yourself. You are a child of the universe, no less than the trees and the stars; you have a right to be here. And whether or not it is clear to you, no doubt the universe is unfolding as it should.
Therefore be at peace with God, whatever you conceive Him to be, and whatever your labors and aspirations, in the noisy confusion of life, keep peace in your soul.
With all its sham, drudgery and broken dreams, it is still a beautiful world.
Be cheerful. Strive to be happy.
Max Ehrmann c.1920
----
The new year is just around the corner, tomorrow's a new day...and good (and smart) guys like you are still here and still making us think and not accept the status quo and helping us in our journey.
I'd say that too means something.
I was pleased to read your message, and I agree about the picture of the boy "bathing" in the bucket. Such a powerful image.
With the profile and readership you have, it seems to me you have a prime opportunity to continue to draw people's attention to such important issues... it won't do much for your readership however. Now there's an issue for your conscience...
Seasons greetings Jesper... from an English lad so very miserable about the dire state of humanity (not to mention the ecosystem upon which we rely to survive...)
Hi, thanks for the tip, I was so irritated by a new window opening up from my home page every time! Nifty little trick ;)
Cheers!
We had a similar problem a few years ago. Only for two users out of approx 1000 (W2003 Citrix Terminal Servers). Roaming profile + folder redirection. In our case the problem came when the attributes of the user object were synchronized from a MIIS. Recreation of the user object resolved the issue but the MIIS sync somehow corrupted the user object.
We investigated all user attributes but did not find anything. GPO simulation failed with the same error. I do not remember but believe that we eliminated the profile as the cause of the problem (we recreated it).
A case was opened with MS but we did not find the problem. They should have most of the data (my reference test user was named "Sandra Bullock"). Permissions looked OK but we probably did not go into enough detail here.
Luckily both guys were consultants who left a short while later and we have not seen the problem since.
That's just one of the many things that Vista won't let users do :) Don't throw your PC or curse Bill whenever Vista is giving you a migraine. Chances are is that it's only a driver problem. Just try installing the appropriate driver. If you don't know where to look for them, try this site -- http://www.radarsync.com/vista.
Hear, hear! No anti-virus for me, since 2003.
I'm pleased you've been virus-free since 1992, but the principle "I don't need anti-malware because I practice safe computing" doesn't qualify what safe computing is (beyond "no P2P, no attachments, and least priv").
There are plenty of threat vectors besides P2P and email attachments, and plenty of risks that don't need elevated privs or warez to impact a person's computing.
I use anti-virus only on systems on which it is mandated by corporate policy. With the defenses Jesper listed, along with staying current on patches (which I'm sure Jesper does), the primarily weak points are exceptionally well-crafted social engineering attacks and zero-day browser-based attacks. Jesper is sufficiently paranoid that I will be completely shocked if anyone ever gets him with a social engineering attack; and the kinds of zero-days that Jesper or I might get hit with are not the kinds of things that anti-virus does a particularly good job defending against.
The hardest part (for me) is keeping my and my family's systems current on patches for software not covered by Windows' Automatic Updates. Some non-Microsoft products will automatically update themselves, but they need to run as admin to do so. Adobe Reader is a major pain since if you're a couple of patches behind, you have to install each one in order -- e.g., if you're on 7.0.3 and the current version is 7.0.8, you have to install 7.0.4, then 7.0.5, etc. (Easier just to uninstall the whole thing and fresh-install the current version.) And then Apple just completely sucks ( http://aaronmar.spaces.live.com/blog/cns!141FE4D19847CD5C!255.entry ).
How about a third option. Add just *your* user account to the ACLs with modify permissions. Opening the drive up to all Users with modify perms is a big hammer kind of solution.
Kaspersky and a whole list of others...see http://start64.com/ for more.
Don't forget that even in "Best" mode, you're STILL not immune from malware.
It is perfectly possible to write malware (adware or a botnet client) that will install and run all the time on a standard user account without a single elevation prompt. It's just not worth the effort usually.
As long as there are dancing pigs or cool icons for your email, people will still install this stuff.
So true Larry. You would be mostly impervious to things that compromise your system. That does not of course mean that you would be immune against things that steal your private data, or anything that tries to trick users into giving up information.
I firmly believe that as operating systems and applications get harder to attack we will see more and more attacks on people and the data they have access to.
It should be up to the user, but often malware works either by spoofing the user (e.g. exploiting the OS's poor file type discipline and risk UI information) or bypassing the user completely (e.g. exploiting edge-facing code such as RPC, LSASS etc.)
That, IMO, is the problem UAC attempts to address. If it "encourages" software vendors to write code that also works in non-admin accounts, that's nice - but IMO, account-based rights are in any case the wrong safety model for consumerland.
Even the most limited account has the right to edit, and thus steal or destroy, user data. Sure, it's nice for Microsoft support that they don't have to handle getting the system back from malware ownership, but if the user's data is most important, the battle's lost.
This still doesn't solve my issue with a similar item. I *AM* running as Administrator and do not need to elevate privileges at all. I am copying images across the network from my old XP to my new Vista install. However, image1.jpg might be allowed, whereas image2.jpg is not, and this is to my own Pictures folder. I just don't get it, why one and not the other?
jimmy.alderson@gmail.com
Jesper, I disagree, I think that UAC, as a whole, is very much a security feature. It's a first attempt that's bound to need some work, it isn't a sandbox, it isn't an anti-virus or anti-spyware feature, it isn't a firewall, and it can never be a perfect solution without seriously inconveniencing users, but it certainly is a security feature:
1. It makes it very difficult for malware to do admin-level stuff without the user knowing somewhere along the way.
2. It includes features like UIPI and MIC
3. It provides a mechanism for processes to run in a restricted mode
4. It provides file and registry virtualization
5. It facilitates protected mode IE7
Even Symantec, who has been so quick to attack Vista's security found that Vista blocked 96% or more of all malware they tested. Of course they said it the other way--that it still lets 4% through--but that's really not bad for what everyone is now claiming as a non-security feature.
Mark, I agree with you. I think UAC is a security feature. However, I also think it is dangerous to believe that it will stop future malware. It stops current malware, and does so well as you point out. However, future malware will certainly find a way around it. Does that make it not be a security feature? No. Does that mean UAC is not useful? No.
BTW, I am just putting the finishing touches on a tool for the new Vista Security book that might make testing UAC easier. It allows you to launch any process elevated from a command line, or to launch any process with a low integrity token. For instance, if you want to launch Firefox low (it currently won't work - firefox that is - but let's pretend it does) you would run "elevate -l firefox.exe". I'm doing final testing on the tool now.
Even a re-worded dialog can be a security feature - changing the text, so that the user can more easily tell which is the most secure option to choose.
What's key here is that UAC isn't a security _boundary_. It's not designed to keep processes "inside" - it doesn't even have an "inside" in which it could keep processes.
Sessions are an example of a security boundary, because it provides a delineation between processes. NTFS permissions are an example of a security boundary, because it provides for a delineation between users who can have access, and users who can't.
UAC is a way for users to choose not to be administrator all the time. It's on by default, because it's the right choice for most users.
I've been a restricted user on Windows XP, and I've been a restricted user on Windows Vista, and I like it better on Vista, because I don't have to figure out how to do "runas" on an admin task whenever I need to do one.
I have the same problem by copying files across the network from XP computers.
blade_vampyrus@yahoo.com
the same thing happened to my c-7070 only to continue diving and spend an hour with a whale shark !
Thanks for the information.
Suggestion...
Use your talents and make money...
Provide fair and unbiased test comparisons on Anti Virus available in the market so the computer nerds like myself can compare them to make informed decision on the best one for them. Generally sites are biased, one site listed software 'X' as #1, the next site apparently not even testing software 'x' in their top 10. This is FRAUD.
Money comes with the advertisers to your site...just do not be tempted by greed like other sites to sell an inferior product over the better one...complete and fair testing.
I also run without antivirus on my system. However I don't agree that you are 100 percent secure. Viruses such as MSBlaster infected machines by exploiting a loophole in Windows NT based systems, and a patch was released only after the virus infected thousands of machines.
If you are running 64 bit Ubuntu however...
Norton 360 did you try that out...
I think its 64 bit.
Try it out..
Isaac
antigravitybase-public@yahoo.com
I am very disappointed in Roxio BackUp MyPC.
I asked several times for an upgrade that works under Vista.
Still no news.
Goodbye Roxio, it is the last time I buy something from them again.
I am running Novabackup now.
I really do not understand why Roxio cannot make a decent program.
If you like I can send your worthless backup program back to you.
I'm using Vista for the last few days. I feel it's more of an annoying feature, but it alerts the users before something goes wrong, at least for the time being.
Did you try eTrust Antivirus r7.1 x64?
Patrick, I tried a very early version a long time ago, but not since. Do you have any experience with it?
No, but I'm willing to give it a try as I'm currently testing my Vista Home Premium 64bit environment. I'll keep you posted but drop me an email as a reminder just in case! ;)
Hi
I believe you might have missed Symantec Antivirus Corporate Edition.
The previous version (10.1.5) already supported 64-bit Windows.
The latest version - 10.2 - adds support for Windows Vista, both 32-bit and 64-bit.
The link is here http://www.symantec.com/vista/sav-vista.html
Jesper...congratulations on your luck staying virus free. I've found the problem isn't safe computing on my part, but rather unsafe computing practices on the part of friends and co-workers. While it's gotten better in the past 2-3 years, I can't tell you the number of times I've seen anti-virus software intercept a virus on an attachment someone sent that they thought was just fine. Agree, it sure is nice to run without an AV and the 15% or more tax on system speed it invariably imposes. Thanks for the posting on AV software that's compatible with -64 Vista. Was just what I was looking for to complete my migration from XP.
A short and logical post about UAC and Vista security can be found here: http://www.drdrksa.info/windows-xp-is-safer-then-vista/
Purchased T&C v3.5. When I try to load it, it gives a message at the beginning of the installation "unable to load plug in library, please rebuild your project and make sure all required plug ins are installed. Action skipped", then goes to the installer but comes back with
"could not access network location NOTSET" then quits. Any help would be appreciated.
That phone number won't work from Australia as it doesn't have the proper international direct dial prefix on it (generally 0011, but could be 001x). (http://en.wikipedia.org/wiki/Australian_telephone_numbering_plan)
But I guess for the people determined enough to get their million euros they may just persist & work out a number that works :^o
My mistake! I thought Australia used 00 as the international direct dial prefix. Guess I got used to using my cell phone every time I was there and did not need to worry about it. Thanks for correcting me!
Sadly, many people throw out their sensibilities when they think they're about to get rich quick. It's just a plain old con moved from the real world to email. People get taken by them all the time - they have had a couple of articles in the local paper here about people that lost a lot of cash from these scams, and they're usually people that think they've just been handed a leg up - they're not so bright, and need the money.
BTW - I am in Australia, and yes, the international dialling code is 0011. 00 is the international code in New Zealand - commonly mistaken for a state of Australia ;).
The phone number is actually correct, but you have to wonder why a president of a bank would hand out his mobile phone number. In The Netherlands all mobile numbers have area code 06 (+316 for international dialers). Also the fax number will route directly to a voicemail service, since area code 084 is reserved for those services.
Not only do you have to wonder, you also need to think about how "smart" the people looking after your own personal interests are.
http://www.smh.com.au/news/breaking/dumb-and--much-dumber/2006/02/02/1138590592345.html
"Police are staggered by the amount of money gullible Australians are losing to Nigerian investment scammers.
The long-running internet-based rort has netted more than $7 million from Queenslanders alone, and the loss Australia-wide is likely to be far higher, police say.
Among those being duped are financial advisers, lawyers and university professors, and one person had put $2.2 million into the hands of scammers over the past two years."
If you translate laagste bank b.v. from Dutch to English you get Lowest Bank Company.
0031616293431 is a Dutch cell phone number.
0031847599547 is a faxmail number.
And www.O2.pl is a webmail provider.
The telephone number could be a valid Dutch mobile phone number, it's just formatted "weird".
They usually are in the format 06 12345678, and you can leave out the leading 0 when calling from abroad.
Also, the bank's name and contact person are Dutch sounding names.
I guess I’m as amazed as you are that people are falling for these kinds of things. However I have a few other reflections.
Your point number 6. where you say you have to play to win, there are a lot of people who play the lottery. I would presume this type of scam would have a higher success rate in that audience. If someone is playing the lottery and all of a sudden they receive an email notifying them that they had won they might just get too excited and ignore such facts at the reply address, the .pl domain or the fact that the lottery they were entering hasn’t been played yet.
The other group I think would be suckered by this is the kind of people who finds a wallet in the street and keeps the money inside the wallet for themselves. Even if they didn’t play the lottery they might think someone has won and by some freak accident the person who received the email might get away with a million bucks.
All in all I guess greed and stupidity is a dangerous combination.
Ps. It’s great to see that you’re writing a new book. With all the money you won from the lottery, perhaps you will find more time to write?
I'm not convinced of the argument that "It's gotta work sufficiently well to make it worthwhile for the criminals."
I reckon that the stupidity is on the part of the people sending the spam thinking it is going to work. There are some phishing emails that are a lot more sophisticated than the one shown which do catch people. I guess emails like the one shown are sent by copycat criminals that aren't clever enough to pull it off, but they keep trying anyway because the risk & cost is low and the potential reward is high.
Taking the lottery analogy: I play the lottery here in the UK where I have a 14,000,000 to 1 chance of winning. I didn't win the first week but that didn't stop me I still played on the second week. Even though I haven't won big in the year that I have been playing, I haven't learnt and am still playing. I guess it is the same for the spammers. Even though no one has responded to them they keep trying because they have convinced themselves that if they continue they might just pull it off one day.
There is a counter-argument to the theory that "it must work, or they wouldn't keep doing it", if the real money comes from selling mailing lists. E.g. I will sell you a list of addresses (guaranteed to be valid!), and a program that will send lottery spam to those addresses. You just have to pay me a small amount of money, and then you'll get rich from all the suckers who reply to you. This would be a variant on the old pyramid schemes like the Dave Rhodes letter.
I vaguely remember a scene at the start of the Asimov novel "Foundation" where someone is selling an alchemy machine - he demonstrates that it can turn someone's shoe buckle into gold, so the buyer will easily recoup their initial costs. (It turns out that the machine doesn't really work on a larger scale.)
Under this theory, nobody actually needs to reply to the spam messages; the only people who need to fall for it are the spammers themselves (probably helped by blog posts like this). I'm not sure how realistic this theory is, but I find it vaguely comforting that they'd be the ones getting exploited.
Great post, as usual! Again, it makes one wonder why they call it "Common Sense" when it apparently isn't as common as we would like.
I don't know why people's perception changes so dramatically when they sit down in front of a computer. I used to argue with my father that using a computer was no more difficult than writing technical reports, or building a house with no previous experience (both things he did on a routine basis). I never could get him interested in using one - he claimed they were too hard to understand, while he routinely performed tasks that were many more times complicated...
If people got those ridiculous emails as paper letters in the mail, they would throw them away after reading the first sentence with poor grammar - but looking at in on the computer screen somehow gives it "authenticity" in their minds. If we could better understand how, we might be able to fight against it.
It's like the attitude shown in the "If GM ran a helpdesk" emails that have been going around (I linked to one spam-free version in my URL above). We look at that from a car perspective and collectively go "well duh, I would never ask that" and laugh at the absurdity of it. But sit quite a few people down in front of a computer and for some reason a "switch" gets shut off and common sense goes out the window. And the "why aren't you protecting me from myself" attitude you speak of pops up. We laugh at the GM helpdesk jokes because they are funny, but not when people pull the equivalent (or worse) with computers?
<sigh>
"UAC's purpose is to enable more users to run as a standard user."
So you admit UAC is a nagging tool. I tend to agree, and the result will be that users will disable it and gain standard administrator rights, which will become the de facto default Vista installation.
This one's been running in Europe by snail mail too. Badly photocopied letters have been sent out saying people have been entered into a European lottery and they've won. In order to get their cash, they have to fax copies of their passports and banking details to an office in Madrid. The dude running it has even had the £^$$ to answer the phone and invite people to call into his office :-)
It's been all over our press in Ireland but still you hear of grannies losing their life savings to it every now and then.
I'm having a similar issue... I am running as an administrator & I have full access to the drive, but each folder/file is read & read/execute only... this all happened when I updated my laptop to Vista from XP... if I hook the external drive up to my desktop that is still running XP, everything is fine... I need to be able to update these files from the laptop though... HELP!
Nathan, more than likely the ACL on those files has Administrators as the only group with read/write permission. Go through the steps in the post and see if that doesn't solve your problem.
Am I missing where you're restarting the service? The KB says that is necessary as well.
Aah, yes. I did forget to put that in. It is fixed now.
Thanks for the instructions!
Pingback: http://securitygarden.blogspot.com/2007/04/microsoft-security-advisory-935964.html
Got any services that depend on the DNS server service?
I can't think of any off-hand, but anyone doing this - particularly on a large scale - should be aware that any time you stop and restart a service, you automatically stop, and don't restart, services that depend on the service you're cycling.
Obvious to some, but worth pointing out.
I did not see any that did on my test box. There may be something, but I can't think what it would be.
Am I missing something? If RPC is generally open to the internet, isn't your system pretty much owned already?
The KB specifically says that port 53 isn't an attack vector, and that's all that should be exposed to the outside world.
Andy: yes, you definitely have to wonder about leaving RPC open to the Internet in that way. It is a bit much to say the system is owned already, but it definitely has a far larger attack surface than necessary.
Say you've got a windows 2003 SBS running with interfaces configured using RFC1918 space placed behind a firewall (a completely open one, but with no portforwarding enabled but a one-to-one https and smtp to a particular machine), you should be somewhat on the same side of the line as the ones who block the recommended port range, correct? Naturally you still have the internal part of your network to worry about, but not the terrible outside?
Kind regards
Faster list of just DNS servers:
dsquery * -filter "(servicePrincipalName=DNS*)" -attr dNSHostName -l > dclist.txt
Brian: Excellent query. Thanks, I was going to see if I could find that.
Michael: Yes, you would have exposure only to systems on the inside.
Jesper:
I thought so. Thank you for the confirmation, and for the great tip provided above.
You could also use "dnscmd ServerName /config /RPCProtocol 0" to disable RPC on DNS Servers (And combine it with the output from the dsquery command showed earlier)
Good tip! ... Thanks very much!
But, I Would like your opinion on the "Symantec Rapid Release" features ...
Do you think that it could help protecting efficiently against this vulnerability ?
>>How to:
http://entkb.symantec.com/security/output/n2002103012571948.html
>>Self-extracting EXE file or VDB/XDB files:
ftp://ftp.symantec.com/AVDEFS/norton_antivirus/rapidrelease
Sorry, there's a typo - it's of course "dnscmd ServerName /config /RPCProtocol 4"
List of all DNS servers in the forest (handy if you're an Enterprise admin):
dsquery * forestroot -filter "(servicePrincipalName=DNS*)" -attr DNSHostName -l -scope subtree > dnslist.txt
Hysteria!! If an internal user is an accomplished coder who can manipulate RPC then why is shutting off the DNS remote mgmt server going to keep them from doing harm? Have you enumerated the RPC servers available on a domain controller? There is a large surface for attack.
If you have external DNS servers that don't have port 135 protected then you get what's coming to ya!
Thank you sooooo much Jesper! You have done users worldwide a great service. Two days ago, I upgraded my OS from Vista Business to Ultimate, expressly for the purpose of using BitLocker. After the upgrade completed, I discovered that BitLocker would not install since I had only one partition. Instead, BitLocker insisted that re-install Vista. However, since I had done a Vista Upgrade, the only install option available was a CLEAN INSTALL! I hit the fan. I ran in circles. I prayed. And then.... I read your post. Your solution worked perfectly within minutes. Thank you so very much!
You are so insanely right. I love the text. I haven't been diving in Norway in almost 8 years due to the cold and the weight.
btw, with regards to the script, might not want to stop DNS services across the board prior to starting them.
Angelo
Kaspersky Anti-Virus 6.0 Vista 32/64 compatible
www.kaspersky.com/news
Microsoft has published an official KB article with this workaround. Here is what they have to say about it:
blogs.technet.com/.../new-kb-article-to-help-deploy-dns-remote-rpc-block-workaround-throughout-enterprise.aspx
Herman, here is what I had to say on your question a few years back:
www.microsoft.com/.../sm0704.mspx
If you truly have been hit, the advice still stands.
Is there any other way to get MMC to work when this workaround is put in place?
Gene, not remotely. That's what the workaround prevents. You can use RDP though.
My F12 key is 4 inches away from my Delete button, what are you talking about? There is no possible way for a normal person to accidentally hit F12 when trying to hit the Delete button. You should go to the doctor because you're probably having seizures.
I like that they've denied him bail.
I'm glad to have him no longer breaking into systems and abusing public resources, but I don't like what's been done in Guantanamo and wouldn't wish it even on this guy.
The book is out, terrific! I am really looking forward to getting my hands on that one.
One of my favorites is objsd.exe, which ships in the companion content of Hunting Security Bugs:
www.microsoft.com/.../0-7356-2187-X
However, it needs to be updated for Vista, as it doesn't show the integrity label.
Hi Jesper and thanks for all your valuable insights in information security. I always find your posts very interesting.
This time, however, I find it quite in contrast with what I understood from your presentations with Steve Riley and from your excellent PYWN (e.g. chapter 12, Security Configuration Myths). I've always thought that you are not fond of one-size-fits-all security solutions and that configuration guides were among them. Am I missing something?
You're right. I do not believe in one-size-fits-all security guidance. That is why I comment on the fact that there are only two levels in the guide, and that those two levels will not provide optimal security for all computers.
However, in this case, I think that the drawback of using one (or two) different security configurations for millions of computers is greatly outweighed by the benefits of clear requirements. The current state is that there are hundreds of different configurations used in the U.S. government, most of which have no grounding in realistic threat analysis. Many of these cause the systems to not function properly in some way, and most create unsupported configurations. The free-for-all in the current state means that everyone who fancies themselves a security expert is free to invent their own configuration, far too often without significant experience or understanding of either the threats or the operating system itself.
At least this way there will be a known state for all computers, and system administrators, application developers, and support personnel know what to expect.
You will never get an optimal security configuration from a one-size-fits-all guide, like the one now required in the U.S. Government. You will always get a better configuration if a competent analyst performs detailed analysis on the threats facing the systems and the risks you are willing to accept. The problem is finding those competent analysts. If there is one thing I would like to see it would be what the characteristics of such a competent analyst would be. It is decidedly NOT someone with no more experience than just finishing his first week at a security conference and passing a certification exam.
You need to weigh the one-size-fits-all problem against where else you can spend your time in security. As bad as the one-size-fits-all really is, it frees us up to do more important things. The fact is that most of the interesting attacks are no longer against systems or configurations. They are based on missing patches, users who run as admins and click on everything, and poorly managed networks. My hope is that by removing the arguments about which set of security configurations individual systems should have the focus will shift to those areas instead, which will have a far larger impact on security than one or two additional registry tweaks. In essence, I would say requiring a single guide is good because it has the potential to refocus the discussion to much more important areas.
It was also encouraging that the second memo made specific recommendations regarding least privilege, patches, and how applications should work. Those things are good, and have much more potential impact on security than the arguments about whether the RestrictAnonymousSAM setting should be set to 0 or 1.
Jesper, you make a good point with the two configurations, only having two. Before, we were working with no real guidance other than our network team running hacking programs against our machines and sending us reports on the vulnerabilities. Working for the government I have a good insight into the different configurations we have to deal with. I am looking at the guideline configurations as a base point to start with to secure the equipment. We set up a machine, apply all patches and security configurations before applying the application configurations. Any special configurations based on the function of the equipment can then be considered before making the change to the security. Just as our firewall is set up, special applications must have a justification to open ports or protocols, and so should we be doing with the security configuration. Sometimes the security settings can be a little tricky, allowing access to one thing and blocking another with current settings in place.
Heh ... Hold 'Em was released via WSUS early this year!
:D
Philip
I've also been hit with the "but I installed this twice already!" problem - not with the Windows Live Toolbar though...I believe it was an Office update.
The NetMon 3.1 install did something similar to my Vista Ultimate system. Upon initiating the install, the computer slowed to a complete crawl and disabled my network connection. Twice, my video driver failed and restarted. I ssslllooowwwwlllyyy initiated a shutdown, but after waiting 10 minutes gave up. Did a power button shutdown. After restarting, things were still very flakey and slow, so I did the power button kill again. On the next startup, everything worked fine including NetMon 3.1.
I'm planning on upgrading to WSUS 3 here at my company. Currently I'm on 2.0. Should I do this or not? I've read other comments about it being a memory hog. Not sure what to think. I had enough fun this week with Trunk Monkey. (www.trunkmonkey.com)
The issue with the toolbar being reoffered looks like it's not being installed properly or not being detected properly. WSUS really has nothing to do with that -- it's al done by the Windows Update Agent (WUA) on the client machine.
(Dirty secret -- WSUS doesn't actually _do_ anything. It's an ASP.Net web service that sits and waits for clients.
WUA does all the work from the client side. It checks in to see what updates are available, checks to see what the client needs/already has installed, downloads the updates, and installs them as appropriate.)
Check %windir%\WindowsUpdate.log and see if the toolbar is failing to install.
Neil, yeah, I know the magic is mostly in WUA not WSUS. However, the combination is what yields such entertaining results.
I looked at the logs, and it sure looks like the update succeeds to me. Although, the log is well past a megabyte, so it is hard to hone in exactly on what is interesting. The system event log seems really clear though:
Log Name: System
Source: Microsoft-Windows-WindowsUpdateClient
Date: 7/6/2007 16:16:10
Event ID: 19
Task Category: Windows Update Agent
Level: Information
Keywords: Success,Installation
User: SYSTEM
Computer: <cleared>
Description:
Installation Successful: Windows successfully installed the following update: Critical Update for Windows Live Toolbar 3.01 (KB926295)
Really, Space Cadet Pinball (for Vista owners) would be a better thing to put out on WSUS as many, many people are disappointed that it was removed and not replaced with another pinball program.
This is an IE/Windows bug in my view - on Linux/Unix, you would use exec with multiple arguments to safely run a sub-process, even if some arguments had been mangled through this sort of trick. I'm not sure if such an API exists on Windows, but clearly IE is running Firefox in this case via CMD.EXE, the Windows equivalent of the Linux shell.
In fact the problem seems much wider - the registry is littered with this sort of command invocation and some of them probably cause security holes like this.
This is one of the oldest tips around for preventing security holes - seems like the IE/Windows programmers aren't aware of it.
This gets a mention in the SANS ISC diary today.
In the meantime, what version of Firefox do you have, because I can only find TWO protocol handlers (the first two) in the registry, not three. (I have v2.0.0.4)
- James
It's worth noticing that Firefox users with NoScript installed have already been protected both from the MacManus/Larholm remote code execution and from Rios' "Universal XSS" since June 22nd, see noscript.net/changelog
More in general, they're protected from chrome privilege escalation gained by opening non-chrome URLs in top-level chrome windows (Larholm's PoC) and from BLOCKED SCRIPT URLs being loaded in externally opened browser shells (Rios' PoC), no matter if attempted through the firefoxurl: handler (like in this specific case) or by other yet unknown means.
Either you do not understand the problem, or you are being arrogant here. Firefox was chosen as a target because it has the most powerful URL handler. However any other URL handler could be exploited in this way by passing arguments that are not supposed to be passed. The exploit works by breaking out of the quotes, much as a typical SQL injection attack. This is a problem in Internet Explorer, and should be fixed in Internet Explorer.
Mozilla releasing a workaround for their URL handler is a nice courtesy, but it doesn't stop the vulnerability and the exploit could (and probably will) be rewritten to target other URL handlers.
As long as Microsoft says this is somebody else's problem, Internet Explorer users are at (even more) risk.
Giorgio, good point. There is another way to protect against this issue. Thanks for reminding us.
Thank you Giorgio. Nice to know, but not a problem on my Linux System :))
FUD, maybe I do not understand it. How do you suppose IE should validate input to URL handlers? You mention SQL injection attacks, but that is not a very good analogy since in SQL injection attacks the middleware application is what actually takes input, parses it, constructs a query, and sends it on to the database. That is very different in that in the current attack IE is simply a conduit to pass a command to Firefox. A better example would be a buffer overflow in a command line application. You can type "foo.exe bar blaah" on the command line. The app may only expect one parameter and fail spectacularly, but the fault is still with the application, not with the command shell. The command shell has no idea what input the application expects and simply passes on what it receives to the application. Likewise, IE has no knowledge of what Firefox considers a valid URL and will simply pass on what it gets. Firefox needs to validate that it is not doing something untoward with that input.
The 'fix' so to speak is for people not to allow remote invocation of ShellExecute, however you spell it, or whomever you blame it on. For whoever said that you should just make sure it's 'not doing anything malicious', you should start your own Security/AV company, that's the best idea I've ever heard.
firefox doesn't have control over how the OS invokes handlers, so it shouldn't provide it the opportunity to assert it's randomness by calling the OS to run this thing at the behest of browser content. (that's right, it's browser content that's able to take over your machine... what's wrong with this picture?) The only alternative to abolishing this whole handler crap altogether is to make a 'strapping wrapper program that does the filtering and register the handler to that app instead. Whoever thought it might be a good idea to have this 'feature' in the first place was not quite thinking right.
I know from my experience with web-app development that any attempts to control the browser or the desktop of the endpoint almost always backfire in some way... HTTP is not meant to be sending instructions to your OS, it's meant to be sending rendering details to your browser (which in a perfect world would render them according to the w3 standards). I'd compare attempts to implement such custom URL handlers to things like trying to disable the browser's back button from within the web content. Well, what did you expect?
There are ways to fake it (with things like url handlers), but these holes are ALWAYS going to pop up when you try. Unless there is a standard browser-to-OS interaction protocol, this kind of tit-for-tat will continue to happen until people stop trying to direct the client host via web content -- and developers keep trying to let them.
jesper, the point is that IE is failing to pass the URL it should be passing, because it doesn't escape quotes correctly, so quotes in the URL can lead to a situation where IE actually passes multiple command-line arguments, not just a URL.
Firefox's handling is suboptimal, and will be fixed, but IE still has a bug here -- it's not passing the right data to other applications.
This reminded me of the old MHTML vulnerability (MS04-013), that was typically exploited through IE, but was considered a critical vulnerability in Outlook Express. It also reminded me of the more recent MHTML issue (MS07-034) with Vista that was also originally (and still is by Secunia) described as a vulnerability in IE7, but is actually a critical (on Vista) update for Outlook Express and Windows Mail. It's not IE's fault, it's merely used as an attack vector.
I haven't seen anyone else mention that the various PoC floating around appear to be stopped by Vista's Protected Mode (on by default), which prompts the user to confirm that they want to launch Firefox (and subsequent remote command execution). If you don't allow it - and why would you if you were browsing a random web page in IE7? - then you should be okay.
see www.securityfocus.com/.../370959
Hi Jesper - how is this NOT a classic example of argument injection, as outlined by FUD? (marc.info is an example).
The exploit includes a leading quotation mark, which IE appears to insert into the command line, which cuts off the "URL" portion of the arguments being passed to firefox. This seems like a problem that could occur with any arbitrary protocol handler, as implied by the post that Labertasche references. This could be tested by creating a custom protocol handler and registering it, then seeing if IE correctly escapes/quotes each %1 or related argument before passing it to the receiving program. I can't do this though, since I'm not an MS developer :)
Now, I can see how this would be difficult if not impossible for IE to fix for arbitrary handlers - or any technology that would use external "templates" for modifying command lines (wouldn't surprise me if other browsers have similar problems) - but that doesn't make it the called application's fault that it's being called with switches that the calling application didn't intend.
The "Open Command Window Here" has been included in Windows Vista anyway (at least it has on Business edition).
All you need to do is hold Left Shift when you right-click on a folder in the right pane of Explorer. Granted this isn't as good as the tweak that allows it to appear without holding Left Shift and in both panes of Explorer.
Vista actually includes "Command Prompt Here", but it's not as easy as one might like (not as easy as I would). It doesn't work in the Folders list - only in the main pane. And you have to hold down "Shift" while right-clicking.
I'm playing with this now and finding that Shift/right-click on files gives you additional context menu items that look interesting -- like "Copy as Path" and "Add to Quick Launch"!
Steve, nice thoughtful comment that I just saw (been getting a lot of mail on this one). I agree, this is really difficult for IE to handle. However, the protocol handler can do it, in a couple of ways, including by not using the simple invocation method that FF is using. See my latest update, above.
Now, one could argue that it would be nice if IE put some more restrictions on what it passed to a protocol handler, but not only is it difficult for IE to make decisions regarding what third-party plug-ins get to see, to put those restrictions on third party developers after the fact is even worse. It also is quite clear in the documentation that IE, or urlmon.dll rather, will pass the entire string on to the application. If the handles will parse parameters that can cause problems, then the invocation method used by FF is unsafe.
BTW, you don't need to be much of a Windows developer to write a protocol handler like the one FF is using. All you need is:
#include <stdio.h>
int main(int argc, char* argv[])
{
    // The URL is in argv; print every argument the C runtime split it into
    printf("\nThere are %d arguments in the URL\n", argc);
    for(int i=0;i<argc;i++)
        printf("\nArgument %d:\t%s",i,argv[i]);
    printf("\n");
    // wait for a keypress so the console window stays open long enough to read
    char c;
    c = getc(stdin);
    return 0;
}
Then you register the app as the protocol handler:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\firefoxURL]
@="URL:FirefoxURL Protocol"
"URL Protocol"=""
[HKEY_CLASSES_ROOT\firefoxURL\DefaultIcon]
@="cmd.exe"
[HKEY_CLASSES_ROOT\firefoxURL\shell]
[HKEY_CLASSES_ROOT\firefoxURL\shell\open]
[HKEY_CLASSES_ROOT\firefoxURL\shell\open\command]
@="\"c:\\test.exe\" \"%1\""
And, out comes what urlmon is passing in:
There are 4 arguments in the URL
Argument 0: c:\test.exe
Argument 1: firefoxurl://larholm.com
Argument 2: -chrome
Argument 3: BLOCKED SCRIPTC=Components.classes;I=Components.interfaces;file=C['
@mozilla.org/file/local;1'].createInstance(I.nsILocalFile);file.initWithPath('C:
'+String.fromCharCode(92)+String.fromCharCode(92)+'Windows'+String.fromCharCode(
92)+String.fromCharCode(92)+'System32'+String.fromCharCode(92)+String.fromCharCo
de(92)+'cmd.exe');process=C['@mozilla.org/process/util;1'].createInstance(I.nsIP
rocess);process.init(file);process.run(true,['/k echo hello from larholm.com'],1
);alert(process)
Firefox gets three arguments, instead of the one that it is expecting. It then goes ahead and actually processes all of them, and therein lies the problem. There are a couple of options to fix this. The simplest is probably to change the protocol handler to invoke "firefox.exe -protocolhandler" "%1". Then, in main, before you do anything else, do:
/* needs #include <string.h> and <stdlib.h>; the argc > 1 guard keeps strcmp off a missing argv[1] */
if( argc > 1 && !strcmp(argv[1],"-protocolhandler") && (argc > 3))
    exit(-1);
In other words, if you get more arguments than you should for a protocol handler, stop executing it. Alternatively, put the protocol handler in a different executable from the main one that handles only a single argument and exits if it gets anything else. Any protocol handler that parses the passed in URL and executes additional command line arguments would be vulnerable to this problem.
Jesper: under "electronic version of chapter 1." I think there is a wrong link
> Now, one could argue that it would be nice if IE put some more restrictions on what it passed to a protocol handler, but not only is it difficult for IE to make decisions regarding what third-party plug-ins get to see,
If we assume that the URL handling mechanism is supposed to be used for handling URLs, then applying URL escaping would seem to be the obvious choice, no?
> to put those restrictions on third party developers after the fact is even worse.
Yes, that's true. Hopefully applications that handle URLs support the proper escaping methods, but that's probably wishful thinking.
> The simplest is probably to change the protocol handler to invoke "firefox.exe -protocolhandler" "%1".
That's more or less what Mozilla's workaround does: bonsai.mozilla.org/cvsquery.cgi
Indeed it is. That link is broken on the Wiley site too. I've let them know and will update the post as soon as I know where it should point.
I've got to agree with Jesper here - IE laid down the parameter-passing method, and given that there's only one parameter ("the rest of the URL after the scheme and the colon"), there's not much point doing any quoting, encoding, or anything - as long as the end of the parameter is uniquely defined (and if not, what has the attacker done?)
Remember, too, that the parameter parsing mechanism used here is going to be solely dependent on the language and API the protocol handler uses. It's only because most people use C / C++ / etc that we're used to seeing multiple arguments separated by spaces, tabs, etc. What the OS passes in to the executable is the entire command line from start to finish in one long string.
Any other structure that you believe is present in the command line is imposed by the runtime library that the executable starts up before it calls the "main()" or other first developer-level function.
Yes, because the source is a URL, using URL encoding would make sense as well, but that would only make a significant difference if using that encoding prevented ambiguity in parsing the URL. In this case, because there's no special character in the command-line, there's no ambiguity in parsing - every byte of the command-line past the executable's name is _the_ only parameter to the protocol handler.
There is a way for IE to filter this attack out. It should not allow the opening of an http: URL by any other program other than itself.
Of course this would require that the program be apprised of the various alternate browsers. I know that this kind of thing is done with SSL CA certificates.
the shield icon is missing in "elevated command prompt here"
OK; the fact that this behavior is documented puts some of the blame on Mozilla. Fair enough. (The behavior is still incorrect, so I'm still going to put most of the blame on Microsoft.)
In particular note that your statement "The argument could be made that IE should not permit quotes to be passed, but why would quotes be illegal in all custom protocols?" is incorrect.
Quotes are illegal in all custom protocols, because they're illegal in the definition of a URL. No URL may contain a quote mark. If a custom protocol uses quote marks, that protocol is in violation of the standards. (STD66.)
QED. :-)
Blame Microsoft for not following standards (nothing new here)...
RFC 1738:
only alphanumerics, the special characters "$-_.+!*'(),", and reserved characters used for their reserved purposes may be used _unencoded_ within a URL.
Not sure if this is Windows or IE, but it sure as hell is Microsoft's fault! Of course Firefox _can_ fix that in one way or another, but that doesn't mean Firefox is guilty. Any other URL handler can be exploited like this, and a Firefox fix won't affect others; only Microsoft could fix it once and for all, but they won't - why bother...
This was a very fruitful conversation. I came off MozillaZine to here not knowing exactly what to think. So, in summary, it's not Microsoft's fault because Firefox is using a feature in a more advanced way than it's designed to be? Well, I use SeaMonkey in Linux, but still it's good to get things cleared up.
Of course, it is possible to implement URLs correctly (for general idiot-proofing) or make the function's limitations more explicit. I'm not going to be a Microsoft apologist or a Firefox fanboy here, but I'm just saying.
Are there any negative implications to leaving the protocol handlers behind?
No, there should be no adverse impact of leaving the protocol handlers behind since the binary that executes them is missing. There may be an error message about a missing application if the user is redirected to a site using one of those protocols, but that is all. It is merely bad form not to clean up after oneself when one is uninstalled. Firefox is far, far from the only application committing that particular violation, however.
@inkredibl
RFC 1738 has long been superseded. Try RFC 3986.
@jesper
How does that differ from a SQL injection? The "middleware" application (IE) takes input (the URL), parses it, constructs a query, and sends it on to the shell.
I think this is very different from a SQL injection bug. In the SQL injection case it is the middleware that parses input and constructs a command. It knows all about what is legal and what is not, while the database knows nothing about what is legal.
In the case of the Firefox input validation failure, urlmon.dll is simply passing on a string it received as a command. It does not know what the called application considers legal and has no way to find out. It could potentially attempt to make the URL conform to a legal URL, but as urlmon.dll does no processing on the URL at all, it really ought to be up to the application that processes it to make sure it conforms to whatever conventions and rules that application expects. You cannot blame a web server for a SQL injection bug as it merely passes the input data onto the middleware application. It is the same in the case at hand; urlmon is simply passing on the input data to the protocol handler.
OK if neither IE nor urlmon.dll reads the regkey, substitutes the %1 and passes this constructed command to the shell, which part does it?
"It does not know what the called application considers legal and has no way to find out."
Since the request is passed to the shell in the end and you know how it handles quote characters, there is no need to know what the target considers legal.
"It could potentially attempt to make the URL conform to a legal URL, but as urlmon.dll does no processing on the URL at all, it really ought to be up to the application that processes it to make sure it conforms to whatever conventions and rules that application expects."
Since the encoding rules are the same for every URI the caller knows what the target expects. Also the caller knows exactly what is part of the URI while the target needs to reconstruct it in this case.
Jester, you are a genius. Shame on Mozilla for their bad marketing practices
Yeah... I agree... a patch that doesn't patch anything, by the words of firefox team :)
I love this post :D
You forgot to mention one thing - that scary looking dialog box has a check-box that allows the user to say "yeah, sure, I trust this URL". So, the scary dialog box that the user sees would probably have already been dismissed by the user on a previous (benign) use.
Such dismissable dialog boxes have few uses:
* a convenience, to warn users the first time through, that something unexpected is about to happen, so that they'll expect it next time.
* Err... that's all I can think of right now.
It's being used in this case to warn users about potentially dangerous behaviour, so that the user can say that yes, in every similar case, they will want the dangerous behaviour to succeed.
The user (or the user's admin) approved this handler (by installing an app that created the associated registry key), so asking the user to approve it again is a bit of redundancy - not always bad in security terms, but in this case, it doesn't really add much of anything. Is an external program more dangerous than an internal plugin? In some cases, it can actually be safer, because (and SAFER is the key word, although SRP will get you more search hits) you can restrict the external application to run with limited rights.
The reason why the original bug is MSIE is simple: It is MSIE that starts the Firefox commandline, and the commandline says firefox.exe -url http://foo.com -chrome BLOCKED SCRIPTdoEvil(), and that's a fully legal way to start firefox, -chrome is just a way to specify the startup/main window, and any URL is accepted, and it has to have system rights. So, firefox just does what it has been told.
The assumption with commandline parameters is that they come from the user, and are thus fully trusted. Consequently, if any application starts another application, the former has the obligation to start the right commandline. Even more so when untrusted content is made part of the commandline. You have to take a lot of care for escaping there, it's very easy to get this wrong. This is a very old problem, lots of exploits a long time ago on Unix which happened that way, and it's always the launching application which is at fault, not the launched app.
It's a shame that MSIE gets this wrong, and it's clearly an MSIE bug.
It's even *more* of a shame that Firefox gets this wrong - a) because they should have fewer bugs, and b) because they have been warned by the MSIE bug; we should have checked ourselves.
Labertasche:- the request is (almost certainly) handed to the Windows API, not to the shell; further, the shell doesn't process quote marks at all when passing a command line to an external executable.
(However, the legal characters are defined by STD66 so IE/urlmon should have no difficulty in this regard.)
Ben Bucksch's comment is incorrect - "The assumption with commandline parameters is that they come from the user, and are thus fully trusted."
This is not merely a command line - it is a declared and documented handoff of untrusted data coming from a remote and untrusted third party, not the OS, and not the user, but a potential hacker.
When Firefox registers "firefox -url" as a protocol handler, their programmers have declared that they are aware that anything coming through in "%1" is untrusted and unfiltered data, potentially from a hacker. If they choose to fully trust that, then they are either asleep at the switch, or not aware of security concerns.
I think Labertasche is confused by Jesper's wording. Yes, urlmon.dll processes the registry keys to figure out which protocol handler to call, builds the command line, and executes the handler, but as Jesper says, it does no processing on the URL - it reads it in, and it hands it along, unprocessed - unchanged.
As it turns out, the shell does not handle quote characters in this case. It is the runtime library for the particular language which does.
If you choose C or C++ as your language of choice, for instance, the command line string as a whole is parsed in the CRT library routine parse_cmdline(), which (if you have Visual Studio installed) is in %ProgramFiles%\Microsoft Visual Studio 8\VC\crt\src\stdargv.c
If you use assembler, or write your program for Win32 (with a start function of WinMain instead of main), you'll be given the command line as a single string from first character entered to the final character provided by your caller.
Double-quote processing is a feature of C and C++, NOT of the Windows executable calling mechanism.
To put it another way, double quotes are only special to Firefox because Firefox's programmers chose to treat them specially. As such, it's their responsibility to ensure that they are handled correctly when faced with data provided by untrusted third parties.
Hey Jesper - glad to see you posting again!
Michael Espinola's script here:
www.espinola.net/.../So_you_want_to_fix_all_your_WSUS_clients
is great at resetting WSUS clients - either individually or in a batch. In a large environment it's a real time saver.
Alain Saint-Entienne left a comment on my IE post about this article and I can only repeat my answer from there - you are absolutely correct.
Firefox, and any application built on top of the Mozilla framework, is indeed plagued by the same flaw :)
The 2.0.0.5 security updates fixed the lack of inbound argument validation, but left any outbound arguments untouched.
Cheers
Thor Larholm
Seems it's slightly more complicated than at first it seemed. The relevant Microsoft documentation
<msdn2.microsoft.com/.../aa767914.aspx>
requires URIs to be decoded before being passed to the protocol handlers. That is, you should be able to exploit the reported vulnerability without using illegal URIs.
This changes things. It means that IE (and other browsers) can't fix the problem without potentially breaking third-party protocol handlers that depend on the documented behavior.
Technically, it also means Jesper (and Microsoft) are correct; the bug is in the software registering the protocol handler (Firefox in this case) not in the software calling it.
However, I'm still going to blame Microsoft, because frankly, passing URIs between applications in decoded form was a really really dumb idea. Very few application developers would have spotted this particular trap.
Sure, that is possible, but is it any less dangerous than asking a user to download an executable?
So what you learned here is programming 101: pass arguments along cmd in Windows.
It's actually a very old trick based upon the telnet:// identifier put into an iframe. What does it do? It launches telnet.
No one in the universe would click yes to that mayhem you present once, let alone twice.
The bug is already fixed, with the update waiting to be deployed.
In the meanwhile, NoScript users enjoy early protection: noscript.net/getit
Let those who have not sinned cast the first stone... Mozilla is certainly not entitled to.
It figures that this joker Jesper works or did work for Microsuck!! Programming thieves that they are. They cannot ever get it right cause all they do is copy and not create!!
A miserable try to make IE look better than it is
Shame on you
@Paperino: "[...] Shame on Mozilla for their bad marketing practices"
There is the glasshouse again: Mozilla's marketing practices? Take a look at Microsoft's marketing practices and come again...
So in my opinion Firefox is as bad as IE at this failure. And you are proud of that? A product you have to pay for should be BETTER than a free alternative.
Spommel
I agree with Ben Bucksch that the launching application is responsible for escaping command-line arguments, because it has some information to determine whether those arguments are valid that the launched app does not. In this case, the browser (whether IE or Firefox) knows that the URL is supposed to be one argument, and that quotes in it are not valid. If it launches another app with the URL split up as several command-line args, how is the second app to know this? The second app may do further validation of its inputs, but that doesn't relieve the first app of its responsibility--if it can tell that the args are invalid, it should act. Mozilla should fix this bug in Firefox, and then throw some more stones at MS Windows: "We fixed this flaw quickly. Why can't you?"
Those who think it is the calling app's responsibility to perform input validation for the called app should take a few moments to go read what David LeBlanc has to say about this. He has some really great insights on that particular issue:
blogs.msdn.com/.../security-dependencies.aspx
You mean to tell me Mozilla's Chief Security guy is called Window?
Does anybody here think that rm -rf / should do something else than trying to delete / ? Does anybody here think that it is a bug in firefox that firefox -chrome BLOCKED 'BLOCKED SCRIPTsomething()' tries to run the javascript code "something()"? No, of course not. It's not a bug in rm or firefox. If you don't want to delete /, or if you don't want to run "something()", then you shouldn't issue those commands. But IE does. So the bug lies in IE (and Firefox < 2.0.0.6), period.
So what happens when I have a URL with several spaces and quotes? e.g. <test://" asd> (two spaces) and <http://" asd> (one space) Will the parameters given to the url handler be the same, or will they be different? (I don't have Windows, so I cannot test it ;-) )
IMO the handler should always be called with the url as *one* argument, even if it contains spaces.
Ansgar
@multi_io: Truly bizarre assertion there. IE is not issuing the command, nor did Firefox ever issue the command.
@Ansgar: As Alun Jones pointed out, the concept of "one argument" vs. multiple is limited to C/C++ and the way its typical runtime libraries parse command line input. C/C++ apps often end up seeing only argc/argv. Most other languages see input as a single string, possibly containing spaces. Apps written for Windows (including C/C++) can call the GetCommandLine API to see the real command line.
You're a saint... I miss so much the "command prompt here" feat... I've used it since the first release of TweakUI... I love you for this... :)
For the rest... well, there's a lot of funny stuff... I'm only a bit afraid by this massive, huge, doc with all those spec... Hey, 200 pages is GARGANTUAN!
MS is inconsistent: for the URL handler hcp the parameter is escaped. Perhaps because helpctr.exe can't deal with the unescaped parameters?
Aion, your comment cracked me up! ROFL
As an argument for why web browsers should not perform any validation on arguments they pass to apps they call, I find David LeBlanc's insights far from convincing. If my "CriticalBusinessApp [needed] quotes coming in" when it was being called as an URL handler, I'd ask my programmers what they were smoking. Also, detecting malicious input is more difficult after it's been split into multiple arguments by the command line interpreter. For example, validating an arg that's supposed to be an URL will not detect that the following -chrome arg was supposed to be part of that URL.
If we were talking about general applications, I might agree more with LeBlanc, but we're talking about web browsers. There are rules that all web browsers are supposed to follow (like the spec for what is an URL), and so a browser has more context to determine what would obviously be invalid input for an external app. If what incoming HTML said was an URL does not look like an URL, then it would obviously be poison for any program that expected an URL, so it should be escaped, and quoted to prevent splitting or other misinterpretation by the command line interpreter.
To linuxuser: shame on you! I'm actually sick of this "MS is bad" "Linux/OSS is good" ... this is a technical discussion and Jesper's arguments are totally OK.
As a software developer (no, I do not use MS development tools) I know that you can never trust input passed to your app ... and therefore you should always validate what your app is getting from the outside .... otherwise you are just a fool.
@punissuer: If it's too difficult for you to spot malicious input using argc and argv, then you should stop using argc and argv. As Aaron pointed out, at any stage you can call GetCommandLine to get the command line as a single string and do your own parsing; you can also write your code as a Win32 app, rather than a console-mode app, and it will receive a single string containing the entire command line.
In this case, Internet Explorer is acting as a proxy, not a browser, and should behave that way; the protocol handler is acting as an Internet-facing client, and should behave that way. Asking that the proxy encode or decode stuff for you is not appropriate, because you will lose information about what the original intent was.
@Aaron Margosis
Yes it is issuing the command if you click on a link named something like <a href='firefoxurl://foo.com"%20-chrome%20"BLOCKED SCRIPTsomething()"'>, which is the whole point of the discussion!
(let's see how much of that text is left intact by the broken blog software on this server -- btw: is it any indication for MS's state of confusion when it comes to quoting issues that the server software here replaces every occurrence of "j a v a s c r i p t:something()" with "BLOCKED SCRIPT:something()"? :-P)
Alun, I disagree with your characterization of the situation. The first browser (whether IE or Firefox) is indeed acting as a browser. It downloads, parses, and renders an HTML page. It identifies anchor tags and href attributes, whose values should be URLs. It's irrelevant whether the protocol handler is even aware of the network (file URLs, anyone?) since the problem occurs while it's validating its command-line input. As for validating the command line as a single string, how is the protocol handler in any better position than the command-line interpreter that populated argv and argc? Information about the original intent is lost when the calling browser fails to quote or escape the arguments.
You're right - details of how to parse the protocol are only available to code that knows something about the protocol, and clearly the protocol handler would have no more knowledge about the protocol than the C Run-time library (it's not the command line interpreter, which people typically use to mean CMD.EXE)
How is the protocol handler more able than _whatever_ populated argv and argc even to determine where a maliciously malformed URL begins and ends if the calling app has not relayed this information with quotes, and escaped quotes in the malformed URL? Skimming your blog, I found this statement which seems relevant:
> It's vital for the protocol handler to see the "-url" argument as indication that everything following it is suspect. The first double-quote should not be taken as a sign that "%1" is over - the last double-quote before the end of the command line is that indicator.
I would agree with this statement completely if the -url argument were used only by programs calling Firefox as a protocol handler, so the command could have only the form 'firefox -url "%1"'. But users can type the -url arg into CMD.EXE by hand, and follow it with other args, so the assumption that it must be the last double quote that ends the URL is not valid.
Also, the calling browser could use the "known good" principle you mention on your blog while escaping the URL. Only characters which are not valid in URLs (like whitespace and double quotes) would be escaped, so a well formed URL would be unchanged. Who cares if a maliciously malformed URL gets mangled? The protocol handler should throw some kind of exception upon such input, anyway.
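As an added example (not code from the post, Mozilla or Microsoft) tying together the argument dump earlier in the thread, the argc check Jesper proposes, Alun Jones's description of CRT argument splitting, and the last-double-quote rule quoted above: a C program that pastes a URL into a constructed handler template, splits the line with simplified parse_cmdline rules, and applies both validation strategies. The template, the sample URLs and all function names are constructed for this example; the hostile sample carries a harmless marker where the dump had a script.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ARGS 16
/* Constructed samples (not from the post): the template of the proposed fix, a
 * normal URL, and a URL shaped like the dump above with a harmless payload. */
#define HANDLER_TEMPLATE "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -protocolhandler \"%1\""
#define BENIGN_URL  "firefoxurl://example.test/page"
#define HOSTILE_URL "firefoxurl://example.test\" -chrome \"INJECTED-ARGUMENT"

/* Paste the URL over %1 exactly as the handoff does: no quoting, no escaping. */
static char *expand_template(const char *tmpl, const char *url)
{
    const char *at = strstr(tmpl, "%1");
    size_t head = at ? (size_t)(at - tmpl) : strlen(tmpl);
    char *out = malloc(strlen(tmpl) + strlen(url) + 1);
    memcpy(out, tmpl, head);
    strcpy(out + head, at ? url : "");
    if (at) strcat(out, at + 2);
    return out;
}

/* Simplified Microsoft CRT rules (parse_cmdline in stdargv.c): blanks separate
 * arguments, '"' toggles quoted mode, backslashes are literal unless they
 * precede a '"' (2n -> n; 2n+1 -> n plus a literal '"'). Not the CRT's code. */
static int split_like_msvcrt(const char *p, char **argv, int max_args)
{
    int argc = 0;
    while (*p && argc < max_args) {
        while (*p == ' ' || *p == '\t') p++;
        if (!*p) break;
        char *arg = malloc(strlen(p) + 1);
        size_t n = 0; bool quoted = false;
        while (*p && (quoted || (*p != ' ' && *p != '\t'))) {
            if (*p == '\\') {
                size_t bs = 0;
                while (*p == '\\') { bs++; p++; }
                size_t keep = (*p == '"') ? bs / 2 : bs;
                while (keep--) arg[n++] = '\\';
                if (*p == '"' && bs % 2) { arg[n++] = '"'; p++; }
            } else if (*p == '"') {
                quoted = !quoted; p++;
            } else {
                arg[n++] = *p++;
            }
        }
        arg[n] = '\0'; argv[argc++] = arg;
    }
    argv[argc] = NULL;
    return argc;
}

/* RFC 3986 allows only unreserved and reserved characters and percent-encoded
 * octets in a URI; a blank or a '"' is never legal. */
bool url_chars_legal(const char *s, size_t len)
{
    if (len == 0) return false;
    for (size_t i = 0; i < len; i++)
        if (!s[i] || (!isalnum((unsigned char)s[i]) && !strchr("-._~:/?#[]@!$&'()*+,;=%", s[i])))
            return false;
    return true;
}

/* argc the handler's main() would see for this URL (3 for a well-formed one). */
int handler_argc(const char *url)
{
    char *argv[MAX_ARGS + 1], *cl = expand_template(HANDLER_TEMPLATE, url);
    int argc = split_like_msvcrt(cl, argv, MAX_ARGS);
    for (int i = 0; i < argc; i++) free(argv[i]);
    free(cl);
    return argc;
}

/* The check proposed in the post: exactly one argument may follow the switch,
 * so anything more means the URL was split; the survivor is also checked. */
bool handler_accepts_argv(const char *url)
{
    char *argv[MAX_ARGS + 1], *cl = expand_template(HANDLER_TEMPLATE, url);
    int argc = split_like_msvcrt(cl, argv, MAX_ARGS);
    bool ok = argc == 3 && strcmp(argv[1], "-protocolhandler") == 0
              && url_chars_legal(argv[2], strlen(argv[2]));
    for (int i = 0; i < argc; i++) free(argv[i]);
    free(cl);
    return ok;
}

/* Alternative raised in the thread: read the raw line GetCommandLine() would
 * return and treat the quote after the switch up to the LAST quote as %1. */
bool handler_accepts_rawline(const char *url)
{
    char *cl = expand_template(HANDLER_TEMPLATE, url);
    const char *sw = strstr(cl, " -protocolhandler ");
    const char *start = sw ? strchr(sw, '"') : NULL;           /* opens %1 */
    const char *end = start ? strrchr(start + 1, '"') : NULL;  /* last '"' closes it */
    /* the hostile URL is recovered whole and still carries '"' and ' ' */
    bool ok = end && url_chars_legal(start + 1, (size_t)(end - start - 1));
    free(cl);
    return ok;
}
```

With the constructed template the benign URL yields argc 3 and the hostile one argc 5, and both checks reject the hostile line while accepting the benign one.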
Definitions of snake oil usually mention the cure being worthless as part of the definition. As you point out near the end of the post, outbound host-based firewall filtering is NOT worthless. But the sentences mentioning snake oil leave the reader with the wrong impression that such filtering is worthless.
Such filtering is not 100% effective, but neither are antivirus or firewalls or most every other countermeasure. Such filtering 1) raises the bar that malware must surpass and 2) offers an opportunity for the OS to detect and alert when the firewall is modified or bypassed in certain ways, even if it cannot prevent it.
Also, host-based firewall settings can become somewhat more secure from tampering if it is run in a security context other than the current user or some form of user authentication, CAPTCHA, etc. is required to modify settings. If these don't apply to the way Windows Firewall implements outbound filtering, well, maybe they should?
The current Windows architecture lets even malware running as GUEST bind an executable to a listening TCP/IP port, something *nix can prevent. So, at this point I'll take pretty much any kind of user access control on TCP/IP that I can get out of MS Windows, whether it's robust or not.
The first paragraph of the second OMB memo seems to state that it applies not to all Federal computers, but only to those that are running Windows XP or Windows Vista workstations. Other workstation and server OSes are exempt for now.
You mention concern about protecting competent government system owners from incompetent auditors... the reverse is just as often true. Certainly what is needed is more specific guidance to both protect the system owners and to guide them in the right direction. Unfortunately, the NIST guidance such as SP800-68 for XP does not provide enough clarity. Many items are optional recommendations, or the specific settings are left up to the agency to decide. Page 7-18 of this guide seems to suggest disabling TCP 445 as being an unnecessary service, I'm not sure that's sound advice.
Maybe worst of all, Nessus auditors will turn to using the NIST group policy template to audit workstation compliance. Every difference with that template will register as non-compliance, even when settings are more restrictive than required. Nessus at least is more accurate in detection, and it checks for missing patches, which the NIST document and template do not.
Thank you, Jesper... I was driven crazy trying to understand what this exploit actually does. And thus who is flawed, too, FF or IE... :)
In your post on the original IE->Firefox vulnerability you said it was Firefox's fault because it registered the URI handler, and it wasn't IE's responsibility to validate the URI before passing it to Firefox.
Now you're saying this vulnerability is Firefox's fault because it hasn't validated the URI it is passing to a URI handler registered by Windows?
You can't have it both ways!
punissuer:
In which case, firefox should define a new command line switch and register its protocol handler like this:
firefox -untrustedurl "%1"
Then regular users using -url would be free to combine it with other switches, while the URL protocol handler would only use the safe switch (which would do all of what Jesper suggests).
By Firefox registering the URI handler, it is staking a claim that it knows how to handle the protocol. If it's calling a piece of code in IE that is not behaving as documented, then I'm sure that Jesper will acknowledge that the flaw is there and needs to be fixed. If, on the other hand, Firefox is passing something to IE that IE is not documented to be able to take, will you be happy to admit that the problem is with Firefox?
@Muffin
I've never seen MS blame Turing for their bugs as Window Snyder just did.
Nice post and informative as usual.
It seems that the many-eyeball theory behind open source code security is falling apart nowadays: if many eyeballs looking at the same exact piece of code couldn't get this, having the code is just not as useful as having a protected mode browser.
I'm responsible for security in my company. For me it doesn't matter if it's FF or IE or AOL or "WTF" with a vulnerability.... The only thing that matters is having a fix so I can start the system engineers doing the distribution of it on all our client and server systems.
I would like to see some cooperation between the different software companies, to think about solutions that benefit everybody.
Maybe looking in RFC3986 again and optimize it?
Fact: Nobody is perfect. All software has vulnerabilities. It's a matter of when they are discovered.
Greetings.
Process monitoring (Task Manager, firewalls, etc.) has two other generic flaws.
The first is the "glove puppet" effect, when a generic wrapper such as SVCHost or RunDLL is the reported process, or a process is open to plugins and automation as is the case with web browsers.
The second is code within an ADS, which is typically reported as the base file. Because ADS code is not within the base file, an MD5 check of the base file will be meaningless. IMO, code should not be run from ADS and any resident OS service that processes ADS should strip all code when found.
That's confusing - what I get for posting just before bedtime.
What I meant to say is that, in the first case, Firefox is registering as a URI protocol handler, and that means that it knows how to handle the protocol.
In the second case, it's clear from Jesper's later comments that it's far from clear that any component of Windows is causing these other executable elements to be called - in fact, the indications point to Firefox again (although it's distinctly possible that Firefox is passing something that it thinks is innocuous into a Windows DLL).
Jesper hasn't been one to pull his punches or stick to an opinion after he's been proven to be wrong - but I'll let him show that, if he needs to.
My feeling on the whole thing? A pox on both their houses for not looking out for the security interests of the end user. Both Microsoft and Mozilla failed in an extremely important concept, ALL INPUT FROM REMOTE SOURCES MUST BE SANITIZED BEFORE IT IS ACCEPTED FOR INPUT! Microsoft is vile for passing on unsanitized data, and Firefox is vile for not sanitizing its input.
Jesper, Firefox doesn't do any additional processing on the schemes in question. It just passes them to ShellExecute, like every other scheme. It's actually Windows that processes them differently, and in particular this processing changed with the IE7 upgrade.
In particular, try the following two URIs in "Start > Run ..." on an XP system with IE7 installed:
mailto:test%../../../../windows/system32/calc.exe".cmd
mailto:test../../../../windows/system32/calc.exe".cmd
The former launches calc.exe, while the latter launches the default mailto: handler.
According to this:
bugzilla.mozilla.org/show_bug.cgi
the same behavior can be observed using "Run" from the Start Menu, which suggests that the fault is indeed in Windows/IE. It also seems that the underlying issue doesn't depend on using illegal URIs, though it may be difficult or impossible to exploit without them. (Note that the embedded nulls in the original exploit were properly percent quoted.)
However the exact situation still seems unclear to me, in particular I'm not sure why IE doesn't seem to be vulnerable. So I'll have to reserve judgement until further information comes to hand. The original exploits don't behave as expected on my computer and I haven't had time yet to explore variants.
No, Firefox doesn't expect ShellExecute() to do any input validation; it expects it to hand the URL off to the registered protocol the way it was passed. On WinXP with IE7 installed this is no longer the case for a handful of web-related protocols. Please feel free to verify this with your own test program on a machine without Firefox -- the URLs from Billy Rios will have exactly the same effect.
Did anybody read the picture from Firefox?
Just below the scary url that is presented to the user is written:
...it may be an attempt to exploit a weakness in that other program ...
In the case of IE "that other program" is Firefox. No more searching whose fault it is. Mozilla confesses.
It appears that the browser that is immune from this exploit, which only occurs on XP, is also the browser that, once installed, creates this exploit in several other applications, including XP's Start -> Run, due to the fact that when you install it the behavior of shellexecute is changed.
Outsmarting each other.
Both have flaws, I think.
Let's see who fixes their flaws first.
Jesper, you're an arrogant douche. Get off your high horse; your opinions are meaningless; do something useful. And btw, that "file photo" is completely gay.
Have fun dissecting this post in your deluded mind.
You can pick Exploder, which is just about as exciting as the Taco Bell menu. Or - pick Firefox, which is the Mexican putting your Nachos Bell Grande together. At least homeboy can mix it up!
"But it was from someone I know!"
"We can't have a virus, we use NORTON"
"I don't know what it was, we always just wipe and rebuild"
I've heard that last - "I don't know what it was, we always just wipe and rebuild" - a number of times, and sometimes the perpetrator of the remark points to Jesper's article on "Help: I Got Hacked. Now What Do I Do?" as justification.
The answer, of course, is that this article tells you how to clean the system (by flattening and repaving) - but if you do this, and you clean the system back to the state it was in before it got infected, all you've done is restored the system back to the state that allowed it to get infected.
You'll get infected again, for sure, that way (with the updated version of the same attack - and maybe the updated version is harder to detect).
That's why you can't get away with reading and parroting security articles, no matter how good they might be. You actually have to think about their implications, or your reading is useless.
I still have my old Brio train track somewhere; wish I had this as a kid though!
I recently saw a case where a customer's IIS server had been hacked. The bad guys installed Apache and were apparently serving the pages to go along with this scam.
I still haven't figured out how the compromise took place, but I find it interesting that they'd install Apache on a box running IIS. But there were enough hits in the IIS logs to suggest that this really could be a very profitable venture for the bad guys.
Personally, I'm running MythTV on Ubuntu. It does everything that Windows MCE does, only well, better. To be honest, though, I wouldn't touch LinuxMCE with a 10' pole -- it's just not ready for prime-time yet (the UI is horrible, it has very limited hardware support, etc). And if you don't use the Home Automation stuff that LinuxMCE comes with, there's no point anyway.
I chose MythTV not so much because I was worried about DRM (though that's a factor -- MythTV has excellent commercial flagging features which means I can completely skip commercials: does Windows MCE do that?). The MAIN reason I chose MythTV over Windows MCE is that I'm not going to fork out for Windows Vista Home PREMIUM just so I can run one program all day.
"Don't worry 'bout it, Ballmer'll walk you though it,
Step by step, you'll be restricted
Patch by patch with the new solution.
Transmit bits, with D.R.M. pollution
Claim the contents irresistible and that's how they move it."
slashdot.org/comments.pl
You may want to look at MediaPortal as well.
Due to these and related issues, I no longer buy DVD's or CD's. That may seem extreme to some, but in my case it is not a big deal. I rent DVD's once in a while to play in a DVD player hooked up to the TV, and that is it. When you start playing with this stuff it eats your time and worse is very insulting. I can only imagine how a less technical user would handle this.
Jesper: I'd be interested in your take on LinuxMCE if you go for it. It is _far_ from Windows Media Center; despite the fact that CGMS-A protection is not there, it is not polished, no matter what most commenters online say.
Microsoft has been informed time and time again that there are issues with the CGMS-A DRM that Media Center uses and has done little about it publicly.
If you are interested in sticking with Windows, try Beyond TV or Sage TV. Both of which are not going to give you this issue.
Your problem is MCE. Use SageTV or BeyondTV if you want to keep Windows.
These will avoid using Microsoft DRM.
Everybody that has anything to do with TV needs to look at the music industry and make plans now. The grim reaper is on its way and it won't take prisoners.
People like media. People LOVE convenience. If companies won't make purchasing and viewing media easier than getting it on BitTorrent, then they are just counting down to their demise. They need to stop assuming everybody is a thief and realize people don't mind paying as long as you make it easy, and don't rob them.
I believe you're missing something here. First of all, I assume you are using Vista MCE (sorry if I missed this) - if not, you will not be able to view DRM protected content (premium channels, etc.).
If you are using Vista, then you need a device that is able to decode the DRM-protected content...Vista does support this. These devices should be available soon - if they're not out already.
One last thing - this really has very little to do with Microsoft. CableLabs/Cable companies are the ones encrypting the content - Microsoft is bound by very strict rules set in place by CableLabs. This is a very long and complicated issue; way too long for this forum.
You really should do more research into this whole issue before posting something like this.
These are very useful comments. I'm evaluating what I am doing but thanks for the pointers.
Dan, first, I am using XP MCE, not Vista yet as the box I have (one of the HP MCE specialized units) will have problems running Vista.
Second, I obviously have a cable set-top box that does the decrypting. I have had the same setup for two years and it just now stopped working.
Finally, I won't get into the "strict rules set in place by CableLabs" other than to echo Kraemer's comments that DRM is harming legitimate customers as currently designed and pushing people toward engaging in criminal activity because of it.
I truly feel for you Jesper! I have posted on my blog in support of this frustration. I can only hope that Microsoft will finally realize that Cory Doctorow was right when he gave his DRM talk at Microsoft back in 1994, which is reprinted at my blog for easy reference:
www.bambismusings.com
Jesper, please allow me to welcome you to the Linux fold. I don't think it's any secret that your conversion is inevitable at some point. The sooner, the better, though, eh? The Linux community values your skills and insights. We will be grateful for any contributions you make.
I too recommend taking a look at MythTV over all others. It was truly fantastic and leaps and bounds better than XP MCE. It is so much better written! Recording info is stored in a database so the screen UI is much snappier. Much faster to run a DB query than wait for Windows to parse the headers for information, then sort it, etc., etc. You can distribute encoder cards to various computers and they all work together. I could go on and on, but it is really great!
That being said, I am running Media Center now because Xbox 360s are great, cheap front ends. Additionally I want to record HDTV over cable or preferably Dish. I don't see this happening with any Linux DRM solution, at least till the decoder cards are regularly available and then it can be cracked.
Once the DRM is cracked I'll switch back. I am not in to stealing anything, but DRM is unusable in 99% of the solutions and sometimes it is easier to switch to the "Dark Side".
DRM was the straw that broke the camel's back for me. I used Microsoft products since the early days of DOS, not perhaps pleased with it always, but it sorta worked. But DRM forced me to reconsider and I switched to Linux somewhat reluctantly, as I knew a lot about Windows and little about Linux. But since I switched I have to admit Linux is far superior and I will never go back. I advise everyone I know to do the same.
DRM is pure filth.
It is high time that tax payers press their politicians for laws that give them some kind of minimum rights.
For instance: if the music and entertainment industry prevents you from creating a backup copy of your CDs and DVDs through copy protection, then they should be forced to swap your scratched copies with a new one for free.
And that is just one example of the battle that needs to be fought.
It is high time that law makers stand up for the general public instead of the "copyright holders", who are permitted to use criminal activities in order to catch other so-called criminals.
Enough is enough.
Hi.
@Jesper
I've had this same issue with MCE.. it took me about an hour to fix it. I'm a tech/programmer guy by trade.. I know this would stump many people that don't have the tech skills.
Eventually, reinstalling WMP 10 and following the KB article, I got everything working again..
FYI, my two cents.. XP MCE 2005 is great. I love it. I use it with two modded XBOX's running MS MCX and XBMC. That way I can play anything.. (Because MCE won't play DivX!)
But you are 100% right that DRM is killing it for Microsoft.. I bought my girlfriend a PlaysForSure device.. the only thing sure about it was that every month all her licensed media would not play and we would have to reformat the device.. I stopped paying for Rhapsody, and have found it easier to just download MP3's and put them on.. no DRM, no issues *EVER*. I won't again use DRM music. I'll go illegal first, even though I really liked the idea of being legal, and was willing to pay some cash for it, I am not willing to pay in sweat for it.
When I record a show in MCE, if the copy protection is enabled.. Good luck viewing that on other devices that don't support windows media player copy protection.. If you look around, you will be able to find a box that will strip the cdma broadcast flag from the signal before you feed it into your computer.. So you can get around the cdma broadcast flag with some hardware.
So.. I love XP MCE 2005.. it's DRM is not invasive enough to drive me to another product.. BUT..
Vista won't work with my V1 MCE Extenders (old XBox's), one of the reasons it doesn't is because of Vista's DRM.
And Vista's DRM is throughout the system.. I really doubt that my next media machine will be Windows BECAUSE of the DRM. Anytime I mess with it, I get hit with usability issues that only a tech can solve, and when I'm watching TV.. I don't want to be working, I want to be playing..
So I'd like to hear what you think of LinuxMCE..
I myself am looking at MythTV and a (future) Linux port of XBMC to run on a small fanless box for my next media center setup.. I don't have faith in MS dumping DRM.. but I do have a lot of faith in me dumping DRM..
@Dean
DVRMSToolbox for Microsoft MCE 2005/Vista does an awesome job of skipping commercials. I think it can use the same Dragon(something) program to analyze the media stream that can also be used on MythTV and BeyondTV. It's 3rd party.. by default, you cannot skip.. but you can add it easy.
@Dan
I think you are the one that needs to do more research. It doesn't sound like you know what you are talking about.
Most people use XP MCE 2005 with a cablebox to decode the cable-encoding, the cdma-a broadcast flag is something different.. XP MCE 2005 does indeed work with protected channels.. cable descrambler vs cdma-a broadcast flag.. look it up and get current.
While no one wants to get into a debate about how to properly diagnose a specific tech support issue, I can appreciate the extreme annoyance of having your system fall down around your ankles.
The more important discussion is around the DRM restrictions that continue to be put in place by content providers. Until those minds can be changed, the only way to have a consistent and acceptable user experience will be to live outside the law.
Dan:
It's guys like you who have made Windows just as annoying as Linux. It doesn't "just work" so give it a rest. As for "research" why the heck should I have to do that?
I don't know that Linux offers a better solution, but at least once it's set up it works, for crying out loud. It just takes longer to get it working. But answers like yours are useless.
I've been using Windows Media Center XP and now Vista since 2003. Right now I do not have any of my Media Centers (have two) plugged into a cable box. I use OTA high def and analog cable, with ZERO problems. I'm trying to figure out how to do a CableCARD Media Center, but it's not a super big deal; most of the TV I like comes through the analog and OTA.
How EXACTLY are you connecting your cable box to your Media Center? Blame Microsoft all you want, but it's the cable companies that are encrypting the high-def signals out of the cable box. Component should work fine however.
I've tried MythTV and LinuxMCE and they ARE NOT SIMPLE TO SET UP EVEN NOW!!!!!!! I might try to work with them some more, but they STILL wouldn't solve the problem of getting a digital high def signal from the cable box that's encrypted, and that has NOTHING TO DO WITH THE DVR SYSTEM!
If I'm wrong please correct me.
Bottom line, I've got two Vista Media Centers with a total of four analog cable and four OTA digital tuners. I can copy and burn as much as I like as LONG as the source media is not encrypted.
Yeah, DRM sucks, but tell your cable company that, not Microsoft.
Xigam: thanks, I was not aware of that! But then, with TiVo and the way they handle commercials nowadays, it doesn't bode well for commercial PVR software.
By the way, if you have a modded XBOX, you can get MythTV extenders for it if you ever choose to go the MythTV route. The only limitation is that an XBOX isn't powerful enough to decode HD content...
RE: Yeah, DRM sucks, but tell your cable company that, not Microsoft.
The problem actually lies on three or more sides.
DRM wouldn't work if the hardware didn't have the DRM built in (hardware like DVD players/recorders for computers, video cards, etc., phones, cable boxes, etc.), ~~ AND ~~ if Microsoft (and other OS vendors) didn't enable the content providers, particularly the ubiquitous Microsoft products, particularly the DRM infested Vista. That's why I call Vista, The Enabler.
Without Microsoft's enabling of the content providers with 'control over what YOU BUY' through the operating system and without CE companies providing 'features' CUSTOMERS DO NOT WANT, then, the content providers (entertainment cartels) would have to provide something that works or not make as much money.
Either way, once you get operating system vendors and consumer electronics manufacturers to stop giving in to the entertainment cartels, then you only have to deal with one side of the equation...the content providers aka the entertainment cartels.
But there is a fourth side of the equation as well. Customers. What are customers willing to sacrifice to be able to view movies, TV shows, connect with their devices, play their music, etc. on their computers, phones, PDAs, etc.
As customers, I think we all have to think long and hard on that one; not only for ourselves but for what our actions -- or inaction -- will mean to our children and grandchildren. Each generation will have to deal with ever increasing restrictions and invasive behaviors by the entertainment cartels and worse. It's the Pavlov's Dog syndrome yet again -- they will never be satisfied with what they could get from customers before as technology gets more and more sophisticated.
I think earlier generations realized this. Do we?
I have heard of the MythTV extenders, but have not seen much about it. I _think_ MythTV does work on Windows too .. so there might be a migration path there that still includes Windows.
@Heatlesssun
You are right about the cable DRM.. there is the cable DRM that your box or cablecard has to decode, and they are the ones slowing the standards for PC-CableCARD adapters, and requiring Microsoft to honor their encryption via MS DRM.. Microsoft is trying to play ball with the cable companies, but the cable companies are very restrictive.
The reason that Microsoft MCE has the DRM that obeys the broadcast flag/digital HD is more because of the content providers than Microsoft.
@ nobody
The broadcast flag that HBO, on-demand, and other premium channels broadcast over the analog signal is what is triggering the MCE DRM.
But if the DRM is working then you won't notice it until you try to convert the file to another format, or convert/play it on a non-windows-DRM device like an iPod.
Or of course, if your Windows DRM breaks like has happened to many of us, then you will notice too..
MPEG-4 is 10 times more compressed; if you want to record and archive a season of shows, then you can reduce your storage from 3.5 gigs per hour to as low as 350 megs per hour. Or maybe you want to convert to watch on your iPod; you'd have to crack the DRM first, or strip the broadcast flag from the analog signal before it enters your computer. Doing that is going to get harder and harder.
If DRM worked, _universally_and_without_fail_, I guess that would be one thing.. but it doesn't. And so the solution is no DRM. Amazon is now selling MP3's, so perhaps sometime soon you'll be able to stream/download video without DRM..
Netflix offers a video streaming service for movies, but you can't save/view them on other devices, or even pipe it over into Media Center which I would have liked to do. So if I wanted to use Netflix's service, I'd have to view it on a Windows computer because of DRM, and in the browser not MCE. Same with all video services that I have checked out.
Not only that, with DRM it seems that you would often be getting into a situation where you are paying for the media over and over in order to view it on other devices.
Maybe it's a wider problem than Microsoft. Microsoft is just more willing to play ball with the content people on their DRM quest than others.
DRM stops legitimate consumers from having the best possible media experience.
May you burn in fire, Vista.
It's designed to protect content at the cost of the end user. I have no idea when Vista will decide something is premium content and not play it. What a nightmare.
Oh dear Jesper - whatever you do, don't let slip which you prefer, Pepsi or Coke, if you ever change your mind you'll probably get sued!!!!!
I don't think Vista would be any better than your current situation. It would be a lot worse.
Cyrus, I think it would actually. I think what happened was that the DRM components got horked somehow. To make it harder to tamper with them they have been designed to prevent people from doing many modifications, which also prevents me from fixing them. However, if I flatten and reinstall they should go back to normal. That, of course, calls into question whether it is reasonable for a single component like this to necessitate a reinstall?
I haven't had the chance to do much more than disconnect the box yet, but I think I will look into a couple of options. In general, I do like Vista, and if I can stick with that I might.
Just watching the videos of windowsMCE v. LinuxMCE I would definitely pick linuxMCE. The auto detection alone is superior.
video.google.com/videoplay
Hi Bambi, You've almost found a correct term for it.
Here is the stomach, digestion is its function. When a man has a diarrhea, it is called a DISFUNCTION.
So, media playback is called "functionality", so DRM should be regarded a "DISFUNCTIONALITY".
Let us call "DISFUNCTIONALITY (TM)" an operation that requires time and cost to develop, consumes resources AND IS DIRECTED AGAINST END USER NEEDS.
Please use this word in your reviews to distinguish between features and disfeatures to make it clear for everybody.
There is no perfect solution, especially on the PC platform, but the more tightly-welded the OS is to Digital Restrictions Mandate, the less stable and usable it is. There have been many articles and papers written by security professionals such as Bruce Schneier on how DRM in general and Windows DRM in specific are a) impossible to perfect in either theory or practice, b) active security threats to the user system, c) inherently anti-consumer in orientation, even if neither a) nor b) applied. The fact that the Windows-using sheeple don't pull a Howard Beale "I'm as mad as hell, and I'm not going to take this any more!", is testament to the overweening control exercised by companies clearly not acting in their customers' best interests - nor, therefore, in the long run, of their own.
Vista is one of the most egregiously overhyped and overpriced *updates* from MS - yes, an update, and quite an unimpressive one at that.
WRT DRM, Vista is nowhere better, except you will need 2x the amount of memory and CPU to run the *exact same* software under Vista, but with more annoyance and bugs.
All this after 10 months of use, keep in mind.
Vista proved what I suspected for years now: MS has NOTHING to do with invention, period.
No matter how 'honest' guy you are, Jesper, sooner or later you'll reach the same point I did:
SAY 'NO' TO DRM.
That's it, that's all you have to do. When I buy something, that copy is mine, period. I cannot multiply and sell them, it's obvious - however it's just as obvious that I can play it on ANY of my devices, moreover on my neighbor's device if I want to, just like we did with VHS or tape or CD.
Also since nobody will pay for me if a player will scratch my DVD, I am perfectly entitled to make my own backup and keep it in my safe, digital or legacy, my choice.
These are the things you have to remember and you will say NO to any DRM after few weeks of thinking.
I've been a Windows user for more than a decade and Vista and its utter idiocy was the last straw: I will ditch Windows as soon as I can, most likely around late next year (unless something revolutionary change will happen to Vista which is highly unlikely).
I've seen two dozen of my former or current colleagues going down this road; some opted for Linux, some for other things, others simply ditched the whole electronic entertainment idea and keep separate things instead of giving in to MS or Sony or anybody else when it comes to your living room.
And it's not only good but also FEELS GOOOOOOOD! You finally won. The evil Vole or lying Steve or the uber-dictator Sony and all their corporate BS - makes no difference anymore when you simply trash their idea of restricting your rights even further, ditching the old status quo and forgetting DRM forever. :)
I wonder how much the adoption of Linux as embedded OS actually has inadvertently rendered security through obscurity less practical? When those devices used the many lesser known embedded OSes much less of potential vulnerabilities and attack points was known.
Just imagine how big the story would be if they were to discover that you actually shop at grocery stores, toy and book shops that aren't owned by your current employer!
Hey, do you think I could get international news coverage next year when I take a flight that I didn't book through my current employer?
I don't think we'll be seeing too many operating system level attacks on embedded firmware running Linux, while the applications themselves frequently have gaping holes.
But yes, one of my fears when I first got a TiVo was that it would become the one box in my house that I couldn't patch or scan reliably. "Runs Linux", said the ad. Not reassuring, because to me that means "is a PC, that you don't know how to administer, and that the manufacturer doesn't want you to configure or patch yourself."
You're having problems and you know what you're doing; imagine what it's like for people with no technical background. DRM infested Vista will never be installed on any of my PCs; I too would rather go Linux.
Note that this was not Vista that Jesper was having problems with. This was a pre-packaged, consumer-version of XP Media Center Edition.
But I'd love to know whether a Vista install has the same, or similar, issue with Comcast On-Demand. I have DirecTV, so I can't test.
I wonder what those pingbacks from slowfive and yamwool mean... Looks like those are the fake automatically generated blogs which just post references to other blog articles (thousands per months) and show google ads.
Is this a new way to spam comments using trackbacks?
But you do know how to write and just told the world the password. I doubt that was the real password though.
Of course, there are very different security issues around kids posting information about themselves online, especially when associating PII (like their names) with it.
When I was a little girl and Mom and Dad would want to talk about something and not let me know what they were talking about (like Christmas, a birthday, etc), they would spell the word they didn't want me to hear if I happened to walk in the room or be in the room. This "cryptology" of a sorts was done knowing that at that age, even though I was in school, I couldn't put the letters together in my brain fast enough to understand what they were talking about.
Well you can see where this is going... a bit later I realized that if I could remember the letters long enough to go run to a piece of paper to write the letters down, they magically turned into a word. I would then yell out "hey you are talking about ______" ....whatever they were talking about.
Needless to say their rudimentary form of cryptology and "encryption" of private messages only lasted so long.
Jesper, you remember me from Tech-Ed training back in the day, good ol' hacking the M$ gravy train. Well, since then I've stepped up and moved into the consumer on-demand market, and it was interesting: the DRM issues these folks talked about we've been dealing with on a more legal issue. Please, everybody here and in the wind, come join us at EFF.org, Electronic Freedom Foundation, and take your rights back! It's the politicians who fear the armed peasants. Anyway, yes, kludge software makes everybody's life miserable, but stick a piece of VxWorks code into a microprocessor and build a $10 device to do everything you need in an MCE and tell the bloatware what you think about it. Seems everybody else did the talking for me, so these are the only 2 cents I have left. Pleasure finding your blog whilst looking to solve an MCE problem.
Meh - I want HD content, and unfortunately all of it is encumbered by some sort of DRM. So I took the path of least resistance - I stuck with my cable company and got a Tivo Series 3. Does all I want, and "it just works" (well, once the inept cable company figured out how to configure my account in their billing system so it would authorize my cable cards).
I like the idea of Media Center or Myth, but dealing with cable labs is just ridiculous. I'm hoping things like video podcasting will tilt the balance back towards us, the consumers.
But, what if the site requires a short password, a six, seven, or eight digit one? No passphrases allowed, of course!
That's why when I was working in Marketing, I told everyone in the building what my password was...
If you read long enough and thoroughly, the answers will be found. The first tip, Microsoft's advice on creating strong passwords answered my question above. Let this be a lesson to me!
Well, actually, it's only part of the word. The full word from Mary Poppins is Supercalifragilisticexpialidocious. And you're right; he will probably have changed it many times before his sibs are old enough to write.
I use a simple program called PWSafe. It's a password protected password database. Its coolest feature is to let you double-click on the account entry to put the password into the paste buffer. You can then paste it into the password field without anyone being able to see it. I've got accounts where I let PWSafe generate a random password. I don't even know what it is! I just cut and paste.
I disagree with the PWSafe feature as being secure if it copies it to the clipboard...I use Roboform at times, which even has a keylogger defeater (pop-up qwerty panel) but even that could be compromised with that proof-of-concept multiple screenshot program.
If I knew anything about programming, I'd write it just to see if it could be done. I love stuff like that.
I like to have fun by telling people "I have the *COOLEST* password EVER!"
If you don't trust the computer you are entering passwords on, then you shouldn't be entering passwords in the first place. Even those so called on-screen keyboards can be logged.
wng
Bruce Schneier's understanding of Windows Vista DRM came directly from Peter Gutmann who'd never seen it. While Schneier is generally great on security he can be, and was, misled.
The point about DRM is this: in order to protect the data, it is encrypted. In order to play back, you have to decrypt. That means you need the key. For convenience, the key is stored on the computer in a way that the user can retrieve. Fundamentally you have both the encrypted data and the key, so you have the decrypted data at your disposal.
All DRM systems do is try to hide or obfuscate or otherwise encrypt that decryption key in such a way that the user can't directly find it. But in the end, code the user is running has to be able to get at the original form of the decryption key to decrypt the protected data. DeCSS was an unauthorised implementation of the CSS decryption algorithm, but on its own it was useless. It needed a key to be obtained. A software player did not protect its key sufficiently, it was extracted, and that key was distributed. Because the number of keys was limited, deactivating that key would have deactivated a lot of other, non-compromised players, so the extracted key continues to work for new DVDs.
For digital media such as digital cable, DVDs, HD-DVD and Blu-Ray, the actual video+audio stream is encrypted with a single key, that key then being encrypted multiple times, with different player keys, and the multiple encrypted keys being placed on the disc or in the stream somehow. In theory that enables compromised players to be disabled without affecting non-compromised players, though of course that seriously affects people who innocently bought the player that someone else compromised.
I don't know where XP MCE DRM keeps its playback key, but I would expect it to be somewhere under DPAPI. The master key for the DPAPI store is derived from your logon password. When you change your password, the DPAPI store is decrypted using the old password then re-encrypted using the new one. If you change a password through the Reset function, you lose access to all your old keys because it doesn't have the old password to decrypt the store.
I have also had programs which managed to break the ACL on the MachineKeys store (C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys), meaning that while it continued to work for administrators, it no longer worked for standard users. support.microsoft.com/.../278381 tells you what the ACL is supposed to be. (Windows Server 2003 doesn't actually have an ACE for LocalSystem, though.)
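The key hierarchy the comment above describes (one content key wrapped under many player keys, and the cost of revoking a key that several players share), as an added toy model that is not code from the blog or from any real DRM system. The stream cipher is a constructed HMAC-SHA256 keystream standing in for the real ciphers, and the device pool, key ids and "movie" bytes are made up for the demonstration.

```python
"""Toy model of the key hierarchy described above (constructed example)."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Set


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 keystream in counter mode (the same call
    encrypts and decrypts). Constructed PRF-based stream cipher so the
    example needs only the standard library; CSS/AACS use their own ciphers."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + block_no.to_bytes(4, "big"),
                         hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def _key_check(content_key: bytes) -> bytes:
    """Value stored on the disc so a player can tell that unwrapping worked."""
    return hmac.new(content_key, b"key-check", hashlib.sha256).digest()


def make_disc(stream: bytes, player_keys: Dict[int, bytes],
              revoked: Set[int]) -> dict:
    """Press a disc: one random content key encrypts the stream, and that
    content key is wrapped once under every non-revoked player key."""
    content_key = os.urandom(32)
    nonce = os.urandom(12)
    media_key_block = {
        kid: keystream_xor(pk, nonce + b"wrap", content_key)
        for kid, pk in player_keys.items() if kid not in revoked
    }
    return {
        "nonce": nonce,
        "mkb": media_key_block,
        "key_check": _key_check(content_key),
        "stream": keystream_xor(content_key, nonce + b"data", stream),
    }


def play(disc: dict, key_id: int, player_key: bytes) -> Optional[bytes]:
    """Recover the content key with this player's key, then decrypt.
    Returns None when the player's key is absent from the disc (revoked or
    never provisioned) or does not unwrap to the expected content key."""
    wrapped = disc["mkb"].get(key_id)
    if wrapped is None:
        return None
    content_key = keystream_xor(player_key, disc["nonce"] + b"wrap", wrapped)
    if not hmac.compare_digest(_key_check(content_key), disc["key_check"]):
        return None
    return keystream_xor(content_key, disc["nonce"] + b"data", disc["stream"])


def revocation_impact(devices: Dict[str, int], revoked_key_id: int) -> List[str]:
    """Devices that stop playing new discs once a shared player key is
    revoked: every device provisioned with that key, compromised or not."""
    return sorted(name for name, kid in devices.items() if kid == revoked_key_id)


def demo() -> int:
    # Constructed deployment: a pool of 3 player keys shared by 9 devices.
    pool = {kid: os.urandom(32) for kid in (1, 2, 3)}
    devices = {f"device-{i}": 1 + (i % 3) for i in range(9)}
    movie = b"constructed sample audio/video stream"

    disc_v1 = make_disc(movie, pool, revoked=set())
    assert all(play(disc_v1, kid, pool[kid]) == movie for kid in devices.values())

    # Suppose the licensing authority learns that key 2 leaked from one
    # software player and omits it from new pressings.
    disc_v2 = make_disc(movie, pool, revoked={2})
    assert play(disc_v1, 2, pool[2]) == movie      # already pressed discs still play
    assert play(disc_v2, 2, pool[2]) is None       # new discs do not
    affected = revocation_impact(devices, 2)
    print("innocent devices broken by revoking key 2:", len(affected) - 1)
    return len(affected)


if __name__ == "__main__":
    demo()
```

With only three keys for nine devices, revoking the one leaked key also disables two devices that were never compromised, which is the trade-off the comment points to.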
I was extremely frustrated the other day when trying to find a motherboard with the TPM chipset. I was building an office workstation and wanted to be able to leverage Bitlocker to protect the drive contents. As mentioned in this article I was unable to locate an appropriate motherboard and ended up using a usb drive as my key. It's hard to understand why the TPM chipset hasn't taken off.
I suspect the problem is that TPM was originally promoted as the magic bullet that would solve all computer security problems. Nonsense, of course, as was pointed out numerous times. Unfortunately the upshot is that it makes people uneasy if they don't know any of the useful things it actually /can/ do - which I suspect not many people do.
Personally, the only example I've seen of it being useful is BitLocker. Do you have any others?
... just to provide an example of the reasons TPM is treated with suspicion, I remember hearing that it would allow applications to know whether an input keystroke was really from the keyboard or not. That's not a good thing if you're using a computer remotely, or using scripting to perform a silent installation, so I was left with the impression that TPM had the potential to break essential functionality.
Then there's all the FUD, such as the story that only software authorized by Microsoft would run on TPM computers. I knew that one was wrong, but how do you explain that to the paranoid?
So I guess the summary is that customers needing TPM will probably know enough to go looking for it; customers who don't will probably be worried by it. Doesn't add up to a good advertising point. :-)
Once enabled in BIOS, tpm.msc is a reliable mechanism for determining the specs of your TPM.
You don't have to be paranoid, or lack understanding to be worried about Treacherous Computing. When you think about the implications of the evil features it *does* include, it's normal you want to avoid it like the plague.
I'm talking, of course, about remote attestation.
Hi Jesper,
Did Alan have a brain fart? When was the last time Steve Jobs actually designed a piece of Apple hardware? Ever since he saw the error of his ways and moved to the Intel platform and went to a usable base OS (ie, BSD), he's not designed a bit of hardware - pretty much any current Mac is pretty much any current PC.
Sure, Apple's OS was destined to be found as flawed as Microsoft's latest pathetic attempt at an OS, it is just that the Apple Zealots cannot accept this.
Software is software, coders are coders, and a buggy, poorly written app is a buggy, poorly written app no matter what platform it is. Look at anything Adobe releases, for instance...
Regards,
HiltonT
It's better! Apparently the guy sent the discs through the internal mail (operated by a courier company) to the government's Audit Office, and when they didn't arrive, he allegedly sent them again!!! They are also reported as being "Password protected but NOT encrypted". Are we talking password protected Excel spreadsheets here???
To be fair, having worked for several UK government departments on various contracts, I reckon I'm pretty safe in assuming that the "Junior IT Admin" was really a pimply 16 year old on work experience from school being given vague instructions by a long term civil servant ticking off the days to retirement.
What Jeff Jones did not do was see the number of days each vulnerability was left unfixed, the so called "days of risk". I had done such an analysis for a shorter term of about a year a few months back and had found that IE was more insecure, at least under XP. I will redo the analysis again, and publish the findings in the next few days, but I doubt if the findings will be different.
Jeff has also not mentioned about zero day exploits, which are just more common in IE, so for practical purposes, IE will be more insecure for the user.
However, vulnerabilities are just a part of the story. IE is just more secure under Vista due to privilege separation.
I may be wrong, but the leaving out of "days of risk" seems like Jeff may be indulging in FUD. At least I think so, simply because he had done a "days of risk" where it was not appropriate (comparison of Linux and Windows) but has not done it here, where other than one program being proprietary and the other open source, the vulnerability disclosure and fix model is very similar.
"Well, sure it is. According to the Firefox web site, which must of course be untainted by marketing claims since it is Mozilla"
And a "study" conducted by a Microsoft employee and then cited by Microsoft without acknowledging that the study was conducted by one of their own employees couldn't possibly be tainted.
Hi Jesper, I read carefully the report you suggested, written by Jeff Jones, a Microsoft employee in the Trustworthy computing group. It is just numbers and messy comparisons and it doesn't really help in finding the truth, or sort of...
Mozilla Firefox saw its first 1.0 version in late 2004 and the product came in response to a real need of Internet security. Almost everyone was using IE 6 or 5.x and almost every home pc (and business) was infested with spyware and crapware. IE6 was terrible and Firefox was (and still is) a valid response to this complete lack of security. Moreover, it brought a new browsing experience, inherited from the Mozilla Suite in 2002-2003, and tons of customizations. It gained its popularity without the marketing power Microsoft has today. We just passed the word and so far hundreds of millions of people have downloaded a copy of Firefox.
Firefox was definitely better and almost everyone I know could confirm it. Of course there were bugs and security flaws, this is quite normal in software development but no real bug was exploited and generated a widespread infection. On the contrary, IE6 has been targeted by several infections and attacks which all led to serious damage (you even commented about one of these at msinfluentials.com/.../More-options-on-protecting-against-the-VML-vulnerability-on-a-domain.aspx). What Jones's report doesn't say is the time it took to prepare and deliver a patch to fix a security flaw. As far as Mozilla is concerned, it often takes less than a week. For IE6 it took weeks or even months!! In the previous example, you suggested a workaround for a mitigation because there was no patch available!
Then, Firefox is not always the same browser. Version 1.5 came just one year later, then came 2.0 and 3.0 is on its way. Jones's comparison is not always consistent.
Wrapping things up, IE7 was published last year to fill the gap and fight the users' mistrust. But it's still years behind Mozilla Firefox (and Opera). Usability and customizations are still embarrassing and this helped Firefox in gaining even more popularity.
People want a real browser, not a carrier of crapware and nasty things. Yes, IE7 is less prone to malware than IE6 but people just don't trust it anymore and they just have fun with Firefox. Cheers!
Mozilla have published a rebuttal, which can be found here:
blog.mozilla.com/.../critical-vulnerability-in-microsoft-metrics
I think that this sort of thing will get worse as people get more frustrated with computers.
Wow, I didn't expect to read this double punch from you! First you mention that Mozilla touting its own browser is biased, but then point to a Microsoft employee on a Microsoft blog touting Microsoft's browser?
Second, I think it is very shallow and misleading (and when not misleading, a dangerous practice!) to call one piece of software better than the other simply due to disclosed vulnerabilities. A script I wrote the other day has no disclosed vulnerabilities, so I can claim it to be pretty darn secure?
I'm not taking a stance either way on which browser is better or more secure or which I prefer (which really is what most people are talking about in their 'scientific' reports). I just find it a bit low and juvenile to base conclusions on this report, and pimp it while poking fun at Mozilla's own biased comments.
I think I can empathise.
There's several examples here of unapproved methods of secure data destruction, along with a clear demonstration of how Digital Rights Management, ostensibly to prevent printing a document, can be overcome simply.
I haven't yet seen a metric in this debate that I would say is a good measure of security.
"Days of risk" is perhaps the most useful.
On the one hand, it seems you've got "numbers of bugs fixed", which doesn't address "numbers of bugs unfixed", and on the other hand, you've got "speed to release a patch", which doesn't address "speed to release the second and third patch for the same problem, plus the patch to fix the problem caused by lack of diligent coding to release the first patch".
I want to see a workaround, or a blocking measure, quickly, using already-available components and tools. Then, I want to see a fix produced with prudent speed that I'm not going to have to re-deploy in a month or two because you introduced another bug, or didn't fully explore the cause of the present one.
As for Mozilla's whining about bugs 'secretly' fixed by Microsoft, get over it.
I fix code as I find it is wrong - and I may not necessarily know what bug it causes, just that the code is wrong. As a result, come the next release, I cannot list all of the bugs that I have fixed, because I don't know all of the bugs that I have fixed. There's no need for a grand conspiracy to secretly fix bugs.
I've heard that these have had some major security issues, though. It seems that some unauthorized users have been writing on paper that can be removed from the company offices.
I'd suggest installing Microsoft's "Invisible Ink Update", which snaps the pen in two and drains all the ink up. Makes it 100% secure, even if the administrator gives permission to install a new cartridge.
It's their Use A Pen (UAP) system.
Only one word:
ROTFL!
Great job with these enterprise grade quick-fixes Jesper, as always. Nice.
p.s. I am always curious on how bugs like this one can pass through quality testing?
Good question Magnus. You can't help but wonder. I have been impressed by the scope of the IE test pass in the past. It covers something like 300 versions of the browser/OS combination. However, in this case, a supported browser crashes when you open the default homepage. It seems something was badly missed in that test pass.
Looks like you hit the nail on the head. We are testing your fix now, and hopefully this is going to save our Desktop technicians some time and headaches!
Thanks Jesper.
Thank you, Jesper. That was most kind.
I opted to write a Group Policy Administrative Template. I think it's a little easier to deploy than an MSI, especially if you don't already have a distribution point setup for those types of thing.
peeved.org/.../19
Warning, the "Pingback from IDThieves.org..." points to the site that is stealing the blog posts.
Evan, the Group Policy templates are definitely an option. The only problem is that those templates are not enforceable in GP since they have to be made outside the policy node. They would also tattoo the registry and be near-impossible to roll back in a centralized way. That is why I opted for an MSI file instead.
Having now said that, it appears Microsoft just published a work-around of their own to Windows Update: blogs.technet.com/.../ms07-069-cumulative-security-update-for-internet-explorer-post-install-issue-automated-work-around.aspx.
Hey, I did the registry edit and everything seems to be OK now ... however, right as the registry edit finished, my Windows updater downloaded a fix from Microsoft for this problem. I canceled the update because I was concerned about running it right after editing the registry. Should I redownload the Microsoft fix and run it too, or will the edit I did be sufficient? Thanks!
Big G, the update from Microsoft does exactly the same thing as my fix. You can use either, or both. As a general rule, however, you should prefer the fix from the vendor that owns the problem. I wrote mine only to fill a gap for an easy-to-use work-around as none was available from Microsoft at the time.
Thanks Jesper ... I just tried to download the actual Microsoft update again but it didn't pop up when I manually ran Windows Update. If it should appear again, I will go ahead and run it too. But if it doesn't, the registry edit again appears to have worked, this is the longest I've gone without IE6 crashing on me since 942615 made its way onto my computer, and in fact it appears that my browser is working a bit more sprightly than when it was constantly crashing. Thanks again!
To catch the thieves, just put some strange words in your blog. I sometimes refer to a nopz process.
rich
Seems they have bitten off more than they can chew...
"Bandwidth Limit Exceeded
The server is temporarily unable to service your request due to the site owner reaching his/her bandwidth limit. Please try again later. "
You give credit where credit is due on who showed you this and how it works at the beginning of the year? You know, the guy who has been using this as a demonstration in his talks for a year now?
I notice many of your writings have a propensity not to do this.
I too am having the ie6 (sp2) crashing problem but ONLY after I'm on the internet (any site) for about 15-20 min., then I get the error msg. Some of the info under Error Signature:
eventtype:bex P1:iexplore.exe P2:;6.0.29000.2180 P3:;41107b81 P4:matrix.dll P5: 1.0.0.1 P6: 472a8b4f P7:0001809f P8:c0000409 P9:00000000
my MS Windows updates are current & I did try installing the MS patch 946627..didn't work. I've also cleared out my temp files & cookies. Any assistance to resolve would be greatly appreciated...I'm not very 'tech-y' and don't necessarily feel comfortable messing w/the registry manually.
thx, dl
dl, that's almost certainly not the same problem. I would guess that you have a trojan horse (malware) on your computer called WinBudget (www.castlecops.com/tk31094-matrix_dll.html). Are you seeing strange ads on the Internet too? That trojan has been known to do that.
To tell for certain, see if there is a folder called C:\Program Files\WinBudget. If that is there, you have the malware. Your best bet if you are not comfortable doing this on your own is to call Microsoft's free security support line. The phone number for your region is at www.microsoft.com/.../default.mspx.
Unfortunately, this trojan also attempts to make your computer vulnerable to other vulnerabilities as well. That means that simply removing WinBudget may not be sufficient, and it may become a matter of having to reformat your computer. The support folks at Microsoft are best positioned to determine what needs to be done with your computer.
What about the hotfixes that don't write any information to WMI? You should note that this process works nicely for any patches that do write this info, but it doesn't mean it's a complete list. Nor does it mean it's accurate - the patches may have been regressed, but they will still show as installed using this script.
Very useful, thanks!
mrr
Can you do this for a remote machine?
Rico, of course. I just didn't write code to permit that. I did think about it but wasn't sure whether people would find it useful. If you think it is worth doing I can add it.
Rico, check out: msinfluentials.com/.../remotely-listing-all-installed-updates.aspx
If you want a bit more information than just the updates you might be interested in my SYDI scripts over at http://sydiproject.com.
Patrick
The third box from the right is the Privacy Report box that reports when cookies are blocked due to your settings. I have no idea what that other box is for.
I knew they were there because I right clicked one by accident.
Some of those boxes show status icons under particular circumstances. The phishing filter shows an icon as it works, the pop-up blocker icon is visible if a pop-up is blocked when High settings are on, and the add-on manager shows if a page tries to load an add-on that has been blocked or disabled.
I think the certificate display (padlock icon) is now permanently in the status bar.
Jesper, after seeing your post, I just checked my own local copy of IE. I'm still running IE6 on this machine, and I've found that IE6 has the same hidden buttons (except for the Phishing Filter)!
The left-most box (to the left of the pop-up blocker) is for the printer icon (visible only while printing is in progress).
Jesper, you've proven to me again why you and Steve Riley are way up the top of my list of people I trust to discuss security issues wrt Windows. As an IT Manager, you answered the *exact* question I was asking after reading the original report - how do XP SP2 and Vista compare over the last 12 months re patching? The original report was pretty much useless. Who cares how a product performed 6 years ago compared to how a new product performed this year?
Great work and it's a shame we don't get to see you at TechEd Australia any more.
I've been using these for quite a while. I thought everyone knew about them! I can't remember when it was, but when the icons would show up in IE6 I'd click on 'em for more information or to open add-ons. I tried it when the icons weren't there and remember remarking how thoughtful the programmers were to allow the use of these even when the icon wasn't lit (to say that it was active, as Ed Bott says above)
This is the sort of thing that drives less-sophisticated computer users crazy. They accidentally click an unlabeled part of the browser, and suddenly a setting is changed! Whatever happened to usability testing by ordinary people -- before software goes into production?
I just received an email from someone who said that I had instant messaged him with either my password(s) or credit card information. If this can happen due to IE's hidden buttons and someone now has access to that information, what steps can I take (or should I take) to block, investigate or protect myself from this person ... or is this the lowest way to alert a customer to a problem from msninfluentials.com?
No Jimbo. That can't happen due to the hidden buttons. Malware could do it, but not the hidden buttons. Please ensure your computer is up to date on malware protection.
Jimbo: It's called phishing. If you reply, you have verified your e-mail address is a valid one.
Then the followup e-mails begin OR *MASSIVE* SPAM.
Craig: If you don't like it, watch where you click!
Most of this quandary is because techs are time poor and can't show everyone everything ( or remember ). I try to educate my clients on all the tricks etc and most of them go to sleep :-(. So, I nag them over the net :-) . No OS is so far user friendly enough for the people that are not "into IT" and until programmers et al let go we will be in the dark !. ( OH I could go on n on n on .........
I always thought that they were not hidden, rather that it was just another glitch in IE that prevented the icons from showing :)
You also need to analyze the number of users for Vista in its first year vs XP users in the first year. Seeing as Vista is widely and correctly regarded as a "debacle", the number of security attacks would be proportionally lower as well.
As a programmer, I tend to think that it was probably either functionality that could not be fully implemented on schedule or was later canned, but the programmer forgot to disable the code. It seems more of an accident to me than an actual feature of the browser.
These existed/exist in IE 6 as well. Just double-click any empty box and you'll get those settings.
a- unknown
b- pop-up blocked
c- add-ons
d- privacy report
e- cert status
Wow. I actually can't believe this. What's the big deal? These are NOT 'buttons', these are UI FRAMES (i.e. windows) that are used to display status icons AS APPROPRIATE based on the web site status and/or activity (i.e. SSL, Phishing Filter, Privacy Report, etc.).
They are there purely for the purpose of indicating to the user what's going on with the site they are browsing. For ease of use, the programmers have decided to allow direct (easy) access to the options or more information relative to each specific function.
Like all large programming teams, there appears to be some inconsistency in how the UI was actually implemented. This is not necessarily unusual and is a common occurrence with any Microsoft program (not to single them out) if you pay attention.
These are user interface design decisions, not secret hidden buttons so the all-knowing, all-powerful evil entity can exert control over the user without their knowledge.
Get a life, people!
I think time will solve all these problems. We have been using WinXP for about 5-6 years and Vista for only 1 year. Besides there may still exist many unknown vulnerabilities which are not discovered yet. That is why it does not make any sense comparing Vista to XP.
KeePass is a great tool for that as well. It is MUCH more functional. My favorite part, I can put in alternate names and passwords, and I can actually send them over TS session to log me in. So I can set it up to 'auto-type' just the password (not the username/password -- it's configurable) and have multiple logins and get into any of them with a push of a button. Fantastic.
I highly suggest you check it out, very cool - and a lot of even nicer security features for those that are truly paranoid, although I tend to turn them off (you have to check it out to understand)
http://keepass.info/index.html
I'm a happy user of Passwordsafe, the only issue I've had is that sometimes the passwords don't get sent to the clipboard when I click on an entry.
Did you get any instructions for how to create a backup for that book? :)
I use keepass and I find it good.
Do you think that PasswordSafe is better?
What if Mr Bill Greatguy who is the CEO for Rich and Powerful Enterprises, LLC has an evil identical twin brother that was separated from him at birth, and an attacker finds out this information and approaches him.
So, then Mr Steve Nastyguy would have so similar a head and voice that he'd be easily able to walk up to this authentication device, claim to be his good twin brother, and the system would welcome him with open, yet metallic arms.
The only truly successful biometric authentication would be to have a person placed wholly in a machine that vaporised them and measured their entire makeup - lunch, genetic codes, hair dye and everything. The problem is that once this information has been entered into the computer, it is rather unlikely that they would ever need to gain access to the facility protected by such a security system. :)
I've been using Roboform for quite some time now and find it extremely useful. To the point that I purchased the "PDA" version of it so that I can lug my passwords around on my PDA as well - this works better than a secured SharePoint (or other similar) site when you're onsite and a client has no Internet connection, which is why you'd be onsite!
I never really understood the logic of trying to remember more than one password. Even writing down the password seems silly. Just the act of trying to come up with enough unique complex passwords is crazy.
Of course I went through these steps until I ran across a mechanism to generate a unique password for each site I visit, without having to remember or write down the unique password.
Have a look at www.dscoduc.com/pwmaker.aspx for an example of what I am talking about...
Hilton, you are enumerating all the reasons I do not believe in biometrics!
You also have to wonder if such a scheme correctly identifies the user when the person is stressed, or has a cold, bad sinuses, dental work, etc.
Of course, the other problem with biometrics is that whatever measurement you take, there are people who cannot provide it. Iris patterns are unavailable if you have aniridia; carpenters and cabinet makers often have no fingerprints; people with no vocal cords can't demonstrate their head's resonance, except by smacking themselves repeatedly. I can't see that becoming terribly popular.
I find the Microsoft Fingerprint Reader works great for me and all my website logins. Granted it only works on my machine and not out and about but that suits me down to the ground. Nothing like my username and long password like F!ngErPr|n7-Re@der to be written & logged-in less than a second even works with TrueCrypt! And I can create multiple profiles using my other hand or finger. And all my login details can be backed up and placed in my TrueCrypt vault. As you can tell I think it's cool!
I think it's more accurate to call it a "startup script" rather than a "logon script": logon scripts run in the security context of the user logging on, while startup scripts run as System. You need the latter here, since users can't set those kill bits. (The instructions you wrote indicate a "startup script", which is correct, so it's just about terminology.)
Of course Aaron. I meant to say startup script. Fixing now.
I love the line about patching end users vs patching the operating system. While an updated operating system which is developed using an attempt at secure programming practices could possibly provide fewer attack vectors than previous versions of that product, I think it important to always note that this is much like discussions about precision rifles or precision art tools, if you like.
The tools are often far more accurate/secure/faster than the folks who make use of them. In such cases, an organization will be well served by a good WSUS infrastructure and coherent patching practices but may be better served by strong policy and recurring user education.
Sorry for a comment that is a little out of place. What brings me to your website is your article about ACLs and such.
www.microsoft.com/.../sm1105.mspx
There you say strange things like this:
"Power Users are administrators who simply have not made themselves administrators yet.
You cannot remove the ACLs on the file system, or even the registry, and prevent that. Power Users are ingrained in the operating system, and they have sufficient privileges to escalate to an administrator fairly easily."
At the risk of sounding obnoxious I must say, I am baffled by how anyone is expected to know this. Is there some place where this is all written down in an accessible way? Maybe a lattice of builtin users and a lattice of ACL permissions?
I am trying to decipher the ACL format of icacls, as it is simply so hard to find any readable and reliable information about this. Would you know where I might find some?
I see from your technet webpage that you left the company. Congratulations.
Jesper, thanks for your work on this.
Thanks!
By strange circumstances and complete chance I spotted this new title about half an hour ago as being out soon, and bookmarked the page on my favourite online book retailer (The Register book shop). Now I know it's going to press I'll get my pre-order in and wait by the door for the postman.
Thanks to you and all the contributors for putting this book together, I'm really looking forward to getting to read it.
Jesper - I agree that keeping a printed copy of your passwords is a good idea. One reason is the dreaded 'hit by a truck' scenario. Do you really want to force your next of kin to learn/use your password manager in order to access important e-mails, bank records, etc.? Nope - life will be stressful enough.
I print my password list a few times per year and keep it in the fire-proof safe w/ my will and other important papers. Of course this safe is locked up and kept in a secure place within the house. The list includes URLs in addition to credentials. Again - the goal is to make accessing my info as easy as possible.
Finally - my choice for password mgmt. tools is Acerose. Conforms to the KISS principle and works great on XP and Vista. Check it out at www.dexadine.com/acerose.html
Cheers --Jeff
Hi Jesper - interesting post. Bruce Schneier also describes writing down password as another 'factor' for authentication - "something you have".
On a separate, but related topic - can you recommend a good password generator? Ideally with a pronounceable password option as well.
A really great report, particularly for the open way in which it is presented, walking through what data was and was not included. A good analysis from JJ of some of the shortcomings and thoughts for future versions.
I'm still not clear why incidents are being referenced against deposits held - surely sheer number of customers would make sense? If Bank of Bigtown has a million customers who receive a phishing mail, there is more chance of some being foolish and falling for it than Smalltown Credit Inc who only have a thousand customers.
And of course, any incident is equally bad for each individual victim who gets cleaned out or left unable to pay their bills, get future credit etc.
Re: 3.
I'm even luckier than you then - I know that last week I was _not_ hacked on at least 7 separate occasions. ;-)
veroblog.wordpress.com/.../using-anti-virus-software-to-keep-the-elephants-away
Pretty lame of the Kaspersky people not to know this.
Hey, at least they require the WEP keys to be rotated quarterly - given how long it takes a WEP key, that means that anyone who's trying to hack your credit card data out of a wireless stream has to spend a couple of minutes getting the new key every three months. How much more secure do you want? :)
Don't forget, also, that when a laptop with wireless access to a non-broadcast SSID is out and about, it's spending some of its time shouting "My user wants me to connect to a site called 'SecretSSID'" to any wireless listener in the neighbourhood.
Some additional information and clarification for users getting error 1722:
Error 1722 is coming from the Windows Installer engine, which is part of the Windows operating system. Tools like InstallShield (and several others) create .msi packages that are installed using the Windows Installer engine. So this error is not specific to InstallShield and could happen with msi files created with other tools, too.
Error 1722 is quite generic, it basically says that "something went wrong" with a custom action. Usually the error message should include additional information, like the name of the custom action. If this information is not displayed on the error dialog, it should still be written to the event log. Also, you can generate a log file of the install, see www.msifaq.com/.../1022.htm for instructions.
The problem is that a user typically won't know what this custom action is trying to do (sometimes you can guess from its name) and why it failed. And there could be any reason for failure, so the solution described in this article is very specific to the Kaspersky setup package. In general, your best bet is to contact the manufacturer with the error information - and hope they are more helpful than Kaspersky was in this case.
--
Stefan Krueger
Microsoft MVP for Setup & Deployment / Windows Installer
Thanks Stefan. Good clarification. Unfortunately, as in the Kaspersky example, the vendor does not always come across particularly helpful.
Where do they say you can use WEP alone?
LonerVamp: Section 2.1.1 in www.pcisecuritystandards.org/.../pci_dss_v1-1.pdf:
2.1.1 For wireless environments, change wireless vendor defaults, including but not limited to, wired equivalent privacy (WEP) keys, default service set identifier (SSID), passwords, and SNMP community strings. Disable SSID broadcasts. Enable WiFi protected access (WPA and WPA2) technology for encryption and authentication when WPA-capable.
Ahh, I can see how 2.1.1 can read that way. I think 4.1.1 is clearer on this subject. It says not to use WEP alone at all, but if you have to, use it in conjunction with another encryption layer.
I think 2.1.1 was worded that way just to give examples of the places that may have default settings/keys/passwords in case you do have them in use.
I think you've managed to find one of the wonderful inconsistencies in the regulation. 4.1.1 requires some things that are technically infeasible, such as using WEP with WPA. It certainly could be argued though that WEP by itself is not permitted.
The interesting thing with the standard, however, is that it specifically applies only to the act of transmitting cardholder data. If you do not actually transmit cardholder data over a wireless network, 4.1.1 does not apply. You can have a WLAN with WEP connecting to a physical infrastructure, as long as no cardholder data is ever transmitted via the WLAN.
It is silly. However I find it equally silly that MS recommends changing the Administrator name when it is a well-known SID. Especially when admins usually change it to a name relating to administrator.... joe admin, adm, something like that.
Funny. As luck would have it, I am just putting the final touches on an article where I discuss renaming the Administrator account. Look for it in an upcoming issue of TechNet Magazine.
If all you need to do is play .mov files, download VLC, it will play them with no iTunes or Safari
Thanks for the laugh.
I still don't get why the laws that made Microsoft unbundle, in the US and the EU, do not apply to Apple? Is it because Apple is smaller? Or that there just hasn't been any action taken?
I think the bigger problem than a hypothetical Apple monopoly is that they abuse their software update mechanism. It undermines the trust their customers might still have. What now happens is that a lot of iTunes users will switch off the auto-update completely and won't get security updates.
LOL, I'd love to have QuickTime without sound!
I too have made my home environment Quicktime-free recently. There really isn't any compelling content to me in .MOV format anymore. I still prefer Windows Media, but most sites (e.g. YouTube) are moving to Flash video anyways.
There's a reason why I still only buy CDs or listen to streaming radio stations like SOMAFM.com.
In Europe, there are a few countries that have threatened to require competition amongst iPod music services (e.g. France) but I'm not sure what became of the initiative.
Prior to the Zune, Microsoft had a very open system with the "Plays for Sure" initiative. Using Windows Media Player and choosing from a host of possible music services or players. Seemed a good counterpoint to the iPod + iTunes initiative.
One slight difference, Jesper. Apple isn't a convicted monopolist. They aren't using the sales of one division to prop up unrealistic and predatory pricing for another with the sole goal of driving a competitor out of a market space.
The iPod still isn't the cheapest or most feature-rich media player out there. iTunes isn't the least expensive music store, nor are they the least restrictive when it comes to DRM - there are "better" alternatives out there if those decision criteria are important to you.
What iTunes and the iPod do have is the best all-around user experience out there. Apple offered a product, and people voted with their dollars. Apple didn't use the profits from their computers to prop up the money-losing iPod division for years on end (*cough* Xbox *cough* Plays for Sure *cough* Zune). The iPod stood on its own, and even eclipsed other Apple revenues for a point in time. It did so on its own merits.
I expect even more hysteria when the iPhone starts its inevitable domination of the smartphone market. Heck, that's already started and with the SDK in June things should get even more interesting.
Guess what, folks - it's about the user experience! Deliver an outstanding, geek-free user experience and people will beat down a path to your door! Instead of scorning Apple for their success, I would think folks would be inspired to do it better! Apple may be good, but even they have left lots of room for improvement. The problem is the geeks with the mile-long checklists of "features" attack and user experience isn't anywhere on their lists. Regular people (i.e. the vast majority of humanity) have their priorities flipped from us geeks (which is also why Linux will NEVER be a mainstream desktop OS). If the success of the iPod and the iPhone hasn't driven that point home, frankly I don't know what will. But I digress...
Anyway, as soon as Apple starts taking iPod revenue and using it to sell iPhones (or the next big thing) at a loss, call me. Otherwise it's a nice red herring and much ado about nothing.
And for the rest of your commenters, all Software Update does is install Safari. It doesn't run it. It doesn't put some weird toolbar in your default browser that then executes automatically (Google, I'm looking at you), it doesn't install a hundred gigabyte office suite when you aren't looking (Sun, I'm looking at you), it doesn't install another plugin/potential attack vector just for visiting a web site and trying to use it (Microsoft, I'm looking at you for requiring Silverlight). For all the "if this was Microsoft...." comments, I find it funny that people gloss over the above examples, and that list is hardly exhaustive. Indeed, I find it ironic that apparently the only reason this got called out was because it *was* Apple - obviously no one cares about the rest of the industry that does it - or did I just miss those posts in your blog, Jesper?
And lest anyone think I'm giving them a pass, I'm not saying I appreciate any of the above from any of the vendors - including Apple. I think such defaults are slimy and ridiculous. However, if you are going to criticize one and act like the world is coming to an end, then I think it's only fair to expose everyone else at the same time.
Finally - propped up or not, I'm still not giving up my Xbox 360 :)
Great post, I'm still laughing!!! Fortunately Apple is not so powerful here in Italy, but the European Union is foolish enough to offset it.
The worst part of their evil plan is that it is often elegant and has a UI that makes me squeak like a twelve-year-old girl. For someone of my advanced years, that should be an actionable offense. It's much more soothing to have software that takes its own sweet time to load, much like my bodily functions have slowed as the years have passed.
And services that keep running (like the iron I left on -- I think I did) long after the need has ended. Not to mention an almost continual recounting of my faults and shortcomings. "Grandpa! Your zipper is down and can't re-zip! Please remove your pants, press undies-slide-off and restart your dressing."
I'm much more comfortable in a world where much is promised, and little is expected. In a world where everyone around me talks about my capabilities, while my actual performance continues to decline. A world where even those who love me wish that I'd just shuffle off so they didn't have to tolerate that "old-tech" smell any longer.
You're getting older, Jesper. Soon, you're going to realize that the world is passing you by, and that you've become one of us.
Another problem with funding in Washington State is special education funding. State law sets a cap of 12.7 percent for special education. If you happen to be in a district with more than 12.7 percent of your students in special education (like ours), the district has to fund any excess out of district taxes and levies. According to both state and federal law, school districts must provide appropriate special education for children with special needs. Besides, we can either fund special education and help children with disabilities become contributing members of society or we can not fund special education and wind up with them filling our jails, welfare rolls, and becoming a drain on society.
I'd be interested to see where Washington ranks in "money spent by private school lobbyists." Just curious if maybe someone is taking advantage of the "12th highest personal income per capita in the nation" ranking.
Hi,
Have a look into the EULA.
"This license allows you to install and use one copy of the Apple Software on a single Apple-labeled computer at a time" ....
www.theregister.co.uk/.../apple_safari_eula_paradox
And also look into this
Safari Address Bar Spoofing and Memory Corruption Vulnerabilities
secunia.com/.../29483
Stickan
Don't forget Hyper-V, which is one of the big selling points of Windows 2008, which was initially released as a Beta with the RTM Win 2008 and had a significant redesign with RC0 (released last week). Brings new meaning to "We are all beta testers" if you are a Microsoft user...
And there was the one presenter that has been using SQL 2008 in a PRODUCTION environment for 6 months now - WTF!!!
Good point Robert. I did not manage to get to the Hyper-V presentation unfortunately. It sounds like cool technology though, but, sadly, did not make it for Server 2008.
Using a server in production before it is released is not that unusual, depending on what you mean by "production" and where you work. At Microsoft, they have been running most, if not all, of their Domain Controllers on various builds of what eventually became Server 2008 for a couple of years. They run SQL Server in production too. For those of us whose job is NOT mainly to test pre-release software, doing so would be... ill-advised, although I'm very happy someone does it.
I had some conflict of software. I don't have the time or the training to try to find out why or to fix anything. I just delete one of the two sides, and live without the one.
I don't even go to blogs much to say anything or to read what's what. Software is so domoit (ms) I just remove it. I look at it like this. This is my computer.
Not some software company's computer. The software does what I like and is not the most important software on the computer. It may be, but it does what I like it to do. It's time to update now and I must stop what I am doing just to go update. I like it when it asks what you want to do. Do you want to update now or later? I now have a choice. If not given a choice on when, how, why, etc... I just do one thing. *** can it.
Thank you, Allan
PS: *** is an acronym coming from an old sailing term for "Ship High In Transit", from the old sailing days when shipping bat guano and bird droppings back to Europe. Very high in potassium nitrate, used in making black powder, which the old cannons used pounds of.
The difference is (I'm guessing) is that he may be in a program Microsoft calls the TAP program where people are supported to place it in production.
This is vastly different than downloading from TechNet and going it alone.
As you say, these TAP betas serve a great purpose, they put those beta bits in real networks .... and then there's the added bonus that the marketing folks love 'em as they get deployment stories for events out of them.
I told you, you should have said the SharePoint conference was last week :-)
Thanks for confirming what I'd always suspected about NAP. I haven't had time to play with it at all, but could never figure out how it could be secure while relying on the potentially compromised machine to report its health.
I can see its usefulness for making sure non-admin users of laptops get their machines patched and updated once they get back to the production network. But, I've not seen NAP described that way. It's usually described as a way to make sure vendors get their machines up to your standards before they're allowed on the network. The problem is that they'll never be up to MY standards as long as someone outside of my group has admin rights on them.
More on NAP and "asking the drunk if they are drunk".
Great write-up Jesper, I don't know if I ever told you but I gave up on Washington Schools some time ago, to a great extent due to my experiences with Woodin and Hollywood Hills; it's very sad - more here: unmitigatedrisk.com/.../187.aspx
Tried this fix. No dice. Other options?? Hotfix from Microsoft?
please come back to MS. we miss you here and heaven knows we could use the sanity.
Do you think that *cough* PS3 is not subsidized by *cough* game revenues. Apple hasn't come under the radar because they don't have the cash that MS has in the bank. The EU hasn't been able to compete in any non-regulated markets so it's time to go after successful American companies.
Thankfully I had very different experiences at the launch event I attended.
The "experts" were giving away discs with PowerGUI and Quest's AD cmdlets as well as breath mints :)
Nobody talked about Windows Advanced Firewall :)
During the demo of NAP the presenter was VERY clear on the points you've raised and repeatedly reminded those present it was meant to be another tool and/or layer, not the solution.
The Hyper-V stuff was very cool. Seeing the presenter take a snapshot of 20+ VMs simultaneously and having it complete in about 40 seconds was impressive.
The Read-Only Domain Controller demo was also pretty slick. It helpfully resets passwords for accounts that were allowed to be cached by the RODC if you remove it from the domain, but it is also smart enough to only reset those that actually were cached.
I assume RODCs are covered in your 2008 security resource kit book, I'm anxiously awaiting my copy so I guess I'll have to wait and see ;)
Jesper, you're always welcome to visit Oz! As far as diving/snorkelling goes, I've just come back from a week on Heron and Wilson Islands http://www.wilsonisland.com/ Fantastic!!
"Anytime they get a dialog like this they should evaluate it and see if they really want to accept that risk or not. If the publisher is unknown, they have no way to tell who wrote the application, and should consider it a higher risk."
In other words, "Anytime they get a dialog like this, they should evaluate it and see if they really want to see the naked dancing pigs."
Yes Scotte. I know I have spoken many times about the naked dancing pigs, but the fact of the matter is that there is no other way to be safe than to think about what you are doing. Rather than trying to pretend there is, and hiding important information from users, we must help them understand that information. There are a lot of dialogs that could be improved, and we need to figure out how. But, we also must start a concerted effort to get users to understand that no technology can ultimately take responsibility to protect them. Just like when you get into a car and choose whether or not to put on the seat belt, opening an application from the Internet is a calculated risk that you evaluate. Users are no more or less capable of evaluating that risk than they are of evaluating whether they ought to wear a seat belt or not.
It is possible to do it on a per-download basis, just remove the alternate data stream, aka the mark of the web. (Of course, if you are the app that was just downloaded, this will not work.)
What "ac" said. The easiest way to do this is to browse to the containing folder in Windows Explorer, right-click the file, choose "Properties", and on the General tab, click the "Unblock" button. Note that you have to do this to downloaded CHM files if you want the CHMs to work at all. (I run into this all the time with the Sysinternals tools.)
Obviously it is possible to do on a per-download basis. In fact, you can do it much more easily by simply unchecking the "Always ask before opening this file" checkbox on the dialog above. However, in this case, the discussion was more about whether this dialog serves a purpose at all and can be generally removed so it does not recur when someone downloads a new version of the file.
Internet Explorer marks downloaded files with an alternate data stream that indicates from which security zone the file originated. You can find files with these streams with the Sysinternals Streams tool. When Explorer launches a program with the magic alternate data stream, it displays the warning.
File locking would probably prevent the program from removing the stream once it has been launched for the first time, but you could duplicate the exe and remove the ADS from there.
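The comments above describe the Zone.Identifier stream by name only. As an added example (not code from the blog or any of its commenters), here is a small Python script that reads that stream, parses its INI-style body, decides whether Explorer would show the warning, and strips the stream the way the Unblock button does. The sample stream body is constructed; the zone numbers are Internet Explorer's URL security zones (0 local machine through 4 restricted sites). Reading and deleting the stream only works on NTFS under Windows, since the `file:stream` syntax is an NTFS feature; everywhere else the functions report "no mark" rather than failing.

```python
"""Inspect and strip the Zone.Identifier alternate data stream (the
"mark of the web") that Internet Explorer writes to downloaded files.

Constructed example, not code from the blog or its commenters.
The stream body is a small INI-style text; the field the Attachment
Manager acts on is ZoneId. Later Windows versions also record
ReferrerUrl and HostUrl, which this parser keeps as plain strings.
"""
import os

STREAM_SUFFIX = ":Zone.Identifier"

# URL security zone numbers, as used by IE and the Attachment Manager.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

# Zones whose files Explorer treats as untrusted by default, i.e. the ones
# that trigger the "open file" warning and the Properties > Unblock button.
UNTRUSTED_ZONES = {3, 4}


def parse_zone_identifier(text):
    """Parse a stream body into a dict; ZoneId becomes an int.

    Lines outside the [ZoneTransfer] section, blank lines and ';' comments
    are ignored, so a hand-edited or odd stream does not crash the parser.
    """
    fields = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "ZoneTransfer" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    if "ZoneId" in fields:
        try:
            fields["ZoneId"] = int(fields["ZoneId"])
        except ValueError:
            del fields["ZoneId"]  # unparsable ZoneId: treat as no mark at all
    return fields


def zone_name(text):
    """Human-readable zone for a stream body, or None if it carries no ZoneId."""
    zone_id = parse_zone_identifier(text).get("ZoneId")
    if zone_id is None:
        return None
    return ZONE_NAMES.get(zone_id, "Unknown zone %d" % zone_id)


def is_blocked(text):
    """True if a file carrying this stream body gets the warning dialog."""
    return parse_zone_identifier(text).get("ZoneId") in UNTRUSTED_ZONES


def read_mark(path):
    """Return the stream body for `path`, or None when there is none.

    Only NTFS on Windows exposes streams through the file:stream syntax,
    so on FAT volumes, other OSes or unmarked files this returns None.
    """
    try:
        with open(path + STREAM_SUFFIX, "r", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None


def unblock(path):
    """Delete the stream, which is what the Unblock button does. True if removed."""
    try:
        os.remove(path + STREAM_SUFFIX)
        return True
    except OSError:
        return False


if __name__ == "__main__":
    # Constructed sample of what IE leaves on a file fetched from the Internet zone.
    sample = "[ZoneTransfer]\r\nZoneId=3\r\n"
    print(zone_name(sample), "blocked:", is_blocked(sample))
```

Run against a real download (`read_mark(r"C:\Users\me\Downloads\tool.exe")`) the script tells you which zone the file was marked with; `unblock()` on the same path is the programmatic equivalent of the Properties > Unblock button, and, as the commenter notes, fails for a running executable because the file is locked.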
The school district up here in little San Juan County is looking at a $600-800K shortfall in our budget for the next year. This is due largely to the unfunded mandates mentioned above - unfunded special ed costs (this is out of control) and unfunded teacher raises. Plus, the cost of everything is going up and the State revenue is not keeping pace. In the next week or so we have to figure out what to cut as we're not allowed to run over our budget. Gregoire is asleep at the wheel on this one.
Pingback from Olli http://dnn.ebsfaq.com/:
I feel honored! :)
At least you weren't photographed in a compromising position with the 'roo. BTW, isn't it always diving season in Oz?
I enjoyed the article. I didn't see the phrase 'the law of unintended consequences' in the article. Too trite perhaps?
Why not just exclude c:\dev\, c:\pentest\, etc. ?
Of course you can exclude directories, and I have in the past. You have to keep being careful to watch out though because things that weren't considered malicious before could now be, and, if you have a managed computer, the manager could remove the exclusions. Still, it is good advice, and may permit you to run anti-malware on a computer that would otherwise cause problems.
In my opinion, the lesson learned here is more subtle:
Don't let scanners auto-delete things from your computer.
Quarantine is fine. Auto-delete/clean is not.
You can't add mitigation costs to ALE. If you do that, ALE value doesn't work the way it should.
What you can do is compare ALE with mitigation costs and see if it is worth mitigating the risk.
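The two comments above state the rule in words. As an added example (not from the blog or the commenter), the Python below carries it through with made-up figures: ALE is SLE times ARO and stays a pure loss figure, and the cost of a control is compared against the ALE it buys down, with "do nothing" as the baseline so a control that costs more than it saves never wins. All numbers are constructed.

```python
"""Annualized Loss Expectancy and how to weigh a mitigation against it.

Constructed example; every figure below is made up.
ALE = SLE * ARO, and the cost of a control is never folded into ALE.
Instead it is compared with the ALE reduction it buys:
    value of control = ALE_before - ALE_after - annual cost of control
"""


def ale(sle, aro):
    """Single Loss Expectancy times Annualized Rate of Occurrence."""
    return sle * aro


def control_value(ale_before, ale_after, annual_cost):
    """Net annual benefit of a control; negative means it costs more than it saves."""
    return ale_before - ale_after - annual_cost


def pick_control(sle, aro, controls):
    """Return (name, net value) of the control with the best net benefit.

    `controls` maps a name to (new_sle, new_aro, annual_cost): what the
    loss and frequency look like with the control in place, and what it
    costs per year. 'do nothing' (value 0) is always an option, so a
    control that loses money is never chosen.
    """
    baseline = ale(sle, aro)
    best = ("do nothing", 0)
    for name, (new_sle, new_aro, cost) in controls.items():
        value = control_value(baseline, ale(new_sle, new_aro), cost)
        if value > best[1]:
            best = (name, value)
    return best


if __name__ == "__main__":
    # Constructed scenario: a 100,000 loss expected once every five years.
    options = {
        # control: (SLE after, ARO after, annual cost)
        "patch management": (100_000, 0.05, 5_000),   # cuts frequency
        "cyber insurance":  (20_000, 0.2, 18_000),    # cuts loss size, pricey
        "air gap":          (0, 0, 25_000),           # removes the risk, costs more than it
    }
    print("baseline ALE:", ale(100_000, 0.2))
    print("best option:", pick_control(100_000, 0.2, options))
```

The point the commenter makes shows up directly: the "air gap" option drives ALE to zero, but because its annual cost exceeds the baseline ALE its net value is negative, and only keeping cost outside the ALE figure makes that visible.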
I like how they don't send any spam originating from their IP address. I guess when there are so many zombies out there they don't need to.
www.dnsright.com/MXBlacklist.aspx
Love reading your blog.
Simon
Simon, do you mean how they can send the e-mail message without getting their mail server blacklisted? More than likely they are using a botnet to send this stuff. The message I got originated in an address that is part of a huge netblock allocated to Polish Telecom. I have not done any more digging than that, but I'd be willing to bet it is just a bot host that was made to send e-mail. That particular address is currently blacklisted by only three of the mail server blacklists: www.dnsright.com/MXBlacklist.aspx.
BTW, it is now 23:07 PDT, and IE still is not detecting this site as a phishing site.
Thanks for saving me some troubleshooting time, Jesper.
Jesper - nice blog. Thanks for your efforts! Cheers!
Plugged in a storage USB. Did F8. Error message stop was 0x o.....24. Yes, a Presario SR1820NX with an AMD64.
I had the same problem as above with the endless reboot loop. Tried the "sc config intelppm start= disabled", now my PC won't go anywhere, not even into safe mode. All I get is error stop 0x......24.
Help !
I've had a custom ASUS A8N32-SLI based PC with XPSp3 at each of the beta levels with a rebuild and reinstall. It's worked fine. The only problem has been when I added a no name bluetooth adaptor into the equation.
I have the ASUS A8N32-SLI Deluxe, had the boot problem, and inserted the USB and it booted fine like you said. Problem is, I don't want to keep the USB in there all the time; should be interesting to see how we can fix this.
I have the ASUS A8N32-SLI Deluxe motherboard with an AMD X2 4400+ cpu and no problems. I also don't have any secondary storage attached.. maybe I'm just lucky :)
Well... THIS explains a lot. Thank you!
I installed SP3 on my Compaq (AMD-based) laptop, and immediately experienced the endless loop - no getting into safe mode either. I was able to restore the Disk Image I created prior to the install, but it still wasted a couple hours. I'll try your 'fix' and reinstall SP3 to see how it works out. Of course, I have made a Disk Image in case I end up in the loop again.
I think I agree with you regarding the ASUS A8N-SLI Deluxe and Win XP Pro SP3. I run XP/SP3 on 2 separate computers and they work perfectly. The BIOS on one computer is updated to the latest controlled version; however the 2nd computer is installed with original manufacturer settings and it also works, actually. I might have missed something but it must almost certainly have to do with the custom builds and their fantastic images ;-P
I installed Windows XP SP3 and got the continuous reboots. The error code is 0xc0000189 Media is write protected. I cannot boot in safe mode or in any other mode. I can only get the command prompt. I renamed the intelppm file but that did not help. I would deeply appreciate any help. Thanks.
I had the same problem, but I think it was my video driver. Once I removed it, everything worked.
I am using IBM Anyplace Kiosk
Thanks for the advice!
Used 'safe mode' version and it worked!
I got the same problem after sp3, reboots while starting and no clue. safe modes didn't work either. My cpu is a Celeron on an asus p5vd2-vm motherboard. My solution: Installed vista instead.
Interesting, do download managers apply the same ADS, does Firefox, Opera, Safari?
I'd never thought about quite how this worked.
Following my SP3 upgrade I can no longer access my network through VPN
Reverting back to SP2 :>
I have a dell latitude d830 with intel core2 duo. I experienced the same problems, so it's not just AMD.
I think this problem matches 64-bit systems.
An updated version of the 32-bit processor driver amdk7.sys is included in SP3.
omg wish I saw this before I wiped and reloaded my hard drive. I can't believe all I had to do was plug my @#$%ing flash drive in.
very helpful information. thanks a lot.
Here we see how much more difficult it is to make an OS for ANY hardware producer and not just make the OS work for ONLY one type of hardware.
Perhaps I was lucky. I have a Phenom 9600 with an Asus M3A32-MVP Deluxe and installation worked just fine. However, I rolled my own, so perhaps there's no Intel stuff lying around. I have an external SATA drive, but it also boots when it's turned off.
Matt, as far as I know, there are no other programs that apply that ADS. Firefox certainly does not. I believe it is an Internet Explorer only feature.
I had similar problems on February Beta installation.
I resolved it two different ways based on this problem thread.
1. On an old desktop AMD processor - After installing SP3 and before rebooting, I changed the reg key (as suggested in the discussion thread) from 1 to 0. I do not remember which one exactly it is. The computer started normally.
2. The second problem was resolved on an AMD Core2 64 HP laptop. I had rebooted before fixing the problem. Then I moved a small file from the patch directory to the System32 folder using a Norton utility. That fixed the problem.
I am so sorry that at this time I am unable to give the details of that small file.
THANK YOU, THANK YOU, THANK YOU!
I have had two customers with Dell Precision 390 workstations (new last fall) running xp sp3 32bit, have the constant (reboot) problem and the systems could not be brought up in safe mode.
I had to do a windows repair from the original dell cd.
I was able to start the recovery console, but when I tried to run chkdsk /p it told me there were numerous disk errors and that it couldn't continue.
I then tried to boot up in PXE and I got the same message.
Finally I tried the recovery again with the Dell disk and I ran chkdsk with no parameters (also no login) and it fixed some of the errors, and finally I restarted a third time, did have to log in to an install and I could run chkdsk /p.
Windows would then start up and allow me to login. Auto updates wanted to install sp3 so i let it after running virus checks etc, and checking logs for errors. I ran a thorough disk scan and it showed no errors. I've had to spend many hours driving across town (west side of detroit to east side) and will have to make a return trip with the pc.
This will cost my customer $$$ and they / me are not happy about it............
This was actually the same exact problem when upgrading WinXP to SP2. XP user encounters stop error message 0x0000007E when installing SP2 on an AMD based computer. Read here:
www.runpcrun.com/0x0000007E
The solutions there for XP SP2 may also help WinXP SP3 users out there.
I'm still trying to figure out how, in an org Microsoft's size, that something as significant as XP SP3 managed to pass QA without a show-stopping bug of this magnitude being caught. Is MSFT internal QA only testing on Intel boards? What's even more surprising is that none of the early beta testers caught this bug; although it's really MSFT's responsibility, more eyes should have revealed this before GA.
Hi there. For me this is another trick from M$ to try to get out of XP. For a long time now they have been saying a lot of things about Vista and they want to force us to use that piece of crap. So, with this *** called SP3 for XP they show us their real intentions. It is a shame that a company such as M$ doesn't have a very good QA staff to detect these things before they affect consumers.
Long life to Linux!
In my shop, the problem only hit Dell GX620 and Inspiron 9100's (both intel platforms). I had to do a repair install to resolve the problem.
I have XP running on 2 partitions on my PC [at home] with an AMD Opteron 170 CPU and an ASUS A8N32-SLI [not deluxe] mobo. Installed it just on my non-production Win XP and everything went fine. Thinking of waiting for the other partition though. :-)
I had the boot problem on my AMD dual core Opteron 165/DFI LanParty motherboard running RAID 0 with 2 Raptors. I ended up formatting my system and tried a fresh install with SP3 and still the same problem. The only way I could get my computer to boot with SP3 was to set up on a single drive. I may have had other issues (don't have a clue what they might have been though) because everything was running great until SP3. I had the same problem on my AM2 machine until I went to a single drive. Who knows, but that's what I have found that works for me and the only thing at this point in time.
thanks for the intelppm.sys solution.
D Brooks: do you have any additional details? Do you know what error code you were getting? I'm concerned that the RAID setup had something to do with it.
Here we go, ECS Motherboard, AMD 3800+ chip. Won't go into Windows at all, even through Safe Mode. Why do Microsoft get away with it?
Just installed XP SP3 on 2 AMD based CPUs, 1 HP 64 and 1 Gateway 64X2, by using "Run sc config intelppm start= disabled" in Safe Mode prior to installing SP3. Installed SP3 without a hitch. Both systems fully operational. Thank you so much for the help!
Mac
Rick: which specific error code are you getting? If it won't go into safe mode it does not sound like the intelppm.sys problem. The fact that you know what motherboard is in the system makes it sound like the 0xA5 problem too.
Thanks for the instruction..got me up and running again :)
I installed SP3 at work on a new in Feb. Dell Optiplex 330. It is a dual core Intel. I got a BSOD on reboot saying OLE32.DLL (from what I recall) was missing. I believe the error code was 139. I was unable to reboot in safe mode, nor could I use an XP disk to boot as the SATA driver was not found for the hard drive. The box didn't have a floppy so F6 was unavailable. Basically, we had to reinstall the original image to get it running again. Something is very wrong with this service pack. What is strange is other similar computers here loaded fine.
Posting on behalf of my brother above. Does anyone have any recommendations for solving the 0x00000024 issue? This is on I believe an AMD based HP machine having first attempted an SP3 install, got the reboot issue, uninstalled SP3 via safe mode, then tried again and this time had the disabling of intelppm fix done on it which resulted in the 24 error and no access to safe mode.
Using the recovery console which is on one of the HP tools discs, the console it seems can't even find Windows! From what I gather, it just drops into a C:\ prompt and chkdsk just reports unrecoverable errors. Other commands appear to fail as if it can't find the Windows install.
We're looking at a complete system loss here and only option is a destructive recovery with the HP discs (these discs don't find the Windows install either to repair it).
No specific codes anywhere. No BSOD's, just flash screen hangs, blank screen hangs after driver loads in SAFE MODE. Flash USB didn't help. No intelppm file found in recovery (have OEM disc). Resorting to Vista laptop till a fix presents itself. BTW Jesper, you're doing a grand job.
Rick: can you try the advice above to "Disable automatic restart on failure?" That will get you an error code that you can post to us. On my computer I also did not get an error code. The reboot happened too fast to get one.
What kind of computer is it?
I have an HP Pavilion A1330n with AMD 3000+ with MCE 2005. I have amdk8.sys in windows\system32\drivers and I have intelppm.sys in windows\i386\sp2.cab, windows\system32\dllcache and windows\drivercache\i386\sp2.cab.
Question do I have to disable the intelppm? since this is not in drivers folder.
Please HELP.
Thanks
Tim, the 0x24 issue is file system related. It is a hard error to recover from.
What does chkdsk tell you? What kind of computer? Do you have a RAID card in that computer?
The best advice if the recovery console does not work is to use a WinPE disk. Sorry. Wish I had better news for you.
Home built, ECS Motherboard, AMD 3800+ chip, ATI AGP GFX, OCZ Ram. Built for gaming and decent computing power about a year ago. Just tried the restart disable instruction (F8) still goes to XP start screen, blue bar move 4/5's across and halts. No BSOD.
Rick: do you have a storage card in that computer, like a RAID card or a SATA PCI card? Your problem sounds different in that the computer never crashes at all. If possible, can you disconnect or disable any storage controllers and see if that helps? Obviously, if your boot volume is on a drive controlled by one you can't.
I've installed XP SP3 on an HP Pavilion with AMD processor. After the first reboot the error was 0x0000007e; I tried the solution from the recovery console, but intelppm wasn't found. I rebooted and the new error is the generic 0x0000074, and now I'm blocked, in tilt, please help me....
All I have, is a secondary hard-drive and a card reader with 2 DVD drives. That's all. IDE drives for HDD's. It's getting a bit annoying this lol. PC does NOT reboot, it'll simply hang.
Ashok: Is your computer crashing? If so, what error code?
If the computer boots into safe mode use the advice above to check the status of the intelppm driver by looking at the registry as I document above. Simply having the driver on the disk is not the problem. It is having it running that is.
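The advice above is to check whether intelppm is actually configured to run, not merely present on disk. As an added example (not the blog author's code), the Python below reads the two registry values that answer that question on a Windows box, the CPU's VendorIdentifier under HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 and the Start DWORD of the intelppm service, and applies the decision the comments describe: an AMD machine with intelppm set to load is the case to fix with `sc config intelppm start= disabled`. The decision logic is kept separate from the registry reads so it can be exercised anywhere; the values passed to it in the example run are constructed.

```python
"""Check whether the intelppm.sys processor driver is configured to load
and whether this is the AMD case from the XP SP3 reboot-loop discussion.

Constructed example, not the blog author's code. On Windows it reads the
registry; on anything else the registry reads return None and only the
pure decision logic is exercised.
Service Start values: 0 Boot, 1 System, 2 Automatic, 3 Manual, 4 Disabled.
"""
import subprocess
import sys

INTELPPM_KEY = r"SYSTEM\CurrentControlSet\Services\intelppm"
CPU_KEY = r"HARDWARE\DESCRIPTION\System\CentralProcessor\0"
START_NAMES = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}
DISABLED = 4


def assess(vendor_id, start_value):
    """Return (needs_fix, message) from the CPU vendor string and Start DWORD.

    start_value is None when the intelppm service key does not exist,
    which for our purposes is the same as 'not loading'.
    """
    vendor = (vendor_id or "").strip()
    if start_value is None:
        return (False, "intelppm service key absent: driver does not load")
    state = START_NAMES.get(start_value, "unknown value %r" % (start_value,))
    if start_value == DISABLED:
        return (False, "intelppm Start=%s: driver does not load" % state)
    if vendor == "AuthenticAMD":
        return (True, "AMD CPU with intelppm Start=%s: disable it "
                      "(sc config intelppm start= disabled)" % state)
    return (False, "%s CPU with intelppm Start=%s: expected, leave it"
                   % (vendor or "non-AMD", state))


def _read_hklm(subkey, name):
    """Read one HKLM value; None off Windows or when the key/value is missing."""
    if sys.platform != "win32":
        return None
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
            return winreg.QueryValueEx(key, name)[0]
    except OSError:
        return None


def assess_this_machine():
    """Run the check against the live registry."""
    return assess(_read_hklm(CPU_KEY, "VendorIdentifier"),
                  _read_hklm(INTELPPM_KEY, "Start"))


def disable_intelppm():
    """Apply the fix from the comments. Needs an administrative prompt."""
    return subprocess.call(["sc", "config", "intelppm", "start=", "disabled"]) == 0


if __name__ == "__main__":
    needs_fix, message = assess_this_machine()
    print(message)
    if needs_fix and "--fix" in sys.argv:
        print("disabled" if disable_intelppm() else "sc failed; run from an elevated prompt")
```

Run without arguments the script only reports; `--fix` applies the same `sc config` command the commenters used. It deliberately does not look at whether intelppm.sys exists in drivers or dllcache, because, as the comment says, the file being on disk is not the problem, the service being set to start is.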
I have a Dell Inspiron 8600 with Intel Centrino but had the same problem, no safe mode, unending reboots. Please advise.
Rick: I would start pulling drives out of the computer and see if that helps. I don't know what could be causing your problem. It's not like the others in that you are not getting a crash. Ironically, that makes it much harder to troubleshoot.
rpukra: We will need an error code to help you. If it is an Intel Centrino in an Inspiron, you do NOT have the AMD problem. Can you please follow the advice to disable automatic restart and see if you can get an error code?
Francesco, what did you do when you were in the recovery console? 0x74 means your system configuration is broken somehow. Usually it means the registry is corrupted or y