One researcher publishes exploit, another touts defense for Microsoft's newest zero-day

By: Gregg Keitzer

Computerworld - A security researcher on Sunday published a working exploit of a critical Windows vulnerability, making it more likely that attacks will spread.

According to a security advisory issued Friday by Microsoft, hackers can use a malicious shortcut file, identified by the ".lnk" extension, to automatically run their malware simply by getting a user to view the contents of a folder containing the shortcut. Malware can also automatically execute on some systems when a USB drive is plugged into the PC.

All versions of Windows, including the just-released beta of Windows 7 Service Pack 1 (SP1), as well as the recently retired Windows XP SP2 and Windows 2000, contain the bug.

Sunday, a researcher known as "Ivanlef0u" published proof-of-concept code to several locations on the Internet. Later that day, Belgian researcher Didier Stevens -- who in late March revealed a serious design flaw in Adobe's PDF document format -- confirmed that Ivanlef0u's code could be tweaked to create an effective attack.

Stevens also announced that he'd tested Ivanlef0u's exploit against a tool he'd written a year ago, and said that the utility successfully blocked attacks launched from USB flash drives and CDs. "You can use Ariad if you want to mitigate attacks with these shortcut links until Microsoft releases a patch," Stevens said of the tool in a Sunday blog.

In the blog post, Stevens illustrated how to set up Ariad to block executable files, including .lnk files, from running from a USB or CD drive. He also urged users to read Ariad's online documentation, and warned them that running it could be risky. "Ariad is a mini-filter drive, and as such operates inside the Windows kernel," Stevens said. "Bugs in kernel software can have grave consequences: the dreaded BSOD [Blue Screen of Death]. So please test this software first on a test machine you can miss."

Stevens clearly told rookie users to steer clear of the tool. "I don't want inexperienced users to install this. [Ariad] is not user-friendly," he said.

Microsoft's defensive advice thus far has been limited to recommending that users edit the Windows registry to disable the displaying of all shortcut icons, and to switch off the WebClient service.

Another researcher didn't think much of Microsoft's workarounds. "This is highly impractical for most environments," argued Chester Wisniewski, a senior security advisory with Sophos. "While it would certainly solve the problem, it would also cause mass confusion among many users and might not be worth the support calls," he said. "Microsoft also suggests disabling the WebClient service that is used for WebDav. If you are not a Microsoft SharePoint customer this may be a solution, but many organizations rely on SharePoint so this is limiting as well."

The U.S. Computer Emergency Readiness Team (US-CERT) added an alert of its own Saturday and pointed out that USB flash drives were a likely, and dangerous, attack vector. "Depending on the operating system and AutoRun/AutoPlay configuration, exploitation can occur without any interaction from the user," said US-CERT.

The team also urged Windows users to disable AutoRun and AutoPlay, two Windows functions that have long been used by attackers to commandeer PCs. AutoPlay is disabled by default for removable drives on Windows 7 and Server 2008 R2, but is on by default on other versions going back to Windows XP SP2.

Complicating matters is the fact that Microsoft dropped Windows XP SP2 from support last Tuesday, meaning that when it does produce a patch, it will not deliver the fix to PCs running XP SP2.

Several security experts contended over the weekend that XP SP2 was vulnerable to attack, even though Microsoft did not specifically list it or Windows 2000, the other edition retired from support last week, as affected.

"Noticeably absent from the list are Windows 2000 and Windows XP SP2 as they are no longer supported," said Wisniewski. "They are, however, definitely still vulnerable."

In its advisory, Microsoft stuck to its policy of not naming Windows editions that it no longer supports and so does not test. Instead, the company again pressed customers to upgrade from Windows XP SP2 to SP3, or from either Windows 2000 or XP SP2 to the newer Windows Vista or Windows 7.

Stevens suggested that his Ariad tool might be the long-term solution for XP SP2 users. "As it is expected that Microsoft will not release a patch for Windows XP SP2, Ariad can offer permanent mitigation," he said.

Source: ComputerWorld

Latest brawl between the mobile rivals is 'just business,' says analyst

Computerworld - Google today attacked Apple's apparent decision to ban some third-party ad networks from collecting ad performance data on the iPhone and iPad.

The latest brouhaha between the two rivals stems from new language in the terms iPhone, iPod Touch and iPad developers must agree to.

Ad analytics collection is prohibited unless it is "provided to an independent advertising service provider whose primary business is serving mobile ads," Apple's revised terms read. "For example, an advertising service provider owned by or affiliated with a developer or distributor of mobile devices, mobile operating systems or development environments other than Apple would not qualify as independent."

That seems to bar mobile ad company AdMob, the company Google acquired in late May for a reported $750 million, from Apple's devices.

And that prompted AdMob founder Omar Hamoui to blast back.

"This change is not in the best interests of users or developers," said Hamoui in a blog post on the AdMob site today. "Artificial barriers to competition hurt users and developers and, in the long run, stall technological progress."

According to AdMob, the number of Apple mobile devices -- iPhone, iPod Touch and iPad -- that reached its network in April outnumbered those powered by Google's Android platform by more than 3.5 to 1. Of all the ad requests it served in April, nearly 32% went to iPhones and iPod Touches.

"If enforced as written, [Apple's terms] would prohibit app developers from using AdMob and Google's advertising solutions on the iPhone," said Hamoui. "The terms hurt both large and small developers by severely limiting their choice of how best to make money. And because advertising funds a huge number of free and low cost apps, these terms are bad for consumers as well."

Industry analysts agreed that the new terms -- which were first reported by the MediaMemo blog on Tuesday -- lock out Google's AdMob.

"The new wording could be interpreted as banning non-independent advertising platforms, like AdMob," said Karsten Weide of IDC. "It seems pretty clear: Application developers can't be on the AdMob network."

But Weide also acknowledged that it was possible Apple's intention was different. He has asked Apple for clarification, but has not received an answer. Apple also did not respond to a request for clarification from Computerworld.

"It looks like Apple is choosing to exclude its biggest competitor from the iPhone," Weide said. "That mans more revenue for Apple in the short term, since ads would flow through its [iAd] system rather than through Google's [AdMob.]"

On Monday, Apple CEO Steve Jobs aggressively touted iAd -- Apple's own mobile ad platform -- that he boasted would own 48% of the mobile advertising market by the second half of 2010. iAd, which lets application developers place interactive advertising within their software, is set to launch July 1.

"Apple may be letting others in, but it's tilting the playing field," said Andrew Frank, an analyst with Gartner Research. "But the terms aren't incredibly clear. iAd is going to need some independent analytics, so a ban of everything definitely won't work."

Most analysts, including Weide and Frank, interpreted Apple's revised developer terms as saying that ad analytics are allowed, as long as the firms collecting the data are independent of a rival mobile device or operating system maker, and as long as Apple gives its okay.

"In the long run, I don't think this is very productive," said Weide. "A closed system like Apple's may make a better product, but it dampens competition and technical progress. So it's bad in the long run."

But for Apple, it's all about business -- and money, the two analysts said.

"It all comes down to money," said Weide, who believes that Apple's move is not a direct poke in Google's eye.

"It is just business," Frank agreed. "Google is the biggest competitor Apple has, but it's not the only competitor."

Minus a public clarification from Apple, it's impossible to gauge the Cupertino, Calif. company's true intentions, said Frank, or even the boundaries of the new terms that seem to bar AdMob from the iPhone.

"No doubt, this will be tested at some point," he said. "And then we'll know."

Source: Computerworld

Those who are entering the computer world tend to get a bit nervous; and why not? There is a constant creation of viruses, Spyware and Adware that could potentially sabotage your work and exploit your privacy. Unfortunately, there isn’t always a warning sign upon entering websites, and when there is, you have to beware that that isn’t the virus.

Think of spyware programs like a nasty cold that you just can’t kick. It basically hides in your system, destroying you from the inside-out. It has the ability to watch your every computer-move. What you once thought was your private information can now be a public display to anonymous users. Anything residing on your hard drive can be visible through this Spyware Program.

Common Symptoms: Constant Pop-ups, Unusual changes to your toolbars and/or icons on your desktop.

 If you are experiencing any of the above symptoms, you may want to run a system scan. By doing so, you’ll find out whether or not you have Spyware. If you do, make sure you don’t stumble across more. Here’s what I mean. There are tons of products that will help you overcome this problem, but beware. Before installing the software, make sure it’s credible! There are many tempting offers on the internet for Spyware solutions but they may be scams! If you go forth with what you think is accurate software, you could be digging a deeper whole. Don’t feel bad, it’s happened to most of us.

Have you ever downloaded freeware, and as soon as the download is finished you received multiple pop-ups? They usually read, “There is a problem with your computer, would you like to fix this problem now?” 

Naturally, you press Ok. Now, your computer starts acting up even worse than before. Well, that was not a credible site.

Tip: Don’t press any button they have available to you (Ok, Yes, No, Accept, Fix Now). Just click the little ‘x’ at the top-right corner of the box.

The prescription: AntiVirus on its own is not strong enough to protect your computer from potential threats. Make sure you have all the right software. Software with an auto-update for spyware definitions is ideal because new spyware definitions are being added every day. AntiVirus and a spyware removal program (aside from your existing anti-virus software) would be the perfect prescription to kick that nasty cold.

 As soon as you realize any strange activity with your computer, check it out. The sooner you catch the problem, the easier it is to fix it and after you find out it’s a legit solution, go for it!

NOTE: If more than 2 drives fail, you may have to do an interactive startup to stop the auto alarm posting of the "Iscsi target" service.  The alarm will hamper entering of the command.

If you are trying to use OpenFiler 2.3 as a storage repository for Citrix XenServer and a drive fails or the raid is broken, OpenFiler does not automatically repair the raid if a new drive is added or the issue with the previous drive is resolved and it is reinstalled. You have to re-attach the volume(s) manually to the raid device in Openfiler.

To see the members of the raid device, login to the OpenFiler GIU via your web browser --> volumes --> software Raid, then click on view members.  Here you will see the Raid configurations and which drives/volumes have been detached. Alternative methods would be to view the OpenFiler error email or execute the following command at the CLI (command line interface):

cat /proc/mdstat

The above command prints on the current system raid settings.

To reSync the array device, you must use of the “mdadm” command from the CLI:

mdadm /dev/md0 --add /dev/sdb1

The above example adds the partition/volume sdb1 to the raid device md0.

The status of the rebuilding/syncing of the raid can then be seen from the web interface of OpenFiler:  Volumes --> Software Raid.

Credit to: https://forums.openfiler.com/viewtopic.php?id=1768