The Tech Herald | Jul 6 2009
CSIS Security is reporting the discovery of a new vulnerability within Microsoft DirectShow. The 0-Day attack is a part of a massive website hijacking operation, where exploited domains are injected with code that attempts to exploit the DirectShow vulnerability as well as other known flaws.
According to CSIS, the attacks start by compromising a legitimate website, where malicious JavaScript is embedded into the site’s code. Once the compromised page loads, the injected JavaScript forces the user to visit a sub-domain on 8866.org. At the time this article was published, The Tech Herald could not confirm that the sub-domain listed by CSIS was still malicious, as it was unavailable. However, 8866.org is online, and should be considered suspect if not blacklisted altogether.
The 0-Day vulnerability, which is a stack overflow in DirectShow MPEG2TuneRequest, can be mitigated by setting the kill bit on msVidCtl.dll. CSIS has provided the solution on their site. [Google Translated] However, this is just one of several vulnerabilities the drive-by-download attack is attempting to exploit. Once the system is compromised, a keylogger is installed, as well as a “cocktail of malicious code” CSIS said.
Microsoft Windows 2000, 2003, and XP are listed as vulnerable. No word on if Vista or Windows 7 are at risk. We have asked Microsoft for comment and will update this story as more news comes in.
For now, CSIS is reporting that thousands of sites are using this new attack, and the ultimate landing points are starting to grow in number thanks to the exploit code being published online.
SANS is offering the best advice to IT this morning, “Please keep a watchful eye on your AV and IDS/IPS vendors updates to ensure coverage as early as possible on this exploit as it is likely to be widely deployed with the code being available.”
Update: Microsoft have released an advisory for the exploit:
Microsoft Security Advisory (972890)
Vulnerability in Microsoft Video ActiveX Control Could Allow Remote Code Execution
Published: July 06, 2009
Version: 1.0
Microsoft is investigating a privately reported vulnerability in Microsoft Video ActiveX Control. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. When using Internet Explorer, code execution is remote and may not require any user intervention.
We are aware of attacks attempting to exploit the vulnerability.
Our investigation has shown that there are no by-design uses for this ActiveX Control in Internet Explorer which includes all of the Class Identifiers within the msvidctl.dll that hosts this ActiveX Control. For Windows XP and Windows Server 2003 customers, Microsoft is recommending removing support for this ActiveX Control within Internet Explorer using all the Class Identifiers listed in the Workaround section. Though unaffected by this vulnerability, Microsoft is recommending that Windows Vista and Windows Server 2008 customers remove support for this ActiveX Control within Internet Explorer using the same Class Identifiers as a defense-in-depth measure.
Customers may prevent the Microsoft Video ActiveX Control from running in Internet Explorer, either manually using the instructions in the Workaround section or automatically using the solution found in Microsoft Knowledge Base Article 972890. By preventing the Microsoft Video ActiveX Control from running in Internet Explorer, there is no impact to application compatibility.
Microsoft is currently working to develop a security update for Windows to address this vulnerability and will release the update when it has reached an appropriate level of quality for broad distribution.
Mitigating Factors:
• Customers who are using Windows Vista or Windows Server 2008 are not affected because the ability to pass data to this control within Internet Explorer has been restricted.
• By default, Internet Explorer on Windows Server 2003 and 2008 runs in a restricted mode that is known as Enhanced Security Configuration. Enhanced Security Configuration is a group of preconfigured settings in Internet Explorer that can reduce the likelihood of a user or administrator downloading and running specially crafted Web content on a server. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone. See also Managing Internet Explorer Enhanced Security Configuration.
• By default, all supported versions of Microsoft Outlook and Microsoft Outlook Express open HTML e-mail messages in the Restricted sites zone. The Restricted sites zone helps mitigate attacks that could try to exploit this vulnerability by preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail messages. However, if a user clicks a link in an e-mail message, the user could still be vulnerable to exploitation of this vulnerability through the Web-based attack scenario.
• In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s Web site.
• An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
July 6, 2009
Posted by Smokey
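The kill-bit workaround described in the DirectShow item above can be verified offline. The following is an added example, not code from The Tech Herald, CSIS or Microsoft: it parses a `reg export` of the Internet Explorer "ActiveX Compatibility" key and reports which Class Identifiers lack the kill bit (bit 0x400 of the "Compatibility Flags" value). The CLSIDs and the export text are constructed placeholders, because the advisory's Workaround list is not reproduced on this page.

```python
import re

# The kill bit is bit 0x400 of the "Compatibility Flags" DWORD stored under
# HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}.
# 32-bit Internet Explorer on 64-bit Windows reads the Wow6432Node copy instead.
KILL_BIT = 0x00000400

_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\"
    r"Internet Explorer\\ActiveX Compatibility\\(\{[0-9A-F-]{36}\})\]$",
    re.IGNORECASE,
)
_FLAGS = re.compile(r'^"Compatibility Flags"=dword:([0-9A-F]{8})$', re.IGNORECASE)

# Constructed placeholders: substitute the Class Identifiers listed in the
# Workaround section of Microsoft Security Advisory 972890.
REQUIRED_CLSIDS = [
    "{00000000-0000-0000-0000-0000000000A1}",
    "{00000000-0000-0000-0000-0000000000A2}",
    "{00000000-0000-0000-0000-0000000000A3}",
    "{00000000-0000-0000-0000-0000000000A4}",
]

# Constructed sample of what regedit writes for the key; not taken from a real host.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000a1}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000A2}]
"Compatibility Flags"=dword:00800000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000A3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000A1}]
"Compatibility Flags"=dword:00800400
"""


def decode_reg_bytes(raw):
    """Decode a .reg file: version 5.00 exports are UTF-16LE with a BOM,
    older REGEDIT4 files are single-byte text."""
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")
    return raw.decode("latin-1")


def parse_compat_flags(reg_text):
    """Map (view, CLSID) to the flags integer, or to None when the key
    exists but carries no "Compatibility Flags" value."""
    found = {}
    current = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            # A new section starts; "[-HKEY..." (deleted key) does not match.
            current = None
            match = _KEY.match(line)
            if match:
                view = "wow6432" if match.group(1) else "native"
                current = (view, match.group(2).upper())
                found.setdefault(current, None)
        elif current is not None:
            match = _FLAGS.match(line)
            if match:
                found[current] = int(match.group(1), 16)
    return found


def audit_kill_bits(reg_text, required_clsids, views=("native",)):
    """Return (CLSID, view, status) for every required CLSID in every view."""
    found = parse_compat_flags(reg_text)
    report = []
    for clsid in required_clsids:
        for view in views:
            key = (view, clsid.upper())
            if key not in found:
                status = "key-missing"
            elif found[key] is None:
                status = "flags-value-missing"
            elif found[key] & KILL_BIT:
                # Other flag bits may be set as well; only bit 0x400 matters here.
                status = "kill-bit-set"
            else:
                status = "kill-bit-clear"
            report.append((clsid.upper(), view, status))
    return report


def unprotected(report):
    """Entries where the control can still be instantiated by Internet Explorer."""
    return [entry for entry in report if entry[2] != "kill-bit-set"]


if __name__ == "__main__":
    result = audit_kill_bits(SAMPLE_EXPORT, REQUIRED_CLSIDS, views=("native", "wow6432"))
    for clsid, view, status in result:
        print(f"{clsid} {view:8} {status}")
    print(f"{len(unprotected(result))} entries still need the kill bit")
```

A key that exists with other compatibility flags but without bit 0x400 is reported as `kill-bit-clear`, which is the case a simple "does the key exist" check would miss.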
TheRegister | 3rd July 2009
“IT admins across the globe are letting out a collective groan after servers and PCs running McAfee VirusScan were brought down when the anti-virus program attacked their core system files. In some cases, this caused the machines to display the dreaded blue screen of death.
Details are still coming in, but forums here and here show that it’s affecting McAfee customers in Germany, Italy, and elsewhere. A UK-based Reg reader, who asked to remain anonymous because he was not authorized by his employer to speak to the press, said the glitch simultaneously leveled half of a customer’s 140 machines after they updated the latest virus signature file.
“Literally half of the machines were down with this McAfee anti-virus message IDing valid programs as having this trojan,” the IT consultant said. “Literally half the office switched off their PCs and were just twiddling their thumbs.”
When the consultant returned to his office he was relieved that his own laptop, which also uses VirusScan, was working normally. Then, suddenly, when it installed the latest McAfee DAT file, his computer was also smitten. The anti-virus program identified winvnc.exe and several other legitimate files as malware and attempted to quarantine them. With several core system files out of commission, the machine was rendered an expensive paperweight.
A McAfee representative in the US didn’t immediately respond to phone calls seeking comment. Friday is a holiday for many US employees in observance of Saturday’s Independence Day.
Based on anecdotes, the glitch appears to be caused when older VirusScan engines install DAT 5664, which McAfee seems to have pushed out in the past 24 hours. Affected systems then begin identifying a wide variety of legitimate – and frequently crucial – system files as malware. Files belonging to Microsoft Internet Explorer, drivers for Compaq computers, and even the McAfee-associated McScript.exe were being identified as a trojan called PWS!hv.aq, according to the posts and interviews.”
Fix/solution: McAfee Support Forum
July 4, 2009
Posted by Smokey
Announcement Adobe Product Security Incident Response Team (PSIRT)
June 4, 2009
Adobe expects to deliver security updates for Adobe Reader and Acrobat versions 7.x, 8.x, and 9.x for Windows and Macintosh on Tuesday, June 9. This is the first quarterly security update for Adobe Reader and Acrobat as described in the May 20 blog post, and incorporates the initial output of code hardening efforts.
Adobe considers this a critical update and recommends users be prepared to apply the update for their product installations. Details of where to download updates will be posted to Adobe’s Security Bulletins and Advisories support page on June 9.
Details regarding security updates for the UNIX platform will be communicated when available.
Source: Adobe Blog
June 5, 2009
Posted by Smokey
Test organization: Softpedia | Ionut Ilascu, Editor, Software Reviews
Date: 2nd of June 2009
Version reviewed: Malwarebytes’ Anti-Malware 1.37
Program description
Malwarebytes’ Anti-Malware is a full-blown anti-malware program that can be considered the next step in the detection and removal of malware. It uses a new technology that was especially designed to quickly detect, deter and destroy any malware that could reside in your computer.
Features
- Malware scanner
- Malware remover
- File unlocker
- Threat quarantine
- Quick and full system scan
- Ignore list
- Logging
The test results
The Good
Easy installation, fast scans, daily updates, detects what other security software misses, ease of use, light footprint on system resources and it can be used free of charge; these are the very attributes of Malwarebytes’ Anti-Malware.
The application can cohabit with other anti-malware products, thus adding another layer of defense against threats. Although there is a paid version that includes real-time protection, the free one does not prevent the user from removing the nasties.
The Bad
Its database contains signatures mostly for threats that evade most of the security products on the market, so it cannot yet be used as the only protection for the system.
The FileASSASSIN tool has not quite reached full maturity and has yet to learn to unlock files before removing them. In our testing Unlocker did a better job.
The interface should be improved aesthetically given the trends soon to be set by the upcoming Windows 7 and even the current Vista.
The Truth
One seldom meets an application that can do what others can’t. In our case Malwarebytes’ Anti-Malware proved that it could discover what others missed. It does not provide the most complete signature database and it may not protect against the largest pool of malware, but it works great as a “wingman” for the security app you decide to use. Thus it enforces better protection and keeps you safe from some of the less known threats on the market.
You can try it for free and scan the system from time to time using the quick option to scan for the most common types of malware. It won’t take long and system resources will be used responsibly.
Extended/full review: Softpedia
June 2, 2009
Posted by Smokey
Washington Post
By Brian Krebs | May 29, 2009
A routine security update for a Microsoft Windows component installed on tens of millions of computers has quietly installed an extra add-on for an untold number of users surfing the Web with Mozilla’s Firefox Web browser.
Earlier this year, Microsoft shipped a bundle of updates known as a “service pack” for a programming platform called the Microsoft .NET Framework, which Microsoft and plenty of third-party developers use to run a variety of interactive programs on Windows.
The service pack for the .NET Framework, like other updates, was pushed out to users through the Windows Update Web site. A number of readers had never heard of this platform before Windows Update started offering the service pack for it, and many of you wanted to know whether it was okay to go ahead and install this thing. Having earlier checked to see whether the service pack had caused any widespread problems or interfered with third-party programs — and not finding any that warranted waving readers away from this update — I told readers not to worry and to go ahead and install it.
I’m here to report a small side effect from installing this service pack that I was not aware of until just a few days ago: Apparently, the .NET update automatically installs its own Firefox add-on that is difficult — if not dangerous — to remove, once installed.
Annoyances.org, which lists various aspects of Windows that are, well, annoying, says “this update adds to Firefox one of the most dangerous vulnerabilities present in all versions of Internet Explorer: the ability for Web sites to easily and quietly install software on your PC.” I’m not sure I’d put things in quite such dire terms, but I’m fairly confident that a decent number of Firefox for Windows users are rabidly anti-Internet Explorer, and would take umbrage at the very notion of Redmond monkeying with the browser in any way.
Big deal, you say? I can just uninstall the add-on via Firefox’s handy Add-ons interface, right? Not so fast. The trouble is, Microsoft has disabled the “uninstall” button on the extension. What’s more, Microsoft tells us that the only way to get rid of this thing is to modify the Windows registry, an exercise that — if done imprecisely — can cause Windows systems to fail to boot up.
Thanks Brian for spreading the word!
Thanks to Tommy, staff member on my board Smokey’s Security Forums, for alerting me to Brian’s article.
Article source: Washington Post
May 31, 2009
Posted by Smokey
Last week the recognized testing organization AV-Comparatives published a comprehensive DefenseWall HIPS test/review.
The program is the most important product of SoftSphere Technologies, a company primarily active in the field of information security whose mission is to develop reliable means of protection against existing and future threats, such as viruses, spyware or rootkits.
AV-Comparatives tested the software on 100 current Malware Samples (Adware, Spyware, Viruses, Trojan Horses, Backdoors, etc.) that were not detected by other major Anti-Virus products at the time of testing. All the samples were detected or executed as being untrusted or without compromising the system. Excellent test result: a protection rate of 100%!
My congratulations to SoftSphere Technologies; this result underlines again that DefenseWall HIPS is a top-notch Host Intrusion Prevention System.
Please keep in mind that the software should be regarded as being a supplement to an Anti-Virus product and not as a replacement.
The full review is available in English and German.
Links:
AV-Comparatives Softsphere DefenseWall HIPS Review
SoftSphere Homepage
SoftSphere Technologies Support Forums
May 29, 2009
Posted by Smokey
Review: IT Security Suites for Corporate Users, 2009
Test institution: AV-Comparatives
Last revision date: 2009-27-05
The following vendors participated in the review and tests:
Avira, Eset, G-Data, Kaspersky, Sophos, Symantec, TrustPoint.
AV-Comparatives / Reviews Main Page: http://www.av-comparatives.org/comparativesreviews >> click submenu Corporate Reviews *
* For copyright reasons, no direct clickable destination link provided
May 28, 2009
Posted by Smokey
May 28, 2009
To me it is a pleasure to announce that ESET, a company that develops software protection against computer security threats, is Smokey’s Security Weblog 2009 Hall of Shame Awardee.
The Hall of Shame Award is seldom granted, therefore all Awardees need our unlimited attention. Yesterday I already mentioned briefly that ESET is Awarded, but until now I hadn’t had the time to make an official announcement.
I will restate the motivation to Award ESET:
- not reacting in an adequate way regarding Service Pack 2 Windows Vista and Windows Server 2008 issues, like system crashes and BSODs with ESET NOD32 V4.x Antivirus products, this after install of SP2.
- till today no fix available to solve the SP2 related occurrences.
- condemnable lack of communication to their customers.
- an incredible attitude of arrogance and ignorance.
It is clear that ESET really deserves this prestigious Award, my sincere congrats!
Smokey
Update 2009-06-03: ESET removed from the Hall of Shame
With the same pleasure with which I announced that ESET is Smokey’s Security Weblog 2009 Hall of Shame Awardee, I can announce that ESET is removed from this Hall.
Before I mention the reasons to remove ESET from the Hall of Shame (and that within such a short period!) I will restate the purpose of The Hall:
“The attentive reader of this blog will have noticed the existence of Smokey’s Security Weblog Hall of Shame Awards. The sole purpose of these Awards is to improve users’ experiences and interests concerning all security-related issues. Experiences that are many times not satisfying and even really disappointing: users are treated in a way that isn’t acceptable, e.g. by (government) instances and institutions, security vendors, and so on. The list is long. The intention of our “Hall of Shame” is to achieve a change of mind in a positive way and improvements in behavior and procedures by the Awardees. This all in such a way that users’ interests are served well with it. Therefore the “stay” in the Hall of Shame isn’t by definition for always; all Awardees will have a fair opportunity to make improvements concerning points of criticism and to show their good intentions to learn from mistakes made in the past. At the moment this all is accomplished in a satisfying way, the Awardee will be removed from The Hall. The removal will be announced in public, with motivation for the why. A fresh, clean “restart” and opportunity for the former Awardees so to speak. OTOH, Awardees that are not willing to learn or refuse cooperation will be marked with the label “bad” and stay forever in The Hall.”
Motivation to remove ESET from the Hall of Shame
Within an astonishingly fast period (1 week!) after ESET became a Hall Awardee, they corrected/fixed all issues that were the reason to Award this vendor. To me it seems that the Service Pack 2 Windows Vista and Windows Server 2008 noise, present all around in the community, woke them up and forced them to improve fast. To be honest, they improved in a great way.
Congrats ESET!
Smokey
May 28, 2009
Posted by Smokey
The story: numerous ESET NOD32 V4.x Antivirus product customers reported severe problems after install of Service Pack 2 Windows Vista and Windows Server 2008. First reports showed up at the beginning of May 2009, and at the moment I write this post these reports still continue. Embarrassing: the total lack of feedback from ESET regarding the issue. Like I today already wrote on DSLReports, looking at all the threads and posts in their own support forums regarding the severe Service Pack 2 related problems, like e.g. system crashes, BSODs and so on, and the fact that (apparently) ESET refuses to communicate with their PAYING customers about the SP2 related occurrences, it is evident that ESET will lose customers. Even worse, their name and products will be scratched. It is a pity because ESET has fine products.
Finally today an ESET employee made a short statement on their support forum, almost 1 month after the first reports were produced:
“An issue with ESET’s V4 software and Service Pack 2 for Microsoft Windows Vista and Windows 2008 has been identified and the developers are working on a solution for it. Currently, I do not have any information about when it will be available or what form it will take, but as soon as more information is available it will be provided.”
Again, 1 month after the first reports were produced. And, even more embarrassing, Service Pack 2 RTM for Windows Vista and Windows Server 2008 are released and ESET is not able to offer fixed software that will solve the severe problems related to Service Pack 2.
ESET, this is bad, really bad. You can’t treat your customers with such incredible arrogance and ignorance.
Considering all disgraceful facts, to me it is a pleasure to grant you the famous Smokey’s Security Weblog 2009 Hall of Shame Award.
My sincere congratulations with this valuable Award!
Smokey
Update 2009-05-30, additional info provided by ESET
“Just to let you know, the web pages ESET posted on the matter have been revised, problem explanation and FAQ (Newsbulletin): http://kb.eset.com/esetkb/index?page=content&id=NEWS30
Provides workarounds (Knowledge Base article): http://kb.eset.com/esetkb/index?page=content&id=SOLN2254
You may want to bookmark these web pages and check them periodically as they will be updated with additional information as it becomes available.”
Update 2009-06-02: ESET patch available to solve the ESET NOD32 V4.x Antivirus products compatibility issues related to Service Pack 2 Windows Vista and Windows Server 2008
A spokesman of ESET just informed me they have a patch (an updated Anti-Stealth module, v1012, build date 20090526) ready to solve the ESET NOD32 V4.x Antivirus products compatibility issues related to Service Pack 2 Windows Vista and Windows Server 2008. According to ESET, right now it is still being tested but they are not aware of any issues or problems from users who have installed it on their Microsoft Windows Vista/Microsoft Windows 2008 systems with SP2 on them.
To obtain the patch, open the ESET user interface, press F5 to open the Advanced Settings window, select Update in the left pane, then Advanced Update Setup in the right pane and check Enable Test Mode at the bottom of the window.
The next time the client performs a virus signature database update, it will also download the updated Anti-Stealth module. If you are running ESET Smart Security, an updated Firewall module will also be downloaded for testing (it contains some other fixes and updates unrelated to the SP2 issue).
Update 2009-06-04: ESET Smart Security v4 and ESET NOD32 Antivirus v4.0 compatibility update for Vista/Server 2008 SP2 – The fix has moved into production
Statement ESET
Testing of the new Anti-Stealth module to improve compatibility between ESET Smart Security and ESET NOD32 Antivirus v4.0 and Microsoft Windows Vista / Windows Server 2008 Service Pack 2 has successfully completed and distribution has begun. The updated module will be downloaded automatically when a virus signature database update occurs in ESET Smart Security and ESET NOD32 Antivirus.
After the update is downloaded, the entry for the Anti-Stealth module in the About window for ESET Smart Security and ESET NOD32 Antivirus v4 will appear as Anti-Stealth support module: 1012 (20090526). The update is also installed if your Anti-Stealth module has a newer version or release date.
If Anti-Stealth was disabled as a temporary workaround, re-enable it by opening the ESET Graphic User Interface, pressing the F5 key to open the Advanced Setup window, selecting Antivirus and Antispyware in the left navigation pane and enabling (checking) the Enable Anti-Stealth Technology option in the right pane.
Source: Wilders
May 26, 2009
Posted by Smokey
Windows Server 2008 Service Pack 2 and Windows Vista Service Pack 2 – Five Language Standalone DVD ISO Released.
This is a DVD ISO image that contains Service Pack 2 for Windows Server 2008 SP2 for x86, x64, IA-64 and Windows Vista for x86, x64. This image is only applicable to computers that have one or more of the following languages: English, German, French, Japanese, or Spanish.
File Name: 6002.18005.090410-1830_iso_update_sp_wave0-RTMSP2.0_DVD.iso
Version: 948465
Knowledge Base (KB) Articles: KB948465
Date Published: 5/25/2009
Language: English, German, French, Japanese, Spanish.
Download Size: 1376.8 MB
Microsoft download page: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=9f073285-b6ef-4297-85ce-f4463d06d6cb
Supported Operating Systems:
Windows Server 2008; Windows Server 2008 for Itanium-based Systems; Windows Vista; Windows Vista Business 64-bit edition; Windows Vista Enterprise 64-bit edition; Windows Vista Home Basic 64-bit edition; Windows Vista Home Premium 64-bit edition; Windows Vista Ultimate 64-bit edition.
Non-DVD versions:
32-bit: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=a4dd31d5-f907-4406-9012-a5c3199ea2b3
64-bit: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=656c9d4a-55ec-4972-a0d7-b1a6fedf51a7
Programs that are known to experience a loss of functionality after you install Service Pack 2 for Windows Vista or for Windows Server 2008: http://support.microsoft.com/kb/969707
Warning: ESET NOD32 Anti-Virus v4.x programs can cause severe problems (e.g. BSODs) after Service Pack 2 install. More info on the official ESET Support Forum: http://www.wilderssecurity.com/showthread.php?t=241025
May 26, 2009
Posted by Smokey
“On June 1, 2009, the PC you’re using to test the Beta Build 7000 will begin shutting down every two hours. Rebuild your test PC with a non-expired version of Windows 7, such as the RC or Windows Vista. This will be a clean installation, so be ready to reinstall your programs and data.
If you are running Windows 7 Beta Build 7000 you’ll need to back up your data (preferably on an external device) and then do a clean install of the Windows 7 Release Candidate. After installing Windows 7, you will need to reinstall applications and restore your files.
There’s another expiration date you need to keep in mind: Windows 7 RC will expire on June 1, 2010, and you’ll need to either upgrade to the final release of Windows 7 or a prior version of Windows before then.”
Source: Softpedia
32-bit and 64-bit Windows 7 (Release Candidate) RC Build 7100.0.090421-1700 is available for download here.
May 25, 2009
Posted by Smokey
Overview
Windows 7 Upgrade Advisor scans your PC’s system, programs and devices to check if it’s able to run Windows 7. After a few minutes, the report will let you know if your PC meets the system requirements, if there are any known compatibility issues with your programs and devices, and will also provide guidance on your upgrade options to Windows 7.
System Requirements
- Supported Operating Systems: Windows 7; Windows Vista; Windows XP Service Pack 2
- .NET 2.0 Framework or higher if running on Windows XP
Beta Release Notes
- The upgrade paths are currently not given for N, K, and KN editions of Windows.
- Any language packs you have installed on your PC will have to be reinstalled after upgrading to Windows 7.
- If you’re running Upgrade Advisor inside Virtual PC or Remote Desktop, Windows Aero capability may not be detected properly.
Remarks Windows Client Communications Team
Windows 7 Upgrade Advisor examines a PC’s processor, memory, storage, and graphics capabilities, identifies known compatibility issues with installed software and devices and finally provides guidance on how to resolve those issues if possible. Please also note: Windows XP users are required to do a clean install of the Windows 7 RC as well as the final product. Only PCs with Windows Vista can be upgraded to Windows 7.
The Windows 7 Upgrade Advisor measures a PC’s ability to upgrade to Windows 7 based on the following final system requirements for Windows 7: 1 GHz or faster 32-bit (x86) or 64-bit (x64) processor; 1GB RAM (32-bit) / 2GB RAM (64-bit); 16GB available disk space (32-bit) / 20GB (64-bit); DirectX 9 graphics processor with WDDM (Windows Display Driver Model) 1.0 or higher driver.
Download the Upgrade Advisor: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=1b544e90-7659-4bd9-9e51-2497c146af15
May 8, 2009
Posted by Smokey
By ComputerWorld – Gregg Keizer 05 May
Pirated copies of Windows 7 Release Candidate (RC) on file-sharing sites contain malware, according to users who have downloaded the upgrade. Some of the pirated builds include a Trojan horse, numerous users said in message forums and in comments on BitTorrent sites such as Mininova.org.
“Just a warning for anyone downloading the new RC builds of windows 7. Quiet [sic] a lot of the downloads have a trojan inbedded [sic] in the setup EXE,” said someone identified as Frank Fontaine on a Neowin.net discussion thread. “The Setup EXE is actually a container, it appears to be a self-extracting EXE. There are 2 files inside, Setup.exe and codec.exe.”
Source: ComputerWorld
Get the official Windows 7 RC download:
The 32- and 64-bit versions of Windows 7 RC are available in five languages: English, German, Japanese, French, and Spanish. Just choose the version that fits the system you’ll be using, pick your language, and click go to register for and download the RC.
Downloading the Windows 7 RC could take a few hours. The exact time will depend on your internet provider, bandwidth, and traffic. The good news is that once you start the download, you won’t have to answer any more questions – you can walk away while it finishes. If it gets interrupted, it’ll restart where it left off. (txs NICK_ADSL_UK!)
Official download link for Windows 7 RC: Microsoft
May 6, 2009 | Posted by Smokey | Uncategorized
The faithful reader of my blog will probably remember the critical article I wrote about Matousec and his Firewall Challenges, “Matousec’s Firewall Challenge wrinkle: conflict of interests?” and the honor I granted him to add his Challenges to “Smokey’s Security Weblog Hall of Shame”.
Matousec’s Firewall Challenges are a continuous subject of criticism, not only by me but by many other people as well. It was clear that Matousec was looking for ways to control reputation damage. We also remember well the possibility of a re-test of a vendor’s product by Matousec, of course after paying for such a favor. In this way, a “bad” test could be turned into a “good” test.
Apparently Matousec is of the opinion that he can shut the mouths of the criticasters by renaming his “Firewall Challenges” to “Proactive Security Challenges” this past month. Almost at the same time he surprised us with the announcement that DIFINEX had acquired Matousec.
I have my own ideas about DIFINEX and this sudden move by Matousec. According to Matousec, “DIFINEX is a new company with an interest in Internet projects and online services. DIFINEX focuses on creating, financing and covering projects with medium-sized and large Internet audience”. Matousec is always yelling about “Transparent security”. This is in contradiction with his mysterious explanation about DIFINEX. To earn the label “Trustworthy” it is a must to be open and honest about everything, not only about tests and methodology but also about the people who finance these tests: DIFINEX. At the moment this is a Ghost Company.
To me it is obvious that Matousec’s recent moves confirm my negative feelings about him and his tests. More questions have been raised instead of the previous ones being answered. His tests wrinkle even more than before.
May 3, 2009 | Posted by Smokey | General, News, Security
Kudos to Softpedia! After reading their statement concerning Comodo Software, I can only tell Softpedia from this place: you have my full support. Pre-ticked boxes that will provide the user with crapware (adware/spyware) during the install of software are simply not done. It is sneaky behavior. Even worse, CIS – Comodo Internet Security installs third-party software (SafeSurf), irrelevant to the main product’s functionality, without leaving room for option. Very indecent, especially because CIS is security software. This kind of software should protect the user, not fool them with premeditation.
Excerpt of the Softpedia article:
Stefan Fintea, Software News Editor
28th of April 2009
As all our regular users know, programs awarded by Softpedia with the 100% Clean and 100% Free awards have been thoroughly checked by our team of editors and passed several tests. Aside from the fact that all programs on Softpedia are scanned with world-renowned security products, all awarded programs are installed by our team and checked for any spyware or adware components.
We make sure the program doesn’t fall under any of the six cases mentioned on our adware definition page. Please be advised that this definition is our creation and has not been “borrowed” from an online or offline source. It was created by our team of specialists to ensure that it covers all cases that may result in the legitimate dissatisfaction of our users. Therefore, if we find adware in a program it will be listed accordingly, regardless of the license it’s listed under on the producer’s website.
If the application has been found free of viruses/spyware and neither the installation process nor runtime experience reveal any unpleasant surprises, the program receives the 100% Clean award or, if it’s free for both personal and commercial use, the 100% Free award.
A program will not receive any award (or even be published on Softpedia) if it’s impossible to successfully pass through all of the above steps. But if it is possible, as you can see, the rules are very strict and no exception will ever be made. If a program fails to pass the adware test, it will be immediately marked as Adware, regardless of its popularity, developer or current user rating on Softpedia.
Now that we’ve cleared this up, you might be asking yourselves “OK, but what does this have to do with Comodo?” Well, if you had searched Softpedia for Comodo in the past week, you would have surely noticed that the company’s flagship programs were no longer listed on Softpedia. This was not our decision, of course, but let’s start with the beginning.
On April 15th, Softpedia received an official cease and desist letter from the Comodo legal team requesting us to “discontinue all references on Softpedia identifying CIS as adware” within seven days, because Comodo Internet Security is not adware.
The first thing we did was, of course, to double-check the license, but, as we’ve tried explaining to the Comodo team, CIS is indeed adware. Why? Well, for starters, because the installer attempts to change both the browser’s homepage and search engine. As if that wasn’t a good enough reason, the setup also offers to install SafeSurf. Here’s what the official Comodo letter states: “SafeSurf is optional and does not display unsolicited advertisements on a user’s computer, nor does it hijack browser settings or perform search overriding or home page changing without the user’s consent.”
Aside from the fact that SafeSurf is a component that the program (CIS) does not require to fully function, therefore it alone would be a good reason to mark CIS as adware, this utility also installs Ask Toolbar without asking for the user’s permission. This type of behavior is clearly not the one described in the Comodo email and could be easily classified as spyware (since adware would imply prior user consent).
Update: It was brought to our attention that users installing SafeSurf are informed in the utility’s EULA regarding the inclusion of Ask.com software in their browser. Informing the user that third-party software irrelevant to the main product’s functionality will be installed without leaving room for option is not, by far, normal behavior. That would practically imply that producers can force users into installing any third-party software or changing their homepage or search engine and get away with it, because a notification was made in the EULA. Furthermore, the graphic provided in the setup window is clearly deceiving as it does not show the Ask.com toolbar that is installed along SafeSurf.
Well said Softpedia, I have nothing to add.
Interesting read: “Current Practices of IAC/Ask.com Toolbars by Benjamin Edelman”
Softpedia invites you to share your opinion on their article here.
April 30, 2009 | Posted by Smokey | Anti-Spyware, Anti-Virus, Bundleware, Downloads, General, Malware, News, Security, Toolbarware