Smokey’s Security Weblog

veritas odium parit

How to recover a really dead Windows XP (SP2/SP3) TCP/IP stack

About this article

- Complete destruction and restoration of dead TCP/IP stack
- Recovery from fatal failure or partial or complete corruption of TCP/IP

Related error messages / occurrences

- IP Driver Error Code 2.
- TCP/IP network transport is not installed error message from active sync.
- TCP/IP driver missing from devmgmt.msc showing hidden devices.
- Ipconfig produces immediate failure message.
- An internal error occurred: The request is not supported.
- Unable to query host name.
- The specified device instance handle does not correspond to a present device message regarding DHCP service in services.msc
- Net start tcpip >>> fails with system error 2, The system cannot find the file specified.
- Ping error: Unable to contact IP driver, error code 2.
- Repair Local Area Connection: Failed to query TCP/IP settings of the connection. Cannot proceed.
- TCP/IP Protocol Driver Service Failed To Start, system cannot find the file specified.
- The TCP/IP Protocol Driver service failed to start due to the following error:The system cannot find the file specified.

Failed repair methods

- Netsh int ip reset resetlog.txt >>> no effect
- Non-full reinstall of TCP/IP using only the have disk method. >>> no effect
- Netsh Winsock reset >>> no effect
- Winsockxpfix >>> no effect
- Reinstalling network card >>> no effect

Solutions

Repair install

1. Insert and boot from your WindowsXP CD
2. At the second R=Repair option, press the R key
3. This will start the repair
4. Press F8 for I Agree at the Licensing Agreement
5. Press R when the directory where WindowsXP is installed is shown. Typically this is C:\WINDOWS
6. It will then check the C: drive and start copying files
7. It will automatically reboot when needed. Keep the CD in the drive.
8. You will then see the graphic part of the repair that is like during a normal install of XP (Collecting Information, Dynamic Update, Preparing Installation, Installing Windows, Finalizing Installation)
9. When prompted, click on the Next button
10. When prompted, enter your XP key
11. Normally you will want to keep the same Workgroup or Domain name
12. The computer will reboot
13. Then you will have the same screens as a normal XP Install
14. Activate if you want (usually a good idea)
15. Register if you want (but not necessary)
16. Finish

Hardcore method when nothing else is working

Step #1

1. Locate the Nettcpip.inf file in %winroot%\inf, and then open the file in Notepad.
2. Locate the [MS_TCPIP.PrimaryInstall] section.
3. Edit the Characteristics = 0xa0 entry and replace 0xa0 with 0x80.
4. Save the file, and then exit Notepad.
5. In Control Panel, double-click Network Connections, right-click Local Area Connection, and then select Properties.
6. On the General tab, click Install, select Protocol, and then click Add.
7. In the Select Network Protocols window, click Have Disk.
8. In the Copy manufacturer’s files from: text box, type c:\windows\inf, and then click OK.
9. Select Internet Protocol (TCP/IP), and then click OK.
Note: This step will return you to the Local Area Connection Properties screen, but now the Uninstall button is available.
10. Select Internet Protocol (TCP/IP), click Uninstall, and then click Yes.
11. Restart

Successful uninstallation of TCP/IP will remove numerous keys from the registry, including:

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip
HKLM\SYSTEM\CurrentControlSet\Services\Dhcp
HKLM\SYSTEM\CurrentControlSet\Services\Dnscache
HKLM\SYSTEM\CurrentControlSet\Services\IPSec
HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent
HKLM\SYSTEM\CurrentControlSet\Services\Atmarpc
HKLM\SYSTEM\CurrentControlSet\Services\Nla

These represent various interconnected and interdependent services.

For good measure you should delete the following keys before reinstalling TCP/IP in step #2:

HKLM\SYSTEM\CurrentControlSet\Services\Winsock
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2

Step #2

Reinstall of TCP/IP

Following substep #3 above, change the 0x80 back to 0xa0; this eliminates the related “unsigned driver” error that was encountered during the uninstallation phase.

Return to “Local Area Connection” > Properties > General tab > Install > Protocol > TCP/IP

You may receive an “Extended Error” failure when trying to reinstall TCP/IP; this is related to the installer sub-system conflicting with the security database status.

To check the integrity of the security database:
esentutl /g c:\windows\security\Database\secedit.sdb

There may be a message saying the database is out of date. First try the recovery option:
esentutl /r c:\windows\security\Database\secedit.sdb

If this doesn't work for you, you need the repair option:
esentutl /p c:\windows\security\Database\secedit.sdb

Rerun the /g option to ensure that integrity is good and the database is up to date.

Now return to the “local area network setup”
Choose install > protocol > TCP/IP and try again

Reboot.
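As an added example (not part of the original article or its Tech Support Guy source), a cmd batch script that records the state the “hardcore” procedure above depends on before you touch anything: the current Characteristics flag in Nettcpip.inf, the TCP/IP service state, which of the listed service keys are still present (each one is exported to a backup folder so a deletion can be undone), and the secedit.sdb integrity check from step #2. The backup folder name is an assumption; the script only reads and exports, the uninstall itself is still done through the Network Connections UI.

```batch
@echo off
REM tcpip_stack_check.cmd - added diagnostic/backup helper, not from the original article.
REM Run from an administrator cmd.exe on Windows XP, before step #1 and again after step #2.
setlocal enabledelayedexpansion

REM %windir% is the standard variable for the Windows directory (the article writes %winroot%).
set INF=%windir%\inf\nettcpip.inf
set SDB=%windir%\security\Database\secedit.sdb
REM Assumed backup location - change as you like.
set BACKUPDIR=%SystemDrive%\tcpip-backup
if not exist "%BACKUPDIR%" mkdir "%BACKUPDIR%"

echo === 1. Current Characteristics flag in %INF%
REM 0xa0 = NCF_HAS_UI (0x80) + NCF_NOT_USER_REMOVABLE (0x20). Step #1 changes it to 0x80,
REM which clears NCF_NOT_USER_REMOVABLE and is why the Uninstall button appears; step #2
REM requires it back at 0xa0 before the reinstall, or the "unsigned driver" error shows up.
findstr /i /c:"Characteristics" "%INF%"

echo.
echo === 2. TCP/IP driver service state (a dead stack typically fails with system error 2)
sc query tcpip

echo.
echo === 3. Service keys the uninstall is expected to remove (exported before anything is deleted)
for %%K in (Tcpip Dhcp Dnscache IPSec PolicyAgent Atmarpc Nla Winsock WinSock2) do (
    reg query "HKLM\SYSTEM\CurrentControlSet\Services\%%K" >nul 2>&1
    if !errorlevel! equ 0 (
        echo   present : %%K  - exporting to %BACKUPDIR%\%%K.reg
        REM XP's reg.exe prompts when the target exists, so remove any earlier export first.
        if exist "%BACKUPDIR%\%%K.reg" del "%BACKUPDIR%\%%K.reg"
        reg export "HKLM\SYSTEM\CurrentControlSet\Services\%%K" "%BACKUPDIR%\%%K.reg" >nul
    ) else (
        echo   missing : %%K
    )
)

echo.
echo === 4. Security database integrity (the "Extended Error" in step #2 points here)
esentutl /g "%SDB%"
if errorlevel 1 (
    echo   Integrity check failed: try "esentutl /r" first and "esentutl /p" only as a last resort,
    echo   then rerun this script so the /g check is repeated.
) else (
    echo   secedit.sdb integrity OK
)

endlocal
```

Keep the exported .reg files until the stack is confirmed working; double-clicking one re-imports that service key if the reinstall goes wrong.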

Source: Hublerb - Tech Support Guy

July 20, 2008 Posted by Smokey | Advisories, General, Uncategorized

New kind of malicious software could pose a danger to Windows users who download music files on peer-to-peer networks

A new kind of malicious software could pose a danger to Windows users who download music files on peer-to-peer networks.

The new malware inserts links to dangerous Web pages within ASF (Advanced Systems Format) media files.

“The possibility of this has been known for a little while but this is the first time we’ve seen it done,” said David Emm, senior technology consultant for security vendor Kaspersky Lab.

If a user plays an infected music file, it will launch Internet Explorer and load a malicious Web page which asks the user to download a codec, a well-known trick to get someone to download malware.

The actual download is not a codec but a Trojan horse, which installs a proxy program on the PC, Emm said. The proxy program allows hackers to route other traffic through the compromised PC, helping the hacker essentially cover their tracks for other malicious activity, Emm said.

The malware has worm-like qualities. Once on a PC, it looks for MP3 or MP2 audio files, transcodes them to Microsoft’s Windows Media Audio format, wraps them in an ASF container and adds links to further copies of the malware, in the guise of a codec, according to another security analyst, Secure Computing.

The “.mp3” extension of the files is not modified, however, so victims may not immediately notice the change, according to Kaspersky Lab.

“Users downloading from P2P networks need to exercise caution anyway, but should also be sensitive to pop-ups appearing upon playing a downloaded video or audio stream,” Secure Computing said.

Trend Micro calls the malware “Troj_Medpinch.a,” Secure Computing named it “Trojan.ASF.Hijacker.gen” and Kaspersky calls it “Worm.Win32.GetCodec.a.”

Source / full article: PCWorld Business Center

July 18, 2008 Posted by Smokey | Advisories, Alerts, Downloads, Malware, News, Security

Microsoft Security Bulletin MS08-033 (Critical): Vulnerabilities in DirectX Could Allow Remote Code Execution (951698)

Published: June 10, 2008 | Updated: July 16, 2008

This security update resolves two privately reported vulnerabilities in Microsoft DirectX that could allow remote code execution if a user opens a specially crafted media file. An attacker who successfully exploited either of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

This security update is rated Critical for all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

The security update addresses the vulnerability by modifying the way that DirectX handles MJPEG and SAMI format files.

Microsoft recommends that customers apply the update immediately.

Source / full article / download: Microsoft TechNet

July 18, 2008 Posted by Smokey | Advisories, Alerts, Downloads, Malware, Security, Vulnerabilities

heise SSL Guardian: protection against unsafe SSL certificates

Https connections are often used to transfer important data, such as passwords, PINs, or credit card numbers. The browser ensures that the sender can be identified with a valid certificate and that the transferred data are encrypted. An error in the Debian Linux distribution has generated numerous certificates that are child’s play to crack. Many servers still use these weak certificates, even though it is impossible to establish a secure connection using them. The heise SSL Guardian checks the SSL certificates and warns you when it detects a weak one.

All Windows applications that use Windows CryptoAPI will be protected by SSL Guardian. This includes Internet Explorer and Outlook Express, as well as Windows Mail. However, SSL Guardian does not protect Firefox and Opera as these use their own crypto libraries and not CryptoAPI. In order to protect Firefox, the Firefox SSL Blacklist extension is needed, as this has a similar function.

The Guardian supports the Windows 2000, XP and Vista operating systems and is free.
There are two versions with different sized lists. The first is for users that have adequate bandwidth and time. The second is a third as large, but still detects more than 98% of the weak certificates.

More info and download: heise Security

July 12, 2008 Posted by Smokey | Advisories, Downloads, General, News, Security, Vulnerabilities

F-Secure Client Security Version 7.12 Released

This service release fixes issues from the previous version of the product. For details, please see the Release Notes.

What is new in 7.1x release:

- Windows Vista support: F-Secure Client Security 7.1x supports Windows Vista 32-bit versions.
- Improved real-time scanning performance on removable drives: enhanced scanning logic enables faster scanning of large files that reside on removable drives.
- Updated scanning report to elaborate what happens: the scanning report has been updated to explain in more detail why certain files have been skipped.
- Faster spyware removal: spyware removal is significantly faster with this release. While previously the spyware scan was reinitiated with removal, the scan now maintains information about its state.
- Reduced memory consumption: the product has been optimized to use less memory. There is a significant decrease in the amount of memory consumed, which shows as improved overall performance.
- Internet Shield IPv6 support: IPv6 support in Internet Shield is now two-fold. The minimal Internet Protocol version 6 support enables the user to block all IPv6 traffic if needed. This has been extended with the ability to create firewall rules and handle IPv6 alerts in application control for IPv6 addresses. This extension is limited to Vista only, while the minimal support is available on all supported platforms.
- Updated identification and removal of conflicting programs (sidegrade): sidegrade has been updated to include more common conflicting products, and cleaned of the unnecessary removals of products that would not conflict with our software.
- New manual database installation tool: a new tool for updating protection databases manually, called fsdbupdate, installs all the latest database updates for customers with a valid subscription.
- Improved System Control with DeepGuard for latest malware types: System Control with DeepGuard has been updated to protect against the very latest types of malware attacks.
- Remote Application List for System Control: the administrator can configure System Control to deny or allow applications remotely with Policy Manager.
- Includes all previous hotfixes.

This release is for the following operating systems:

- Windows Vista 32-bit, SP1
- Windows XP Home Edition with SP0 / SP1 / SP2 / SP3
- Windows XP Professional Edition with SP0 / SP1 / SP2 / SP3
- Windows XP Media Center Edition with SP1
- Windows 2000 Workstation with SP4 Rollup 1 or higher

Note: when F-Secure Client Security 7.1x is taken into use, F-Secure Policy Manager needs to be version 7.1x or later.

Product home page: F-Secure

July 12, 2008 Posted by Smokey | Advisories, Alerts, Downloads, General, News, Security

Highly critical vulnerabilities reported in vBulletin

Some highly critical vulnerabilities have been reported in vBulletin, which can be exploited by malicious people to conduct script insertion attacks.

Input passed via “PHP_SELF” or via the “do” parameter when requesting a missing page is not properly sanitised before being logged. This can be exploited to insert arbitrary HTML and script code, which is executed in an administrator’s browser session in context of an affected site when the malicious logs are being viewed.

Reportedly, the vulnerabilities can be exploited to inject and execute arbitrary PHP code on an affected system.

It affects versions 3.7.2 and 3.6.10 PL2. Prior versions may also be affected.

Solution: update to version 3.7.2 PL1 or 3.6.10 PL3.

Sources: Secunia and vBulletin.

July 12, 2008 Posted by Smokey | Advisories, Alerts, Downloads, Malware, Security, Vulnerabilities

Smokey’s Security Forums down past 2 days

For the past 2 days Smokey’s Security Forums was down; cause: an unusual and fully unexpected combination of happenings all at the same time, finally solved this past morning.

My apologies for the inconvenience.

Smokey

July 11, 2008 Posted by Smokey | General, News, Security

Apple updates Leopard to 10.5.4

Apple has released Mac OS X 10.5.4, the fourth update to Leopard since it was released last October.

The new version contains the usual mix of bug fixes and security updates, with iCal getting the most attention. iCal won’t delete events without telling you as a result of the latest update, for example, and Apple said the update “improves overall iCal reliability.” Airport and Spaces & Expose also received some updates.

There are also a couple of security-related fixes for Safari and other issues.

Source: Crave
Download: Apple Downloads

July 6, 2008 Posted by Smokey | Advisories, Alerts, Downloads, General, News, Security, Vulnerabilities

Microsoft Security Bulletin Advance Notification for July 2008

Published: July 3, 2008

Microsoft Security Bulletin Advance Notification issued: July 3, 2008
Microsoft Security Bulletins to be issued: July 8, 2008

This is an advance notification of security bulletins that Microsoft is intending to release on July 8, 2008.
This bulletin advance notification will be replaced with the July bulletin summary on July 8, 2008.

Executive Summaries

Important (4)

Bulletin Identifier: SQL Bulletin
Impact of Vulnerability: Elevation of Privilege
The update may require a restart.
Affected Software: Microsoft Windows, Microsoft SQL Server. For more information, see the Affected Software section.

Bulletin Identifier: Windows Bulletin 1
Impact of Vulnerability: Remote Code Execution
Affected Software: Microsoft Windows. For more information, see the Affected Software section.

Bulletin Identifier: Windows Bulletin 2
Impact of Vulnerability: Spoofing
The update requires a restart.
Affected Software: Microsoft Windows. For more information, see the Affected Software section.

Bulletin Identifier: Exchange Server Bulletin
Impact of Vulnerability: Elevation of Privilege
The update may require a restart.
Affected Software: Microsoft Exchange Server. For more information, see the Affected Software section.

Non-Security, High-Priority Updates on MU, WU, and WSUS

For information about non-security releases on Windows Update and Microsoft Update, please see:

Microsoft Knowledge Base Article 894199: Description of Software Update Services and Windows Server Update Services changes in content for 2008. Includes all Windows content.

New, Revised, and Released Updates for Microsoft Products Other Than Microsoft Windows.

Disclaimer

The information provided in the Microsoft Knowledge Base is provided “as is” without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Source / Full Bulletin: Microsoft TechNet

July 5, 2008 Posted by Smokey | Advisories, Alerts, Downloads, General, Malware, News, Security, Vulnerabilities

Windows Vista Disappearing System Tray Icons Quick Fix

How-to for fixing missing icons in the Windows Vista system tray:

1. Back up the Registry by creating a restore point.
2. Go to Start > Run (or Windows-key + “R”), type in “regedit” and hit “OK”.
3. Navigate to the key “HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify”.
4. Delete the values “IconStreams” and “PastIconsStream”.
5. Open up the Task Manager (Ctrl + Shift + Esc), go to the “Processes” tab, select “explorer.exe” and click “End Process”.
6. Open the “Applications” tab and click “New Task…” at the bottom-right of the window.
7. In the message box that pops up type in “explorer.exe” and hit “OK”.
8. Explorer.exe will reload, and the missing icons should now be back in the system-tray where they belong.

Enjoy yourself! ;)

July 5, 2008 Posted by Smokey | Advisories, Downloads, General, Uncategorized

Opera 9.51 Released (Recommended security and stability upgrade)

July 3, 2008: Opera 9.51 released; this is a recommended security and stability upgrade. Several highly critical vulnerability issues were present in all previous versions, so we recommend you upgrade ASAP!

Changes since Opera 9.5

User Interface

- Fine-tuned the new Opera skin.
- Improved drag/drop of tabs.
- Fixed problems with search engines when upgrading from Opera 9.2x.
- Fixed a stability issue when printing or when in print preview.
- Added an option to toggle mouse flips in opera:config (User Prefs - Enable Mouse Flips).
- Textarea inputs now clear when no-cache is set.
- Saving of images is no longer recorded in transfers.

Mail/News

- Feeds now show the first time when you subscribe.
- Corrected a stability issue that could occur when clicking the drop-down to switch views.
- Adjusted thread expanding in Mail when receiving new messages.
- Corrected a problem where multiple views (access points) show for the same account.

Display and Scripting

- Corrected a stability issue with User JS.
- Style sheets now load when navigating in history.
- window.close() now functions after invoking a context menu and when closing Opera Dragonfly.

Security

- Fixed an issue where <canvas> functions could reveal data from random places in memory, as reported by Philip Taylor. See the advisory.
- Fixed an issue that could be used to execute arbitrary code, as reported by Billy Rios. Details will be disclosed at a later date.
- Security status is now correctly set when navigating from HTTP to HTTPS.
- Corrected an issue related to OCSP and CRLs that would lower security.
  Note: This will take effect with the weekly update, or when checking manually for an update (Help > Check for Updates).

Miscellaneous

- Corrected a stability issue with Yahoo! Mail.
- TinyMCE 2.1.x editor now works properly.
- Printing of chat items has been improved.
- Reconnection of the IRC client has been adjusted and improved.
- Menus on deviantart.com now work properly.
- Eliminated unwanted line breaks in rich text editors.

Windows-specific changes

- Fixed a resource leak in the transfer window that could cause visual paint problems and other related problems.
- Command line parameters must now be specified before any URLs on the command line.

Source: Opera Software
Download Opera v9.51: Opera Software Download Section

July 5, 2008 Posted by Smokey | Advisories, Alerts, Downloads, General, News, Security, Vulnerabilities

Microsoft Security Advisory (954462): Rise in SQL Injection Attacks Exploiting Unverified User Data Input

Published: June 24, 2008 | Updated: June 25, 2008

Microsoft is aware of a recent escalation in a class of attacks targeting Web sites that use Microsoft ASP and ASP.NET technologies but do not follow best practices for secure Web application development. These SQL injection attacks do not exploit a specific software vulnerability, but instead target Web sites that do not follow secure coding practices for accessing and manipulating data stored in a relational database. When a SQL injection attack succeeds, an attacker can compromise data stored in these databases and possibly execute remote code. Clients browsing to a compromised server could be forwarded unknowingly to malicious sites that may install malware on the client machine.

Mitigating Factors:

This vulnerability is not exploitable in Web applications that follow generally accepted best practices for secure Web application development by verifying user data input.

Purpose of Advisory: To assist administrators with identifying and correcting vulnerable ASP and ASP.NET Web application code which does not follow best practices for secure Web application development.

Advisory Status: Microsoft Security Advisory and associated tools were released.

Recommendation: Review the suggested actions and configure as appropriate. It is also suggested that server administrators evaluate the effectiveness of the discussed tools and utilize them as needed.

This advisory discusses the following software: Microsoft ASP and ASP.NET technologies.

Suggested Actions

Microsoft has identified several tools to assist administrators. These tools cover detection, defense, and identifying possible coding which may be exploited by an attacker.

• Detection – HP Scrawlr

Hewlett Packard has developed a free scanner which can identify whether sites are susceptible to SQL injection. This tool and support for its use can be found at Finding SQL Injection with Scrawlr at the HP Security Center.

Detailed description:
The tool will be a black-box analysis tool (i.e. no source code required). The user will input a starting URL, and the tool will:

• Recursively crawl that URL for hyperlinks in order to build up a site tree.

• Test all discovered links for verbose SQL injection by sending HTTP requests containing SQL injection attack strings in querystring parameters.

• Examine the HTTP responses from the server for SQL error messages that would indicate a SQL injection vulnerability.

• Report any pages found to be vulnerable to the user, along with the associated input field(s). For example, the tool might report that the fields “username” and “password” on page “foo.asp” are vulnerable.

• Defense – UrlScan version 3.0 Beta

UrlScan version 3.0 Beta is a Microsoft security tool that restricts the types of HTTP requests that Internet Information Services (IIS) will process. By blocking specific HTTP requests, UrlScan helps prevent potentially harmful requests from reaching the Web application on the server. UrlScan 3.0 will install on IIS 5.1 and later, including IIS 7.0. UrlScan 3.0 can be found at URLScan Tool 3.0 Beta.

Detailed Description:
UrlScan version 3.0 is a tool that will allow you to implement many different rules to better protect Web applications on servers from SQL injection attacks. These features include:

• The ability to implement deny rules applied independently to a URL, query string, all headers, a particular header, or any combination of these.

• A global DenyQueryString section that lets you add deny rules for query strings, with the option of checking un-escaped version of the query string as well.

• The ability to use escape sequences in the deny rules to deny CRLF and other non-printable character sequences in configuration.

• Multiple UrlScan instances can be installed as site filters, each with its own configuration and logging options (urlscan.ini).

• Configuration (urlscan.ini) change notifications will be propagated to worker processes without having to recycle them. Log settings are an exception to this.

• Enhanced logging to give descriptive configuration errors.

• Identifying – Microsoft Source Code Analyzer for SQL Injection

A SQL Source Code Analysis Tool has been developed. This tool can be used to detect ASP code susceptible to SQL injection attacks. This tool can be found in Microsoft Knowledge Base Article 954476.

Detailed Description:

The Microsoft Source Code Analyzer for SQL Injection is a standalone tool customers can run on their own ASP source code. In addition to the tool itself, there is documentation included on ways to fix the problems it finds in the code it analyzes. Some key features of this tool are:

• Scans ASP source code for code that can lead to SQL Injection vulnerabilities.

• Generates an output that displays the coding issue.

• This tool only identifies vulnerabilities in classic ASP code. It does not work on ASP.NET code.

Full Advisory/source: Microsoft TechNet

Note: these SQL Injection Attacks have to be considered as extremely dangerous.
Smokey

June 29, 2008 Posted by Smokey | Advisories, Alerts, Malware, News, Security, Vulnerabilities

Microsoft Vice President confirms Windows 7 ship date: January 2010

Microsoft will ship Windows 7 sometime in or near Jan. 2010, according to a letter company senior vice president Bill Veghte sent to Microsoft customers Tuesday.

The letter, sent to enterprise and business customers, will eventually be publicly posted on Microsoft’s Web site.
In the letter sent to “Windows Customers” and titled “An Update on the Windows Roadmap,” Veghte said “our plan is to deliver Windows 7 approximately three years after the January 2007 general availability launch date of Windows Vista.”

Veghte wrote, “You have told us you want a more regular, predictable Windows release schedule,” and he said that was the impetus for setting the 2010 ship date.

Source: NetworkWorld

June 28, 2008 Posted by Smokey | General, News

Protect yourself against the Criminal Rackets of Wimbledon crooks!

Computer users should be aware of the importance of scanning all web traffic for malware following the discovery that webpages on the Association of Tennis Professionals (ATP) website have been infected with malicious code.

Pages on the ATP website are just some of the thousands on the internet to have been injected with a malicious script called Mal/Badsrc, according to Sophos experts. The script downloads another malicious script triggering an infection process which ultimately infects the victim with spyware.

Web security experts at Sophos note that by infecting pages on the website the hackers may capitalise on excitement surrounding Wimbledon 2008, one of the four grand slams in the tennis calendar making up part of the ATP tour, as tennis fans will be likely to visit the website keen to find out the latest news.

“The hackers responsible for this attack don’t care what sites they infect, so long as there is a stream of potential victims likely to surf across the net, straight into their trap. The ATP website is just one of many sites to have been exploited by hackers trying to steal information from innocent internet users,” said Fraser Howard, principal virus researcher at Sophos. “With the Wimbledon tournament taking place at the moment, the ATP website will be receiving a spike in visitors - but any tennis fan visiting the infected pages on the site risks being served straight into a crook’s criminal racket.”

Source: SecurityPark

June 28, 2008 Posted by Smokey | Advisories, Alerts, Malware, News, Security, Vulnerabilities

Hackers hijack critical Internet organization sites of IANA and ICANN

June 27, 2008 (Computerworld) Turkish hackers yesterday defaced the official sites of the international organizations that oversee the Internet’s critical routing infrastructure and regulate domain names, researchers said today.

A group calling itself “NetDevilz” claimed responsibility for the hack, which Thursday morning temporarily redirected visitors to the sites for IANA (Internet Assigned Numbers Authority) and ICANN (Internet Corporation for Assigned Names and Numbers).

Users who tried to reach iana.com, iana-servers.com, icann.com and icann.net were shunted to an illegitimate site, said researchers at zone-h.org, a group that collects evidence of site attacks, including page defacements and redirects. According to a screen capture of the defacement snapped by zone-h.org, the bogus site simply displayed a taunting message: “You think that you control the domains but you don’t! Everybody knows wrong. We control the domains including ICANN! Don’t you believe us?”

The hackers redirected IANA and ICANN traffic to the same IP address that they used last week when they broke into Photobucket Inc.’s image-sharing site and pushed its users to a server operated by Atspace.com, a German hosting service, said Bulgarian security researcher Dancho Danchev in a blog post today.

A spokesman for ICANN contacted Friday morning wasn’t aware of the hack, and declined comment until he could find out more.

Source / full article: ComputerWorld Security

June 28, 2008 Posted by Smokey | General, Malware, News, Security, Vulnerabilities