Smokey's Security Weblog

veritas odium parit

Windows Vista / USB device detection problems: How-To-Fix


During the initial installation of a USB device (most often external drives, although not always), Windows Vista does not locate or install drivers for the device.

Windows Vista might report that there is “no driver found for you device” and/or will not display the pre-installed Vista OEM drivers. Even by manually selecting the driver, you will still get the “no driver found…” error. This is most likely caused by a corrupted INFCACHE.1 file. This file stores the location of drivers and their INF files. This file is hidden, has restricted access, and can be found in “c:\windows\inf”.

Delete the INFCACHE.1 file and it will force Windows to rebuild the INFCACHE.1 file the next time Windows searches for drivers. To delete this file, you have to set the security permissions of it to allow Full Control for the User Group Administrators or full control for your user account. Please follow the directions below:

1. Open a Windows Explorer window by right clicking on Start and then clicking on Explore.
2. In the address bar, type C:\windows\inf and press Enter.
3. Find and then right click on the file named INFCACHE.1.
4.Select Properties.
5. Click on the Security tab.
6. Click on Edit to edit the permissions of the file.
7. Click on Add to add User Groups.
8. Type Administrators in the User Groups field and click on OK.
9. Set Administrators to Full Control and click on OK.
10. Move or delete the file INFCACHE.1.
11. Reinstall a device to force Windows to rebuild the INFCACHE.1 file (DO NOT reinstall the same external hard drive that you were having issues detecting before. Please connect another USB device other than the one that Vista had an issue detecting).

This detection issue can happen several times in a row, but repeat the steps 1-11 and try again until this works.


May 31, 2008 Posted by | Advisories, Friends, Uncategorized | , , , , , , | 38 Comments

Microsoft Security Advisory (953818): Blended Threat from Combined Attack Using Apple’s Safari on the Windows Platform

Published by Microsoft: May 30, 2008

Microsoft is investigating new public reports of a blended threat that allows remote code execution on all supported versions of Windows XP and Windows Vista when Apple’s Safari for Windows has been installed. Safari is not installed with Windows XP or Windows Vista by default; it must be installed independently or through the Apple Software Update application. Customers running Safari on Windows should review this advisory.

At the present time, Microsoft is unaware of any attacks attempting to exploit this blended threat. Upon completion of this investigation, Microsoft will take the appropriate measures to protect our customers. This may include providing a solution through a service pack, the monthly update process, or an out-of-cycle security update, depending on customers needs.

Mitigating Factors:

• Customers who have changed the default location where Safari downloads content to the local drive are not affected by this blended threat.

More: Microsoft TechNet

Apple, please fix your homework in a proper and decent way asap!

Added: May 31, 2008

For reason of the information provided in the original advisory provided by Nitesh Dhanjani on May 15, 2008 this blended thread have to be considered as being Highly Critical.

Excerpt original advisory:

1. Safari Carpet Bomb. It is possible for a rogue website to litter the user’s Desktop (Windows) or Downloads directory (~/Downloads/ in OSX). This can happen because the Safari browser cannot be configured to obtain the user’s permission before it downloads a resource. Safari downloads the resource without the user’s consent and places it in a default location (unless changed).

2. Sandbox not Applied to Local Resources. This issue is more of a feature set request than a vulnerability. For example, Internet Explorer warns users when a local resource such as an HTML file attempts to invoke client side scripting. I feel this is an important security feature because of user expectations: even the most sophisticated users differentiate between the risk of clicking on an executable they have downloaded (risk perceived to be higher) to clicking on a HTML file they have downloaded (risk perceived to be lower).

3. [Undisclosed]. The third issue I reported to Apple is a high risk vulnerability in Safari that can be used to remotely steal local files from the user’s file system.

Remarkable and not  understandable: Apple let Nitesh Dhanjani know that they will fix only 1 of the issues he reported.

My advice: as long Apple haven’t fixed all the three issues mentioned in the original advisory, for security reasons don’t use Apple’s Safari (anymore).

May 31, 2008 Posted by | Advisories, Alerts, Downloads, Malware, News, Recommended External Security Related Links, Vulnerabilities | , , , , , , , , , , , , , , , , | Leave a comment

ING Introduces Tool for Safe E-Banking on Infected PCs

ING Direct, the nation’s largest online-only bank, said this week that it was giving away a software tool that would allow customers to bank online safely at ING, even if the user’s PC was already infected with data-stealing malicious software.

ING made the somewhat bold claim in partnering with an Israeli company named Trusteer, which offers an installable program called Rapport. Trusteer’s main invester is a man named Shlomo Kramer, co-founder of Check Point Software, the company that makes and markets the ZoneAlarm firewall products. Kramer is now CEO of Imperva, an application data protection company, which he co-founded with Mickey Boodaei, who is CEO of Trusteer.

Boodaei said Rapport creates a “secure pipe” within the user’s computer that encapsulates data as it flows to the ING Direct Web site. Boodei said the software works by assuming control over the application programming interfaces or APIs in Windows, the set of tools which allow software developers to create programs that interact with key Windows functionalities.

Some of today’s nastiest data-stealing malware works by hijacking these Windows APIs. For example, keyloggers simply hijack or “hook” the Windows API that handles the transmission of data from user interfaces, such as the keyboard and mouse. A more advanced type of malware – known as a “form grabber” – hijacks the “WinIntet” API – which sets up the SSL (think https://) transaction between the user’s browser and the encrypted Web site. By hijacking this API, a form grabber can rip out usernames and passwords even when the user is submitting them into a site that encrypts the data during transmission because it grabs that information at the lower level of the operating system, before it is encrypted.

Trusteer’s software examines these and other vital Windows APIs to see if any other process is trying to intercept sensitive data. It then blocks those that do.

Source and full article:

May 24, 2008 Posted by | Friends, Malware, News, Recommended External Security Related Links | , , , , , , , , , , , , , , , , , , , , | Leave a comment

Bogus Grand Theft Auto IV Contains Trojan

Hundreds of Grand Theft Auto IV fans eager to get their hands on a free copy of the game have been targeted by a Trojan virus, according to DriveSentry.

Hackers planted the virus in bogus game files, which are being illegally downloaded from P2P networks by those keen to experience the game without purchasing it.

John Safa, chief technical officer of DriveSentry, said: “People are exploiting the popularity of GTA IV in a way which could bring mayhem to the internet.”

“Hackers are increasingly sophisticated in the way they disrupt the web. They will piggyback on anything popular to wreak havoc. The only thing that many gamers can think of at the moment is GTA IV and hackers are using that interest to try to generate chaos as quickly as they can,” he added.

Former hacker Safa highlighted that within two minutes of logging on to P2P network Limewire he found evidence of Trojan viruses disguised as GTA IV files.

“Such computer viruses have the potential to wipe out or steal sensitive information such as a user’s bank details or wipe out important files. Some of these links were offering free downloads for the PC version of Grand Theft Auto IV even though it is not available yet.”

“I would urge anybody to tread very carefully around these links, as some links are designed to look official — or even better invest in a good anti-virus package that is capable of protection from the latest threats for their computer.”

Source: PCWorld

May 24, 2008 Posted by | Advisories, Alerts, Downloads, Friends, Malware, Recommended External Security Related Links | , , , , , , , , , , | Leave a comment

The ongoing tragedy of a country with it’s suffering population: Myanmar (Burma)

Probably we all can’t remember the free and prosperous Burma from the fifties anymore, because already since 1962 is Burma, renamed by the dictators into Myanmar, a country ruled by cruel and merciless generals. They keep down the suffering and defenseless Burmese population with all (un)imaginable cruelty and power they possess.

The magnitude of the devastating disaster that has met Burma, as result of Cyclone Nagris on Saturday, 3 May 2008 provoke every descriptions. Big pieces of land have hit absolutely barren. Where once villages were, state now literal completely nothing more upright. The number of killed people increase still, at the moment ten thousands of Burmese people are killed. And the Burmese dictators refuse almost all help offered by other countries…….

To give an impression what at the moment is going on in Burma here a full, original BBC News article from today.

France angered by Burmese delays

BBC News –  05:01 GMT

France’s ambassador to the UN has accused Burma’s government of being on the verge of committing a crime against humanity by not accepting foreign aid.

Jean-Maurice Ripert made the comment during a General Assembly session, after Burma’s UN ambassador accused France of sending a warship to region.

France says the ship is carrying 1,500 tonnes of food and medicine for survivors of Cyclone Nargis.

State TV has put the official death toll of the 2 May storm at 78,000.

Another 56,000 people are thought to be missing according to the latest official estimates, which nearly double the figures released on Thursday, raising fears the final human toll may be enormous.

UK Prime Minister Gordon Brown has said a natural disaster has been turned into a man-made catastrophe because of the negligence of the Burmese generals.

“The responsibility lies with the Burmese regime, and they must be held accountable,” Mr Brown told the BBC.

Refusing aid by sea

Mr Ripert angrily rejected Burmese allegations the French ship in international waters off Burma’s coast was a warship.

The French UN ambassador warned that the Burmese government’s refusal to allow aid to be delivered to those who needed it “could lead to a true crime against humanity”.

“Hundreds of thousands of lives are in jeopardy and we think that the primary responsibility of the government of Myanmar (Burma) is to help and open the borders so that the international aid could come into the place,” he said.

A US naval task force is also waiting off the Burmese coast for permission to deliver large consignments of aid, including drinking water, but so far the Burmese military government has refused relief aid arriving by sea.

Foreign aid agencies, too, are frustrated at the slow progress of aid to areas worst hit, especially in the Irrawaddy Delta.

However, a team of 50 Indian medical personnel is being flown into Rangoon on Saturday, equipped with medical supplies.

The BBC’s Sanjoy Majumder says the government is making an exception to its reluctance to accept foreign aid, because India has close ties to the Burmese junta.

Heavy rain

A BBC reporter in the delta this week saw little sign of official help and foreign aid workers have been barred from the area.

Natalia Antelava saw muddy river banks lined with white, swollen bodies, and found survivors with barely enough rice to live on.

The Red Cross is seeking more than $50m (£26m) in aid to help survivors of the storm which struck on 2-3 May.

Heavy rain has been lashing the region, compounding the misery of cyclone survivors.

The UN Humanitarian Co-ordinator, John Holmes, is due to visit Rangoon, Burma’s main city, on Sunday in a bid to persuade the military government to grant more access to UN relief workers and expand its aid effort.

Earlier, the EU’s top aid official, Louis Michel, was denied permission to visit the delta region. He said he was given no explanation why disaster emergency experts were being refused visas.

But Burma’s authorities have promised to take foreign diplomats on a tour of the region this weekend, although it is not clear how much access the group will have to areas outside the official tour route.

‘Beggars for miles’

Burma blamed its sudden increase in the estimated death toll on difficulties in confirming the extent of damage in the worst-affected areas.

The difficulty in getting accurate figures is inevitable bearing in mind the scarce resources there are on the ground to assess the needs of survivors, says the BBC’s Chris Hogg in Bangkok.

A Reuters team travelling to Kunyangon, around 100km (60 miles) south-west of Rangoon, found rows of beggars stretching for miles on either side of a road.

Men, women and children stood in the mud and rain, hands clasped together in supplication at the occasional passing aid vehicle.

Many relief workers are awaiting visas and most of those who have been allowed into the country remain confined to Rangoon.

‘Time is life’

Speaking in Bangkok after his visit to Burma, the EU’s Louis Michel said the world needed to impress upon Burma’s rulers the urgency of survivors’ needs.

“Time is life,” he said.

“Every possible pressure – all rhetorical and diplomatic means – must be used to get them to understand that they must help us help them.”

At this stage it is not clear who he will be able to talk to given that Burma’s leader, Thein Sein, has refused to answer calls from UN Secretary General Ban Ki-Moon.

In the last few days, Burma has agreed to allow a few experts from neighbouring countries in to help.

While this may not be as many as the international community thinks are needed, UN officials believe this is an opportunity to show the military government that aid-workers’ motives are humanitarian, not political.

According to the Red Cross, aid agencies have been able to reach less than a third of cyclone victims and hundreds of thousands of people are at risk of diseases such as dysentery because of lack of clean water.

The Association of South East Asian Nations (Asean) is due to hold a high-level meeting in the coming days that is expected to lay the framework for a broader aid donors’ conference.

Burma’s military leadership, meanwhile, has warned that those who hoard or sell aid on the black market will be prosecuted, amid international reports of misuse of some aid shipments.

May 17, 2008 Posted by | Friends, News, Uncategorized | , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , | Leave a comment

PayPal XSS Vulnerability Undermines EV SSL Security

A security researcher in Finland has discovered a cross-site scripting vulnerability on that would allow hackers to carry out highly plausible attacks, adding their own content to the site and stealing credentials from users.

The vulnerability is made worse by the fact that the affected page uses an Extended Validation SSL certificate, which causes the browser’s address bar to turn green, assuring visitors that the site – and its content – belongs to PayPal. Two years ago, a similar vulnerability was discovered on a different page of the PayPal site, which also used an SSL certificate.

Harry Sintonen discovered the vulnerability and announced it to other web application security specialists in an Internet Relay Chat (IRC) channel today. Sintonen told Netcraft that the issue was critical, adding that, “you could easily steal credentials,” and, “PayPal says you can trust the URL if it begins with,” which is not true in this case.

While SSL certificates do indeed provide a higher level of assurance when it comes to site ownership, they cannot guarantee that a site is free from other security problems – including cross-site scripting. There are concerns that hackers may exploit misunderstandings in the significance of the green address bar for their own benefit, piggybacking off the trust that is instilled by EV certificates. Users need to be aware that a green address bar does not guarantee the origin of a page’s contents if there is a cross-site scripting vulnerability on that page.

Source: Netcraft

May 17, 2008 Posted by | Alerts, Friends, Malware, News, Recommended External Security Related Links, Vulnerabilities | , , , , , , , | Leave a comment

Zero-day code execution exploit in IE7 and 8 beta

0-day Internet Explorer “Print Table of Links” Cross-Zone Scripting Vulnerability

By Aviv Raff


Internet Explorer is prone to a Cross-Zone Scripting vulnerability in its “Print Table of Links” feature. This feature allows users to add to a printed web page an appendix which contains a table of all the links in that webpage.

An attacker can easily add a specially crafted link to a webpage (e.g. at his own website, comments in blogs, social networks, Wikipedia, etc.), so whenever a user will print this webpage with this feature enabled, the attacker will be able to run arbitrary code on the user’s machine (i.e. in order to take control over the machine).

Affected version

Internet Explorer 7.0 and 8.0b on a fully patched Windows XP.
Windows Vista with UAC enabled is partially affected (Information Leakage only).
Earlier versions of Internet Explorer may also be affected.

Technical details

Whenever a user prints a page, Internet Explorer uses a local resource script which generates an new HTML to be printed. This HTML consists of the following elements: Header, webpage body, Footer, and if enabled, also the table of links in the webpage.

While the script takes only the text within the link’s inner data, it does not validate the URL of links, and add it to the HTML as it is. This allows to inject a script that will be executed when the new HTML will be generated.

As I said in a previous post, most of the local resources in Internet Explorer are now running in Internet Zone. Unfortunately, the printing local resource script is running in Local Machine Zone, which means that any injected script can execute arbitrary code on the user’s machine.

Proof of Concept

The following is an example of a URL which executes Windows Calculator:<script defer>new ActiveXObject(“Wscript.Shell”).run(“calc”)</script>

A live proof-of-concept can be found at milw0rm.

Solution / Suggestion

I’ve contacted Microsoft last Tuesday. Their last response was that they are looking at an appropriate fix.
Until a patch is available, I suggest not to use the “print table of links” feature when printing a webpage.

Source: Aviv Raff On.NET

With thanks to Cabal/DSLR for drawing my attention to this 0-day exploit.

May 16, 2008 Posted by | Advisories, Alerts, Friends, Malware, News, Recommended External Security Related Links, Vulnerabilities | , , , , , , , , , , , , , , , , , , , , , , , | Leave a comment

OMG! My past is public! – Smokey the Bear Arrested For Arson

OMG! What i always feared is now sad reality: my dark past is uncensored public to everyone!
I accept this shocking fact with dignity and will take the only appropriate consequence: outing myself.
Here the truth about my past:

By recipher – 11/18/05: Smokey the Bear Arrested For Arson

Smokey the Bear, known for his plight and propaganda against wildfires and carelessness, was taken into custody this morning. Sources have discovered that Smokey is the main suspect in an arson case. Smokey’s lawyers have gone on record stating that he is innocent and was framed by Roger Rabbit, adding subtle irony to the case. Roger Rabbit, who has recently been battling with a horrific herion addiction and chronic depression, has denied all charges.

The target of the arson was, of course, Yogi the Bear. From what our investigators have uncovered, the motive was a very underground river dancing / log rolling competition that went awry earlier this week. Yogi was rumored to have been tormenting Smokey with the evil eye and phrases like, “only you can prevent your FACE from starting fires.” The heated match went down to a double, bonus round with Yogi prevailing. This greatly angered Smokey, and, he always bottles everything up inside anyway. If convicted, Smokey could wind up spending 5+ years in a cartoon penitentiary right outside the Los Padres National Forest. Yogi the Bear was unavailable for comment.

Source: BlueDamage

May 16, 2008 Posted by | Alerts, Friends, News, Recommended External Security Related Links, Uncategorized | , , , , , , , , , , , , , , , , , , , , | Leave a comment

Ubuntu and Debian: extremely serious openssl vulnerability

A weakness has been discovered in the random number generator used by OpenSSL on Debian and Ubuntu systems. As a result of this weakness, certain encryption keys are much more common than they should be, such that an attacker could guess the key through a brute-force attack given minimal knowledge of the system. This particularly affects the use of encryption keys in OpenSSH, OpenVPN and SSL certificates.

This vulnerability only affects operating systems which (like Ubuntu) are based on Debian. However, other systems can be indirectly affected if weak keys are imported into them.

We consider this an extremely serious vulnerability, and urge all users to act immediately to secure their systems. (CVE-2008-0166)

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

== Who is affected ==

Systems which are running any of the following releases:

* Ubuntu 7.04 (Feisty)
* Ubuntu 7.10 (Gutsy)
* Ubuntu 8.04 LTS (Hardy)
* Ubuntu “Intrepid Ibex” (development): libssl <= 0.9.8g-8
* Debian 4.0 (etch) (see corresponding Debian security advisory)

and have openssh-server installed or have been used to create an OpenSSH key or X.509 (SSL) certificate.

All OpenSSH and X.509 keys generated on such systems must be considered untrustworthy, regardless of the system on which they are used, even after the update has been applied.
This includes the automatically generated host keys used by OpenSSH, which are the basis for its server spoofing and man-in-the-middle protection.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 7.04:
libssl0.9.8 0.9.8c-4ubuntu0.3

Ubuntu 7.10:
libssl0.9.8 0.9.8e-5ubuntu3.2

Ubuntu 8.04 LTS:
libssl0.9.8 0.9.8g-4ubuntu3.1


May 13, 2008 Posted by | Advisories, Alerts, Downloads, Friends, News, Recommended External Security Related Links, Uncategorized, Vulnerabilities | , , , , , , , , , , , , , , , , , , , | Leave a comment

Photobucket are not cleaning up their act: continuous malvertizements on their website

Photobucket has been mentioned several times because of malvertizements appearing on the site. The most recent outbreak is proving to be problematic, to say the least.

They have been advised several times that there are malvertizements appearing on their web site. Photobucket have been given sufficient information to enable them to quickly identify and remove the malvertizements. Email acknowledgements have been received from Photobucket advising that the malvertizement reports would be forwarded to the “advertising team”.

The malvertizements have also been reported to the advertising networks being used to host and distribute the malvertizements.

Why, then, are the malvertizements cited here still appearing on the Photobucket web site? were able to get rid of the malvertizements reported to them. were able to get rid of the malvertizements that were reported to them. Why is it so hard for to clean up *their* act???

For reason of the condemnable ignore attitude/tactics of Photobucket and to protect the user against malware the strong advice:

nobody should visit unless they have software in place that will prevent any advertisements on that site from being displayed on their computer.

This advice stands unless and until the malvertizements are removed AND can reassure that:

1. Photobucket have improved their investigative processes when checking advertisements offered to them to minimise the possibility of this happening again; and
2. Photobucket have put in place new procedures to ensure that reports of malvertizements are identified and acted upon immediately.

Source: SpywareSucks

May 13, 2008 Posted by | Advisories, Alerts, Friends, Malware, News, Recommended External Security Related Links, Vulnerabilities | , , , , , , , , , | Leave a comment