PaulSpoerry.com

You found me… insights on technology, philosophy, Windows, hacking and more.

Microsoft finally patches 17-year-old bug

PaulSpoerry | February 5, 2010

A 17-year-old bug in Windows will be patched by Microsoft in its latest security update.

The February update for Windows will close the loophole that involves the venerable DOS operating system.

First appearing in Windows NT 3.1, the vulnerability has been carried over into almost every version of Windows that has appeared since.

The monthly security update will also tackle a further 25 holes in Windows, five of which are rated as “critical”.

Home hijack

The ancient bug was discovered by Google security researcher Tavis Ormandy in January 2010 and involves a utility that allows newer versions of Windows to run programs that date from the DOS era.

Mr Ormandy has found a way to exploit this utility in Windows XP, Windows Server 2003 and 2008 as well as Windows Vista and Windows 7.

The patch for this vulnerability will appear in the February security update. Five of the vulnerabilities being patched at the same time allow attackers to effectively hijack a Windows PC and run their own programs on it.

As well as fixing holes in many versions of Windows, the update also tackles bugs in Office XP, Office 2003 and Office 2004 for Apple Macintosh machines.

The bumper update is not the largest that Microsoft has ever released. The security update for October 2009 tackled a total of 34 vulnerabilities. Eight of those updates were rated as critical – the highest level.

In January 2010, Microsoft released an “out of band” patch for a serious vulnerability in Internet Explorer that was being exploited online. The vulnerability was also thought to be the one used to attack Google in China.

Following the attack on Google, many other cyber criminals started seeking ways to exploit the loophole.

Also this week, a security researcher has reported the discovery of a vulnerability in Internet Explorer that allows attackers to view the files held on a victim’s machine.

Microsoft has issued a security bulletin about the problem and aims to tackle it at a future date. At the moment there is no evidence that this latest find is being actively exploited online.


EvilMaid versus Full Disk Encryption (TrueCrypt & PGP)

PaulSpoerry | October 16, 2009

The Evil Maid Attack is an attack against whole-disk encryption, packaged as a small bootable USB stick image that lets the attack be performed in an easy “plug-and-play” way. The whole infection process takes about 1 minute, and it’s well suited to being carried out by hotel maids.

The Invisible Things blog goes into great detail on how most whole-disk encryption is vulnerable in a relatively simple way. The scenario considered is someone leaving an encrypted laptop e.g. in a hotel room. Let’s assume the laptop uses full disk encryption such as that provided by TrueCrypt or PGP Whole Disk Encryption. Many people, including some well-known security experts, believe it is advisable to fully power down your laptop when you use full disk encryption, in order to prevent attacks via FireWire/PCMCIA or “Cold Boot” attacks. So, let’s assume we have a reasonably paranoid user who uses full disk encryption on his or her laptop, and also powers it down every time they leave it alone in a hotel room, or somewhere else.

Now, this is where the Evil Maid stick comes into play. All the attacker needs to do is sneak into the user’s hotel room and boot the laptop from the Evil Maid USB stick. After some 1-2 minutes, the target laptop is infected with the Evil Maid Sniffer, which will record the disk encryption passphrase the next time the user enters it. As any smart user might have guessed already, this part is ideally suited to be performed by hotel maids, or people pretending to be them.

So, after our victim gets back to the hotel room and powers up his or her laptop, the passphrase will be recorded and e.g. stored somewhere on the disk, or maybe transmitted over the network (not implemented in current version).

Now we can safely steal/confiscate the user’s laptop, as we know how to decrypt it. End of story.
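As an added defender-side example (not code from the original post or from the Invisible Things project), the check below shows the usual countermeasure to this scenario: record hashes of the unencrypted boot region (MBR plus pre-boot loader, the only part an attacker can modify without the key) from a trusted boot medium, and re-verify them before typing the passphrase. The boot-region bytes and the `audit` helper are constructed stand-ins for this illustration.

```python
import hashlib
from typing import Dict, List

SECTOR_SIZE = 512  # bytes per disk sector

def sector_hashes(boot_region: bytes) -> Dict[int, str]:
    """SHA-256 of every 512-byte sector in the unencrypted boot region.

    On an FDE disk this region stays in plaintext so the machine can boot at
    all (MBR and the loader that prompts for the passphrase), which is exactly
    what an Evil Maid stick overwrites.
    """
    return {
        idx: hashlib.sha256(boot_region[off:off + SECTOR_SIZE]).hexdigest()
        for idx, off in enumerate(range(0, len(boot_region), SECTOR_SIZE))
    }

def changed_sectors(baseline: Dict[int, str], current: Dict[int, str]) -> List[int]:
    """Sector indices whose content differs from the trusted baseline.

    A sector present on only one side (region grew or shrank) also counts.
    """
    return sorted(
        idx for idx in baseline.keys() | current.keys()
        if baseline.get(idx) != current.get(idx)
    )

def make_boot_region(n_sectors: int, seed: bytes) -> bytes:
    """Constructed stand-in for a real boot region: deterministic filler sectors."""
    out = bytearray()
    for i in range(n_sectors):
        out += hashlib.sha256(seed + i.to_bytes(4, "little")).digest() * (SECTOR_SIZE // 32)
    return bytes(out)

# Constructed scenario: baseline recorded on a clean machine, then the same
# region after sector 1 (where a loader stub would live) has been overwritten.
CLEAN_REGION = make_boot_region(8, b"clean-laptop")
_tampered = bytearray(CLEAN_REGION)
_tampered[SECTOR_SIZE:2 * SECTOR_SIZE] = b"\x90" * SECTOR_SIZE
TAMPERED_REGION = bytes(_tampered)

def audit(baseline_region: bytes, current_region: bytes) -> List[int]:
    """Compare the current boot region against the stored clean baseline."""
    return changed_sectors(sector_hashes(baseline_region), sector_hashes(current_region))

if __name__ == "__main__":
    diff = audit(CLEAN_REGION, TAMPERED_REGION)
    print("boot region intact" if not diff else f"modified sectors: {diff}")
```

On a real laptop the region would be read from the raw device while booted from a medium you trust, since the installed OS may already be running the sniffer.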


4GB Memory Limit In 32-Bit Windows is Bogus

PaulSpoerry | August 26, 2009

Geoff Chappell published an article explaining how the 4GB memory limit for 32-bit Windows (he is writing mainly about Vista) is more of a licensing preference than an architectural limit. The article outlines how Chappell unlocked his system to use all the memory that is present, but cautions that such hackery is ill-advised for several reasons, including legal ones.

“If you want [to be able to use more than 4GB in Vista] without contrivance, then pester Microsoft for an upgrade of the license data or at least for a credible, detailed reasoning of its policy for licensing your use of your computer’s memory. … [C]onsider Windows Server 2008. For the loader and kernel in Windows Vista SP1 (and, by the way, for the overwhelming majority of all executables), the corresponding executable in Windows Server 2008 is exactly the same, byte for byte. Yet Microsoft sells 32-bit Windows Server 2008 for use with as much as 64GB of memory. Does Microsoft really mean to say that when it re-badges these same executables as Windows Vista SP1, they suddenly acquire an architectural limit of 4GB? Or is it that a driver for Windows Server 2008 is safe for using with memory above 4GB as long as you don’t let it interact with the identical executables from Windows Vista SP1?”

Read the full article here.


L0phtCrack – Windows password cracker is back!

PaulSpoerry | May 29, 2009

The legendary L0phtCrack password cracker is returning in the form of a new version 6. L0phtCrack disappeared from the market after @stake, a company formed by L0pht Heavy Industries and others, was taken over by Symantec. At the beginning of this year the original L0phtCrack team bought back the software rights from Symantec and have now upgraded the tool.

L0phtCrack 6 is packed with powerful features such as scheduling, hash extraction from 64-bit Windows versions, multiprocessor algorithms, and network monitoring and decoding. Yet it is still the easiest-to-use password auditing and recovery software available. Available in L0phtCrack 6 are:

Password Scoring
L0phtCrack 6 provides a scoring metric to quickly assess password quality. Passwords are measured against current industry best practices, and are rated as Strong, Medium, Weak, or Fail.

Pre-computed Dictionary Support
Pre-computed password files are a must-have feature in password auditing. L0phtCrack 6 supports pre-computed password hashes. Password audits now take minutes instead of hours or days.

Windows & Unix Password Support
L0phtCrack 6 imports and cracks Unix password files. Perform network audits from a single interface.

Remote password retrieval
L0phtCrack 6 has a built-in ability to import passwords from remote Windows machines, including 64-bit versions of Vista and Windows 7, and from Unix machines, without requiring a third-party utility.

Scheduled Scans
System administrators can schedule routine audits with L0phtCrack 6. Audits can be performed daily, weekly, monthly, or just once, depending on the organization’s auditing requirements.

Remediation
L0phtCrack 6 offers remediation assistance to system administrators on how to take action against accounts that have poor passwords. Accounts can be disabled, or the passwords can be set to expire from within the L0phtCrack 6 interface. Remediation works for Windows user accounts only.

Updated Vista/Windows 7 Style UI
The user interface is improved and updated. More information is available about each user account, including password age, lock-out status, and whether the account is disabled, expired, or never expires. Information on L0phtCrack 6’s current session is provided in an “immediate window” with a reporting tab providing up-to-the-minute status of the current auditing session.

Executive Level Reporting
L0phtCrack 6 has real-time reporting that is displayed in a separate, tabbed interface. Auditing results are displayed based on auditing method, risk severity, and password character sets.

Password Risk Status
Displays risk status in four different categories: Empty, High Risk, Medium Risk, and Low Risk.

Password Audit Method
Displays the completion of all four methods L0phtCrack 6 uses: Dictionary, Hybrid, Precomputed, and Brute Force.

Password Character Sets
Reports the completion of the various character sets being audited, including Alpha, Alphanumeric, Alphanumeric/Symbol, and Alphanumeric/Symbol/International.

Password Length Distribution
Reports the overall length of the discovered password by account.

Summary Report
Password statistics such as Locked, Disabled, Expired, or whether the password is older than 180 days.

Audit Summary
Number of accounts cracked and the number of domains audited.

Foreign Password Cracking
L0phtCrack 6 supports foreign character sets for Brute Force, as well as foreign dictionary files. Pull down menus change for language and character set. L0phtCrack 6 ships with several foreign dictionaries.

Visit L0phtcrack to read more or download the latest version. You can also read my previous article “Ophcrack Live CD – Crack Windows passwords in minutes”.


Easy Eye chart can tell if you have Conficker

PaulSpoerry | April 4, 2009

April Fool’s Day passed with much angst over, and little action from, the Conficker worm, but that doesn’t mean it’s not a threat or that you don’t have it. Joe Stewart from SecureWorks has put together an “eye chart” that sources its graphics from sites that Conficker would block. Click here to view the chart. If you can’t see one or more of the images, you’re either infected or image loading in your browser has been disabled. The test is based on the fact that Conficker blocks legitimate security Web sites. The logos are sourced remotely, so if they can’t load, the sites are likely being blocked.

