OCTOBER 2, 2003 - Issue 15
A bonus for subscribers
Every three months, paid subscribers to Brian's Buzz are invited
to download bonus content at no additional charge. This month, the bonus
is my first PDF e-book: Spam-Proof Your E-Mail Address. This report
describes a no-cost way to eliminate 97% of your spam without filters or
block lists. The book will soon go on sale to the public. But every
Brian's Buzz reader who's upgraded by Oct. 8 to the paid newsletter (via
contributing an amount of your choice) will receive a free download code for
the book on Oct. 9. For details, see the "Here's a Tip" section below, or simply
use this link
to upgrade now. Thanks. --Brian Livingston
TOP STORY - info you need to make Windows work
Exploit of broken MS patch is 'in the wild'
By Brian Livingston
I wrote in the Sept. 18 issue
of Brian's Buzz on Windows that a critical Microsoft security patch does
not actually close the hole it was intended to correct. Now virus attacks
that take advantage of this flaw have appeared "in the wild," on Web pages
that infect Windows PCs without warning.
Unbelievably, Microsoft still doesn't have an update that corrects the faulty
patch - despite the fact that the company acknowledged the error almost
one month ago on Sept. 8.
The problem affects the patch found in security bulletin MS03-032 and Knowledge Base article 822925.
This patch was designed to correct a problem in Internet Explorer 5.01, 5.5,
and 6.0. (IE 6.0 on Windows Server 2003 is vulnerable only if you've
turned active content "on" to view Web sites that use plug-ins, which includes
most large sites. The IE 6.0 default in Server 2003 is "off.")
Whether or not the MS03-032 patch is installed, the flaw allows an attacker
to silently install and run a malicious program on a PC that merely visits an
infected Web page.
Articles by Reuters
and Silicon.com
report that one Web page was using the security hole to take control of
AOL Instant Messaging accounts on victims' PCs. The attacker's program
then changed the AIM password and sent messages to everyone on the
victim's "buddy list" encouraging them to visit the infected Web page.
The malicious site has reportedly been taken offline since its discovery.
In addition, security researcher Richard Smith told Reuters that a different
kind of Web attack silently changes the victim's dial-up account so it uses a
pricey, pay-per-call number. Each call costs as much as $5 per minute, Smith
was quoted as saying.
Despite the existence of these threats in full form on the Web,
Microsoft hasn't released a new security bulletin since Sept. 10.
That bulletin was MS03-039 / 824146.
It closes an unrelated Remote Procedure Call (RPC) security hole found in
Windows NT, 2000, XP, and Server 2003 (but not Windows Me or 9x). This RPC hole
is the same type of flaw, although in a different section of code, as the one
that was exploited in August by the disastrous Blaster worm. (I described the
MS03-039 situation and its fix in the
paid version
of the Sept. 18 Brian's Buzz.)
A temporary - and not ideal - workaround
If you believe that you or your end users might visit a questionable Web site
that would infect a PC, there is currently no patch to protect you. As I
wrote in the last Brian's Buzz, the only workaround is to disable "active
content" from running in IE. In this week's issue, I'd like to provide
more information about that alternative.
One way to disable active content is to change the ActiveX settings in
Internet Explorer from "Enable" to "Prompt." This will ask you to click Yes or
No every time a Web page tries to run plug-ins. If you believe the page is
legitimate, click Yes, otherwise click No. According to the "frequently
asked questions" section of Microsoft's
MS03-032 bulletin, the following steps should be used to do this:
- In Internet Explorer, select Tools, Internet Options.
- Click on the Security tab.
- Highlight the Internet icon and click on the Custom Level button.
- Scroll through the list to the ActiveX controls and plug-ins section.
- Under "Run ActiveX controls and plug-ins," click Prompt.
- Click OK.
- Highlight the Local Intranet icon and click on the Custom Level button.
- Scroll through the list to the "ActiveX controls and plug-ins" section.
- Under "Run ActiveX controls and plug-ins," click Prompt.
- Click OK; then click OK again to return to Internet Explorer.
Because large, commercial Web sites commonly use one or more active plug-ins
on every page, you might be clicking Yes a lot if you use the workaround
described above.
For this reason, you may want to add sites you regularly
visit to the Trusted zone, and allow these sites to run active content
without prompting you every time. Microsoft recommends the following steps
to accomplish this:
- In Internet Explorer, select Tools, then Internet
Options. Click the Security tab.
- In the box labeled "Select a Web content zone to specify its current
security settings," click Trusted Sites, then click Sites.
- If you want to add sites that do not require an encrypted channel, click
to clear the "Require server verification (https:) for all sites in this zone"
check box.
- In the box labeled "Add this Web site to the zone," type the URL of a site
that you trust, then click the Add button. Repeat for each site that you want
to add to the zone.
- Click OK twice to accept the changes and return to Internet Explorer.
- Add any sites that you trust not to take malicious action on your computer.
One in particular that you may want to add is
http://windowsupdate.microsoft.com. This is the site that will host the patch,
and it requires the use of an ActiveX control to install the patch.
The final point in the steps above is the most ironic of all. The only
workaround Microsoft can suggest is to disable active content
in IE. But doing so also disables Windows Update - which requires ActiveX
to download and install Microsoft's eventual patch! You'll need to
re-enable active content every time you wish to run Windows Update (or
place it in your Trusted zone as explained above).
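The two Microsoft procedures above (ActiveX set to Prompt in the Internet and Local Intranet zones, then windowsupdate.microsoft.com added to Trusted Sites) map onto a handful of registry values, which is how an administrator would push the workaround to many PCs at once with "regedit /s". This is an added example, not code from the newsletter or from Microsoft; the registry paths and the action number 1200 are IE's documented zone settings, while the Trusted zone "Flags" value of 0x43 is an assumption that should be checked against your IE version.

```python
import re

# Registry layout behind IE's zone dialogs (per-user hive; the same layout exists
# under HKEY_LOCAL_MACHINE when an administrator locks zone settings). Zone numbers:
# 1 = Local intranet, 2 = Trusted sites, 3 = Internet. Action 1200 is
# "Run ActiveX controls and plug-ins"; its values are 0 = Enable, 1 = Prompt, 3 = Disable.
INET = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
ZONES, ZONEMAP = INET + r"\Zones", INET + r"\ZoneMap\Domains"
RUN_ACTIVEX = "1200"
ENABLE, PROMPT, DISABLE = 0, 1, 3
LOCAL_INTRANET, TRUSTED, INTERNET = 1, 2, 3


def trusted_site_entry(url):
    """ZoneMap entry for one site: Domains\\<registrable domain>\\<subdomain>, with a
    DWORD named after the scheme holding the zone number. Assumes a two-label
    registrable domain such as microsoft.com (assumption, not from the article)."""
    scheme, _, host = url.partition("://")
    labels = host.lower().rstrip("/").split(".")
    key = ZONEMAP + "\\" + ".".join(labels[-2:])
    if len(labels) > 2:
        key += "\\" + ".".join(labels[:-2])
    return [f"[{key}]", f'"{scheme}"=dword:{TRUSTED:08x}', ""]


def build_workaround_reg(trusted_urls):
    """Emit a .reg file: ActiveX -> Prompt in Internet and Local intranet, then whitelist sites."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for zone in (INTERNET, LOCAL_INTRANET):
        lines += [f"[{ZONES}\\{zone}]", f'"{RUN_ACTIVEX}"=dword:{PROMPT:08x}', ""]
    # Flags bit 0x4 on the Trusted zone is "Require server verification (https:)";
    # 0x43 is the commonly used value with that box cleared (assumed; verify per IE version).
    lines += [f"[{ZONES}\\{TRUSTED}]", '"Flags"=dword:00000043', ""]
    for url in trusted_urls:
        lines += trusted_site_entry(url)
    return "\n".join(lines)


ZONE_SECTION = re.compile(r"^\[" + re.escape(ZONES) + r"\\(\d)\]$")
DWORD_VALUE = re.compile(r'^"(\d+)"=dword:([0-9a-fA-F]{8})$')


def zones_still_running_activex(reg_text):
    """Audit a regedit export of the zone keys: return the zones (1 and 3 are checked)
    where action 1200 is still Enable. A zone with no 1200 value is reported too,
    because IE's default for both of these zones is Enable."""
    found, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        sect = ZONE_SECTION.match(line)
        if sect:
            current = int(sect.group(1))
            continue
        val = DWORD_VALUE.match(line)
        if val and current is not None and val.group(1) == RUN_ACTIVEX:
            found[current] = int(val.group(2), 16)
    return sorted(z for z in (LOCAL_INTRANET, INTERNET) if found.get(z, ENABLE) == ENABLE)


if __name__ == "__main__":
    reg = build_workaround_reg(["http://windowsupdate.microsoft.com"])
    print(reg)
    print("zones still running ActiveX without prompting:", zones_still_running_activex(reg))
```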
To send me more information about this, or to send me a tip on any other
subject, visit
WindowsSecrets.com/contact.
Don't believe any e-mail attachments from 'Microsoft'
Several readers have asked me about e-mail messages that claim to be
from Microsoft and bear attachments that claim to be critical patches.
Don't be fooled! These are always hoaxes that use falsified From
addresses to distribute viruses or pranks. Microsoft never distributes
software patches via e-mail. I wrote about this in more detail in the top story
of the May 8 issue of Brian's
Buzz, but it's worth repeating.
THIS WEEK'S HOT TIPS - news of the world of Windows
SoBig's silent payload is generating massive damage
The widespread SoBig virus, which I described in the
Sept. 4 issue of Brian's
Buzz, has become a huge problem for the Internet. More than
100 million
virus-carrying e-mail messages were spread by SoBig.F, the sixth variation of
SoBig to emerge this year. But an even more severe problem is that the
PCs that were infected by the disease are now running "zombie" programs. These
routines silently run as "open proxies" in compromised PCs. As such, they obey
directives from the virus's originators to send vast quantities of spam through
whatever Internet connection each machine may have.
I subsequently wrote in my
Sept. 22
column in eWeek that the zombie army was also being used to flood
anti-spam "block lists," shutting them down with overwhelming DDoS
(distributed denial of service) attacks. I said one block list - Osirusoft,
host of SPEWS -
had already been knocked out of business. Since that time, the Monkeys.org
list has been shut down as well, as announced in a newsgroup
posting
at Google Groups. In addition, the Blackhole.compu.net list has folded due to
spam that was falsified to appear to be coming from it, with a full DDoS attack
expected to follow, according to an
msnbc.com article.
(My thanks to reader James Schmidt for his help on this subject.)
When I was writing my eWeek column, I didn't have hard figures on the
number of PCs that had been compromised, so I wrote, "The rampant SoBig virus
has quietly installed zombie programs on thousands of PCs." That prompted an
e-mail from reader Rich Kulawiec, whose own testing clearly suggests that
the number is now well over 1 million:
"SoBig turns the huge numbers of end-user systems connected to broadband
DSL/cable/etc. ISPs into an enormous, scalable, distributed, fault-tolerant
'spamplifier.' And spammers are, of course, using it - what would be the
point in writing and releasing SoBig if they weren't? ;-)
"Let me show you what I mean. Back on July 26, I did a little analysis
of the sendmail logs on a cluster of four little servers. I picked that
cluster because (a) the size of the logs made the analysis easy to do
and (b) previous experience indicates that trends found there are
faithfully reflected in the logs of much larger systems.
"In particular, I grabbed all the entries where the SMTP input channel
was lost. This is a characteristic symptom displayed by certain
SMTP engines used by spamware, which (in their attempt to blast as
much spam per unit of time as possible) ignore the SMTP protocol and
just fire away without waiting for the server side to respond.
SoBig includes just such an SMTP engine. I found these numbers of
transactions displaying this behavior during 2003:
    Jan          2,025
    Feb          2,454
    Mar          3,043
    Apr          8,491
    May         55,448
    Jun         45,843
    Jul 1-25    42,144
which I can also break down by various ISPs, e.g., for some broadband
consumer ISPs here in the US:
    Month       Comcast   ATTbi.com   Verizon
    Jan               7          14         9
    Feb              27          19       121
    Mar              32          35       214
    Apr             295         417       306
    May           2,147       2,335     1,255
    Jun           2,498       2,778     1,076
    Jul 1-25      1,721       1,753       651
(ATTbi.com is also now Comcast.)
"... Why did the pace appear to slacken [in July]? Folks finally ran
their AV [anti-virus] programs, I think. And some ISPs blocked outbound port
25 traffic in desperation. And I think some redesign of SoBig was going
on, leading to the more virulent version we saw released in August.
"Subsequently, I've gone back through the logs on some larger servers
as well, and found that over the past six months I've got hundreds
of thousands of log entries corresponding to almost certainly hijacked
systems on every broadband ISP - Charter, RoadRunner, Comcast, Verizon,
PacBell: you name it, I've got spam attempts from it.
(A back-of-the-envelope grade analysis of those logs indicates roughly
320,000 distinct IP addresses are involved. No doubt many more have
been similarly hijacked, but they just haven't had the occasion to try to
abuse the particular servers I'm running.)
"And so do lots of other people: this has all been well-known within the
anti-spam community for months, and is frequently discussed on Spam-L
(the primary forum for that community). But numerous attempts to get the
ISPs responsible for this situation to do something about the amazing
quantities of spam coming out of their networks via millions of hijacked
systems have been met with auto-acks from ignorebots. (Even though
those of us reporting these problems are doing their work for them, by
providing them detailed logs - with IP addresses, timestamps, etc. of
the abuse emanating from their networks. You'd think they'd be
delighted to have someone else pointing them to the exact source of the
problem - but apparently not.)
"So there's the explanation ... for why so many of these ISPs find their
IP space listed on various DNSBLs (DNS block lists). Their failure to
adequately budget/staff in order to operate their networks properly has
made them an operational hazard to the rest of the Internet, which has
responded by doing what it can to minimize the ensuing damage.
"So ... please realize that most of the
anti-spam block lists would not exist if the ISPs whose networks are
the source of the spam would get off their butts and do something. But their
failure/refusal to do so, after days and weeks and months and years,
has made it necessary for others to defend themselves. And it's clearly
disingenuous for those same ISPs to whine about the impact of blocking:
this is a problem entirely of their own making, and it's entirely
their responsibility to solve it. Perhaps it hasn't dawned on them yet
that they are responsible for every data packet that comes out of their
networks. And if they're not ready to discharge that responsibility,
then they should not be connected to the Internet."
Although I have serious concerns about the lax management of some block lists,
I agree completely with Kulawiec that the attacks on them represent a serious
and unacceptable problem. When all of the anti-spam resources such as these
have been driven out of business by the costs of DDoS battles, legitimate
companies will have lost many valuable tools to stop spam. Even worse,
the spam gangs that are behind the SoBig epidemic will then be free to turn
their DDoS weapons against any other Web servers they wish to shut down,
including your company's Web server.
Until there's a better technical solution, you should make an extra
effort to run up-to-date anti-virus tools and clean up any machine that's
infected with the SoBig zombie or any other. And because most of the DDoS
attacks are coming from home PCs that are connected to major ISPs,
those service providers need to immediately scan their networks and
take action to block the attacks.
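Kulawiec's count rests on one sendmail log message, "lost input channel from <host> [<ip>] to MTA after <command>", which sendmail writes when a client drops the session without waiting for replies. As an added example that is not part of the newsletter or of his analysis, the Python below counts that message per month and per ISP and tallies distinct source addresses over a few constructed log lines; the ISP hostname-suffix mapping and the sample lines are assumptions, not his data.

```python
import re
from collections import Counter

# Sendmail's syslog line for an abandoned SMTP session. A bulk mailer that fires
# commands without reading the server's replies, as SoBig's built-in SMTP engine
# does, trips this message; ordinary clients almost never do.
LOST_CHANNEL = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +\d+ \d\d:\d\d:\d\d \S+ sendmail\[\d+\]: \S+: "
    r"lost input channel from (?:(?P<host>[^\[ ]+) )?\[(?P<ip>[\d.]+)\] "
    r"to MTA after (?P<cmd>\w+)$"
)

# Reverse-DNS suffixes for the ISPs named in the quoted analysis (constructed mapping;
# a production version would map by IP allocation, not by hostname suffix).
ISP_SUFFIXES = {".comcast.net": "Comcast", ".attbi.com": "ATTbi.com", ".verizon.net": "Verizon"}


def parse_lost_channel(line):
    """Return (month, isp, ip) for a lost-input-channel line, or None for anything else."""
    m = LOST_CHANNEL.match(line)
    if not m:
        return None
    host = (m.group("host") or "").lower()  # absent when reverse DNS failed
    isp = next((name for suffix, name in ISP_SUFFIXES.items() if host.endswith(suffix)), "other")
    return m.group("mon"), isp, m.group("ip")


def summarize(lines):
    """Count lost-channel sessions per month and per (ISP, month); collect distinct source IPs."""
    per_month, per_isp, ips = Counter(), Counter(), set()
    for line in lines:
        parsed = parse_lost_channel(line)
        if parsed is None:
            continue
        mon, isp, ip = parsed
        per_month[mon] += 1
        per_isp[(isp, mon)] += 1
        ips.add(ip)
    return per_month, per_isp, ips


# Constructed sample in sendmail's syslog format; addresses come from documentation ranges.
SAMPLE_LOG = """\
Apr 12 03:14:05 mx1 sendmail[4101]: h3C7E5Ab004101: lost input channel from c-192-0-2-10.client.comcast.net [192.0.2.10] to MTA after rcpt
Apr 12 03:14:09 mx1 sendmail[4102]: h3C7E9Ab004102: from=<user@example.org>, size=1200, class=0, nrcpts=1, proto=ESMTP, relay=mail.example.org [198.51.100.5]
Apr 29 22:01:44 mx1 sendmail[4990]: h3U21iAb004990: lost input channel from [198.51.100.77] to MTA after data
May  3 11:08:17 mx1 sendmail[5120]: NOQUEUE: lost input channel from 12-34-56-78.client.attbi.com [203.0.113.78] to MTA after rcpt
May  3 11:09:02 mx1 sendmail[5121]: h43F92Ab005121: lost input channel from c-192-0-2-10.client.comcast.net [192.0.2.10] to MTA after rcpt
May 19 17:45:30 mx1 sendmail[5610]: h4JLjUAb005610: lost input channel from pool-203-0-113-200.verizon.net [203.0.113.200] to MTA after rcpt
May 19 17:46:01 mx1 sendmail[5611]: h4JLk1Ab005611: to=<bob@example.net>, delay=00:00:01, mailer=local, stat=Sent
"""

if __name__ == "__main__":
    per_month, per_isp, ips = summarize(SAMPLE_LOG.splitlines())
    for mon, n in per_month.items():
        print(f"{mon}: {n} lost-channel sessions")
    for (isp, mon), n in sorted(per_isp.items()):
        print(f"  {isp:10s} {mon}: {n}")
    print(f"distinct source IPs: {len(ips)}")
```

The same `summarize` run over a real /var/log/maillog gives the month and ISP breakdowns shown in Kulawiec's tables; the distinct-IP count is his "back-of-the-envelope" estimate of hijacked machines.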
If you have more information about this, or you wish to send me a tip on any
other topic, please visit
WindowsSecrets.com/contact.
FORWARDING INSTRUCTIONS - news gains value when it's shared
Please share this information with your colleagues
You're encouraged to refer your friends and colleagues to this free
newsletter. Because most e-mail programs don't correctly display a formatted
message that's been forwarded, simply call people's attention to
the permanent Web address of this issue:
BriansBuzz.com/w/031002.
HERE'S A TIP - you'll get a better newsletter if you choose the paid version
You're reading the free version of Brian's Buzz on Windows
Subscribers to the paid version receive additional information in each issue,
plus the opportunity to download bonus content every three months.
Some of the extras this week are:
- Spam-Proof Your E-Mail Address. My first PDF
e-book is a 15-page description of my research over many months into
eliminating spam. What I've discovered can eliminate 97% of the spam you
receive. It's a cost-free technique that doesn't require filters or
block lists (although you can use those as well). Everyone who becomes a paid
subscriber to Brian's Buzz by Oct. 8 will receive a free download code
by e-mail on Oct. 9.
- Viruses that look like Microsoft bulletins. The dastardly new "Swen"
worm is getting an unusual number of smart people to open attachments that
silently infect their PCs. I show you how to detect and avoid it.
- The best free software. Ever wonder what those cryptic Windows
error codes mean? A new release of freeware gives you a straight answer -
tailored to your version of Microsoft's operating system.
The contribution amount is up to you. Readers may specify any
amount of their choice to receive the paid version of Brian's Buzz - and the
quarterly bonus content. If you make a contribution before October 15, 2003,
you'll be sent the full, paid version of this week's newsletter.
To upgrade to the paid version, please visit
WindowsSecrets.com/upgrade.
Thanks in advance.
WACKY WEB WEEK - playing for you the Internet's greatest bits
Would you like fries with that?
One of the funniest animations I've seen has recently come along
to help us have a wacky day.
A voice very much like Jack Nicholson's provides the audio track for a
Jack-in-the-Box talking head in this clever claymation video. The dialog that
results is hilarious but in no way kid stuff, although it's fairly clean (a
couple of minor exceptions are bleeped out). You may wish to turn your PC
speakers down so the whole office doesn't get the drift.
The production is by Jamie Clay, a compositor who uses Discreet.com's
3D Studio Max rendering software. His home page
explains that he temporarily had to stop hosting this .wmv file, not because
the hamburger chain complained, but because he'd used someone's toy car
in the stop-action animation without their approval! The 1:20 video,
entitled "Fry Day (Out)" is now hosted by Daryl Dulong, a staff member of
the University of Rochester whose site has lots of other cool parodies as
well.
Fry Day page
My thanks to reader Herb Hizer for this multimedia tip.
Geek-proof cup warmer turns itself on and off
I don't know what it is about cup warmers, but my
Sept. 18 review of them has
generated more reader e-mails than almost any other subject that's ever been
featured in Brian's Buzz.
For that issue, I tried my darndest to find a warming pad that would keep
coffee or tea piping hot and then automatically shut off so the remaining
liquid wouldn't turn into brown tar by the end of the day. My searching was
all to no avail. But then reader Steven Buschman pointed me to the
Mr. Coffee Mug Warmer (above right). This $15.60 item not only turns itself off
after 30 minutes, but the weight of the cup turns the warming element on
and off when your drink is put down and picked up. Buschman says:
"I can't vouch for the store, but what I can say is
that I've been using the Mr. Coffee warmer for about 10 years. The single
most important attribute is auto-shutoff. This is a must for clueless
software guys (like myself).
"However, for coffee, I must tell you that my mug warmer has fallen out
of favor.
"For the past few years I've been using a dual-use insulated mug [pictured at
right, about $24.99] - the Avantro One Mug 2.0. (Yes, there is a release 3.0
[and 4.0] - I haven't upgraded yet.) Its advantages are myriad:
"1. For a coffee purist, keeping your coffee hot with a mug warmer is
somewhat of a faux pas - it tends to burn the coffee.
"2. A mug warmer is useless if you forget to put your coffee cup on it.
Do not underestimate the failure rate here. And once coffee gets cold, you
need to toss it - nuking coffee is a mortal sin. (I'm not so dogmatic about
nuking tea.)
"3. The Avantro mug can be used at home with its removable base (less likely
to spill, also a high failure rate) and in the car on the way to the office.
It really does keep coffee hot for two to three hours.
"4. An insulated mug doesn't need to be put in the dishwasher each day -
fewer dishes to wash."
There you have it - the last word on the subject. Cup warmers are out,
energy-efficient mugs are in. And who has time to put things in a dishwasher
with all these Windows patches we need to install lately?
See you next issue.