In a couple of recent blogs, I’ve been reporting about a particularly nasty strain of malware based on a Windows Shell Vulnerability that affects all desktop versions of Windows from 2000 through 7, and all Server versions from 2000 to 2008 R2:
- 7/29/2010: Vulnerability in Windows Shell could allow remote code execution
- 8/2/2010: Windows Shell Vulnerability to Get Emergency Update Today
Turns out that the exploit behind this malware served, for example, as the underlying attack vector for the Stuxnet worm, which has been successfully used to penetrate numerous Siemens-designed power plants using Windows-based SCADA systems. Even more troubling, this original implementation (which featured rootkit functionality and ran as signed code, indicating a sophisticated attacker at work) has been imitated successfully by less sophisticated malefactors and “…is likely to become a mainstay of malware distribution techniques…” according to ESET researcher Pierre-Marc Bureau (quoted in Sherman Hand’s prescient 7/23/2010 story entitled “Unpatched Shortcut Vulnerability Exploited by Malware”).
Interestingly, ESET antivirus is one of a number of packages that attempt to block the installation of KB2286198 (the emergency update Microsoft released on 8/2/2010), which is designed to counter this very threat. Reports from the field indicate that several AV or malware protection packages may block or mangle application of this update. Current recommendations are to download the patch, disconnect the PC to be patched from the network, disable the AV or other security software in use, apply the patch, then reverse the process to restore the machine to normal operation.
Some users have also reported that they cannot access their most recent restore points as they seek to undo the damage that can result from failed or incomplete application of the KB2286198 patch. In those cases, booting from a system repair disk, a bootable Windows 7 install UFD, or the original Windows 7 DVD provides access to that restore point, after which the system can be returned to its presumably pristine (or at least working) state prior to initial attempts to apply the update.
Then by following the recommended steps (disconnect from network, disable security software, apply update, re-enable security software, reattach to network) the patch can be applied successfully.
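As an added example (not code from the original post), here is a PowerShell script that walks through that recommended sequence on a Windows 7 machine with the checks I’d want around it: it confirms whether KB2286198 is already present, takes the named adapter offline, pauses for the security-software step (vendor-specific, so manual), installs the downloaded .msu with wusa.exe, puts the adapter back no matter what happened, and then verifies the update landed. The adapter name and the package path are assumptions; substitute your own.

```powershell
# Added example, not code from the original post. Applies the KB2286198 update in the
# recommended order: network off, security software paused, patch applied, then both
# restored. Run from an elevated PowerShell prompt on Windows 7 / Server 2008 R2.
# Assumptions (adjust for your machine): the wired adapter is called "Local Area
# Connection", and the .msu was already downloaded to the placeholder path below.
param(
    [string]$Kb          = 'KB2286198',
    [string]$MsuPath     = 'C:\Patches\KB2286198.msu',   # placeholder: wherever you saved the .msu
    [string]$AdapterName = 'Local Area Connection'       # assumed adapter name; check ncpa.cpl
)

function Test-HotFixInstalled([string]$Id) {
    # Get-HotFix reads the installed-update list; no match means the patch is absent.
    return [bool](Get-HotFix -Id $Id -ErrorAction SilentlyContinue)
}

function Set-AdapterState([string]$Name, [bool]$Enabled) {
    # netsh works on Windows 7, where the newer *-NetAdapter cmdlets do not exist.
    $state = 'disabled'
    if ($Enabled) { $state = 'enabled' }
    & netsh interface set interface "$Name" admin=$state | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh could not set adapter '$Name' to $state" }
}

if (Test-HotFixInstalled $Kb) {
    Write-Host "$Kb is already installed; nothing to do."
    return
}
if (-not (Test-Path $MsuPath)) {
    throw "Update package not found at $MsuPath; download it before going offline."
}

Set-AdapterState $AdapterName $false
try {
    # The security-software step stays manual: every product pauses real-time
    # protection differently, and some of them are exactly what mangles this update.
    Read-Host 'Network is off. Pause AV/anti-malware real-time protection, then press Enter' | Out-Null

    # wusa.exe is the stand-alone installer for .msu packages. /quiet /norestart keeps
    # it unattended and leaves the reboot decision to us.
    $proc = Start-Process -FilePath 'wusa.exe' -ArgumentList "`"$MsuPath`" /quiet /norestart" -Wait -PassThru
    switch ($proc.ExitCode) {
        0       { Write-Host 'Update installed.' }
        3010    { Write-Host 'Update installed; a reboot is required to complete it.' }  # ERROR_SUCCESS_REBOOT_REQUIRED
        default { Write-Warning "wusa.exe exited with code $($proc.ExitCode); the update may not have applied." }
    }

    Read-Host 'Re-enable the security software, then press Enter' | Out-Null
}
finally {
    # Always put the machine back on the network, even if the install step threw.
    Set-AdapterState $AdapterName $true
}

if (Test-HotFixInstalled $Kb) { Write-Host "$Kb verified in the installed-updates list." }
else { Write-Warning "$Kb still not listed; re-check after the reboot, or retry with the AV fully disabled." }
```

The try/finally is the point of scripting this rather than clicking through it: a failed installer must not leave the PC off the network, and the final Get-HotFix check is what tells you whether a security package silently mangled the install.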
The shortcut vulnerability I reported on in my blog last week “Vulnerability in Windows Shell could allow remote code execution” — namely by enabling malefactors to include malicious code as part of a Windows shortcut definition, so that said code executes whenever the shortcut is used — has apparently been judged serious and scary enough to warrant what Microsoft calls an “out-of-band update” that precedes the August Patch Tuesday update release (8/10/2010). I guess that means it really does pose a serious threat, as I had guessed that it might from its technical description.
According to InfoWorld, “Microsoft … said it will issue an emergency patch for the critical Windows shortcut bug on Monday, August 2.” Upon seeing increased attempts to exploit this vulnerability in the field, MS decided to speed up release of the update to provide much-needed protection as soon as possible. According to the InfoWorld report, the patch should become available at or around 1 PM EDT (GMT -05:00) today. Because you never know what kind of software users are likely to install on their PCs, this is one update that should be pushed into deployment as soon as vetting and authorization processes allow. It probably also warrants an email to users exhorting them to apply this patch to personal or home machines ASAP as well.
Last week (I’m still playing catch-up from my vacation from 7/18 to 7/28, sorry) Microsoft announced the availability of a new beta version of its Microsoft Security Essentials package. Described as a “low-cost lightweight anti-malware service,” this package offers reasonable but not top-of-the-line security protection for free to anybody with a genuine Windows license on his or her PC. Independent reviews of the previous version give the package so-so marks (as ably demonstrated in Neil J. Rubenking’s March 2010 review of the program for PC Magazine), where the net-net takeaway is something like this: “adequate for handling viruses and spyware, not so great with rootkits and scareware/scamware.”
As of June 20, 2010, Microsoft is trying to clean up its act, and is giving users the chance to try out and comment on the upcoming version of Security Essentials. To do this, users must log into the Microsoft Connect website (and register, if they aren’t already signed up there), after which they’ll get the chance to sign up for and download the beta version of Security Essentials.
Here’s what’s new in this latest edition, straight from that MS Web page:
What’s New in the Microsoft Security Essentials beta?
This Beta version of Microsoft Security Essentials includes these new features and enhancements to better help protect your computer from threats:
1. Windows Firewall integration: Microsoft Security Essentials setup allows you to turn on Windows Firewall.
2. Enhanced protection from web-based threats: Microsoft Security Essentials has enhanced integration with Internet Explorer which helps prevent malicious scripts from running and provides improved protection against web based attacks.
3. New and improved protection engine: The updated engine offers enhanced detection and cleanup capabilities and better performance.
As with my previous discussions of and recommendations for Security Essentials, IT pros will probably be able to serve their users best by recommending this package as one of a number of free alternatives for home or personal machines where budgets are tight and free software is thus either highly desirable or the only tolerable option.
Thanks to Paul Thurrott’s SuperSite for turning me on to a serious Windows vulnerability related to the same shell shared by “… all modern Windows versions from Windows XP through 7, including all Server versions…” Microsoft also published a Security Advisory (2286198) on July 21, 2010 that explains this issue; it’s probably worth reading, too.
Here’s the 10,000 foot view: a Belarusian security firm named VirusBlokAda reported its discovery on June 17 that Windows parses shortcuts in such a way as to enable malicious code to be executed when the icon for a specially-crafted shortcut gets displayed (the code is attached to the icon image, so that processing the image for display also causes the attached code to run). Microsoft plans to issue a fix on the August Patch Tuesday (8/9/2010), but the Security Advisory includes a workaround that may be applied in the interim. Basically it strips all shortcuts of their icons (no display, no possibility of running malicious code: get it?) so that users enjoy security from this vulnerability at the cost of little white boxes for shortcuts instead of pretty icons.
In testing the workaround on my Windows 7 x64 test machine I also encountered the new Microsoft Fix It facility, which applied the workaround for me (and gave me access to a tool to reverse the fix as well). Pretty interesting stuff, and I expect to see it used more often as Microsoft steps up its proactivity in dealing with security glitches in advance of published updates, as in this case. Kewl!
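For admins who want to know where a given Windows 7 box stands, here is an added example (not code from the original post, and not Microsoft’s Fix It) that checks, read-only, whether the advisory’s icon workaround is in effect and whether the KB2286198 update has been installed, then says which combination you are looking at. The registry location it inspects is the one the advisory’s manual workaround clears; that the Fix It tool makes the same edit is my assumption.

```powershell
# Added example, not code from the original post. Read-only check of whether a
# Windows 7 machine still has the shortcut-icon exposure: is the advisory's
# "no icons for shortcuts" workaround in effect, and is KB2286198 installed?
function Get-ShortcutIconHandlerState {
    # The shell loads the icon handler registered under HKCR\lnkfile\shellex\IconHandler
    # whenever it draws a .lnk icon. An empty (Default) value is the workaround state:
    # no handler means no icon, so the vulnerable code path is never reached.
    $key = Get-Item -Path 'Registry::HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler' -ErrorAction SilentlyContinue
    if ($null -eq $key) { return 'handler-key-missing' }
    $handler = $key.GetValue('')            # '' is the name of the (Default) value
    if ([string]::IsNullOrEmpty($handler)) { return 'workaround-applied' }
    return 'icons-enabled'
}

function Get-ShortcutExposureReport {
    # Get-HotFix returns nothing (and a suppressed error) when the update is absent.
    $patched = [bool](Get-HotFix -Id 'KB2286198' -ErrorAction SilentlyContinue)
    $icons   = Get-ShortcutIconHandlerState
    # Exposed only when neither the patch nor the workaround is in place.
    $exposed = (-not $patched) -and ($icons -eq 'icons-enabled')

    if ($exposed) {
        $advice = 'Not patched and icons still on: install KB2286198, or apply the Fix It workaround until you can.'
    } elseif (-not $patched) {
        $advice = 'Workaround in place but unpatched: install KB2286198, then reverse the Fix It to restore icons.'
    } elseif ($icons -eq 'workaround-applied') {
        $advice = 'Patched; the icon workaround can now be reversed.'
    } else {
        $advice = 'Patched; nothing to do.'
    }

    return New-Object PSObject -Property @{
        PatchInstalled   = $patched
        IconHandlerState = $icons
        StillExposed     = $exposed
        Advice           = $advice
    }
}

Get-ShortcutExposureReport | Format-List
```

Run it before and after applying the Fix It and again after the out-of-band update: the two flags together are what you want in an inventory, because “workaround applied” and “patched” are not the same state, and the white-box icons should go away once the patch is on.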
As an aside, I personally hate shortcuts and always opt to keep them off my desktop in 99 out of 100 cases. Who knew that what I thought was an esthetic foible could turn out to be a best security practice?
“One step forward and three steps back” must’ve been the guiding force for my first day back from vacation yesterday, where I struggled both mightily and frantically to get my working life back on the rails after a blissful 6 days of vacation bracketed by a full day of travel to and from the lovely and cool mid-coast region of Maine. Before my departure, I’d been seeking diagnosis and cure of an ongoing series of network failures on my home LAN which currently includes 10 computers: 6 running some form of Windows 7, one each XP and Vista, one running a Fedora-based Linux image (an OLPC that I supposedly bought for my son), and one running whatever GNU/Linux version the Nintendo Wii uses, plus my D-Link DIR 655 router/switch/WAP and my D-Link 2100AWL 802.11 g wireless hub.
By the time I left town to hit the Maine beaches and attractions, I’d determined by trial and error that my network failures would cease when I removed the cable coming from the network interface on the Asus P5E3 Pro motherboard in one of my machines named A900Test. To fix the problem, I purchased a D-Link DGE-530T 10/100/1000 PCI network adapter at my local Fry’s before leaving town. Upon my return to work, after I got through e-mail, and met all of yesterday’s immediate deadlines, I decided to disable the NIC on the Asus motherboard in A900Test, and to install the D-Link NIC in its place.
After installing the 530T in that machine, I found myself in the rare position of rebooting to have Windows 7 tell me it couldn’t find a driver for the NIC by itself. This is the first time Windows 7 has come up short in this regard in the year-and-a-half-plus that I’ve used this OS, starting with Build 7000 way back in January 2009. “No problem,” I thought, “I’ll just use the drivers on the CD that comes with the NIC.” But there, I found my only option was to use x64 Windows Vista drivers, since the card itself is old enough that it apparently predates the official Windows 7 release date in late October, 2009.
Again my thought was “No problem, I’ll just download the newer Windows 7-friendly drivers to a UFD on another machine, then install them on this one.” But when I did so, I got an error message from the D-Link installer informing me that another network control program was present on my machine that had to be removed before the D-Link installer (and its drivers) would install on my machine. “No problem” I said to myself “I’ll use Universal Extractor to suck the necessary driver files out of the setup.exe program and then install the drivers via Driver Update in Device Manager.” No dice: Device Manager politely informed me it could find no suitable drivers in the $INSTDIR that Universal Extractor created for me with all of the .sys, .cat, .dll, and .inf files that supply drivers to Windows 7 (and other OSes) these days.
“Aargh!” I thought to myself “Time for a call to D-Link tech support.” I shouldn’t have bothered. After a nice but fairly ignorant support tech named Seetha ran me through everything I’d already tried myself (with regular pauses for her to consult with some more knowledgeable third party, she had me uninstall the unidentified Ethernet NIC in Other Devices in Device Manager, then re-run the installer several times), she informed me I would have to return the card for a replacement to Fry’s and try again. I *KNEW* this to be bogus advice, because my problem was that the installer wouldn’t run, not that the hardware wouldn’t work (you can’t really tell the hardware isn’t working properly, in fact, until you have a working driver installed and running).
Upon trolling through Programs and Features in Control Panel, and reading through various items in the aforementioned $INSTDIR directory that Universal Extractor created for me, I saw numerous entries named yk*.*. Subsequent inspection of the readme file also unpacked in this directory informed me the NIC includes a Marvell Yukon GbE chipset. At this point, I finally realized that the D-Link card incorporates the same chipset that my on-board Asus NIC also uses.
Mystery solved: I had to uninstall the Marvell Control Program in Programs and Features before the D-Link installer program could do its job, after which everything went as smooth as silk. My question to D-Link is “Why doesn’t your standard 530T script for first-level Tech Support people include a question like ‘What kind of NIC chipset does your motherboard use?’” If that were the case, Seetha could have told me to uninstall the Marvell Control Program, and informed me that installation would proceed without further trouble. I’m just glad I know enough about how networking operates in the Windows environment to be able to figure this kind of thing out for myself.
Sigh. And so it goes… At least the network is working properly, and I’ve experienced no further LAN failures since I successfully installed the 530T on my primary test machine. I’m crossing my fingers that this will fix my network glitches going forward, but only time will tell. FYI, I’m forwarding this blog to a couple of D-Link PR people and requesting a response, which I’ll add to this posting should any such reply make its way into my inbox.
[Note added 7/29/2010: I did get a "looking into it" reply from one of the D-Link PR people to whom I sent a link to this blog, but nothing more substantial in reply just yet. Stay tuned! -E-]
Here’s an interesting table from CNET that reports on the 64-bit installed Windows base vis-à-vis 32-bit versions by OS for Windows 7, Vista, and XP:
It certainly looks like the ability to access and use RAM sizes in excess of 3.1-3.2 GB or so (about the best you can do with Windows 7 32-bit versions, even with 4 GB of RAM installed) has to be contributing to this change in the makeup of the Windows OS distribution when it comes to relative numbers of 32- and 64-bit versions for recent Windows OSes. With memory getting cheaper, increasing use of virtual machines, and a growing number of applications designed to take advantage of 64-bit data structures, file sizes, and so forth, there are also lots more reasons why it makes sense to buy a PC with 64-bit Windows pre-installed, or to switch from 32-bit Windows XP or Vista when upgrading to Windows 7.
As I look at my own PC population in-house, I see that except where 64-bit versions aren’t possible (as on Atom-based netbooks) or don’t make sense (as on older hardware with 4 GB or less of RAM installed), my own preference has been to upgrade to 64-bit Windows 7 on existing hardware. All of the systems I’ve purchased recently (except for an HP MediaSmart Server, for which 64-bit Windows is not available) in fact, have come with Windows 7 pre-installed as well.
Just over a month ago, I cited reports that Microsoft’s run rates for Windows 7 sales worked out to 7 copies per second in my blog “Windows 7 Posts 150M Licenses Sold…” In the 29-day period from June 23 to July 21, that run rate jumped to 10 copies per second, given cumulative sales of 25 million licenses over that interval, according to a story posted at Computerworld last Friday. My later posting discussed speculations that Microsoft might not be able to maintain this momentum in light of its relatively low (25%) conversion rate among enterprise-class buyers, most of whom continue to use Windows XP. Looks like that has not dampened momentum for Windows 7 uptake, in light of this recent uptick.
That raises the very interesting question of whether or not surveying blog or article readers to assess market intentions or status is valid. My best guess is that those who read articles about Windows 7 are already showing tangible signs of interest in the OS, and that they probably represent a different population than the entire enterprise IT sector. What makes the question — or rather the characteristics of those who would choose to read and respond to such surveys — interesting, is that the composition of such readership isn’t clear, nor can it be demonstrated to consist solely (or even mostly) of enterprise IT professionals.
My gut feeling is that those who are interested in Windows 7 come from all walks of life, including some enterprise IT professionals but also SMB IT professionals as well as plenty of people who probably work outside the IT umbrella entirely. Surveying this population to determine enterprise interest or intent is probably a risky proposition at best, if not downright meaningless. The close correlation between the survey results and the declared intentions of enterprise-class outfits might be accidental or uninformative as well.
I have to believe that the combination of an aging PC fleet, impending cutoffs for XP support and updates, and genuine performance and security improvements in Windows 7 as compared to XP will help, not hinder, enterprise migrations from the older Windows platform to the newer one. When the balance will tip and enterprise adoptions and migrations start speeding up, however, remains anybody’s guess. Just in case the conventional wisdom that enterprises will indeed wait for SP1 to be released before migrating proves true, MS would be well-advised to move that release date up rather than let it slip.
OK, so I’m on vacation this week and I’m learning how not to be at work most of the time, and how to be relaxing and enjoying my family and my freedom instead. To some extent, this is a challenge all by itself because I’m so used to hunkering down by myself in my office, immersed in a world that’s more virtual than real, chasing interesting phantoms of thought and technology.
This week, my challenge is of a completely different order. I’m out of the customary routine, now responsible for finding things to do, places to visit, and sights to see not just for my own family, but also for my sister’s family (herself, her husband, and their 11-year-old son and 14-year-old daughter). Of course, I’m not in this alone — there are three other adults around to provide input, exert leadership, and guide choices, and the kids are never shy about making their wants and wishes known, either.
But so far we’ve managed nicely to enjoy ourselves and our surroundings. We’ve hit the local beaches four times, have visited a nifty museum or two, and have taken several lengthy hiking excursions into nearby local attractions. It’s always interesting getting a bunch of people moving, and keeping them moving at enough of the same pace to make satisfactory progress between points A and B (or, as Tolkien put it in the subtitle for The Hobbit: “There, and Back Again”).
In the meantime, I’m observing that many of the same skills I’ve developed in setting up, configuring, and troubleshooting technology have some small value in helping to manage family affairs and activities. More humorously, my tendency to make assumptions about causes and solutions can also lead me away from the truth just as well in this sphere as it can in my more customary haunts. But gosh, it sure is fun to turn my hand (or more appropriately, to lend that hand) toward steering “rough consensus” about what we should do today, and helping to foster a situation where everybody gets to have fun and enjoy themselves.
Now, if only I could figure out how to bring this spirit and attitude to work, too!
Work. Work. Work. Go all day, deal with the rest of life as busy schedules permit, catch a few Zs, then get up and do it all over again. That’s the typical rhythm of life for most of us working stiffs, most of the time. Every now and then, though, it’s a good idea to make a break from the dull routine and go do something else.
That’s why I’ve found myself singing “I’m on vacation. I’m on vacation. I’m on vacation.” over and over again during the past few days. The family and I have broken with the usual routine and are spending our days together right now, exploring places and activities we’d never normally undertake during the week. And though the new routine has its own rhythm and I still fall into bed exhausted (or at least, pleasantly tired) each night, it’s different enough for me not just to recharge my batteries, but also to get some perspective on working life as well.
Summer is a traditional time for vacations. And although it’s hot and sometimes difficult to be outside wandering around, it’s a terrific break and a positive and pleasant change. I’m off for the next week, which I hope will be long enough for me to regain my balance, refresh myself, and feel good about jumping back into the workaday routine by the time I officially return to my desk next Tuesday (June 27). In the meantime, I’ll be sharing some idle but hopefully also productive thoughts about working life and plans from the “different place” that is the vacation mindset. Please stay tuned for more, and I hope you too get the chance to change your venue and perspective in the same way soon, if you haven’t done so recently already!
The TechNet Evaluation Center released the combined Windows 7 and Windows Server 2008 R2 SP1 beta package yesterday. Check out this warning that advises end users to steer clear:
Anybody who wants to grab the beta can do so, however, but the usual restrictions apply. To me the most onerous typical restriction is that the machine upon which such a beta gets installed usually has to be wiped and a clean base OS installed against which to apply the final version of the service pack when it becomes available. Thus, this isn’t for production machines by any stretch of the imagination, and I can readily understand why MS wants to discourage home or casual users from attempting giddy experimentation with this code without fully appreciating what kind of work will be involved when it’s time to replace the beta with the final release.
That said, enterprise and other Windows 7 admins looking to evaluate the impact of SP1 — who usually have test machines at their disposal — will probably want to grab this update and get going on installation and impact analysis. SoftPedia has a pretty nice summary of SP1 available, including a useful overview of the changes that SP1 will bring to both Windows 7 and Windows Server 2008 R2. It’s worth checking out, if you want to understand better what’s under the hood here.