[LINK] Animated cursor flaw in All Windows
Rick Welykochy
rick at praxis.com.au
Wed Apr 4 16:46:50 AEST 2007
Mike Shearer wrote:
> I've read the MS announcement and am completely
> befuddled. To make any sense of it I'd have to make sense of an awful
> lot of material on which it depends. Reaction: denial, this problem
> won't affect us!
I don't blame you. It would have been a lot more work for me to troll
through pages of tabular descriptions trying to comprehend the depth
of this particular exploit, especially since it affects all Winders
back to Win95 and NT, iirc. So I didn't. And when I just glanced at
it with a "layman's cap" on, it looked like gooble-de-goop.
> Periodically we get screen announcements that an automatic update is
> about to be executed. They look like MS's, they happen anyway, we have
> no idea how to verify them, and afterwards everything seems OK.
The thought hadn't even crossed my mind that an attacker might
try the Windows Update channel, which of course they can do if
they first execute a domain-hijacking exploit on your machine so
that the windowsupdate.com web address gets changed without you
knowing it. The same could be said of a Linux or Apple Mac update,
but the challenge on those two more secure platforms is to accomplish
the domain hijacking. Much more difficult but probably not impossible.
Microsoft could take some measures to ensure you are getting
genuine updates by throwing some sort of digital certification process
into the update mix. It would have to be seamless, flawless and totally
transparent to the user, otherwise it wouldn't work.
> Lately my aging Toshiba laptop has been firing up extremely slowly but
> experts haven't been able to find any reason other than virus checks
> over the hard drive and/or a mismatch of the system and MS bloatware
Sounds like a software product that is "unfit for purpose" and a
refund should be due ;) I know, I know, you'll cut your losses
and ...
> (I'm about to switch to Apple and open source so it's not a compelling
> issue).
Great idea! I run both and spend about 0 minutes per month worrying
about security and maybe 5 minutes a month overseeing a few security
updates and cross checking that nothing's been broken by them. Ah, a
life of cyber-bliss. (Should I touch wood now?)
<RANT>
It leaves me wondering why open source (with very little funding) and Apple
(with far less funding than Mickeysoft) can accomplish relative security
with the resources they have to hand, whereas Microsloth has a feather's
chance in hell of ever reaching the same level of security. Could it
be a conscious decision on the part of their marketing dept to sell
style over substance (i.e. Vista!!) ... nah, as has been pointed out
countless times on Link, the Windows system design is internally flawed,
and has been from the start. The combination of "ease of use" (read:
reckless cross-application and cross-system integration) and an original
*un-networked* design will doom this little number to the scrap heap
in the history of computing science. Windows will eventually be a pimple,
a blemish, a mere sideshow and curiosity on the landscape of cyber history.
For at almost every turn, Mr Gates has decided not to follow the combined
wisdom of all computer scientists and operating systems engineers and
do things his own way. With tragic results. (Did you know that in 1994
Microsoft in conjunction with Telstra attempted to bypass the existing
Internet and create their own private commercial net? Laughable now,
I know, but it was a real threat.)
</RANT>
I haven't run a Winders box for many years now, so will have to make
a guess at some of these answers. There are more wizened Windographers on
Link who should be able to help as well.
> 1. does an average JC ever find out about these MS security alerts?
> I've only heard of it so far thru Link.
http://www.microsoft.com/technet/security/bulletin/notify.mspx
Microsoft Technical Security Notifications
Better protect your computing environment by keeping up to date on
Microsoft technical security notifications. Notifications are available
in RSS, instant message, mobile device, or e-mail format, and are
always available online at TechNet on the Security Bulletin Search Web page.
(( or dump Muckysoft and free up valuable time you used to spend reading
RSS, instant messages, SMSs, and emails just to play safe on the Net ))
And beware:
http://www.techshout.com/security/2006/31/sophos-warns-of-fake-microsoft-security-email/
Security giant Sophos has issued a warning in which it speaks about
the presence of a spammed email campaign which claims to be a security
advice from Microsoft; however what it actually does is that it tries
to tempt users to install a keylogger onto their systems.
(( So even as you are busy keeping up, you might overlook the fact that one
little email alert is actually a phish that belies all your efforts by
key-logging you into poverty ))
> 2. is it intended that the average JC should be able to make any sense
> out of them?
I don't really think the avg user is expected to understand the nature and
mechanism of the exploits, but is expected to know enough to accept an update
and have it either automatically or manually installed. Knowing that there are
exploits and how to go about securing your machine against them is expected.
And this is being debated in various circles even as we speak. e.g. you have
an embedded Windows system running on your you-beaut zPod that suddenly
becomes vulnerable to a key-logger attack. Who is responsible for the ensuing
losses you incur as you merrily keep on banking? Surely you would have no
idea about this... how could you be expected to? OTOH the provider of the
software is the only entity in a reasonable position to be able to prevent
or at least detect such an attack. And on and on the discussions go, with
no real legally enforceable outcome. These discussions have been going on
for over twenty years now. It gives you an idea of how powerful the mere
concept of fabulous wealth coupled with a monopoly can be, and how it can
have politicians, legislators and policy makers running in fear, too scared
to even raise let alone address such issues until you and me become the
victims en masse of a gross negligence.
I point to the problem that SPAM and PHISHING have become to illustrate my
point. The computer and comms industry has been screaming blue murder about
these problems for decades. All we have seen are some rather weak laws in a
few countries ... and how many convictions? The laws are obviously ineffective,
as we are now witnessing levels of 80% SPAM in email traffic worldwide, most
of it originating on zombie boxes. I challenge the legislature to address that
one.
> 3. what is actually at risk for a user such as I've
> described us if they are ignored?
Some of the bigger risks that come to mind:
(*) financial fraud, i.e. you being deprived of your assets with
little or no recourse for recovery or recompense
(*) identity theft - this can take years to recover from
(*) data theft - are you holding unencrypted confidential data
on your machine? it carries cachet ... it can demand a price
on the market; anything from personal financials to
sensitive corporate data
> 4. what is actually at risk for OTHER USERS if we ignore them?
Your Windows box is a target for the black mafia in Russia and
crime syndicates around the world. There is a price on your machine.
And crims will pay hackers for flocks of thousands of "owned" PCs
so they can send out spam, distribute pr0n, launder money, hide
their tracks and use the machines for extortion via DDoS threats,
to name but a few. All happening in front of you without you even
being the slightest bit aware. Yeah, that modem transmit light
might be flashing 24/7 but do you notice it?
I watch my modem's send + receive status LEDs *all the time*, as a
matter of fact. I also have an active graph showing network activity.
If *anything* unexpected shows up on the modem LEDs or the graph, I
find out why real fast. Sometimes it has taken 1/2 hour to track down,
but I find out! And usually learn something interesting from the time
spent. Not once have I found something untoward like a spam bot or
relay station happening on my boxes. But then again, none of them are
running Winders.
> 5. are MS service packs installed as part of the MS automatic updates?
> How can you find out what exactly MS has been updating, and why?
AFAIK, service packs are available via the update Service, along
with everything else.
And I have seen a list of updates available on the local host at
my brother's place on his XP system.
Anyone with more Winders experience is welcome to chime in here.
This knowledge is becoming more and more important and timely.
It is akin to knowing how to secure your valuables at home and while on
the road. If you don't do it, you will eventually lose them.
cheers
rickw
--
_________________________________
Rick Welykochy || Praxis Services
People who enjoy eating sausage and obey the law should not watch either being made.
-- Otto von Bismarck