You are currently browsing the MSBLOG weblog archives
for April, 2008.
Let it be known, long and far across all distant lands. This blog is totally independent from Microsoft and any other company or organisation and this blog (not the people) is not affiliated with Microsoft at all.
There have been conflicting public reports describing a recent rash of web server attacks. I want to bring some clarification about the reports and point you to the IIS blog for additional information.
To begin with, our investigation has shown that there are no new or unknown vulnerabilities being exploited. This wave is not a result of a vulnerability in Internet Information Services or Microsoft SQL Server. We have also determined that these attacks are in no way related to Microsoft Security Advisory (951306).
The attacks are facilitated by SQL injection exploits and are not issues related to IIS 6.0, ASP, ASP.Net or Microsoft SQL technologies. SQL injection attacks enable malicious users to execute commands in an application’s database. To protect against SQL injection attacks the developer of the Web site or application must use industry best practices outlined here. Our counterparts over on the IIS blog have written a post with a wealth of information for web developers and IT Professionals can take to minimize their exposure to these types of attacks by minimizing the attack surface area in their code and server configurations. Additional information can be found here: http://blogs.iis.net/bills/archive/2008/04/25/sql-injection-attacks-on-iis-web-servers.aspx
As outlined in other reports, the security flaw seems to be in poor code on websites; hackers are merely taking advantage of it on a massive scale.
Installing updates and blocking any malicious websites is the best method to protect your IIS Server.
Performing a simple Google search for traces of the malicious script results in over 510,000 modified pages.
With more and more websites using a SQL back-end to make them faster and more dynamic, it also means that it’s crucial to verify what information gets stored in or requested from those databases – especially if you allow users to upload content themselves, which happens all the time in discussion forums, blogs, feedback forms etc. Unless that data is sanitized before it gets saved you can’t control what the website will show to the users. This is what SQL injection is all about, exploiting weaknesses in these controls.
Currently the malicious file that is being injected is 1.js; however, it must be noted that this could change at any stage. Visitors to this website are “treated” to 8 different exploits for many Windows-based applications including AIM, RealPlayer, and iTunes. DO NOT visit sites that link to this site as you are very likely to get infected. Trend Micro named the malware toj_agent.KAQ; it watches for passwords and passes them back to the controller’s IP.
In this case the injection code starts off like this (note, this is not the complete code):
    DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x440045004300
    4C00410052004500200040005400200076006100720063006800610072
    00280032003500350029002C0040004300200076006100720063006800
    610072002800320035003500290020004400450043004C004100520045
    0020005400610062006C0065005F0043007500720073006F0072002000
    43005500520053004F005200200046004F0052002000730065006C0065
    0063007400200061002E006E0061006D0065002C0062002E006E006100
    6D0065002000660072006F006D0020007300790073006F0062006A0065
    00630074007300200061002C0073007900730063006F006C0075006D00
    6E00730020006200200077006800650072006500200061002E00690064
    003D0062002E0069006400200061006E006400200061002E0078007400
    7900700065003D00270075002700200061006E0064002000280062002E
    00780074007900700065003D003900390020006F007200200062002E00
    780074007900700065003D003300350020006…
Which when decoded becomes:
    DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor
    CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b
    where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35
    or b…
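For administrators checking their own web server logs for this pattern, here is an added example (not part of the original post) that finds `CAST(0x...)` literals in request strings and decodes them as UTF-16LE, the way the excerpt above was decoded. The function names and log lines are constructed for illustration; the sample payload is only the decoded prefix shown on this page, re-encoded.

```python
import re
from urllib.parse import unquote

# Shape of the request shown above: ...SET @S=CAST(0x<UTF-16LE hex>...
CAST_HEX = re.compile(r"CAST\(\s*0x([0-9A-Fa-f]+)", re.IGNORECASE)
# System-table and cursor keywords visible in the decoded payload on this page.
KEYWORDS = ("sysobjects", "syscolumns", "cursor")

def decode_cast_payloads(request):
    """Return the text hidden in each CAST(0x...) literal of a request string."""
    decoded = []
    for match in CAST_HEX.finditer(unquote(request)):
        digits = match.group(1)
        # NVARCHAR data is UTF-16LE: 4 hex digits per character. Logs often cut
        # the literal mid-character, so drop any incomplete trailing unit.
        digits = digits[: len(digits) - len(digits) % 4]
        decoded.append(bytes.fromhex(digits).decode("utf-16-le", errors="replace"))
    return decoded

def scan_log(lines):
    """Return (line_number, decoded_sql, matched_keywords) for every hit."""
    hits = []
    for number, line in enumerate(lines, 1):
        for sql in decode_cast_payloads(line):
            lowered = sql.lower()
            hits.append((number, sql, [k for k in KEYWORDS if k in lowered]))
    return hits

# Constructed sample data (not real traffic): the decoded prefix from this page,
# re-encoded and cut off one hex digit into the next character, as in the excerpt.
SAMPLE_SQL = ("DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor "
              "CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b")
SAMPLE_HEX = SAMPLE_SQL.encode("utf-16-le").hex().upper() + "6"
SAMPLE_LOG = [
    "2008-04-25 09:14:02 GET /news.asp id=12 80 - 192.0.2.10 200",
    "2008-04-25 09:14:07 GET /news.asp id=12;DECLARE%20@S%20NVARCHAR(4000);"
    "SET%20@S=CAST(0x" + SAMPLE_HEX + " 80 - 203.0.113.7 200",
]

if __name__ == "__main__":
    for number, sql, keywords in scan_log(SAMPLE_LOG):
        print(f"line {number}: keywords={keywords}\n  {sql}")
```

A hit that decodes to SQL touching `sysobjects` and `syscolumns` from a page parameter is a strong sign the application concatenates request input into its queries and needs review.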
So far three different domains have been used to host the malicious content: nmidahena.com, aspder.com and nihaorr1.com. There’s a set of files that gets loaded from these sites that attempts to use different exploits to install an online gaming trojan. Right now the initial exploit pages on all domains are inaccessible but that could change. So if you’re a firewall administrator we recommend that you block access to them.
I would recommend that administrators block access to hxxp:/www.nihaorr1.com and the IP it resolves to, 219DOT153DOT46DOT28, at the edge or border of your network.
A new version of the Visual Studio 2008 Product Comparison Guide is now available. Version 1.08 includes updates to a number of line items, but in particular it includes a lot of fixes in the debugging section and adds a section on 64-bit development features.
Picture this: You’re a developer who frequently writes console applications. Each day after work you go home and head to bed, you close your eyes and burnt into the darkness is the ever so familiar output of command prompt jargon.
Does the above sound like you? Sick of screen-burn in your eyes?
Well Microsoft have answered your call to give your eyes a rest 🙂
Introducing the “Consolas” font Microsoft developed specifically for developers!!
“When we began work on a project to create a new set of fonts which would take maximum advantage of ClearType, we decided to develop a fixed-pitch font for developers – because no one ever thought of their needs, and we realized a highly-readable fixed-width font would make their lives a lot easier…
…The Windows International fonts team is also working on another version that’ll support Vietnamese, and also the line draw characters that we made to support the console window.”
See for yourself. This image (as shown on the IE blog) is of the standard 8 x 12 px Raster font used by default in CMD.exe:
Compare this to the Consolas type fonts:
You can definitely see how much cleaner and easier to read the new font looks compared to the old Raster font (you can’t fit as much on the screen – it’s a trade-off for the best in my opinion).
Now, this font comes bundled with Microsoft Office 2007, but if you don’t happen to have Office installed or available to you, Microsoft have provided a download for the font from here.
To install the font simply do the following in CMD.exe
After months of being left in the dark after the first release of Microsoft Ultimate Extras for Windows Vista’s Ultimate edition, Microsoft surprised us yesterday with some new content.
I admit surprised is sort of the wrong word used to describe my feelings for the latest batch of Ultimate Extras…
But nonetheless, get ready to justify Ultimate’s large price tag, because today we were gifted a few cheesy Windows sound effects, some language packs and a couple more mediocre Windows Dream-scene wallpapers.
…Sure in the past we were rewarded with Texas Hold’em Poker as well as Windows Dream scene, with promises of more to come, but the latest instalment has left me with a bitter taste in my mouth. I think it’s time Microsoft woke up and actually fulfilled their promise and took care of the little guy!
…But who knows, perhaps it’s just a taste of what’s to come?
The WoW Starts now?
Added Feature?: Windows Live Photo Show NOW appears in the list of apps to which sound events may be added. New sound effects to come?
After investigating public reports, Microsoft has published Microsoft Security Advisory 951306, which describes a vulnerability that affects multiple versions of Windows (including Windows XP Professional Service Pack 2, all supported versions and editions of Windows Server 2003, Windows Vista, Windows Vista Service Pack 1, and Windows Server 2008.)
The newly found security flaw could potentially allow a malicious local user (who has authentication) to execute specially crafted code to raise his privilege level to LocalSystem. IIS and SQL Server are the main attack vectors. But other vectors are possible, such as Microsoft Distributed Transaction Coordinator (MSDTC) on Windows Server 2003.
The vulnerability looks like it basically allows for any process that has the SeImpersonatePrivilege to execute some code and be able to impersonate LocalSystem (which has the NT AUTHORITY\SYSTEM SID and a wealth of privileges in its token). For Windows 2003 and beyond the users awarded that privilege are in the Network Services, Local Services, Local System, and Administrators groups. On Vista/Server 2008 you additionally won’t have the privilege unless you’ve elevated. That fortunately reduces the scope of this otherwise highly serious vulnerability, though it still isn’t pretty.
It must be noted, however, that Microsoft stated in its advisory that “Hosting providers may be at increased risk from this elevation of privilege vulnerability.” However, no exploitation has been observed at this time. Microsoft Security Advisory 951306
Ever since I made the change to Vista I have noticed that the browsing of network folders on my network was slow, with or without connecting through a domain (especially when browsing Windows Server 2003 shared folders).
When opening the network folder your computer displays straight away but there is a 5-6+ second wait before other network computers & shares are displayed…
So what to do? The fix involves changing two settings from the command prompt. You need to run the command prompt as an administrator. You can do this by right-clicking and selecting run as administrator. Type in the following commands:
netsh int tcp set global autotuninglevel=disabled
netsh int tcp set global rss=disabled
You will need to restart your machine afterwards. The difference is night and day. I wonder what the reasoning was for not having Vista set like this out of the box? If you are unhappy with the changes you can restore the default settings with:
netsh int tcp set global autotuninglevel=normal
netsh int tcp set global rss=enabled
If you are a Microsoft Certified Systems Administrator (MCSA) or a Microsoft Certified Systems Engineer (MCSE) on Windows Server 2003, you can now transfer your skills to achieve multiple Microsoft Certified Technology Specialist (MCTS) certifications or Microsoft Certified IT Professional (MCITP) credentials on Windows Server 2008.
Because there is a significant technology gap between Windows 2000 Server and Windows Server 2008, only IT professionals with specific Microsoft Certifications on Windows Server 2003 can utilize these transition or upgrade paths. In addition, there is no upgrade path from messaging or security specializations to Windows Server 2008 certifications.
Well, it seems as though it’s finally happened: Service Pack 3 for everyone’s favourite OS, Windows XP, has been released to manufacturing (however, it is not available to the public just yet; expect to see it on April 29th).
Service Pack 3 updates all 32-bit versions of Windows XP from Starter to XP Professional (the x64 edition of XP is based on Server 2003 and requires the Service Packs for that product). The complete package from the Download Center will reportedly be some 320 MB. Downloads via the Update function will be around 70 MB according to Microsoft’s current plans; this update can be so much smaller because only the data required for a specific XP version are downloaded, not the entire package.
Support for Windows XP without any service packs expired long ago and officially SP2 has to already be installed before SP3 can be installed, despite the fact there is no technical reason for this requirement. However Microsoft is inconsistent and SP3 can in practice be installed on XP with only SP1. Strangely, the complete SP3 contains all of the patches you need to update even a fresh base version of XP. Microsoft says that a slipstream installation CD can be created so that the operating system with SP3 can be installed at once without any other service pack.
SP3 not only contains patches and updates, but also a number of add-ons that have been sold separately, such as Background Intelligent Transfer Service (BITS) 2.5, Windows Installer 3.1, Management Console (MMC) 3.0 and Core XML Services 6.0. SP3 does not, however, contain any fundamentally new functions, and no new versions of Internet Explorer or Media Player are included.
This is set to be the very last Service Pack for XP; however, patches and updates for the OS are set to continue until Service Pack 3 expires in 2014.
A time line of SP3:
April 14, 2008: Support is available for the release version of Windows XP SP3
April 21, 2008: RTM, OEMs
April 29, 2008: RTW, Windows Update and Microsoft Download Center
May 2, 2008: MSDN and TechNet subscriber downloads
May 19, 2008: Windows XP SP3 Fulfillment Media
June 1, 2008: Microsoft Volume Licensing customer downloads
June 10, 2008: Automatic Updates
An overview for SP3 is available here (MSFT), however expect new documentation to arise pretty soon.
It’s a cold horrible day here in New Zealand (winter’s on its way!)…
Whilst sitting in the college comp labs I stumbled across a really cool video from Microsoft that they are pushing out to undergrad students here.
This video, with its really catchy tune, did in fact brighten up my day. I know it’s only an ad about software but in a way I can relate to it somehow: a normal geeky guy’s digital lifestyle!
The video is usually shown at Microsoft’s events and apparently usually generates quite a good response.
Most Microsoft products featured in this video, including Windows Mobile, Zune, XBOX 360, and Windows Media Center fall under the Entertainment & Devices (E&D) division at Microsoft…
…And that’s what the video’s all about here at my college: recruitment and the “Come work here” message…
…One day!
On a side note, I realize this blog has been dead for a while, but I’ll post anything when I get the time.