Friday, May 16, 2008

And so the SQL attacks continue…

May 15th, 2008 by Patrick S

Yep… It’s still going, and it’s worse than ever, it seems. Hundreds of thousands of unsuspecting people are still stumbling across perfectly legitimate websites that have been compromised by an SQL injection, and as a result are infected with a nasty Trojan.
These types of Trojans are known for changing an affected system’s local DNS and Internet browser settings, thus making the system vulnerable to even more potential threats. (Trend Micro have written a very good post explaining what happens once infected.)

Therefore I thought I would take some time to mention a few domains (courtesy of F-Secure) that admins should block to avoid any possible chance of infection:

This is a good time to mention again that this is not a vulnerability in Microsoft IIS or Microsoft SQL that is used to make this happen. If you are an administrator of a website that is using ASP/ASP.NET, you should make sure that you sanitize all inputs before you allow them to reach the database.

There are many articles on how to do this, such as this one. You could also have a look at URLScan, which provides an easy way to filter this particular attack based on the length of the QueryString.
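
The same length check that URLScan applies to incoming requests can be run over the IIS logs you already have, to see which pages received oversized query strings and whether they accepted them. This is an added example, not code from the original post: the field names follow the W3C extended log format, while the 255-character limit and the sample log lines are constructed for illustration.

```python
"""Flag IIS W3C log entries whose query string is longer than a set limit."""

# Assumption: illustrative limit; set it just above the longest query string
# the application legitimately produces.
MAX_QUERY_LEN = 255

# Constructed sample in W3C extended log format (not from a real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2008-05-15 10:01:02 192.0.2.10 GET /news.asp id=42 200
2008-05-15 10:01:05 192.0.2.11 GET /default.asp - 200
2008-05-15 10:02:17 198.51.100.7 GET /news.asp id=42;{pad} 500
2008-05-15 10:02:18 198.51.100.7 GET /product.asp cat=3;{pad} 200
2008-05-15 10:02:19 truncated-line
""".format(pad="A" * 400)


def parse_w3c(lines):
    """Yield one dict per request, keyed by the latest #Fields directive."""
    fields = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # IIS rewrites #Fields whenever the logging configuration changes.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split(" ")
        if fields and len(values) == len(fields):
            yield dict(zip(fields, values))
        # Entries that do not match the header (truncated writes) are skipped.


def long_queries(lines, limit=MAX_QUERY_LEN):
    """Return requests whose cs-uri-query exceeds `limit` characters."""
    hits = []
    for entry in parse_w3c(lines):
        query = entry.get("cs-uri-query", "-")
        if query == "-" or len(query) <= limit:   # "-" means no query string
            continue
        hits.append({
            "client": entry.get("c-ip", "?"),
            "page": entry.get("cs-uri-stem", "?"),
            "query_len": len(query),
            # A 2xx status means the page accepted the oversized request,
            # so its input handling is the first thing to review.
            "accepted": entry.get("sc-status", "").startswith("2"),
        })
    return hits


if __name__ == "__main__":
    for hit in long_queries(SAMPLE_LOG.splitlines()):
        print(hit)
```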

Posted in MS SQL, Security, Windows Server System, Windows XP | No Comments »

Netscape and IE

May 14th, 2008 by Patrick S

With Netscape now dead (thanks to AOL) I saw a funny little comic on joyoftech.com the other day.

Posted in Humour, Internet Explorer | No Comments »

Windows-Live Messenger TV

May 13th, 2008 by Patrick S

With the availability of rich media such as online video becoming more and more important in day-to-day life, the Windows Live team have come up with a pretty neat idea to share video with a friend through Windows Live Messenger.
Messenger TV is born: launching in 20 countries (surprisingly not the U.S.) and in 12 languages, Microsoft hopes to lure a few more people away from YouTube and onto the MSN-powered service.

“Watching online video is no longer about one person in front of their computer, it’s now a social experience. Users can now share a selection of free content and watch it at the same time as their friends through Messenger TV.” 

To do this Microsoft have partnered with a number of popular content providers, such as MTV, Sony BMG Music Entertainment, National Geographic, and the U.K.’s Channel 4, to offer content that people will want to watch.

To give it a whirl, simply open up a convo with a friend, click Activities and select Messenger TV. If you can’t wait to try it with a buddy, you could add the bot (MessengerTV@live.com [click on the link to add]) and it will take care of the rest.

The service is determined by your Internet Language options… so if you have it set to English (U.S.) then chances are it won’t work for you. Using something like English (U.K.) or English (N.Z.) should do the trick.

Check out http://messengertv.msn.com/mkt/en-gb/default.htm

Posted in MS News, Windows Live, Windows Live Messenger | No Comments »

Gates: Windows 7 will “take less memory, be more efficient”

May 13th, 2008 by Patrick S

Many know for a fact that the transition from Windows XP to Vista was a major step for most. The heightened system requirements to run all that eye candy were immense, even if Vista only just slightly outperforms XP.
People therefore turned to Microsoft’s next planned operating system, Windows Seven, as the answer to speedy computing with system requirements equal to Vista’s and (hopefully) not a whole lot higher.

Today the now-retired Bill Gates had this to say about Microsoft Windows Seven:

We’re hard at work, I would say, on the next version, which we call Windows 7. I’m very excited about the work being done there. The ability to be lower power, take less memory, be more efficient, and have lots more connections up to the mobile phone, so those scenarios connect up well to make it a great platform for the best gaming that can be done, to connect up to the thing being done out on the Internet, so that, for example, if you have two personal computers, that your files automatically are synchronized between them, and so you don’t have a lot of work to move that data back and forth.

Huzzah… The people rejoice?
…Not just yet. It’s early days, and Gates touched on a lot more than just the system requirements of the next-gen OS.
Seven is of course built on top of the existing Vista structure and so far not much has really changed dramatically, yet. Hardware will most likely change a lot by the time we see 7 on shelves. Watch this space.

-----

Seven has been planned to ship 3 years after Vista RTM’ed but let’s face it, Microsoft are useless at sticking to deadlines. I believe Seven will bring with it a lot more hype and I for one am looking forward to seeing/testing 7 a lot more than I did Vista.

Posted in Beta News, MS News, Microsoft, Products, Windows 7 | No Comments »

Certified Hardware for Windows Server 2008 (x64)

April 30th, 2008 by Patrick S

Hi All,

For those of you looking for a list of certified hardware for Windows Server 2008 (x64), here’s the current and growing list:

All Hardware Items: http://www.windowsservercatalog.com/results.aspx?&bCatID=1283&cpID=0&avc=11&ava=23&avq=0&OR=1&PGS=25&ready=0

For details:

Product category

Storage (371)
Networking (102)
Servers (102)
Other Hardware (26)
Printers (20)
Bus Controllers and Ports (13)
Cameras and Video (5)
Scanners (2)
Input Devices (1)
Sound (1)

If you would like it per vendor:

Vendor

Intel Corporation (97)
Hewlett-Packard Company (82)
Dell Inc. (64)
NetApp (63)
HITACHI, Ltd. (30)
Fujitsu Siemens Computers (28)
QLogic Corporation (26)
EMC Corporation (21)
IBM (13)
Pioneer Corporation (13)

More…

Sourced from Nick MacKechnie’s MSDN blog

Posted in Windows Server System | 2 Comments »

Questions about Web Server Attacks

April 28th, 2008 by Patrick S

Bill Sisk just wrote an article on the Microsoft Security Response Centre (MSRC) blog:

There have been conflicting public reports describing a recent rash of web server attacks. I want to bring some clarification about the reports and point you to the IIS blog for additional information.

To begin with, our investigation has shown that there are no new or unknown vulnerabilities being exploited. This wave is not a result of a vulnerability in Internet Information Services or Microsoft SQL Server. We have also determined that these attacks are in no way related to Microsoft Security Advisory (951306).

The attacks are facilitated by SQL injection exploits and are not issues related to IIS 6.0, ASP, ASP.Net or Microsoft SQL technologies. SQL injection attacks enable malicious users to execute commands in an application’s database. To protect against SQL injection attacks the developer of the Web site or application must use industry best practices outlined here. Our counterparts over on the IIS blog have written a post with a wealth of information that web developers and IT Professionals can take to minimize their exposure to these types of attacks by minimizing the attack surface area in their code and server configurations. Additional information can be found here: http://blogs.iis.net/bills/archive/2008/04/25/sql-injection-attacks-on-iis-web-servers.aspx

As outlined in other reports, the security flaw seems to be in poor code on websites; hackers are merely taking advantage of it on a massive scale.
Installing updates and blocking any malicious websites is the best method to protect your IIS Server.

Posted in MS SQL, Online Safety, Windows Server System | 2 Comments »

Windows Server, SQL Server & Visual Studio Launch 2008 Resources

April 25th, 2008 by Patrick S

HEROES Happen {HERE}

Microsoft have just posted the resources from the Windows Server, SQL Server & Visual Studio Heroes happen {Here} launch. Check them out; they are very informative indeed!

Categories include:

  • Session 1 | What’s New in Windows Server 2008
  • Session 2 | Virtualization and Your Infrastructure
  • Session 3 | Securing Your IT Infrastructure with Windows Server 2008
  • Session 4 | Exploring Windows Server 2008 Web and Application Technologies

Find the links to the slides here: http://www.technetbriefings.com/2008-launch-resources.aspx

Posted in MS SQL, Visual Studio, Windows Server System | No Comments »

Visual Studio 2008 Product Comparison Guide, v1.08 + Updates

April 24th, 2008 by Patrick S

A new version of the Visual Studio 2008 Product Comparison Guide is now available. Version 1.08 includes updates to a number of line items, but in particular it includes a lot of fixes in the debugging section and adds a section on 64-bit development features.

Also check out the update for Visual Studio 2008 and Visual Web Developer Express 2008 @ http://code.msdn.microsoft.com/KB946581

Posted in Visual Studio | No Comments »

Treat your eyes to some Consolas

April 23rd, 2008 by Patrick S

Picture this: You’re a developer who frequently writes console applications. Each day after work you go home and head to bed, you close your eyes and burnt into the darkness is the ever so familiar output of command prompt jargon.
Does the above sound like you? Sick of screen-burn in your eyes?
Well Microsoft have answered your call to give your eyes a rest :)

Introducing the “Consolas” font Microsoft developed specifically for developers!!

“When we began work on a project to create a new set of fonts which would take maximum advantage of ClearType, we decided to develop a fixed-pitch font for developers - because no one ever thought of their needs, and we realized a highly-readable fixed-width font would make their lives a lot easier…
…The Windows International fonts team is also working on another version that’ll support Vietnamese, and also the line draw characters that we made to support the console window.”

 

See for yourself. This image (as shown on the IE blog) is of the standard 8 x 12 px Raster font used by default in CMD.exe.

Compare this to the Consolas type fonts:

You can definitely see how much cleaner and easier to read the new font looks compared to the old Raster font (you can’t fit as much on the screen, but it’s a trade-off for the best in my opinion).

Now, this font comes bundled with Microsoft Office 2007, but if you don’t happen to have Office installed or available to you, Microsoft have provided a download for the font from here.
To install the font simply do the following in CMD.exe:

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Console\TrueTypeFont" /v 00 /d Consolas

logoff

Note: In Windows Vista, you need to run the reg command from an elevated command prompt… When you log back in, Consolas will be an option in the “Command Prompt” Properties.

That should make the reading of Command Prompt output a whole lot easier… Still, personally this font reminds me of the font used within Konsole/Terminal in Linux.
http://www.microsoft.com/downloads/details.aspx?familyid=22e69ae4-7e40-4807-8a86-b3d36fab68d3&displaylang=en

Posted in Computing, Visual Studio | No Comments »

New Shipment of Vista Ultimate Extras (Of Sorts)

April 23rd, 2008 by Patrick S

After months of being left in the dark after the first release of Microsoft Ultimate Extras for Windows Vista’s Ultimate edition, Microsoft surprised us yesterday with some new content.

I admit surprised is sort of the wrong word used to describe my feelings for the latest batch of Ultimate Extras…
But nonetheless, get ready to justify Ultimate’s large price tag, because today we were gifted a few cheesy Windows sound effects, some language packs and a couple more mediocre Windows DreamScene wallpapers.

…Sure, in the past we were rewarded with Texas Hold’em Poker as well as Windows DreamScene, with promises of more to come, but the latest instalment has left me with a bitter taste in my mouth. I think it’s time Microsoft woke up and actually fulfilled their promise and took care of the little guy!

…But who knows, perhaps it’s just a taste of what’s to come?

The WoW Starts now?

Added Feature?: Windows Live Photo Show NOW appears in the list of apps to which sound events may be added. New sound effects to come?

Posted in MS News, Rants, Windows Vista | 3 Comments »

Microsoft discloses vulnerability affecting multiple Windows Versions

April 22nd, 2008 by Patrick S

After investigating public reports, Microsoft has published Microsoft Security Advisory 951306, which describes a vulnerability that affects multiple versions of Windows (including Windows XP Professional Service Pack 2, all supported versions and editions of Windows Server 2003, Windows Vista, Windows Vista Service Pack 1, and Windows Server 2008.)

The newly found security flaw could potentially allow a malicious local user (who has authentication) to execute specially crafted code to raise his privilege level to LocalSystem. IIS and SQL Server are the main attack vectors. But other vectors are possible, such as Microsoft Distributed Transaction Coordinator (MSDTC) on Windows Server 2003.

The vulnerability looks like it basically allows for any process that has the SeImpersonatePrivilege to execute some code and be able to impersonate LocalSystem (which has the NT AUTHORITY\SYSTEM SID and a wealth of privileges in its token). For Windows 2003 and beyond the users awarded that privilege are in the Network Services, Local Services, Local System, and Administrators groups. On Vista/Server 2008 you additionally won’t have the privilege unless you’ve elevated. That fortunately reduces the scope of this otherwise highly serious vulnerability, though it still isn’t pretty.

It must be noted, however, that Microsoft stated in its advisory: “Hosting providers may be at increased risk from this elevation of privilege vulnerability.” However, no exploitation has been observed at this time.
Microsoft Security Advisory 951306

Posted in MS News, Security, Windows Server System, Windows Vista, Windows XP | 1 Comment »

Transition your MCSA and MCSE on Windows Server 2003 skills to Windows Server 2008

April 22nd, 2008 by Patrick S

If you are a Microsoft Certified Systems Administrator (MCSA) or a Microsoft Certified Systems Engineer (MCSE) on Windows Server 2003, you can now transfer your skills to achieve multiple Microsoft Certified Technology Specialist (MCTS) certifications or Microsoft Certified IT Professional (MCITP) credentials on Windows Server 2008.

For the first time, the transition path is available before the product release. If you have a Windows Server 2008 certification on your resumé, you have an excellent opportunity to catch the eye of early adopter organizations. Microsoft Learning developed this transition path to recognize the investment and expertise you have demonstrated throughout your certification history—don’t miss your chance to take advantage of these new certifications.

Your path consists of one exam, which allows you to earn multiple Microsoft Certified Technology Specialist (MCTS) certifications on Windows Server 2008.
-First step: Take one exam to earn MCTS certification on Windows Server 2008

From there, you can complete the remaining requirements for one or both of the Microsoft Certified IT Professional (MCITP) certifications for Windows Server 2008.
-Your transition path from MCSA on Windows Server 2003 to MCITP 
-Your transition path from MCSE on Windows Server 2003 to MCITP

Because there is a significant technology gap between Windows 2000 Server and Windows Server 2008, only IT professionals with specific Microsoft Certifications on Windows Server 2003 can utilize these transition or upgrade paths. In addition, there is no upgrade path from messaging or security specializations to Windows Server 2008 certifications.

 Check out all the details here:
Thanks Microsoft :)

Posted in Jobs, Learning, Windows Server System | No Comments »

Windows XP SP3 RTM’ed

April 22nd, 2008 by Patrick S

Well, it seems as though it’s finally happened: Service Pack 3 for everyone’s favourite OS, Windows XP, has been released to manufacturing (however not available to the public just yet; expect to see it on April 29th).

Service Pack 3 updates all 32-bit versions of Windows XP from Starter to XP Professional (the x64 edition of XP is based on Server 2003 and requires the Service Packs for that product). The complete package from the Download Center will reportedly be some 320 MB. Downloads via the Update function will be around 70 MB according to Microsoft’s current plans; this update can be so much smaller because only the data required for a specific XP version are downloaded, not the entire package.

Support for Windows XP without any service packs expired long ago and officially SP2 has to already be installed before SP3 can be installed, despite the fact there is no technical reason for this requirement. However Microsoft is inconsistent and SP3 can in practice be installed on XP with only SP1. Strangely, the complete SP3 contains all of the patches you need to update even a fresh base version of XP. Microsoft says that a slipstream installation CD can be created so that the operating system with SP3 can be installed at once without any other service pack.

SP3 not only contains patches and updates, but also a number of add-ons that have been sold separately, such as Background Intelligent Transfer Service (BITS) 2.5, Windows Installer 3.1, Management Console (MMC) 3.0 and Core XML Services 6.0. SP3 does not, however, contain any fundamentally new functions, and no new versions of Internet Explorer or Media Player are included.

This is set to be the very last Service Pack for XP; however, patches and updates for the OS are set to continue until Service Pack 3 expires in 2014.
A timeline of SP3:

  • April 14, 2008: Support is available for the release version of Windows XP SP3
  • April 21, 2008: RTM, OEMs
  • April 29, 2008: RTW, Windows Update and Microsoft Download Center
  • May 2, 2008: MSDN and TechNet subscriber downloads
  • May 19, 2008: Windows XP SP3 Fulfillment Media
  • June 1, 2008: Microsoft Volume Licensing customer downloads
  • June 10, 2008: Automatic Updates

An overview for SP3 is available here (MSFT), however expect new documentation to arise pretty soon.

Posted in Beta News, MS News, Products, Windows XP | 1 Comment »

Microsoft Video: Your/My Digital Lifestyle

April 14th, 2008 by Patrick S

Posted in Corporation, Daily Life, Microsoft, Products, Rants | 2 Comments »

Windows Server 2008 RTMs!!

February 4th, 2008 by Jabez Gan [MVP]

REDMOND, Wash., Feb. 4, 2008 – Approaching the company’s largest enterprise launch in its history, Microsoft reached another important milestone today with the release to manufacturing (RTM) of Windows Server 2008. The response from IT professionals and developers has been strong as the company moves toward the worldwide launch of Windows Server 2008, SQL Server 2008 and Visual Studio 2008 on February 27.

One indication of the momentum that is building around the latest server operating system is the number of beta and evaluation versions that customers and partners have obtained: more than two million.

IT professionals face increasing pressure from rapidly changing technology, increasing costs and security concerns, and expanding business needs. Windows Server 2008 helps alleviate these pressures by automating daily management tasks, tightening security, improving efficiency and increasing availability. It also offers virtualization solutions that will enable IT professionals to reduce costs, increase hardware utilization, optimize their infrastructure, and improve server availability.

Furthermore, because Windows Server 2008 was developed in tandem with the Windows Vista code base, it has most of that operating system’s advanced management and security features, such as integrated Network Access Protection (NAP) and Group Policy. Customers will also see system-wide performance improvements from an integrated system architecture, including network file sharing, managed quality of service and reduced power consumption. Common tools and processes across both operating systems will result in efficiencies for IT organizations.

“We’ve been working with partners around the world who are creating solutions that take advantage of the new platform’s feature set,” said Bob Visse, senior director, Windows Server Marketing Group at Microsoft. “There’s been tremendous support for the operating system and a lot of excitement around the opportunity it represents for the industry.”

Source: http://www.microsoft.com/presspass/features/2008/feb08/02-04WS2008.mspx

Edit (Patrick S): If you were on the technical beta for Windows Server 08 you can download the RTM images/ISOs from MSFT Connect. No keys will be provided, however, nor will previous beta-issued keys activate the RTM version. These images will only be on Connect for 30 days… So if you wish to keep a permanent copy you must download and save them locally.

Posted in Windows Server System | 1 Comment »