Automatic Patch-Based Exploit Generation - Via cs.cmu.edu:
by David Brumley, Pongsin Poosankam, Dawn Song, and Jiang Zheng
Abstract
The automatic patch-based exploit generation problem is: given a program P and a patched version of the program P', automatically generate an exploit for the potentially unknown vulnerability present in P but fixed in P'. In this paper, we propose techniques for automatic patch-based exploit generation, and show that our techniques can automatically generate exploits for vulnerable programs based upon patches provided via Windows Update. read more »
Windows Update Can Hurt Security - Via Slashdot:
An anonymous reader writes
"Researchers at Carnegie Mellon University have shown that given a buggy program with an unknown vulnerability, and a patch, it is possible automatically to create an exploit for unpatched systems. They demonstrate this by showing automatic patch-based exploit generation for several Windows vulnerabilities and patches can be achieved within a few minutes of when a patch is first released. From the article: 'One important security implication is that current patch distribution schemes which stagger patch distribution over long time periods, such as Windows Update... can detract from overall security, and should be redesigned.' The full paper is available as PDF, and will appear at the IEEE Security and Privacy Symposium in May."
Pentagon Hid Magnitude of Data Loss From Recent Breach - Via Slashdot:
blueton tips us to a brief story about recent revelations from the Pentagon which indicate that the attack on their computer network in June 2007 was more serious than they originally claimed. A DoD official recently remarked that the hackers were able to obtain an "amazing amount" of data. We previously discussed rumors that the Chinese People's Liberation Army was behind the attack. read more »
Best Buy Sold Infected Digital Picture Frames - Via NYT > Technology:
Best Buy Co. Inc. sold digital picture frames during the holidays that harbored malicious code able to spread to any connected Windows PC, the big box retailer has confirmed. It is not recalling the frames, however.
What Best Buy called "a limited number" of the 10.4-in. digital frames sold under its in-house Insignia brand were "contaminated with a computer virus during the manufacturing process," according to a notice posted on the Insignia site last weekend. The frame which went by the part number NS-DPF10A has been discontinued, and all remaining inventory pulled, Best Buy added.
But that didn't happen until after some of the pre-infected frames were sold to customers. read more »
Boot Record Rootkit Threatens Vista, XP, NT - Via Slashdot:
Paul sends us word on a new exploit seen in the wild that attacks Windows systems completely outside of the control of the OS. "Unfortunately, all the Windows NT family (including Vista) still have the same security flaw — MBR [Master Boot Record] can be modified from usermode. read more »
2008: DRM continues to punish paying customers - Via EFF: Deep Links:
Just three days into the new year, we have another example of DRM punishing paying customers, rather than "pirates." Netflix subscriber Davis Freeberg ran headlong into an incompatibility between Microsoft DRM and ... Microsoft DRM.
The trouble all started when Freeberg bought a new monitor for his Vista computer. When he decided to watch streaming movies from Netflix, Netflix documentation warned him that the recommended means of fixing a problem with DRM-restricted Netflix programming "may remove licenses to other content using Microsoft DRM" -- including, in particular, restricted programming he had already purchased through Amazon Unbox. Trying to resolve this problem just got Freeberg a tech-support runaround, with each company involved pointing the finger at another. read more »
Microsoft's Windows Home Server corrupts files - Via Computerworld:
December 26, 2007 (Computerworld) -- Microsoft Corp. has warned Windows Home Server users not to edit files stored on their backup systems with several of its programs, including Vista Photo Gallery and Office's OneNote and Outlook, as well as files generated by popular finance software such as Quicken and QuickBooks.
"When you use certain programs to edit files on a home computer that uses Windows Home Server, the files may become corrupted when you save them to the home server," Microsoft said in a support document posted last week. read more »
Microsoft yanks free Vista, Office offer - Via Computerworld:
Fills ranks of program that gave away software to users installing monitoring app
[...]
December 12, 2007 (Computerworld) -- Microsoft Corp. on Tuesday withdrew an offer of free copies of Windows Vista Ultimate and Office 2007 in exchange for consumers agreeing to install monitoring software, saying it had exhausted the supply of software.
Until mid-afternoon Tuesday, the company's Windows Feedback Program was handing out copies of Vista Ultimate, Office Ultimate 2007 and other software to users who agreed to complete regular surveys and to install a program that tracked Windows and Office use for three months. The program transmitted the information to Microsoft's servers daily. read more »
Microsoft Disses Windows to Sell More Windows - Via Slashdot:
mjasay writes "I stumbled across this fascinating Microsoft tutorial entitled "How to Justify a Desktop Upgrade." It's an attempt to coach IT professionals on how to sell Windows desktop upgrades internally. Apparently the value of Vista is not readily apparent, requiring detailed instructions on how to connive and cajole into an upgrade from XP. read more »
Microsoft Withdraws Vista's Kill Switch - Via Slashdot:
l-ascorbic writes "In what they are calling a change of tactics, Microsoft has removed the controversial 'kill switch' from Vista in SP1. This feature is designed to disable pirated copies of the OS, but had led to numerous reports of it disabling legitimate copies. read more »
Microsoft patents the mother of all adware systems: "The application, filed in 2006, describes a multi-faceted, robust ad-delivering system that lives on a 'user computer, whether it's part of the OS, an application or integrated within applications.'
'Applications, tools, or utilities may use an application program interface to report context data tags such as key words or other information that may be used to target advertisements,' says the filing. 'The advertising framework may host several components for receiving and processing the context data, refining the data, requesting advertisements from an advertising supplier, for receiving and forwarding advertisements to a display client for presentation, and for providing data back to the advertising supplier.'
The adware framework would leave almost no data untouched in its quest to sell you stuff. It would inspect 'user document files, user e-mail files, user music files, downloaded podcasts, computer settings, computer status messages (e.g., a low memory status or low printer ink),' and more. How could we have been so blind as to not see the marketing value in computer status messages?
The software would also free advertising from its traditional browser yoke. read more »
Microsoft to Release 6 Security Updates Next Week: "An anonymous reader wrote in with an article that leads: 'Microsoft will release six groups of security patches next week, including three critical updates for Windows and Excel users. read more »
Forget about the WGA! 20+ Windows Vista Features and Services Harvest User Data for Microsoft - From your machine! - Softpedia: "Are you using Windows Vista? Then you might as well know that the licensed operating system installed on your machine is harvesting a healthy volume of information for Microsoft. In this context, a program such as the Windows Genuine Advantage is the last of your concerns. In fact, in excess of 20 Windows Vista features and services are hard at work collecting and transmitting your personal data to the Redmond company.
Microsoft makes no secret about the fact that Windows Vista is gathering information. End users have little to say, and no real choice in the matter. The company does provide both a Windows Vista Privacy Statement and references within the End User License Agreement for the operating system. Combined, the resources paint the big picture over the extent of Microsoft's end user data harvest via Vista. read more »
Vista is Watching You: "greengrass writes 'Are you using Windows Vista? Then you might as well know that the licensed operating system installed on your machine is harvesting a healthy volume of information for Microsoft. In this context, a program such as the Windows Genuine Advantage is the last of your concerns. read more »
Full Disclosure: 6 Month Vista Vuln Report, Debunked: "This report from Microsoft's Jeff R. Jones is ludicrous:
http://www.csoonline.com/pdf/6_Month_Vista_Vuln_Report.pdf
The Microsoft 'researcher' claims that Windows Vista is exponentially less vulnerable than many Linux distributions and Mac OS X. read more »
Vista Security Claims Debunked: An anonymous reader writes "Apparently Microsoft still hasn't learned that counting vendor acknowledged vulnerabilities isn't a good way to establish the security of an OS. As an analysis of Microsoft's claims on Full Disclosure shows, we see that the methodology used was badly flawed. A bug in Firefox (not to mention emacs) counts as a flaw for Linux, while IE bugs get ignored on Vista's chart. read more »
Microsoft ditches about-face on virtualization restrictions at 11th hour: "The scuttlebutt this week has been that Microsoft was about to relent and allow the virtualization of Windows Vista Home Premium and Home Basic. Since the launch of Windows Vista, only Business and Ultimate editions have been legally approved for virtualization, thanks to the Vista EULA. A change in the EULA was forthcoming, according to embargoed information from the company, and it was a change that I think everyone believed should be made. read more »
Slashdot | Microsoft Flip-flopping on Virtualization License: "Cole writes 'Microsoft came within a few hours of reversing its EULA-based ban on the virtualization of Vista Basic and Premium, only to cancel the announcement at the last minute. The company reached out to media and bloggers about the announcement and was ready to celebrate 'user choice' before pulling the plug, apparently clinging to security excuses. read more »
New software can identify you from your online habits - tech - 16 May 2007 - New Scientist Tech: "If you thought you could protect your privacy on the web by lying about your personal details, think again. In online communities at least, entering fake details such as a bogus name or age may no longer prevent others from working out exactly who you are.
That is the spectre raised by new research conducted by Microsoft. The computing giant is developing software that could accurately guess your name, age, gender and potentially even your location, by analysing telltale patterns in your web browsing history. But experts say the idea is a clear threat to privacy - and may be illegal in some places. read more »