Tag Archives: Zero-day vulnerability

Newest Vulnerability in Windows Computers, an Emerging New Class

If the expression “opening a can of worms” means anything to you, you’ll start to get the idea of what’s happening with this subject. Or maybe Pandora’s box is a better metaphor. At any rate, it seems that one vulnerability disclosure led to another, and another. As predicted in a recent article, these are now surfacing. And one of the immediate problems is that it has to do not only with the Windows operating system per se, but with programs used on Windows. Many of them. Details on this new class are still sketchy, since the idea is to get patches developed before revealing too much about the vulnerability.

About a week ago a Slovenia-based security company called Acros published an advisory regarding a vulnerability related to iTunes that would allow a remote attacker to take control of the attacked computer. Acros has reportedly been analyzing this type of vulnerability since late 2008. A tool was developed to spot this vulnerability in many Windows-based programs: over 200 programs were tested, and surprisingly, about 90% were found potentially vulnerable to the exploit. This testing had gone unpublished until a few days ago.

Hours after Acros published the above-mentioned advisory, HD Moore, the Chief Security Officer of Rapid7, a US-based security company, published the fact that he had discovered about 40 Windows-based programs to be vulnerable to this new exploit. Then Acros decided to let the big cat out of the bag, and the next day they expanded the list of 40 to over 200. Then over this past weekend, academic researcher Taeho Kwon, a Ph.D. candidate in computer science at the University of California Davis, also joined the party with the research paper he and Zhendong Su had published earlier this year on the subject. Then just yesterday Microsoft published a security advisory on the subject. That’s the timeline so far when it comes to this new vulnerability class.

What to do

Patching this vulnerability is a bit of a catch-22: the nature and reach of this vulnerability are so wide that if Microsoft were to issue a single patch to handle it, it would break scores of legitimate applications. Plus, the vulnerability lies mainly in the lax way the programs have been coded, so the programs’ creators are the ones who need to issue individual patches. For these reasons, mitigating actions are all that can be done for now. One mitigating action is stopping and disabling the service that allows for remote (over the internet) exploitation of this vulnerability: the webclient service. Disabling this service will have no impact on most users’ machines as far as functionality is concerned.

To stop and disable the webclient service:

1a. For Windows XP users, click on Start, All Programs, Run, type “cmd” (without quotation marks) and press Enter.

1b. For Vista and 7 users, click on Start, type “cmd” in the search box, go to the top of the list, right-click on cmd.exe and select Run as Administrator. Click on Continue if prompted.

2. Now let’s type a couple of commands in the black box that showed up.

First let’s stop the service. Type (or copy and paste):

SC stop webclient

And press Enter.

Now let’s disable it so the service doesn’t restart automatically next time you reboot your computer. Type (or copy and paste):

SC config webclient start= disabled

And press Enter.

(Notice the space after the equal sign in the above command. That’s mandatory.)

Now you can close the command prompt window where you typed all the above.

A well-configured firewall will also help mitigate the effects of this problem. Incoming and outgoing ports 139 and 445 need to be blocked. (Port: in computer networking, specific channels are used to send and receive data. These are called ports and are numbered from 1 to 65536.) Be aware that some functions like network file sharing and printing over a network might be affected by blocking these ports. If you block these ports and afterwards notice a loss of network connectivity, revert the changes.
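For readers who would rather apply both mitigations above (the webclient service and the port 139/445 firewall rules) in one go, and be able to undo them if file sharing breaks, here is an added PowerShell script. It is not part of the original post or of any vendor’s tooling. It assumes Vista or 7 with PowerShell 2.0 or later and a prompt started with Run as Administrator (XP’s older netsh firewall syntax is not covered); the firewall rule names and the state-file location are choices made for this script.

```powershell
# Added example (not from the original post): apply or revert the two mitigations
# described above - stop/disable the WebClient service and block TCP 139/445.
# Assumes Vista/7, PowerShell 2.0+, elevated prompt. Rule names and the
# state-file path below are assumptions chosen for this script.
param(
    [switch]$Revert   # run with -Revert to undo both mitigations
)

$StateFile = Join-Path $env:TEMP 'webclient-mitigation.txt'   # assumed location
$RuleIn    = 'Mitigation - block inbound SMB 139/445'         # assumed rule name
$RuleOut   = 'Mitigation - block outbound SMB 139/445'        # assumed rule name

# Refuse to run unless elevated; sc/netsh changes silently fail otherwise.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($id)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Error 'Open the prompt with "Run as Administrator" and try again.'
    exit 1
}

function Get-WebClientStartMode {
    # WMI exposes the configured start mode (Auto, Manual or Disabled),
    # which Get-Service on PowerShell 2.0 does not show.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'"
    if ($svc -eq $null) { return $null }
    return $svc.StartMode
}

function Apply-Mitigation {
    $mode = Get-WebClientStartMode
    if ($mode -eq $null) {
        Write-Host 'WebClient service not present; skipping the service step.'
    } else {
        # Remember the original start mode so -Revert can restore it exactly.
        Set-Content -Path $StateFile -Value $mode
        # Equivalent of "SC stop webclient" and "SC config webclient start= disabled".
        Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
        Set-Service  -Name WebClient -StartupType Disabled
        Write-Host "WebClient stopped; start mode changed from $mode to Disabled."
    }
    # Block SMB/NetBIOS in both directions; this can break file and printer sharing.
    netsh advfirewall firewall add rule name="$RuleIn"  dir=in  action=block protocol=TCP localport=139,445  | Out-Null
    netsh advfirewall firewall add rule name="$RuleOut" dir=out action=block protocol=TCP remoteport=139,445 | Out-Null
    Write-Host 'Firewall rules added blocking TCP 139/445 inbound and outbound.'
}

function Undo-Mitigation {
    netsh advfirewall firewall delete rule name="$RuleIn"  | Out-Null
    netsh advfirewall firewall delete rule name="$RuleOut" | Out-Null
    Write-Host 'Firewall rules removed.'
    if (Test-Path $StateFile) {
        $mode = (Get-Content $StateFile).Trim()
        # Map WMI start-mode names onto the values Set-Service accepts.
        $startup = switch ($mode) { 'Auto' { 'Automatic' } 'Manual' { 'Manual' } default { 'Manual' } }
        Set-Service -Name WebClient -StartupType $startup
        Remove-Item $StateFile
        Write-Host "WebClient start mode restored to $startup (not started; it starts on demand)."
    } else {
        Write-Host 'No saved state found; WebClient left as is.'
    }
}

function Show-Status {
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    if ($svc) {
        Write-Host ('WebClient: status={0}, start mode={1}' -f $svc.Status, (Get-WebClientStartMode))
    }
    # Quick check that the inbound rule exists (prints "No rules match" once reverted).
    netsh advfirewall firewall show rule name="$RuleIn" | Select-String 'Rule Name|Enabled|Action|No rules'
}

if ($Revert) { Undo-Mitigation } else { Apply-Mitigation }
Show-Status
```

Save it as, say, webclient-mitigation.ps1 and run it from an elevated PowerShell prompt; run it again with -Revert if network shares or printers stop working. Recording the original start mode before disabling the service is what makes the revert faithful, since the default differs between Windows versions.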

Another action that can be taken is to close the door on the possibility of unauthorized program execution, with programs like AppGuard by Blue Ridge Networks. This has been covered before in other computer security articles.

If you have any questions on how to do any of the above, I’ll be happy to answer them.

To Update or Not to Update, That is the Question

Normally I wouldn’t even write about this subject, because it almost seems redundant to mention it, but I recently came across some misconceptions that urged me to help set the record straight.

Software updates: what are they? What are they for? Should they be installed? Generally speaking, the main computer software updates are operating system updates. Since I don’t work with Macs, this means Windows updates. These updates can have three goals: improved stability, improved security and improved performance.

Specifically on security, the cycle goes like this: some not-so-well-intentioned fellow(s) look for and find a vulnerability in a current Windows operating system. That means a security hole which, if successfully exploited, allows the bad guy to gain access to your computer’s data and maybe even gain control over it. Not good. Microsoft gets wind of the vulnerability, develops a “patch” to fix it, tests it, releases it through Windows Update, it gets applied broadly, and the security hole is gone. The cycle repeats over and over in an endless race against the zero-day exploit. The term derives from the age of the exploit. When Microsoft becomes aware of a security hole, there is a race to close it before more attackers discover it or the vulnerability becomes public. A “zero day” attack occurs on or before the first or “zeroth” day of vendor awareness, meaning Microsoft has not had any opportunity to disseminate a security fix to users of the software.

Stability and performance updates follow a less hectic path, but they are nonetheless also updates worth installing.

Other non-operating system software vendors also provide updates for their software with the same goals.

Now, some people seem to be against installing updates, partially due to bad past experiences, i.e. after installing an update, something went wrong and the computer had a new problem. Does it happen? Yes. Have some updates been more damaging than beneficial? Yes. Does that mean one should just not update? NO. In the overall grand scheme of things, updates will always be more beneficial than harmful.

Keep your computer up-to-date with the latest updates from Microsoft and any other applicable software vendors. It is an essential step to keeping your computer secure and healthy.

Contact me if you need help on the subject.