AskWoody.com

Woody Leonhard’s no-bull news, tips and help for Windows and Office
  • MS-DEFCON 4: Get Patched

    Posted on March 5th, 2010 at 07:15 woody 17 comments

    Microsoft just fixed the really bad February patch. MS10-015 / KB 977165, which I wrote about two weeks ago, had a nasty habit of clobbering Windows XP machines. According to a Microsoft Security Response Center blog, MS10-015 is now offered “with new logic that prevents the security update from being installed on systems if certain abnormal conditions exist.”

    In other words, if your WinXP PC is infected with the Alureon rootkit, MS10-015 won’t install itself, and you won’t be faced with an endless cycle of Blue Screens of Death.

    With that big problem out of the way, it’s now time to apply the February Black Tuesday patches. Get yourself all patched up, then make sure Automatic Updates is turned off. The two March patches will be out next week, and you don’t want Microsoft to zap you. Again.

    I’m moving us to MS-DEFCON 4: There are isolated problems with current patches, but they are well-known and documented here. Check this site to see if you’re affected and if things look OK, go ahead and patch.

  • Windows 7 mysteriously re-boots every two hours

    Posted on March 2nd, 2010 at 06:54 woody 2 comments

    If your copy of Win7 is mysteriously re-booting itself every two hours, and none of your changes are saved in the process, chances are very good that you’re running the Release Candidate.

    It’s time to get real. Er, get the real version of Win7.

    Microsoft’s Knowledge Base article 971767 has the details, but the bottom line is that two-hour re-boots start today, and on June 1, you’ll start booting to a black Windows wallpaper. It ain’t the end of the world, but if you haven’t saved your changes, the result could be, uh, startling.

  • Microsoft Confidential for Law Enforcement Use Only

    Posted on February 27th, 2010 at 10:11 woody No comments

    That’s what the disclaimer says. I believe it.

    Brennon Slattery at ComputerWorld just posted an article that’s going to be very controversial. In it, he not only describes the

    Microsoft Online Services Global Criminal Compliance Handbook, a “spy guide” for law enforcement detailing what data Microsoft has, keeps, and can relinquish. Since most of you are Microsoft users, there are a few tidbits of information you’ll need to know before purchasing Xbox Live points, logging onto Office Live, or sending an e-mail through Hotmail.

    The handbook was posted online by muckraking site Cryptome, prompting Microsoft to issue a DMCA complaint, which in turn led to Cryptome being shut down by its ISP. Calmer heads prevailed and Cryptome is back online.

    Amazingly, Microsoft’s Global Criminal Compliance Handbook is still online. Get it while you can. Use a one-time email address if such things bug you.

    Thanks to yangs for the heads-up.

  • MagicJack SLAPPed with $50,000 penalty

    Posted on February 24th, 2010 at 17:21 woody 6 comments

    I’ve been running a series of articles about Microsoft’s End User License Agreement – particularly the Win7 EULA – in Windows Secrets Newsletter. Microsoft’s EULA is hardly a paragon of clarity and fairness, but it pales in comparison to MagicJack’s.

    Back in April 2008, Bob Beschizza at Boing Boing posted a short review of MagicJack’s EULA:

    [The EULA] not only has one agree to ads with its paid-for system, but claims that the ads are necessary for it to work. It will also snoop on your calls to target ads more accurately, and has you sign away your legal right to take it to court if it defrauds or otherwise harms you. Delightful.

    Neither the EULA itself, nor any other privacy or legal information, can be easily found at its homepage. It’s not even provided at the point of sale, where one enters credit card info, email and street addresses as such, so as to gain access to the service and have your MagicJack dongle delivered. I found the EULA’s URL through Google.

    MagicJack took umbrage, and sued Boing Boing for defamation. Fast forward a year, and MagicJack not only lost the lawsuit, it was hit with a $50,000 penalty for what amounts to a frivolous lawsuit.

    Fascinating wrap-up on the Boing Boing site.

  • Most Windows 7 machines max out their memory – the rest of the story

    Posted on February 23rd, 2010 at 12:13 woody 5 comments

    Sometimes my friends write and ask why I don’t comment on certain stories here on the AskWoody site. Case in point: the ComputerWorld article from last week that claims “Most Windows 7 PCs max out their memory, resulting in performance bottlenecks.”

    I took one look at the story and figured, meh, what a crock. Win7 may fill up all of your PC’s memory, but that inevitably leads to improved performance, not degraded performance. I figured, why parrot something that was obviously wrong?

    Ends up that there’s more to the story.

    Peter Bright at Ars Technica wrote an accurate article that refuted the claim. I didn’t bother writing about that either, because the original article was so harebrained.

    The person who wrote the CW story was sucked in by a guy whom Paul Thurrott calls “insane.” Now comes word that the guy who originally duped CW was, in fact, an InfoWorld writer, who was pimping his own software in InfoWorld articles written under a different name. Full details on Ars Technica.

    Amazing how things echo around in the Windows reporting vacuum…

  • European IE ballot screen final

    Posted on February 22nd, 2010 at 22:13 woody 3 comments

    Microsoft posted a final screen shot and description of the Internet Explorer “ballot screen” that will roll out across Europe shortly.

    I think the most telling detail is this: the technical explanation appears on Microsoft’s Legal blog, “Microsoft On the Issues.”

    The browser choice screen software update will be offered as an automatic download through Windows Update for Windows XP, Windows Vista and Windows 7… [it] will present you with a list of leading browsers. In keeping with our agreement with the European Commission, this list is presented in random order. You can also scroll to the right to see additional browsers, which are also presented in random order.

    I don’t see anything unexpected. Apparently Windows Update determines your location based on your IP address – so if you travel to Europe, but don’t live there, you may see this screen anyway.

  • MS10-015 Blue Screens due to TDL3 rootkit infection

    Posted on February 18th, 2010 at 05:05 woody 15 comments

    Fascinating.

    Last week I wrote about Microsoft’s security patch MS10-015 causing Blue Screens of Death on some machines: if you install MS10-015/KB 977165, or it gets installed for you, your machine may BSOD on reboot. Every reboot.

    Marco Giuliani on the Prevx site has this explanation:

    TDL3 rootkit looks incompatible with MS10-015 update. This is the cause of the BSOD. Problem resides in the laziness of rootkit writers when writing the driver infection routine.

    When the rootkit dropper is run, the infection calculates the RVA offsets of some Windows kernel APIs and hard-codes them so that at every restart the portion of the rootkit loader injected inside the infected driver can use these offsets to immediately calculate the address of the wanted functions.

    This worked well until the MS10-015 update, when Microsoft updated Windows NT kernel. This update changed those offset values and consequently broke the rootkit code. When the update procedure is finished, system is restarted. At system restart, the rootkit code tries to call a non-valid address and this causes the BSOD.

    Good news is that TDL3 authors care about us and they released in a couple hours a new updated version of the rootkit compatible with the Microsoft patch.

  • Iceman gets 13 years for stealing credit card numbers

    Posted on February 16th, 2010 at 07:32 woody 1 comment

    Robert McMillan at IDG News reports that Max Butler (a.k.a. “Iceman”) was just sentenced to 13 years in prison for breaking into financial institutions’ computers and stealing credit card information. 13 years plus $27.5 million in restitution.

    After a promising start as a security consultant who did volunteer work for the U.S. Federal Bureau of Investigation, [Max] Butler was arrested for writing malicious software that installed a back-door program on computers — including some on federal government networks — that were susceptible to a security hole.

    Butler served an 18-month prison term for the crime and fell on hard times after his 2002 release, he said in a sentencing memorandum filed Thursday. “I was homeless, staying on a friend’s couch. I couldn’t get work,” he wrote. In desperation, he turned again to cybercrime. By the time of his arrest in September 2007, he had built the largest marketplace for stolen credit and debit card information in the world.