Internet Explorer 2006 – 9 Months of Vulnerability

If you used Internet Explorer (IE) on Windows in 2006, it appears you spent nine months of the year exposed to publicly available exploit code for unpatched flaws in your browser.

For a total of 284 days in 2006 (or more than nine months out of the year), exploit code for known, unpatched critical flaws in pre-IE7 versions of the browser was publicly available on the Internet. Likewise, there were at least 98 days last year in which no software fixes from Microsoft were available to fix IE flaws that criminals were actively using to steal personal and financial data from users.

By contrast, Firefox had a single nine-day window of vulnerability to an exploit over the same period.

Microsoft Details on Vista Protections

For those who would like some corroboration of Peter Gutmann’s A Cost Analysis of Windows Vista Content Protection, which I posted about previously, there is a document on Microsoft’s own website called Output Content Protection and Windows Vista which goes into some detail about what you can expect.

In the future, some types of premium content—through its content policy—will specify that a full-resolution analog VGA output is not allowed and that the resolution must be reduced. It is not practical to change the actual scanning rate of the display, particularly because some displays are fixed resolution. But what is important is that the information content of the signal is reduced to the resolution specified by the content owner. Basically, a high-resolution picture needs to be degraded to make it soft and fuzzy.

You may also find that an LCD flat screen connected over a digital DVI cable without HDCP simply stops working when protected content is played.

In contrast, DVI without HDCP is definitely not liked by content owners, because it provides a pristine digital interface that can be captured cleanly. When playing premium content such as HD-DVD and Blu-Ray DVD, PVP-OPM will be required to turn off or constrict the quality of unprotected DVI. As a result, a regular DVI monitor will either get slightly fuzzy or go black, with a polite message explaining that it doesn’t meet security requirements.

Even an analog VGA monitor may be turned off in future.

There have been some successes in getting content owners to make some allowances for this ubiquitous interface. Consumers would certainly be unhappy if it were immediately outlawed; so instead, many content owners are requiring that its resolution be constricted when certain types of premium content are being played. Eventually they may require that analog VGA outputs be turned off completely; but for the moment, it is possible to provide the necessary level of protection by constricting the information content.

It’s not just users who are going to be worse off under this scheme. Would you like to be a graphics card manufacturer when Microsoft tells you things like this?

Content Industry Agreement hardware robustness rules must be interpreted by the graphics hardware manufacturer. Vendors should work to ensure that their implementations will not be revoked for playback of high-level premium content, as the result of a valid complaint from the content owners.

and

It is the responsibility of the graphics chip manufacturer to ensure that their chips are not used to manufacture “hacker friendly” graphics cards or motherboards. If someone does try to manufacture such a card, then the graphics manufacturer should refuse to sell chips to that board manufacturer.

Those are just a few of the restrictions; read the whole document and you’ll find plenty more to get your blood boiling.

Found via a useful comment by Sergio on Bruce Schneier’s blog post about Peter Gutmann’s analysis.

Microsoft Vista Content Protection – Inflating the Price of a Computer Near You

Peter Gutmann, crypto geek and author of “Everything you never wanted to know about PKI but have been forced to find out“, has written an analysis of Microsoft’s long-delayed “Vista Content Protection” specification (warning: it is a plain-text document, and may cause culture shock to the Flash Generation due to its high signal-to-noise ratio and lack of pretty pictures).

The Vista Content Protection specification could very well constitute the longest suicide note in history.

Peter has drawn on a heap of sources (both public and private) to work out the implications of Microsoft making the content providers’ dreams come true and going to extreme lengths to stop a few people tampering with “premium content”. The result is going to be less reliable systems with large processing overheads and less functionality.

Since S/PDIF doesn’t provide any content protection, Vista requires that it be disabled when playing protected content. In other words if you’ve invested a pile of money into a high-end audio setup fed from a digital output, you won’t be able to use it with protected content. Similarly, component (YPbPr) video will be disabled by Vista’s content protection, so the same applies to a high-end video setup fed from component video.

Echo cancellation will be another victim of Vista, as the feedback path it requires will not be permitted; instead the audio will be degraded to remove any chance of capturing “premium content”, and legitimate users will just have to cope. This sort of audio and video degradation will occur whenever the system believes it is playing “premium content”, even if you’re doing something else important:

What makes this particularly entertaining is the fact that the downgrading/disabling is dynamic, so if the premium-content signal is intermittent or varies (for example music that fades out), various outputs and output quality will fade in and out, or turn on and off, in sync. Normally this behaviour would be a trigger for reinstalling device drivers or even a warranty return of the affected hardware, but in this case it’s just a signal that everything is functioning as intended.

It appears the user will have no control over this. If someone manages to introduce something that Vista believes is “premium content” (and we all know how bad Microsoft are at getting things right), the constrictors will kick in, downgrading the signal and then upscaling it back to the required spec, with a loss in quality. This pretty much rules Vista out for use in hospital imaging systems, astronomy or anywhere else where lossy processing is verboten. It is also going to be a nightmare for the hardware vendors:

Amusingly, the Vista content protection docs say that it’ll be left to graphics chip manufacturers to differentiate their product based on (deliberately degraded) video quality. This seems a bit like breaking the legs of Olympic athletes and then rating them based on how fast they can hobble on crutches.

This is also going to have serious ramifications for developers of drivers for open source operating systems like Linux, FreeBSD, etc., as Vista introduces a requirement called Hardware Functionality Scan (HFS for short), where the driver interrogates a device and gets it to attest that it is legitimate hardware (and not a software phantom). This, of course, relies on security through obscurity, and, as Peter says:

In order for this to work, the spec requires that the operational details of the device be kept confidential. Obviously anyone who knows enough about the workings of a device to operate it and to write a third-party driver for it (for example one for an open-source OS, or in general just any non-Windows OS) will also know enough to fake the HFS process. The only way to protect the HFS process therefore is to not release any technical details on the device beyond a minimum required for web site reviews and comparison with other products.
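To make concrete why a check of this kind can only ever test whether the emulator’s author knows the device, here is a toy model in Python. It is an added illustration, not Microsoft’s HFS protocol or any real driver code: the register offset, the undocumented “quirk”, and the class and function names are all hypothetical. The driver probes a scratch register for behaviour that is deliberately left out of the public manual; a phantom written from the manual alone fails, while a phantom written by someone who poked the real hardware (as any third-party driver author must) passes.

```python
"""Toy model of a Hardware Functionality Scan (HFS) style check.

Added illustration only: this is not Microsoft's HFS protocol or any real
driver code. A "driver" probes a device for an *undocumented* quirk and
treats a correct answer as proof it is talking to real silicon rather
than a software phantom. The register offset, quirk and class names are
all hypothetical.
"""
import secrets

SCRATCH = 0x10          # hypothetical scratch register offset
MASK32 = 0xFFFFFFFF


class RealCard:
    """Hypothetical graphics chip with one undocumented quirk: reading
    SCRATCH returns the last written value XORed with a fixed mask that
    appears nowhere in the public programming manual."""

    _QUIRK_MASK = 0xA5A5A5A5   # hypothetical, kept out of the public docs

    def __init__(self):
        self._scratch = 0

    def write(self, reg, value):
        if reg == SCRATCH:
            self._scratch = value & MASK32

    def read(self, reg):
        if reg == SCRATCH:
            return self._scratch ^ self._QUIRK_MASK
        return 0


class NaivePhantom:
    """Software emulator written from the public manual alone: the
    scratch register reads back exactly what was written."""

    def __init__(self):
        self._scratch = 0

    def write(self, reg, value):
        if reg == SCRATCH:
            self._scratch = value & MASK32

    def read(self, reg):
        return self._scratch if reg == SCRATCH else 0


class InformedPhantom(NaivePhantom):
    """Emulator by someone who has poked the real hardware enough to write
    a third-party driver for it. The quirk is just one more observed
    behaviour to reproduce; no leaked spec is needed."""

    def __init__(self, learned_mask):
        super().__init__()
        self._mask = learned_mask

    def read(self, reg):
        return super().read(reg) ^ self._mask if reg == SCRATCH else 0


def learn_quirk(card):
    """What a driver author does anyway: poke the device and record what
    comes back. Writing 0 makes the card hand over the mask directly."""
    card.write(SCRATCH, 0)
    return card.read(SCRATCH)


def hfs_check(device, rounds=8):
    """Driver-side scan: random challenges, expect the quirky read-back.
    Returns True when every round matched, i.e. 'this looks like our chip'."""
    for _ in range(rounds):
        challenge = secrets.randbits(32)
        device.write(SCRATCH, challenge)
        if device.read(SCRATCH) != (challenge ^ RealCard._QUIRK_MASK):
            return False
    return True


def survey():
    """Run the scan against real silicon, an uninformed emulator and an
    emulator built from observed behaviour. The scan only ever separates
    the first two; the third is indistinguishable from hardware."""
    real = RealCard()
    return {
        "real": hfs_check(real),
        "naive_phantom": hfs_check(NaivePhantom()),
        "informed_phantom": hfs_check(InformedPhantom(learn_quirk(real))),
    }


if __name__ == "__main__":
    for name, passed in survey().items():
        print(f"{name:17s} passes HFS: {passed}")
```

The point of the toy is the `learn_quirk` step: the same access to the hardware that an open-source driver author needs in order to program the chip is enough to harvest every “secret” behaviour the scan relies on, so the only defence left is to withhold documentation from everyone, exactly as the quoted passage describes.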

In return, the hardware will be monitored for odd things happening (unexpected voltage changes, etc.) and the driver can set so-called “tilt switches” to let the O/S know that something bad might be happening, which will be real fun for Vista users once the virus writers figure out how to trip these from software. The hardware is also going to have to do the video decompression itself, as the CPU won’t be allowed to because of its vulnerable nature, which is going to constrain the codecs that “premium content” can use. This is already an issue:

This is particularly troubling for the high-quality digital cinema (D-Cinema) specification, which uses Motion JPEG2000 (MJ2K) because standard MPEG and equivalents don’t provide sufficient image quality. Since JPEG2000 uses wavelet-based compression rather than MPEG’s DCT-based compression, and wavelet-based compression isn’t on the hardware codec list, it’s not possible to play back D-Cinema premium content (the moribund Ogg Tarkin codec also used wavelet-based compression). Because *all* D-Cinema content will (presumably) be premium content, the result is no playback at all until the hardware support appears in PCs at some indeterminate point in the future.

So this will stifle innovation in video codecs: no hardware support, no undegraded playback. It will probably also rule out the use of Vista for high-def Access Grid videoconferencing. Add on top of all this the requirement to support hardware encryption between components, and all the patent licences that are needed for it, and you’ve got a recipe for disaster.

For those of us lucky enough not to be under the thumb of the Redmond monopoly this will mean either a ramp-up in hardware costs across the board or (less likely) hardware vendors selling two streams of hardware: one “Vista Certified” and costing more, and another which isn’t and costs less (possibly older hardware predating these crazy requirements).


An Amusing Collection of Quotes

From Shelley about IE7:

Writing Learning JavaScript and now Adding Ajax, as well as creating web page applications such as my photo popup has led me to an epiphany: Microsoft really doesn’t want us to use IE. No, I’m not being facetious–the company would probably prefer that people move to another browser.

(Those looking for an alternative might want to try Firefox)

Shelley also mentions how she has to test with IE6 now, using a Virtual PC image:

According to the IE weblog, this VPC image will only function until April 1st, 2007, but I think the April Fool’s joke is getting people to reserve both memory and disc space–as well as having to go through Microsoft’s validation process–just to test against a browser. What happens after April, then? Are all the Windows 2000 installations going away? There will be no need to test for IE6?

But there seems to be a problem with those images. As Paul Morriss found out, Microsoft’s own validation treats them as dodgy knock-offs, even though they came from Microsoft in the first place:

Just for fun I then decided to upgrade IE on the Virtual PC to IE7. When it got to verifying whether the copy of Windows on the Virtual PC was genuine it concluded it wasn’t.

He has a screenshot as proof.

Then, as a final funny thought, this worked example from Sterling W. “Chip” Camden, derived from Shelley’s theory that “Every spec should be written like it was going to be read by VB developers.”:

See Dick and Jane play tag.
See Dick forget his namespace prefix.
See Jane throw an exception.
Run, Dick, run!

🙂

Microsoft Promised to Guarantee BayStars Investment in SCO ?

The thlot pickens! Groklaw has “IBM’s Memo in Support of its Motion for SJ on SCO’s Interference Claims” (SJ is summary judgement I believe), which contains an interesting quote from Lawrence Goldfarb, a BayStar Capital managing partner, about what happened when BayStar invested in SCO after Microsoft introduced them:

“Mr. Emerson and I discussed a variety of investment structures wherein Microsoft would ‘backstop,’ or guarantee in some way, BayStar’s investment…. Microsoft assured me that it would in some way guarantee BayStar’s investment in SCO.”

Apparently Mr Emerson was Microsoft’s “senior VP of corporate development and strategy”, but once BayStar had invested things changed:

“Microsoft stopped returning my phone calls and emails, and to the best of my knowledge, Mr. Emerson was fired from Microsoft.”

Richard P. Emerson is on Microsoft’s 2002 list of directors, but is absent from the 2003 list.

Microsoft Locking Out Third Party Security Software From Vista ?

The BBC has a report that’s meant to be about free security software for Windows (but doesn’t really say anything substantive on that matter) which contains a rather illuminating section on Microsoft’s latest adventure in security:

Laura Yecies of Zone Labs said: “Microsoft is certainly making it more difficult for the independent security vendors right now.

What a surprise! So what are they doing?

“They’re essentially trying to take control of the security user interface functions.

Probably under the guise of “improving” Vista’s security (not that they have a great track record in IT security anyway), but it leads into this rather nice piece of irony:

“Fortunately we have a pretty crack team which is finding new and innovative ways to continue to provide a very important security layer to our users.”

I couldn’t put it any better than the BBC themselves:

So the antivirus people are having to hack Windows so they can get close enough to protect it.

Of course Microsoft themselves would have no vested interest in stopping other peoples security software from working on Vista, would they ?

At the same time as Microsoft starts closing off parts of the operating system to security software vendors, it has also released its own security product known as OneCare. The all in one package is designed to look after your computer and all your data, leaving the whole gamut of security on Microsoft’s shoulders.

Can you say “monopolistic practices”? I knew you could.

Buggy Virus Checker Deletes Windows O/S File

This is almost a case of a program falling for the SULFNBK.EXE hoax.

From ZDNet:

Some Windows 2003 users have been experiencing problems with the operating system after CA antivirus software wrongly detected part of the operating system as malicious software last week.

I could beg to differ about whether detecting Windoze as malicious software is actually wrong.

CA could spin this one of two ways: either the eTrust virus checker signature for Win32/Lassrv.B had an unfortunate bug that caused unwanted side effects, or the virus checker was taking extreme proactive measures to protect the rest of us from Windows systems being used as spam sources and denial-of-service zombie botnets. 🙂

Hollywood to Require 64-bit Intel/AMD Processors for HD DVD and Blu-ray Playback?

From El Reg:

Speaking in Australia this week, Microsoft Senior Program Manager Steve Riley effectively revealed Windows Media Player 11 will not play HD content from HD DVD or BD sources unless it’s running under a 64-bit version of Vista. According to Riley, 32-bit mode is too open to hacks designed to bypass the optical discs’ copy-protection mechanisms.

Given Microsoft’s current track record with security, it remains to be seen how effective this push to use the UnTrusting Computing platform will be.

According to Riley, the decision to drop 32-bit HD DVD and BD playback from WMP 11 was made because “the media companies asked us to do this”. What’s more, he added, “they don’t want any of their HD content to play in [32-bit] at all, because of all of the unsigned malware that runs in kernel mode can get around content protection”.

So presumably anyone other than Microsoft who wants to beg leave to create an official player is going to have to play along with the media companies’ attempts to wrest control of your computer from you.

It also probably means that Apple Mac users will have to buy 64-bit Intel Macs if they want to watch this new content at high quality (as I don’t believe that the PowerPC line of processors supports the lock-in that Hollywood requires).

With Sony and Toshiba supporting BD and HD DVD playback, respectively, on select PCs running 32-bit Windows XP, playing content from pre-recorded discs may not seem to be much of a problem. But it will become more of an issue once content companies begin enforcing region coding and HDCP compliance for full-resolution output. That may require new software for playback, and the updated code could well meet Hollywood’s demand for 64-bit computing.

Given that I don’t run Windows anyway, the whole question is likely to be moot.

Google To Warn About Pages With Malware

The BBC is reporting that Google will try to warn people when search results it returns may contain malware.

Initially the warnings seen via the search site will be generic and simply alert people to the fact that a site has been flagged as dangerous. Eventually the warnings will become more detailed as Stop Badware researchers visit harmful sites and analyse how they try to subvert users’ machines.

I had a play with one example that the BBC quotes:

A research report released in May 2006 looked at the safety of the results returned by a search and found that, on average, 4-6% of the sites had harmful content on them. For some keywords, such as “free screensavers” the number of potentially dangerous sites leapt to 64%.

But I couldn’t get it to warn me – perhaps it’s because Google knows I’m not running Windows ? 🙂

Microsoft, Firefox and Bad (X)HTML

At one point Microsoft stuffed up the redirect that sends real web browsers away from their preview page (to see it now you’ll need to set your browser’s User-Agent to lie and claim it’s IE 6 on XP, to avoid the now-working redirect to the standard MS home page).

I think it’s a device to hide the fact that it’s the usual Microsoft-generated broken markup: the W3C validator spat out 113 errors and 13 info messages, and their CSS doesn’t fare much better!

They’ve got their work cut out for them if they want to avoid a significant regression from the current home page, which has only 2 HTML errors (though still a considerable number of CSS bugs).