Tag Archives: Microsoft

ATI Driver Flaw Exposes Vista Kernel to Attack

Security researchers have discovered a flaw with an ATI driver that allows unsigned and potentially dangerous code to be installed and loaded into the Vista kernel.

In order to increase security and to protect against attack, Microsoft have introduced a new driver signing requirement in Vista. By requiring that drivers are signed, Microsoft hoped that this would ensure that only drivers which were verified as being clean and compatible with Vista could be installed.

ATI duly had their drivers signed by VeriSign so that they could be installed on a Windows Vista system. Unfortunately, there was a flaw in one of the drivers. Apparently the flaw was originally intended as a shortcut in the driver that allowed ATI developers to load modules into the driver for testing. When the driver was released, either no-one thought to remove the shortcut or ATI forgot about it.

In order to close the hole, ATI will have to patch the flaw in their driver, have it signed with a new certificate, roll out the update via Windows Update, then have the original signing authority revoke the original certificate. It’s not a straightforward process and it’s by no means foolproof either.
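A signature only tells you who vouched for a driver, not that the driver is free of flaws like the one above, but an unsigned kernel driver on a machine that is supposed to enforce signing is still worth knowing about. The following PowerShell is an added example, not part of the original post or anything from ATI or Microsoft; it assumes that `driverquery /si /fo csv` emits the columns DeviceName, InfName, IsSigned and Manufacturer.

```powershell
# Added example (not from the original post): list the drivers that
# driverquery /si reports as unsigned. Assumption: the /si CSV output has
# the columns DeviceName, InfName, IsSigned and Manufacturer.
function Get-UnsignedDriver {
    $rows = driverquery /si /fo csv | ConvertFrom-Csv
    $rows |
        Where-Object { $_.IsSigned -ne 'TRUE' } |
        Select-Object DeviceName, InfName, Manufacturer
}

# Prints the unsigned drivers, one per row; an empty table means none were reported.
Get-UnsignedDriver | Format-Table -AutoSize
```

Run it from an elevated prompt. A driver that shows up here on a 64-bit Vista system is either running under test-signing mode or has been loaded through a hole like the one described above, and either case deserves a closer look.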

STOP 0x0000007E on Booting Windows XP

For the past couple of weeks I’ve been experiencing intermittent boot problems with my desktop machine running Windows XP. As anyone who has ever worked in tech support will tell you, these are the type of problems that give tech support agents nightmares. Though when I say intermittent, the error would appear on every second boot. Restarting the system would resolve the problem.

I tried searching Google and the Microsoft Knowledge Base for answers, but not one of the pages I found seemed to deal with my particular problem. Given that the problem would resolve itself after a hard restart I began to think that it might be a hardware problem – this kind of symptom might be related to a component which wasn’t initialising correctly, and was causing the OS to blue-screen. By the time I restarted the system, it had “warmed up”, and that’s why it was only on every second boot that I was seeing the problem.

This particular machine is only a couple of months old, and as you can imagine I wasn’t too happy that it was beginning to fail on me, especially as I store all my important data on it.

But more in hope than expectation I decided to ignore the possibility of a hardware issue, and troubleshoot the software side. From experience I’ve found that more often than not when Windows blue-screens it’s driver related, and even more often than not the driver responsible is the video driver.

My PC has an nVidia Geforce 7500 card, so I updated the drivers to the latest ForceWare driver version 94.24. A quick restart, and the problem was solved.

While my problem is resolved, I don’t know what caused it in the first place. I haven’t installed or changed anything on the machine in a while, except for the usual Microsoft Updates. The only thing that I can think of is that an update from Microsoft didn’t like the video driver on my computer, and that there was a timing issue with the initialisation of the driver. That’s not a definitive answer, but I think it’s a fairly decent guess.

Online Lectures

Microsoft are due to sign a deal with the organisation representing all the Irish 3rd Level institutions to stream lectures online or to record them and provide online access. The agreement with CHEST will see Microsoft working with the universities to implement the technology to improve teaching methods, and to introduce technology when and where requested.

Microsoft’s education and business manager stated that they would be working to allow access at any time, at any place and on any device. Based on Microsoft’s previous strategies, it seems likely that any technologies introduced will be proprietary and Windows only, leaving students using other OSes out in the cold. Though only time will tell.

Another Way to Subvert Windows

Symantec have released details of another possible way to subvert Windows, more specifically through the Background Intelligent Transfer Service (BITS).

BITS is used by Windows Update to automatically download updates in the background and by Microsoft Messenger to transfer files. The fault lies in the fact that BITS bypasses any installed firewalls, and does not require any suspicious actions to start the download. By using BITS, an attacker could automatically download whatever they wanted to your computer, including password or credit card logging software and remote access control software; the possibilities are endless.

While there are no major infections using this method, it is just a matter of time before one does come along. Hopefully, Microsoft will have addressed the issue before that happens.
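Because BITS jobs survive reboots and are queued by the service rather than by a visible process, the place to look for abuse is the job queue itself. The script below is an added example, not part of the original post or of Symantec's advisory; it assumes the BitsTransfer PowerShell module (shipped with PowerShell 2.0 on Windows 7 and later) and a constructed allow-list of update hosts that you would extend for your own environment.

```powershell
# Added example (not from the original post): enumerate every BITS job on the
# machine and flag download jobs whose source host is not an expected update host.
# Assumes the BitsTransfer module; -AllUsers needs an elevated prompt.
Import-Module BitsTransfer

# Constructed allow-list for illustration; add your WSUS or other internal hosts.
$AllowedHosts = @('download.windowsupdate.com', 'update.microsoft.com')

function Get-SuspiciousBitsJob {
    Get-BitsTransfer -AllUsers | ForEach-Object {
        $job = $_
        foreach ($file in $job.FileList) {
            $sourceHost = ([uri]$file.RemoteName).Host
            # Only downloads can plant a file on the box; uploads are reported separately if needed.
            if ($job.TransferType -eq 'Download' -and $AllowedHosts -notcontains $sourceHost) {
                [pscustomobject]@{
                    JobId   = $job.JobId
                    Owner   = $job.OwnerAccount
                    State   = $job.JobState
                    Created = $job.CreationTime
                    Source  = $file.RemoteName
                    Target  = $file.LocalName
                }
            }
        }
    }
}

Get-SuspiciousBitsJob | Format-Table -AutoSize
```

The owner account and the local target path are the two fields that usually settle the question: a job owned by a user account that drops an executable somewhere writable by that user is a very different thing from a SYSTEM-owned job writing into the Windows Update download cache.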

When Windows File Associations Go Awry

You’re sitting in front of your computer and you’re bored. You’ve been to all your favourite websites, you’ve done the online crossword and a couple of games of Sudoku but you still have time to waste, so you decide to mess around with Windows for a while. You’re clicking buttons, opening dialog boxes and just generally trying to educate yourself on the finer points of the operating system.

Then you remember that you’re actually supposed to be responding to an urgent email you received about 6 hours ago. You try to open the mail, and instead of launching your email client it opens in your text editor instead. The email is no longer readable and is just gibberish. At the back of your mind, you have a hazy memory of doing something with an email saved on your desktop. You can’t remember exactly what you did, but you know it was one of those “A-ha, that’s funny” moments. For the life of you, though, you can’t remember what exactly you did.

Chances are that you’ve changed the program associated with the file extension for your email. Unlike the various flavours of Linux and Unix, Windows uses file extensions to decide what type of file it is dealing with. A file ending in .exe is an executable, ending in .txt and it’s a text file, ending in .doc and it’s a Word document, and so on. You can if you wish change these associations, and if you do this inadvertently you will probably end up with problems.

To change the association, you first of all need to locate one of the files showing the problem.

  • Then hold down the shift key and right click on the file. On the context menu, you should see an “Open with…” sub-menu.
  • On this sub-menu you’ll see a “Choose Program” option.
  • Click on this and you’ll be presented with a dialog box displaying a list of programs that you can use to open the file.
  • Select the correct program from the list. If you cannot find your program listed, then click the “Browse” button to locate the program file.
  • Directly under the list of programs is an “Always use the selected program to open this kind of file” tick box. Place a tick in the box and click “OK”.

Now any file with the same extension as the file you right clicked on will open in this new program.
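When an extension opens in the wrong program it helps to see exactly what Windows has recorded for it before clicking through the dialog again. The function below is an added example, not part of the original post; it reads the machine-wide ProgID and open command from HKEY_CLASSES_ROOT and the per-user override that the “Open with” dialog writes. The override locations are assumptions: Vista and later keep a ProgId under a UserChoice subkey, while XP stores the executable name in an Application value, so the function reads both and reports whichever is present.

```powershell
# Added example (not from the original post): show what an extension resolves to.
# Assumptions: HKCR\<ext> holds the ProgID, HKCR\<ProgID>\shell\open\command holds the
# launch command, and the per-user "Open with" override lives under
# HKCU\...\Explorer\FileExts\<ext> (UserChoice\ProgId on Vista+, Application on XP).
function Get-FileAssociation {
    param([Parameter(Mandatory)][string]$Extension)   # e.g. '.eml'

    $progId = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$Extension" `
                                -ErrorAction SilentlyContinue).'(default)'
    $command = $null
    if ($progId) {
        $command = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" `
                                     -ErrorAction SilentlyContinue).'(default)'
    }

    $userKey    = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$Extension"
    $userChoice = (Get-ItemProperty -Path "$userKey\UserChoice" -ErrorAction SilentlyContinue).ProgId
    $userApp    = (Get-ItemProperty -Path $userKey -ErrorAction SilentlyContinue).Application

    [pscustomobject]@{
        Extension    = $Extension
        SystemProgId = $progId
        OpenCommand  = $command
        UserProgId   = $userChoice    # Vista and later
        UserApp      = $userApp       # XP
    }
}

Get-FileAssociation -Extension '.eml'
```

If UserProgId or UserApp is set, that per-user choice is what Explorer honours, which is why the “Open with” steps above fix the problem even though the machine-wide association in HKEY_CLASSES_ROOT never changed.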

Program Names Matter on Windows Vista

One of the selling points of Windows Vista is its increased security. User Account Control (UAC) is designed to ensure that unknown programs aren’t launched without the user’s express permission. The idea is sound, but the actual implementation may be off.

The Register reports that the name of the program has a major bearing on whether or not UAC asks the user to authenticate the installation. If the program is named “install.exe” for example, then Vista will require that the program have admin rights and UAC will prompt the user to cancel or allow installation. However, if the program name does not contain any references to “install”, “update” or “uninstall” then Vista will happily let it run without user intervention, even though it is the exact same program.

Microsoft responded that Vista was designed to automatically detect install, update and uninstall programs. As these types of programs generally need to write to protected areas of the registry and system files, Vista would prompt for admin rights to be assigned to the program.

While Vista may have been designed to detect these types of programs, it seems that all it is doing is checking the program name, otherwise renaming the program would not allow it to run without UAC prompting the user. While this type of behaviour may offer a modicum of protection, it can be sidestepped by using an innocuous file name. The big question now is how long it will take for malware authors to use this to bypass UAC and get their programs on to a Vista machine?
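The name heuristic is a policy setting rather than a fixed behaviour, and a program that wants an elevation prompt regardless of its file name declares it in an embedded manifest. The script below is an added example, not part of the article or of anything from Microsoft or The Register; it reads the UAC policy values from the Vista-era policy key (value names assumed: EnableLUA, EnableInstallerDetection, ConsentPromptBehaviorAdmin, ConsentPromptBehaviorUser, PromptOnSecureDesktop) and scans an executable for its manifest's requestedExecutionLevel with a plain text match, which is a heuristic rather than a resource parser.

```powershell
# Added example (not from the article): report the UAC policy values that govern
# elevation prompting, and read the execution level an executable asks for itself.
# Assumption: the value names below exist under the Policies\System key on Vista and later.
function Get-UacPolicy {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA                  # 1 = UAC on
        EnableInstallerDetection   = $p.EnableInstallerDetection   # 1 = the name-based installer heuristic is active
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        ConsentPromptBehaviorUser  = $p.ConsentPromptBehaviorUser
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
    }
}

function Get-RequestedExecutionLevel {
    param([Parameter(Mandatory)][string]$Path)
    # Heuristic: an embedded manifest is plain XML inside the PE, so a text scan finds
    # it without walking the resource table. Returns $null when no manifest is present.
    $text = [System.IO.File]::ReadAllText($Path)
    if ($text -match 'requestedExecutionLevel[^>]*level=["'']([^"'']+)') {
        return $Matches[1]   # asInvoker, highestAvailable or requireAdministrator
    }
    return $null
}

Get-UacPolicy
Get-RequestedExecutionLevel -Path "$env:SystemRoot\System32\cmd.exe"
```

A binary with no manifest is the case the name heuristic exists for; one that declares asInvoker has told Windows not to elevate it, and renaming it changes nothing. When auditing software for deployment, a missing manifest on an installer is the finding to raise, since it leaves the prompt decision to the file name.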