Recently in Security Category

Avoiding the WPAD Exploit


CRN (among others) have posted word about an exploit in Windows -- including Vista! -- that uses the Windows Proxy Auto-Discovery (WPAD) function.  This is one of those features that most people never use anyway and which should be disabled by default, so you're probably better off turning it off completely as a pre-emptive measure.  See the 2nd link for instructions on how to do this; the whole thing takes maybe 30 seconds.

Microsoft gadfly Joanna Rutkowska is at it again.  She's reported what she believes to be a security hole in Vista's UAC -- the fact that application installers automatically run with elevated privileges, and cannot be run in a reduced-user context.  This prompted a reply by none other than Mark Russinovich (now with Microsoft officially), who pointed out that there is indeed a weakness -- however subtle -- in UAC that allows for a possible, but difficult-to-execute, exploitation.  Rutkowska, however, isn't amused, and considers the fact that installers run as admin to be defective by design.

In theory, this means that someone could deliver a trojan to you branded as a benign application and trick you into installing it -- something that was possible in XP as well, and which UAC hasn't made any more difficult in Vista.  My question is, is this the sort of attack that UAC should try to protect people from?  I'm not sure it is, since detecting and blocking trojans is more properly the province of an antispyware or antivirus application.

I would like to see the option to run an installer without privilege elevation, but for me it's not a deal-breaker.  Also, at this point, there's really no mechanism to allow an installer to tell the OS that it doesn't need to run as admin, but perhaps this will spur Microsoft to build in such functionality later on.  "Why should a Tetris installer be allowed to load kernel drivers?" Rutkowska points out, and in that respect I'm in agreement.  I just don't think this means UAC is worthless / owned / compromised / etc.

Today I had my first experience with why Vista's User Account Control (UAC) feature is a good thing to leave on, even if you do get the occasional (and I do mean occasional) false alarm with it.

When I sat down today to get to work, I noticed that a UAC prompt wanted my attention so that it could deal with a program called exec.exe.  Since I associated that name with a trojan that I obviously didn't want running, I hit Cancel.  Then it came up again, and again, and I decided I was dealing with something fairly serious.

The program was trying to run from my user profile's temp folder -- even in Vista it's still a dumping ground of digital clutter; be sure to clean it out -- where I could find no evidence of the file.  I started thinking horrors like "rootkit" and "bleeding-edge zero-day Vista attack" until I searched a little more to see if anyone else running Vista had run into this issue.  Someone else had, and as it turned out, it seemed to be related to AOL Instant Messenger.

Then I remembered something else: Whenever you install AOL, you also get an annoying freebie added on with it, the Viewpoint Media Player.  This thing has caused me enough trouble in the past, so every time I've added AIM to a system I've been sure to uninstall it.  However, it had slipped my mind this time -- it was still running.  I snapped open Programs and Features (the new Add/Remove Programs window in Control Panel); there it was.  Thankfully it's not something that takes a lot of work to uninstall.

I haven't been pestered with another UAC warning about exec.exe since this happened.

This, then, is probably why I want to leave UAC turned on: it's an early-warning system that can give you a fair amount of information that you can use before something bad happens, not after it's already struck.  If that means putting up with having to OK a prompt before I can run RegEdit, frankly, I'll live with it.  (It's also a sign that AOL may need to rethink how they implement AIM in Vista to keep UAC from freaking out.)

There is an interesting article over at PC World about a group that may be responsible for the vast majority of phishing scams currently in the wild, or at least responsible for making it easier for third parties to devise and execute such scams.

Security experts guess that Rock Phish is run by an extremely small group of technically savvy criminals--probably about a dozen hackers--who set up the phishing Web sites, manage the domain name registration, and ensure that the stolen financial information is funneled into a central server, which researchers call the "Mother Ship."

This group then sells the credit card and banking information in Internet-based chat rooms to a much wider range of money launderers who actually extract money from these accounts, according to researchers who asked not to be identified.

Even ten years ago, this would have sounded like the plot of a Michael Crichton novel.  Twenty years ago, it would have been a John Brunner or William Gibson tale.  But it's reality; we're living with it right now, and dealing with its troubling consequences.

Scary, innit?

Phun with Phish


DSLReports.com has a feature that I've found endlessly useful for live tests of anti-phishing tools: the Phish Tracker.  This is a list of known phishing sites, contributed to by DSLReports.com users, along with information about their activity and any other additional information that might prove useful.  Links to the phishing sites themselves are live, so use them with caution!