04.16.08
Posted in IT, Operating Systems, Windows at 5:11 pm by Tyler Reguly
SANS ISC is reporting that various sources are saying that we may see XP SP3 before the end of the month, with OEMs and MSDN subscribers seeing the release on April 21st and an end-user release date of April 28th.
03.26.08
Posted in IT, Operating Systems, Windows at 8:22 am by Tyler Reguly
Confused? I know I was... but this is actually quite interesting.
OS Version (via systeminfo)
Vista Ultimate Release: 6.0.6000 N/A Build 6000
Vista Ultimate Service Pack 1: 6.0.6001 Service Pack 1 Build 6001
Server 2008 Standard Release: 6.0.6001 Service Pack 1 Build 6001
You can read more about it here.
03.09.08
Posted in IT, Operating Systems, Windows at 3:24 am by Tyler Reguly
So I was browsing Task Manager on my Vista box as Admin (Show all users processes) and I noticed wininit.exe. This file has that "virus ring" to it, so I decided to check it out. I'm positive my system hasn't been infected with anything, but there's never harm in checking. I did some searching and the first two results on Google are:
Interesting... I don't know how this got here, but let's kill it. Click on wininit.exe, click end process, blue screen. That's right... blue screen. Apparently wininit.exe is a crucial system file in Vista and shouldn't be killed by anyone, yet the administrator can kill it and easily blue screen the system. This probably shouldn't happen, and it's most likely something Microsoft should consider looking into... no user should be able to end task a single process and blue screen the system... not even the Administrator... I'd probably label this as a vulnerability, but I'm sure Microsoft sees it as a stability issue. This would be similar to lsass.exe on Windows XP with the nice pop-up that says, 'This is a critical system process... Task Manager cannot terminate this process' (or something similar).
So end result:
Running Vista:
WinInit.exe is a system-critical process, even though some malware scanners identify it as a bad apple. This file should exist in C:\Windows\system32 (or, more accurately, %windir%\system32).
Details (Windows Vista Home Premium) as of Today:
File Description: Windows Start-Up Application
File Version: 6.0.6000.16386
MD5: D4385B03E8CCCEE6F0EE249F827C1F3E
Pre-Vista Windows:
Trust your AntiMalware Software.
Anyone with other versions of Windows... see if your wininit.exe is the same (I'm assuming they all are, but if it's different... please post the version of Vista and the MD5 hash). Thanks.
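For anyone who wants to do the "is this the real wininit.exe?" check more rigorously than eyeballing Task Manager, here is an added example (not part of the original post) that pulls the image path, version, hashes and signature of every running wininit.exe and then asks the component store to verify the file. It assumes Windows PowerShell 4 or later (for Get-CimInstance and Get-FileHash) in an elevated prompt, so that SYSTEM-owned processes report their image path.

```powershell
# Added example, not from the original post: check whether a running wininit.exe is
# the genuine Windows binary or something that borrowed the name.
# Assumptions: Windows PowerShell 4+ (Get-CimInstance, Get-FileHash), run elevated.

$expectedPath = Join-Path $env:windir 'System32\wininit.exe'

function Test-WinInit {
    $procs = Get-CimInstance Win32_Process -Filter "Name = 'wininit.exe'"
    if (-not $procs) { Write-Warning 'No wininit.exe process found'; return }

    foreach ($p in $procs) {
        $path = $p.ExecutablePath
        if (-not $path) {
            Write-Warning "PID $($p.ProcessId): image path not readable (run elevated)"
            continue
        }

        $sig = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            PID            = $p.ProcessId
            ParentPID      = $p.ParentProcessId          # the genuine one is started by smss.exe
            Path           = $path
            PathIsExpected = ($path -ieq $expectedPath)  # anything outside System32 is suspect
            FileVersion    = (Get-Item $path).VersionInfo.FileVersion
            # A hash only proves identity against a hash you already trust for this exact build;
            # it changes with every servicing update, so an unfamiliar hash is not proof of malware.
            MD5            = (Get-FileHash -Path $path -Algorithm MD5).Hash
            SHA256         = (Get-FileHash -Path $path -Algorithm SHA256).Hash
            # Many OS binaries are catalog-signed rather than embedded-signed, so 'NotSigned'
            # here is not damning by itself; 'HashMismatch' or a non-Microsoft signer is.
            Signature      = $sig.Status
            Signer         = $sig.SignerCertificate.Subject
        }
    }
}

Test-WinInit | Format-List

# Authoritative integrity check against the component store; this also covers
# catalog-signed files that Get-AuthenticodeSignature reports as NotSigned.
& "$env:windir\System32\sfc.exe" /verifyfile=$expectedPath
```

The path check is the one that matters most: a file named wininit.exe sitting anywhere other than %windir%\System32 is exactly the pattern the malware write-ups are warning about, while a copy in the right place with a clean sfc result is just the start-up application the post describes.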
02.22.08
Posted in IT, Operating Systems, Security, Windows at 10:45 am by Tyler Reguly
Today there are a lot of people talking about the release of the Windows Server Protocols and the Windows Communication Protocols. They are a series of specs defining various proprietary Microsoft protocols. There are plenty of them and they are rather in depth. These are being released right on the heels of last week's release of the Microsoft Office file format specs. The release of these is, of course, tied to the EU decision that Microsoft has to be more open to interoperability.
Most people who are talking about the protocol specs so far are security researchers. This plays a major role in the research game for us. I can remember a few MS Tuesdays that were spent with IDA Pro attached to some listening service, trying to figure out how to generate valid data that would traverse the service to a specific breakpoint. In a lot of ways this will make that research quite a bit easier... and this is what most people are talking about.
While researchers are sitting there saying, 'WOW, this is amazing', there are a few things that we need to remember:
The improvements we'll see in open source projects. Projects like Samba, mod_ntlm and others will most likely undergo changes to implement portions of the protocols that were never properly understood, or never properly implemented. Someone did point out, however, that developers on some open source projects who enjoyed reversing the protocols may fade away from the projects, bringing in new developers who 'just want to code'.
Another interesting thing will be the updates to packet analysers and protocol dissectors. I'm sure that we'll see some impressive updates out of Wireshark... but I'm also guessing we'll see the introduction of several small protocol-dependent sniffers. The specs are there, so why not write them?
While security researchers are excited... I'm willing to bet that will stop on the first or second MS Tuesday following this release. Something tells me that this will lead to better fuzzers and more vulnerabilities. This will create a lot of work for those of us in Vulnerability Management, IDS/IPS, etc.
We may also see malware authors looking at various services for new covert channels in which to hide their phone home capabilities... I guess we'll just have to wait and see.
In the end this is really exciting... I will probably spend my entire weekend staring at my new 22" wide-screen monitor reading some of these specs. It'll be interesting to see what the next few months hold.
Does anybody have any thoughts or concerns over these protocols opening up? Any project ideas they are willing to share or propose?
11.07.07
Posted in IT, Operating Systems, Windows at 1:34 am by Tyler Reguly
I decided to install PowerShell for Vista today, specifically because Michael keeps talking about PowerShell Scripting over at Terminal23.net. Now, I have Vista Home Premium (it came with the PC) and I failed to realize that PowerShell won't install on my version of Vista. However, this post is about what happened before the installer even told me I couldn't install it.
When I double clicked the installer, I was greeted by UAC and after pressing continue, I received the following message:
Installer encountered an error: 0x80070422
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
It seems that if you have the 'Windows Update' service disabled, you cannot use the Windows Update Standalone Installer. Now, those XP users out there who dislike 'Automatic Updates' will be accustomed to the concept of disabling the AU service. However, with Vista, Automatic Updates are controlled via the 'Windows Update' service. So, just as I would on XP, I disabled the service when tweaking a couple of weeks ago and, lo and behold, this also disabled the ability to install standalone updates that you download from the website. After looking at the 'Windows Update' service again it makes sense, as part of the description states, "programs will not be able to use the Windows Update Agent (WUA) API."
Now maybe it's just me, but I don't think that installing software or an update should require a running service; this seems like a waste of resources.
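If you want to keep the service disabled as a matter of policy but still install the occasional .msu, the workable compromise is to let it run only for the duration of the install. The script below is an added example, not from the original post or from Microsoft: it records the current state of wuauserv, makes it startable, runs wusa.exe, and restores whatever you had before, whether or not the install succeeded. It assumes an elevated Windows PowerShell 5.1 prompt (the StartType property on Get-Service output needs that), and the .msu path is a placeholder.

```powershell
# Added example, not from the original post: install a standalone .msu when wuauserv
# has been disabled, which is what produces 0x80070422 (ERROR_SERVICE_DISABLED, 1058).
# Assumptions: elevated Windows PowerShell 5.1; the .msu path is a placeholder.

param([string]$MsuPath = 'C:\Temp\update.msu')

function Install-MsuWithWuauserv {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) { throw "Not found: $Path" }

    $svc = Get-Service -Name wuauserv
    $originalStartType = $svc.StartType          # remember the tweak so it can be put back
    $wasRunning = ($svc.Status -eq 'Running')

    try {
        if ($originalStartType -eq 'Disabled') {
            # WUSA goes through the Windows Update Agent API, which needs a startable service
            Set-Service -Name wuauserv -StartupType Manual
        }
        if (-not $wasRunning) { Start-Service -Name wuauserv }

        $wusa = Start-Process -FilePath "$env:windir\System32\wusa.exe" `
                    -ArgumentList "`"$Path`"", '/quiet', '/norestart' -Wait -PassThru
        return $wusa.ExitCode
    }
    finally {
        # restore the state the administrator chose, whether the install worked or not
        if (-not $wasRunning) { Stop-Service -Name wuauserv -Force -ErrorAction SilentlyContinue }
        if ($originalStartType -eq 'Disabled') { Set-Service -Name wuauserv -StartupType Disabled }
    }
}

$code = Install-MsuWithWuauserv -Path $MsuPath
switch ($code) {
    0           { 'Installed' }
    3010        { 'Installed, reboot required' }          # ERROR_SUCCESS_REBOOT_REQUIRED
    2359302     { 'Already installed' }                   # WU_S_ALREADY_INSTALLED (0x240006)
    -2145124329 { 'Not applicable to this system' }       # WU_E_NOT_APPLICABLE (0x80240017)
    1058        { 'Service still disabled (0x80070422)' } # ERROR_SERVICE_DISABLED
    default     { "wusa exit code $code" }
}
```

The try/finally is the important part: if wusa.exe throws or you Ctrl-C the install, the service still goes back to Disabled, so the "tweak" survives the one-off install instead of quietly being undone.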
06.17.07
Posted in IT, Operating Systems, Windows at 4:00 pm by Tyler Reguly
I've had Vista on a laptop for a couple of months now, and a few weeks back I bought a desktop with Vista. So far I've been fairly happy with it... I don't understand a lot of the complaints that people have been making. Well, a few weeks ago I needed to console into a Cisco switch. I've done this just a few times before, so I go about my business as I normally would -- Start -- Programs -- Accessories -- Communications -- Wait a second... No HyperTerminal. So I do some searching online and I find the answer. Vista doesn't ship with HyperTerm anymore. They suggest using the command line telnet for telnet connections, and completely forget about serial communication. So I had to go find a freeware option on the net. The option I found was Poderosa, which supports telnet, SSH, a local Cygwin shell and serial communication.
Now, a week or so later, I wanted to telnet into a pop3 server (I wanted to test credentials) and I don't have netcat on this box yet. So I go to the command prompt and I type telnet. I'm rather surprised by the result:
C:\Users\Tyler>telnet
'telnet' is not recognized as an internal or external command,
operable program or batch file.
I don't get it... The Microsoft help page told me to use command line telnet. I do a bit more searching and find this page. Telnet was removed as a default install option for Vista, you have to go into Programs and Features --> Turn Windows Features on or off and install it. So Vista ships without a single telnet client installed, while previous versions shipped with two and that's it... that's my first beef with Vista.
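For the "telnet to a POP3 server to test credentials" use case, you don't actually need the telnet client or netcat: the .NET socket classes are already on the box. The function below is an added example (not from the original post) that speaks just enough POP3 to send USER/PASS and read the reply. Server, port and account are placeholders. Because plain POP3 puts the password on the wire in the clear, it defaults to POP3S on 995 over TLS; pass -NoTls to talk to port 110 the way telnet would, preferably only on a network you control.

```powershell
# Added example, not from the original post: a raw TCP client that replaces
# "telnet mailserver 110" for checking POP3 credentials. Host/port/account are placeholders.

function Test-Pop3Login {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][pscredential]$Credential,
        [int]$Port = 995,
        [switch]$NoTls
    )

    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = 5000
    $client.Connect($Server, $Port)
    $stream = $client.GetStream()
    if (-not $NoTls) {
        # (innerStream, leaveInnerStreamOpen); AuthenticateAsClient validates the server cert
        $stream = New-Object System.Net.Security.SslStream($stream, $false)
        $stream.AuthenticateAsClient($Server)
    }
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine   = "`r`n"                   # POP3 lines end in CRLF
    $writer.AutoFlush = $true

    try {
        $banner = $reader.ReadLine()             # e.g. "+OK POP3 server ready"
        if ($banner -notlike '+OK*') { throw "Unexpected banner: $banner" }

        $writer.WriteLine("USER $($Credential.UserName)")
        $userReply = $reader.ReadLine()
        $writer.WriteLine("PASS $($Credential.GetNetworkCredential().Password)")
        $passReply = $reader.ReadLine()
        $writer.WriteLine('QUIT')

        [pscustomobject]@{
            Server    = "${Server}:$Port"
            Banner    = $banner
            Tls       = -not $NoTls
            UserReply = $userReply
            LoginOk   = ($passReply -like '+OK*')  # "-ERR ..." means the credentials were rejected
            PassReply = $passReply
        }
    }
    finally {
        $client.Close()
    }
}

# Usage: Get-Credential prompts for the password instead of leaving it in command history.
# Test-Pop3Login -Server mail.example.com -Credential (Get-Credential user@example.com)
# Test-Pop3Login -Server mail.example.com -Port 110 -NoTls -Credential (Get-Credential)
```

If you do want the real telnet client back, dism /online /Enable-Feature /FeatureName:TelnetClient from an elevated prompt installs it on Windows 7 and later without clicking through Programs and Features.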
06.16.07
Posted in IT, Operating Systems, Security, Windows at 10:27 pm by Tyler Reguly
It's fairly well known that I'm quite the Microsoft advocate... right now they still produce the superior product. However, that's not what I want to discuss... I want to discuss this blog post that keeps appearing on the SecuriTeam RSS feed as new (various little things are updated in it), that other websites have picked up as well. It discusses "cracking" Windows with the DVD.
Now I think there's a language issue here, as I in no way, shape or form consider this cracking or anything remotely close to cracking; nor would I use the word cracking to describe the process occurring with third party software. What bothers me is that anyone, anywhere, with even a shred of technical background would attempt to make a big deal about this. We're talking FUD and nothing but FUD.
So what is this FUD exactly? Well, when you boot with the Vista DVD and use the System Recovery feature, you can get a high-privilege command prompt. Why is this FUD? Well, Mr. Rousku, the discoverer of this "crack", states, "This is the first time when cracking Windows operating systems is really easy and needs no deeper technical knowledge." I'm confused here... downloading Knoppix requires no technical knowledge. I suppose you could make the argument that you have to navigate Linux but it's a GUI... I'd say the Windows Command Prompt is more difficult to navigate than a Linux window manager. What about a BartPE disk or ERD Commander? Both of these give you nice, easy to use GUIs, again easier than a clunky command prompt.
The defense against this is to change your boot order (removing your optical disk) and set a BIOS password. Home users don't need to take this action... why would they, generally home users share a single account so there's no need to worry about this. This applies to business, and in most businesses you should already have secured your computers against the possibility of boot disks. If you haven't then you were already at risk to the software I listed above.
I also don't see how this is different than Linux and lilo's 'init 1' or grub's 'single', a process that is still documented in the Red Hat Enterprise Linux 4 manual.
Solaris, AIX, and HP-UX also have methods of booting a single user mode. So why did Mr. Rousku beat up on Microsoft? Did he want to see his name in the paper? A better question is why does SecuriTeam, a group of experienced security researchers, continually push this as a security issue... updating and maintaining the post so that it continually reappears in their RSS feed. This is nothing more than unfairly attacking Microsoft and spreading FUD.
06.03.07
Posted in IT, Operating Systems, Windows at 11:50 pm by Tyler Reguly
I must say I was a little confused today when I clicked on help in Hex Workshop and the help window I was used to in XP popped up (I bought a new computer last week, running Vista); however, instead of displaying the help file, I received a message that WinHlp32.exe isn't supported in Vista. There was even a link to a KB article.
It seems that WinHlp32.exe is a program designed to assist with only 32-bit help files (.hlp). 16-bit help files are handled by WinHelp.exe. For some odd reason, this still exists in Vista. Microsoft claims that their reason for removing WinHlp32.exe is:
"The Windows Help program has not had a major update for many releases and no longer meets Microsoft standards. Therefore, starting with the Windows Vista operating system release, the Windows Help program will not ship as a component of the Windows operating system. Also, third-party programs that include .hlp files are prohibited from redistributing the Windows Help program together with their products"
Now this can't help but make me curious... WinHlp32.exe no longer meets standards but somehow WinHelp.exe does? I somehow doubt that they are still maintaining WinHelp.exe. Anyone with a 95, 98 or 2K system up and running, I'd love to know the version of WinHelp.exe. On Vista it is version '3.10.0.425'. I also find it odd that they are prohibiting third parties from distributing the Windows Help program and are instead suggesting they move to .chm, .html and .xml file formats.
The fact that they are prohibiting it makes me think there's a glaring vulnerability that they aren't overly eager to patch... At the same time though, Microsoft is offering the file for download to Vista users. This update downloads a .msu (Windows Update Standalone Installer) which installs a single update (not available through Microsoft Update) - Update for Windows (KB917607). As soon as the installation was complete, the Hex Workshop help file opened without problem. If it's really that easy, considering how much was included in Vista... could one last file not be included?
I'm curious to see what will happen as new .hlp vulnerabilities come to light. Will my copy of WinHlp32.exe that I've installed on Vista receive security patches now? Anyway... I find it very odd that this file wasn't included and that third parties can't redistribute it.
05.06.07
Posted in IT, Operating Systems, Windows at 3:39 pm by Tyler Reguly
I always love learning something fairly basic that, in the long run, will make my day run more smoothly. Even better than that is learning it by mistake. That's what happened to me today. I managed to accidentally hit F7 and up popped a history in my command prompt. Every command I had typed in was laid out nice and neatly for me. (Yes... all those commands are legit... the first thing I do with a Windows box is install the unixutils package.) Anyway, you can scroll up and down and then press Enter to re-execute a command. I tried this on XP (both Home and Professional) but not on other versions of Windows. It's probably existed for quite some time and it's probably common knowledge... but it's something I just picked up.

02.26.07
Posted in IT, Operating Systems, Windows at 9:42 pm by Tyler Reguly
Just a short post here... The guys over at ieXwiki are maintaining a Vista RTM Software Compatibility List. It contains three categories... Works, Small Problems (workarounds usually fix these ones) and Heavy Problems (incompatible). The list is fairly in depth with plenty listed. So if you're wondering about any of your software, feel free to check this out.