Security researchers have discovered one of the most subtle and sophisticated examples of Windows rootkit software known to date.

The AutoRun-NOX worm extends the standard VXer trick of using software vulnerabilities to infect systems, by including functionality that allows the worm to exploit Windows security bugs to hook into parts of the Windows system that operate below the radar of anti-virus packages.

"Most malware with rootkit functionality will tamper with the Windows kernel and attempt to execute code in kernel mode," net security firm F-Secure reports. "Typically, a special driver is used to do this... AutoRun.nox is different — it uses a vulnerability to do the job. For malware, it's rather unique to see such a technique being used."

The worm uses a long-standing Windows vulnerability, patched by Microsoft in April 2007, involving a GDI privilege elevation flaw. If the attack using the vulnerability fails, the worm falls back to plan B - using the more common (but less elegant) driver method.

A blog posting by F-secure containing screenshots and a detailed technical run-down of the worm's modus operandi can be found here.

Source: TheRegister

Ubuntu today became the latest Linux vendor to patch a vulnerability in the open source operating system's kernel that could have left the door open for hackers to find their way into users' machines.

In an email sent overnight, the Linux vendor warned users to update all machines running recent versions of Ubuntu, ranging from 6.06, which was released back in mid-2006, to version 8.04, which came out earlier this year. The problem also applied to other versions of Ubuntu such as Kubuntu, Edubuntu and Xubuntu.

"It was discovered that there were multiple NULL-pointed function de-references in the Linux kernel terminal handling code," wrote Ubuntu administrators in the email. "A local attacker could exploit this to execute arbitrary code as root, or crash the system, leading to a denial of service."

The email also detailed a number of other bugs which could be exploited by an attacker who already had some level of access to a computer running Ubuntu.

A number of other Linux vendors including Novell have recently released similar patches to address the problems.

Source: ZDNet Australia

Symantec's comprehensive security report on the malware industry from July 1 to December 31, 2007, is now available (PDF) in its 100+ page glory. While some parts of the report simply reiterate data we're well aware of - it's no surprise to read that the majority of malicious activity originates in the US - there's also a great deal of new information here that we'll examine below.

OS/software vulnerabilities

Symantec broke down information on patch development time by operating system and by the type of vulnerability encountered. Surprisingly, Microsoft had the shortest time-to-patch over both halves of 2007. In the first part of the year, Microsoft released 38 patches (two of which involved third-party applications) with an average deployment time of 18 days. From July to December, Microsoft released 22 patches with an average patch time of six days.

Source: Ars Technica

Apple's teasing commercials that imply its software is safer than Microsoft's may not quite match the facts, according to new research revealed at the Black Hat conference on Thursday.

Researchers from the Swiss Federal Institute of Technology looked at how many times over the past six years the two vendors were able to have a patch available on the day a vulnerability became publicly known, which they call the 0-day patch rate.

They analyzed 658 vulnerabilities affecting Microsoft products and 738 affecting Apple. They looked at only high- and medium-risk bugs, according to the classification used by the National Vulnerability Database, said Stefan Frei, one of the researchers involved in the study.

What they found is that, contrary to popular belief that Apple makes more secure products, Apple lags behind in patching.

"Apple was below 20 [unpatched vulnerabilities at disclosure] consistently before 2005," Frei said. "Since then, they are very often above. So if you have Apple and compare it to Microsoft, the number of unpatched vulnerabilities are higher at Apple."

Source: Yahoo News

Kevin Remde: The product team decided to give you TechNet and MSDN subscribers a little Valentine's Day gift by making SP1 available for download.

Go to the http://technet.microsoft.com/subscriptions/default.aspx page. Notice the "Top Subscriber Downloads" section.



You can also go here to get it -

• For TechNet Subscribers
• For MSDN Subscribers

And if you're a subscriber, it will require you to log-in with the Windows Live ID you associated your subscription with.

If you're NOT a TechNet Subscriber, I can save you $100 if you're interested.

Link: Kevin Remde's IT Pro WebLog
Source: WinBeta

It looks like Microsoft has posted the final Vista SP1 bits to their OEM site which is accessible to anyone that registers. The file is a 1.13GB .img which combines the 32-bit and 64-bit update executables into one image:

Windows Vista Service Pack 1 (SP1) is now available for download. Windows Vista SP1 will deliver improvements and enhancements to existing features that significantly impact customers, but it does not deliver substantial new operating system features.

Download Windows Vista SP1 here. The download contains Window Vista SP1 for five languages: English, French, German, Japanese, and Spanish. Note Additional languages will be available soon.

Once you download the Windows Vista SP1 package, you will need to extract the appropriate .exe file for the language you wish to install.

Download: Windows Vista SP1 Update Image (32-Bit & 64-Bit)
Source: WinBeta.org

Windows Vista SP1 will be released as an update on Microsoft Update (MU). The patch is very large and there is a bug in Windows Server 2003 in the WinVerifyTrust API that will cause signing validation to fail. What this means is that once you approve this update on a System Center Essentials 2007 server on a Windows Server 2003 server, every time the server sync’s from MU it will redownload the package, fail the cert validation, and so the download will fail.

The problem will continue until you install the WinVerifyTrust patch on the System Center Essentials server. This patch is a hotfix (not a public GDR), so is not intended to be widely distributed. We recommend it only be installed on the System Center Essentials server itself.

You can obtain this hotfix here:
Windows Server Update Services cannot download large Windows update files in Windows Server 2003
http://support.microsoft.com/kb/888303/en-us

Source: System Center Essentials Team Blog