Hackers target Microsoft Windows XP support system

Hello All!

People might find this interesting

Hackers target Microsoft Windows XP support system
Thursday, 1 July 2010 10:17 UK

The bug affects well-established Windows XP operating system .
Hi-tech criminals are "escalating" attacks on an unpatched bug in the 
Windows XP help and support system.

http://news.bbc.co.uk/2/hi/technology/10473495.stm


-- 


James Silverton
Potomac, Maryland

Email, with obvious alterations:
not.jim.silverton.at.verizon.not 

0
James
7/1/2010 9:14:21 PM
windowsxp.help_and_support 1192 articles. 0 followers. Follow

1 Replies
1031 Views

Similar Articles

[PageSpeed] 19

James Silverton wrote:

> Hello All!
> 
> People might find this interesting
> 
> Hackers target Microsoft Windows XP support system
> Thursday, 1 July 2010 10:17 UK
> 
> The bug affects well-established Windows XP operating system .
> Hi-tech criminals are "escalating" attacks on an unpatched bug in the 
> Windows XP help and support system.
> 
> http://news.bbc.co.uk/2/hi/technology/10473495.stm

That article is so vague as to be worthless.  It never mentions any
technical articles that actually describe the vulnerability.  It doesn't
even bother to provide a link to the Fix-It page.  As such, it smacks of
sensationalism to scare their readers.  It's not even a "news" article.
It's some joker's blog who doesn't even bother to identify themself.

http://www.microsoft.com/technet/security/advisory/2219475.mspx
http://support.microsoft.com/kb/2219475

The solution is a really old one: don't web browse while logged on as an
admin-level user.  Either logon under a limited account when web surfing
or run your web browser under a LUA (limited user account) token to
reduce its privileges.  Windows XP already provides SRPs (software
restriction policies) that will let you run a program under a "Basic"
(LUA) account; however, you need to perform a registry hack to get Basic
listed as a policy mode (by default, it only lists Allowed and Blocked).

Security experts usually recommend that users log into a limited user
account (LUA) to more securely surf the web.  When logged under a LUA,
privileges are reduced on the web browser will severely curtails the
damage that malware can perform when the web browser is the infection
vector into your computer.  Under a limited account, the user cannot
install software.  This all sounds nice except that users often need the
privileges of an admin-level account to run their applications, plus
they cannot install updates to Windows when using the web browser to
visit the Windows Update site (after all, the web browser has limited
privileges so it can't install anything).  So how does the user that
wants to log under an admin-level account make sure their web browser is
running under limited privileges to afford the extra security that it
offers but also occasionally run the web browser with unrestricted
privileges so they can perform software installs when they so choose?
Some choices are shown below.  The last one involving Software
Restriction Policies (SRPs) uses the power to exercise access control
within Windows itself and doesn't require the installation of any
additional security software (or can be used to augment security
software that doesn't provide the option of running the web browser
under a LUA token).

You could use the 'runas' command to specify that the web browser runs
on another account which is a limited account.  That's a pain in the
ass.  Everytime you use 'runas' (interactively or with a shortcut), you
will get prompted for the password of that limited account.  This won't
work if that limited account has no password (it is blank) or you have
no limited accounts (i.e., they're all admin accounts).

Windows XP, and later, has its Fast User Switching (FUS) feature which
lets you stay logged in under your current account while simultaneously
logging under another account.  So you could log under your limited
account to do most of your everyday tasks there including your casual
web browsing.  When you need admin-level privileges on your programs,
use FUS to login and switch to your admin-level account and run your web
browser and installs over there.  Window Vista's UAC (User Access
Control) eliminates having to do this switching back and forth between
limited and admin accounts; however, many users disable UAC soon after
getting acquainted with Vista because they consider it a nuisance.
Using FUS to switch between limited and admin accounts (which can remain
logged in) might be more comfortable for these users.

There are utilities that will load a program under a LUA token.  The
process gets the same privileges as the token.  Since the LUA token has
reduced privileges so does the process loaded under a LUA token, and so
are all child processes of that parent LUA-tokened process forced to run
under reduced privileges.  An old utility that allowed you to run a
program under a LUA token was DropMyRights.  An alternative is
SysInternals' psexec utility (with its -l command-line parameter).  The
problem with this method is that only the program started by
DropMyRights or psexec would have its privileges reduced by running
under an LUA token.  It does not handle when the program is started as a
child process of another program, like when you click on a URL in a
message in your e-mail client that loads the web browser.  The shortcut
that runs DropMyRights or psexec to run the web browser under an LUA
token has no effect when the web browser is started by some other
program.  You can define shortcuts that use DropMyRights or psexec to
reduce privileges on the program that they load but you can still have
instances of that program started that will run with unrestricted
privileges (i.e., they get the same privileges as the program that
loaded them which probably will be the privileges of your admin-level
account that you logged into).

There are security programs that let you run a program under reduced
privileges.  For example, there is Tall Emu's Online Armor (firewall
with HIPS [Host Intrusion Protection System] which has rules to govern
what applications can load and/or obtain network connections).  It has
the Run Safer option which will ensure that the program always gets
loaded under a LUA token no matter who or what started that program.  So
whether you clicked on a shortcut to load the web browser or you clicked
a URL link in a message in your e-mail client, the web browser will
still run under a LUA token.  Comodo's firewall (v4) has a
pseudo-sandbox feature (it has some virtualization but is not a full
sandbox, like Sandboxie).  You can add a program to the "Programs in the
Sandbox" list which means they will always get sandboxed.  This will run
that program in Comodo's isolated environment and also runs the program
with reduced privileges.  There are problems when running programs
within a sandbox due to trying to isolate that program.  Here we are
only discussing how to reduce privileges on a process to restrict what
it or any child processes started by it can do.  In Comodo's sandbox,
you can disable file (and registry) virtualization and the program will
not be sandboxed but it will run under a LUA token.  If you are looking
to add a firewall+HIPS security product then one that affords you to
configure a program to force it to always run under a LUA token is a
good choice.  Both OA and Comodo let you quickly disable their Program
Guard or sandbox by right-click on their tray icon.  That way, when you
need unrestricted (admin) privileges for the web browser, like when
getting updates from the Windows Update site, you can quickly turn off
the protection, start a new instance of the web browser to do your
thing, unload that instance of the web browser, and then re-enable the
protection.

The last method doesn't require any additional software if you are using
Windows XP, or higher.  It involves using software restriction policies
which are a feature of those operating systems.  In Windows Vista and
up, there is a "Basic User" protection level that can be specified in a
SRP rule which will run the specified program under a LUA token.  Alas,
this policy level is available but hidden in Windows XP.  To add the
"Basic User" policy level to Windows XP, run the following command to
add an entry into the registry:

reg.exe add
"HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers" /v
"Levels" /t REG_DWORD /d 0x20000

The above line may be wrapped.  It is one line that runs reg.exe
(command-line registry editor) with a whole lot of parameters.  Then to
see if this policy level got added, run the group policy editor
(gpedit.msc) and navigate to the following node:

Computer Configuration -> Windows Settings -> Security Settings ->
Software Restriction Policies -> Security Levels

Note: gpedit may not be available in Home editions of Windows.

You should see the following security levels:

Disallowed: A program with this policy level cannot load.
Unrestricted: A program has all privileges of the account under which it
was loaded.
Basic User: A program runs under the reduced privileges of a limited
account.

Now you can define an SRP path rule to a program that will force that
program to be managed by one of these policy levels.  The Disallowed
level can be used to keep programs from loading.  You may install a
program that you want but it keeps trying to run another program that
you don't want to let run (like Quicktime that keeps trying to run
qttask.exe or RealPlayers realsched.exe program to check for updates).
To force the web browser to run under the Basic User policy level (so it
has the reduced privileges of the LUA token):

- Go under "Additional Rules" tree node.
- In the right panel listing the rules, right-click and select "New path
rule".
- Browse to the web browser's executable file (e.g., iexplore.exe).
- Select "Basic User" for the security level.
- Add a comment, like "Force web browser to run under reduced
privileges".
- Click OK.

Any currently open instances of the web browser will retain whatever
privileges they had when they loaded.  Close them all.  Now when you
load the web browser whether directly with a shortcut or indirectly as a
child process, like a URL link in an e-mail, the web browser will run
under the Basic User security policy which reduces privileges on that
process.  

Okay, you've now choked the privileges of every instance of your web
browser but you know there are times when you need an unrestricted
instance to, say, apply updates through the web browser to Windows or to
install AX controls into the web browser.  Well, remember that the SRP
policy is a *path* rule.  It will apply the policy to THAT program that
you specified, not to a file in some other path.  So, and using Internet
Explorer as an example, just make another copy of the web browser's
executable file that is in a different path (some, like IE, won't run if
you merely make another copy of iexplore.exe and call it another name,
like iexplore2.exe).  Go to the web browser's install folder (C:\Program
Files\Internet Explorer), make a subfolder called, say, NoSRP, and copy
iexplore.exe under that new folder.  The SRP policy won't apply to that
copy of the web browser's exectuable file because the path to it is
different.  Then create a shortcut to that alternately pathed executable
file and use that for your unrestricted copy of the web browser.

For those that like to add 3rd party security products, some will let
you restrict the privileges on a program, like the web browser, to make
it more secure against attack as an infection vector for malware.
However, for those that don't want all the overhead and headaches of
adding more security software that produces more prompts that the user
may not understand and causes potential conflicts with use of the
programs that you are trying to protect, an SRP policy using the Basic
User security level to run the program under a LUA token that reduces
that program's privileges is just as good as logging under a limited
account and running the program there.
0
VanguardLH
7/2/2010 5:49:11 PM
Reply:

Similar Artilces:

Microsoft Excel Traininh
hi folks Does MS still have mcse type certificaton for applictons? what is the title for excel training ? I've serched ms on MCP with no luck thanks John john Images of nz (home) http:\\www.myplace.co.nz/home What we are up to in the UK http:\\www.myplace.co.nz I don't know the answer to your question but it would seem that this page should have it: http://www.microsoft.com/learning/mcp/default.asp -- Jim "John in Surrey" <j@myplace.co.nz> wrote in message news:o4lul1hk2hgkcs00hmlsi56tn79oes7hfg@4ax.com... | hi folks | | Does MS still have mcse type certificaton...

Tracking Bullion Investments from Microsoft Money
I need a good way to track bullion investments from Money. The only thing I have been able to do is create an asset and manuelly update the price by searching for the price for the day and multiplying it by the number of ounces, and adjusting it. That is a lot of work. I would like to have that be an investment type where I choose the type of bullion (Gold, Silver, Platinum, etc), and then when I do a purchase put the date and the number of oz that I buy and have it track my gains and losses like my stocks. Additionally it would track your capital gains (which are 28% as it is cons...

After Office XP SP3 now the login name and password are always cleared
After installing SP3 for Office XP we lost the saving of the username and password, is there a way to make this save. I hope so because this SP3 is really a nightmare!! ...

Microsofts way of gainig PROFIT
I'm asking you following. When you are selling your product Windows XP you are=20 promising a lot of extras that is in the product. But when the user wants to use them it all of sudden costs=20 700 dollars to get information of how to set it up. Is it Microsofts policy to hide all the costs so that=20 first when the user is hooked on the Program. He will=20 start to pay. Now in Sweden it's like this, that it's illegal according=20 to Swedisch consumer law to suppress information like=20 this. In Sweden you can't tell that some option is=20 included in the price but not tellin...

Microsoft OS X Excel
My question is this: How do I copy our company logo into the header section of an Excel spreadsheet? Christine Hi Christine, I don't think you can do that. The header and footer sections only accept text. That would be a nice new feature, though. Please take a moment to send your feature request to Microsoft (they don't read the newsgroup postings necessarily). Here's the URL to use: http://www.microsoft.com/mac/feedback/suggestion.asp If you send feedback to this URL then it is tracked in Microsoft's database and read by the product managers. They rely on user feedback ...

Saving graphics in Microsoft Publisher 2007
Bonjour, I created a logo in Microsoft Publisher 2007 which I want to use on my web site. I saved the file as a MP2007 and also "saved as" a jpeg file. Now, when I open the jpeg file, the graphic is not crisp etc. is there a special way of saving the file so as to receive the same results as saving the file as MP2007 file.? Thanking you in advance, Elenora Elenora wrote: > Bonjour, > > I created a logo in Microsoft Publisher 2007 which I want to use on > my web site. > I saved the file as a MP2007 and also "saved as" a jpeg file. > > Now, wh...

hackers?
I have a feeling our exchnage 5.5 server is being used to send JUNK mail. every day at set times our Internet connection slows to an unusable spped. as soon as I stop the Internet Mail service, the intenet works at top spped again, what can Ido to set my theroy and if Im right, how can I stop it. regards. RAC wrote: > I have a feeling our exchnage 5.5 server is being used to > send JUNK mail. Entirely possible if you didn't close your open relay ... if you look at the queues, who are the messages from? If they aren't from valid addresses on your domain, or from <> ...

Microsoft Outlook Shutdown
Is it possible to dis-allow users to shutdown outlook? We use it for inner office email, amongst other features, however, certain users tend to shut off outlook even tho they have been instructed not to. Thomas ...

No menu option in Excel 2002 to close a window.
Where on Excel 2002's menu interface do you close a window? My Excel menu bar's Window item only has New Window, Arrange, Hide, Unhide, Split, Freeze Panes, 1 WorkbookNowInMemory.xls:1 and 2 WorkbookNowInMemory:2. The last two items have no functionality (apart from switching window context). It took much trial and error to discover that the (only?) way to do it is indirectly, by tiling the windows then mouse-clicking an icon to kill one window. What kind of unfeature is that? *** Generally one just clicks on the "x" at top right of active window to clos...

Support site updated
http://support.microsoft.com/default.aspx?scid=fh;EN-US;mny ...

windows 2008 license key
recently we installed windows 2008 std by using the ms select license key, after 2 weeks , system prompt to activate the license key. is it something wrong with the license key or we need to activate the key ? first time installed windows 2008. All Windows 2008 product keys require activation. There's nothing wrong with the license key. You can see license status and partial product key from the command prompt: slmgr -dli slmgr -dlv "DD" <DD@discussions.microsoft.com> wrote in message news:9367BD2D-8823-496D-950B-065A8C0DFD23@microsoft.com... &...

Earthlink target problems
My Exchange 2003 server (in 2003 AD domain) has problems sending to the earthlink domain. The error the target server sends back is: <#5.5.0 smtp;550-Earthlink does not recognize your computer (x.x.x.x) as connecting from an Earthlink connection. If this is in error, please contact technical support.> Wouldn't be a big deal, as only one person in my company, the owner, sends to it. His wife has a personal account there. This is the only domain that doesn't work. I have RDNS set up right, and my mail server is NOT sending things out my firewall via NAT, it's sending dir...

MFC 8.0 target platforms supported ?
Can anyone point me to a page that defines where MFC 8.0 applications will run? I am interested in two cases, an MFC 8.0 application that is: 1) Statically linked with MFC and ATL. 2) Dynamically linked with MFC and ATL and does not modify the PATH. If no such page exists, does anyone have the straight skinny on the situation? Thanks, Mike http://pnmx.com/ On Aug 25, 6:26 pm, Paratracker <Paratrac...@discussions.microsoft.com> wrote: > Can anyone point me to a page that defines where MFC 8.0 applications will > run? I am interested in two cases, an MFC 8.0 application that i...

Adding Exchange System Manager to Active Directory User/Computers
Greetings, Basically, I have one domain. When I open active directory and I select my domain to search for resources on the network. I want the Exchange Systems Manager below the domain level. I've seen this before at previous jobs. Any ideas! Thanks Create a custom Management Console and add the "Active Directory Users and Computers" and "Exchange System Manager" snap-ins. To create a new Management Console, go to the Run command and type MMC -- Mark Fugatt Microsoft Limited This posting is provided "AS IS" with no warranties, and confers no rights. ...

Hacker System f5
Invitation HSF5 We invite everybody hacker and programmer who actually are those and wish to enter the organization. HSF5. You should do the following: in order that we could become sure of your opportunities and purposes, you must purchase f1,this disck where you can find information about us, our works and achievements, includihg barriers,which you must overcome in order to reach f2, but already in Internet. You should be sure of your powers, in order that we can become sure of you. To provide confidentiality, we must follow an untraditional way,which might drive you into doubts. But you ha...

InternetCheckConnection craches on Windows 98
Hi guys! Anyone know anything about this? The app works fine under XP but crashes on InternetCheckConnection calls unders 98 although the documentation says it is supported. Compiled with VS .NET 2003, under XP Pro. I noticed that linking with the library Wininet.lib has no effect under XP and can be excluded. Can this be the problem under 98 and if so can I force the linker to include Wininet.lib? Thanks and regards Anders I tracked it down to beeing the flag FLAG_ICC_FORCE_CONNECTION that produces the crashes. But calling InternetCheckConnection withought this flag never returns ...

Microsoft Money Plus 2008 Freezing
I am having an issue where Money will freeze up inexplicably when I am trying to merge transactions in my Bank of America (CA) account. When transactions are downloaded and get matched up with the wrong manually entered transaction, i click the "change" button on the transaction line. This takes me to another screen where I can either click the radio button to select "Do not match these transactions" or "match this transaction to..." Regardless of which option I select, when i click on the "Done" button OR the cancel button, the main window goes white a...

Why Controls have focus and the window is not Active
hi.. Why is it so that the controls have the focus (i.e TEXT BOX), but the window does not have the focus Can any one explain me.. I've never seen this happen where a child window (a control) could show on the screen while covered by another window or where you could enter text while the parent window is not active. Do you have some more specific information? Tom "Anis Khalife" <anis.khalife@gmail.com> wrote in message news:1136532189.673939.269070@o13g2000cwo.googlegroups.com... > hi.. > > Why is it so that the controls have the focus (i.e TEXT BOX), bu...

Access XP and CHM Help Files
Hi I have just started creating a CHM file and associating it with the various forms, controls etc. by using context and helpfile properties. Problem is that when the file is opened from Access, all the search functionality looks towards Access help and not my help file. The contents/help structure displays OK but any keywords etc. don't get picked up in searches. Is there a solution to this limitation (seems pretty stupid to not be able to search the application specific help just coz the file was called via object properties in an Access frontend) that doesn't involve me hav...

Look at that critical package from the Microsoft
--qdwelvsz Content-Type: multipart/related; boundary="saxdkovec"; type="multipart/alternative" --saxdkovec Content-Type: multipart/alternative; boundary="ftbetfotlimt" --ftbetfotlimt Content-Type: text/plain Content-Transfer-Encoding: quoted-printable Microsoft Client this is the latest version of security update, the "October 2003, Cumulative Patch" update which eliminates all known security vulnerabilities affecting MS Internet Explorer, MS Outlook and MS Outlook Express as well as three newly discovered vulnerabilities. Install now to protect you...

Hackers??
Is this site under attack from hackers? Every time I press the Forum tab on this site... an unusual web pag come up. - Larry -- Message posted from http://www.ExcelForum.com Hard to tell, since you're in fact posting to a newsgroup, not a web page. Most people don't read the group using ExcelForum. I'd suggest you send a message directly to Mr. Rubin. In article <nrage21.14lt7e@excelforum-nospam.com>, nrage21 <<nrage21.14lt7e@excelforum-nospam.com>> wrote: > Is this site under attack from hackers? > > Every time I press the Forum tab on this ...

Subject: send to mail recipient function in windows 2003 server / outlook 2003
I have just recently noticed that on the new servers that I am building, running windows 2003 server and outlook 2003 and terminal services, the "Send To Mail Recipient" option doesn't work. Everything appears normal, but when I click on the icon nothing happens. I have attempted to run "REGSVR32 SENDMAIL.DLL" and have checked the registry for the proper keys. I have never experienced this problem with previous versions of the OS or Office and I'm surprised I haven't found any other posts similar to this. Please help. How did you install Office 2003 on the Term...

hire hackers
Want to hack , crack someone's Yahoo! , Hotmail or AOL email password ? Do you want to know the password your target is using ? Hire a Hacker for that.... All you need to do , is to goto www.hirehackers.net . HireHackers group cracks the password for you , for flat $100 USD. Some of the important details are:- 1- They get the original password the victim is using. 2- After getting the password, they provide you with solid proofs. 3- Payment is made ONLY AFTER you are convinced with the proofs they send you. 4- You are required to pay through various methods , including westernunion , ...

Windows Mail fails when connecting to AIM.COM mail server
I tried to post this earlier, but I don't see it. Sorry if this is a duplicate. I have an HP laptop with Vista as the OS. I use Windows Mail to access my aim.com email. I've used this for over a year. Suddenly, I am getting the following error. I can connect to the aim web mail, so my password, etc is valid and working. This seems to be an SSL error, but I have not changed my configuration of the servers in Windows Mail. Any ideas why this is suddenly occurring? Thanks. -------------Error message below ------------------- The connection to the server has failed....

caching tool for Microsoft CRM
I saw "caching tool for Microsoft CRM" at the website : http://blogs.msdn.com/joris_kalz/default.aspx?p=2 Anybody tried this tool before? any troubles or does it really worth to try? thanx. Yes, I had used, it depends on your requirements to use this tool. -- Regards, MS CRM Certified Professional http://microsoftcrm3.blogspot.com Chat with me on MSN / Gmail / Skype : ID Is :.. mscrmexpert@gmail.com "ismail" wrote: > I saw "caching tool for Microsoft CRM" at the website : > http://blogs.msdn.com/joris_kalz/default.aspx?p=2 > Anybody tried thi...