SecurityGarden


Wednesday, May 30, 2012

Sysnative - What is it?

Posted on 4:13 PM by Unknown

Sysnative is a term that has two meanings.  For those interested in the technical explanation, refer to the section on Sysnative in 64-Bit Windows operating systems below.

The other use of Sysnative, and the usage of interest to readers of Security Garden, is that it is the domain name for Sysnative.com.

What is special about Sysnative.com?  Let's find out.

About Sysnative.com

At one time or another, most people who use the Windows operating system have experienced the dreaded "Blue Screen of Death" (BSOD) -- until Windows 8, a strange blue screen filled with numbers and codes, completely incomprehensible to most everyone.

Granted, there are occasions where a shutdown/restart or invoking "Last Known Good Configuration" appears to have resolved whatever issue caused the BSOD.  More often than not, however, help is needed to trace the source of the problem.  This is where Sysnative.com comes into play.

Sysnative.com is the result of a vision of Microsoft MVP, John Griffith. John, known in forum communities as jcgriff2, specializes in Blue Screen of Death (BSOD) Kernel dump analysis.  John also enjoys a reputation as an expert Windows forensic troubleshooter, typically sought by Windows Vista and Windows 7 owners after all else has failed.

John developed an application for use by BSOD OPs known as the "jcgriff2 BSOD File Collection app". The output, including mini kernel memory dumps, is used by BSOD Analysts who assist computer users in tracking down the source of the BSODs plaguing their computers.

John also developed BSOD kernel dump file scripts that automate many of the mundane tasks performed through the Windbg GUI. The scripts allow batch processing of multiple BSOD kernel dump files instead of running dumps one by one in Windbg.  In addition, the scripts incorporate a direct interface to the Driver Reference Table, known as DRT, created by Microsoft MVP John Carrona for driver look-ups.

The contributions by many talented people who are involved in analyzing the data compiled by John's application have made the "jcgriff2 BSOD File Collection app" and the "jcgriff2/niemiro BSOD Dump Processing Scripts" the tools of choice for BSOD Kernel Dump Analysis.

Should you be faced with the dreaded Blue Screen of Death, expert assistance is available from the many talented analysts at Sysnative.com.  Registration at the site is free, as is the help.  Follow the BSOD Posting Instructions and rest assured, help is on the way!

Wait, there is more!

That is correct.  Help isn't limited to BSOD crash analysis, debugging and error reports.  Help and information are available from Microsoft MVPs, Microsoft MCCAs, as well as others knowledgeable in Microsoft Windows operating systems, programming, networking, graphics, and games.

(Image: Sysnative logo)

The logo for Sysnative.com, displayed above, was created by a very talented graphic designer.  I have long been acquainted with the designs he has made for ASAP members and member sites and was very excited when he volunteered to create a logo for Sysnative.com.

Aside from the fantastic Sysnative logo, one of my favorite examples of this talented designer, known on various help forums as NJustice or N_J, is the artwork and website design for Amelia Eisenhauer, a talented young singer.

If you or someone you know are in the market for a custom design, I heartily recommend contacting Amazing Dezigns.

Sysnative in 64-Bit Windows 

The Sysnative alias was first seen with Windows Vista.  On 64-bit Windows, a 32-bit application runs under the WOW64 subsystem, and the file system redirector silently sends its requests for %WinDir%\System32 to the 32-bit system folder rather than the native 64-bit one.  The Sysnative folder is a special alias that WOW64 recognizes and does not redirect, so a 32-bit application can use %WinDir%\Sysnative to reach the native system folder.  This mechanism is flexible and easy to use, and it is the supported way for a 32-bit process to bypass file system redirection.  Note that the alias only exists from the point of view of a 32-bit process: a 64-bit process (Explorer on a 64-bit system, for instance) will not find a Sysnative folder at all.

Additional information is available at MSDN in "File System Redirector". 
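The following PowerShell script is an added example for this post; it is not code from the original page or from Microsoft.  It shows what the redirector and the Sysnative alias look like from inside a running process, which is the check you want before trusting a 32-bit script or agent that claims to have inspected System32 on a 64-bit machine.  The paths and the use of the PROCESSOR_ARCHITEW6432 environment variable are assumptions based on the standard Windows layout; the script only reads file metadata.

```powershell
# Added example (not from the original post or from Microsoft): observe WOW64 file
# system redirection and the Sysnative alias from inside PowerShell. Run it once from
# the 32-bit host, %WinDir%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, and once
# from the 64-bit host to compare. Paths are assumptions based on the standard layout.

function Get-SystemFolderView {
    $system32  = Join-Path $env:WinDir 'System32'
    $sysnative = Join-Path $env:WinDir 'Sysnative'

    # A 32-bit process under WOW64 has PROCESSOR_ARCHITEW6432 set to the real machine
    # architecture; a native 32-bit or 64-bit process does not have it at all.
    $underWow64 = -not [string]::IsNullOrEmpty($env:PROCESSOR_ARCHITEW6432)

    # The alias is virtual: only a 32-bit process under WOW64 can see it.
    $sysnativeVisible = Test-Path -LiteralPath $sysnative

    # Folder a script should use when it genuinely needs the native System32.
    $native = $system32
    if ($underWow64 -and $sysnativeVisible) { $native = $sysnative }

    New-Object PSObject -Property @{
        PointerSize      = [IntPtr]::Size      # 4 = 32-bit process, 8 = 64-bit process
        UnderWow64       = $underWow64
        SysnativeVisible = $sysnativeVisible
        NativeSystem32   = $native
    }
}

# Same file name, two different binaries: from a 32-bit process, System32\cmd.exe is
# silently redirected to the 32-bit copy, while Sysnative\cmd.exe reaches the native one.
function Compare-CmdBinary {
    $view = Get-SystemFolderView
    $viaSystem32 = Get-Item -LiteralPath (Join-Path $env:WinDir 'System32\cmd.exe')
    $result = @{
        'System32\cmd.exe (bytes)' = $viaSystem32.Length
        Redirected                 = $false
    }
    if ($view.SysnativeVisible) {
        $viaSysnative = Get-Item -LiteralPath (Join-Path $env:WinDir 'Sysnative\cmd.exe')
        $result['Sysnative\cmd.exe (bytes)'] = $viaSysnative.Length
        # Different sizes prove the System32 request was redirected to the 32-bit copy.
        $result.Redirected = ($viaSystem32.Length -ne $viaSysnative.Length)
    }
    New-Object PSObject -Property $result
}

Get-SystemFolderView | Format-List
Compare-CmdBinary    | Format-List
```

From the 64-bit host, SysnativeVisible is false and the two functions report the native binaries; from the 32-bit host, SysnativeVisible is true and Redirected is true.  The practical point for anyone reviewing logs from a 32-bit tool on a 64-bit system: what it calls "System32" is the 32-bit copy unless it went through the Sysnative alias.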




Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...


Posted in Microsoft, Windows 7, Windows 8, Windows Vista, Windows XP | No comments

Monday, May 28, 2012

Flame, aka Flamer or sKyWIper

Posted on 12:01 PM by Unknown
Flame, aka Flamer or sKyWIper, has been dubbed more complex than Duqu and Stuxnet.  In fact, it has been described as "the most sophisticated malware we encountered during our practice; arguably, it is the most complex malware ever found." 

As described in The Flame: Questions and Answers - Securelist:
"What exactly is Flame? A worm? A backdoor? What does it do?

Flame is a sophisticated attack toolkit, which is a lot more complex than Duqu. It is a backdoor, a Trojan, and it has worm-like features, allowing it to replicate in a local network and on removable media if it is commanded so by its master.

The initial point of entry of Flame is unknown - we suspect it is deployed through targeted attacks; however, we haven’t seen the original vector of how it spreads. We have some suspicions about possible use of the MS10-033 vulnerability, but we cannot confirm this now.

Once a system is infected, Flame begins a complex set of operations, including sniffing the network traffic, taking screenshots, recording audio conversations, intercepting the keyboard, and so on. All this data is available to the operators through the link to Flame’s command-and-control servers.

Later, the operators can choose to upload further modules, which expand Flame’s functionality. There are about 20 modules in total and the purpose of most of them is still being investigated."
The map below, compiled by Kaspersky, shows the top seven countries affected by Flame:


The following quote by Professor Alan Woodward Department of Computing, University of Surrey, was included in the BBC article, Flame: Massive cyber-attack discovered, researchers say:
"This is an extremely advanced attack. It is more like a toolkit for compiling different code based weapons than a single tool. It can steal everything from the keys you are pressing to what is on your screen to what is being said near the machine.

It also has some very unusual data stealing features including reaching out to any Bluetooth enabled device nearby to see what it can steal.

Just like Stuxnet, this malware can spread by USB stick, i.e. it doesn't need to be connected to a network, although it has that capability as well.

This wasn't written by some spotty teenager in his/her bedroom. It is large, complicated and dedicated to stealing data whilst remaining hidden for a long time."
In other words, it appears that this is just the tip of the iceberg.

Update:  A search of the Malware Protection Center Portal for Win32/Flame shows that detection has been added to Microsoft security products (Published: May 29, 2012, Alert level: Severe):
  • Worm:Win32/Flame!cfg
  • Worm:Win32/Flame.gen!A
  • Worm:Win32/Flame.gen!B
  • Worm:Win32/Flame.gen!C  

Additional References

  • Crysys Lab Skywiper Analysis (PDF)
  • Iran Maher CERT Flamer Analysis
  • Meet “Flame”, The Massive Spy Malware Infiltrating Iranian Computers
  • Reuters: Powerful "Flame" cyber weapon found in Middle East
  • F-Secure: Case Flame -News from the Lab 
  • ESET Threat Blog: Win32/Flamer: the 21st Century Whale
  • The Verge: 'Flame' cyberespionage worm discovered on thousands of machines across Middle East
  • Symantec: Flamer: Highly Sophisticated and Discreet Threat Targets the Middle East
  • McAfee: Skywiper – Fanning the “flames” of cyber warfare



      Posted in malware, Security | No comments

      Sunday, May 27, 2012

      JavaCool Software Now BrightFort

      Posted on 12:30 PM by Unknown
SpywareBlaster has long been recommended to prevent the installation of spyware and other potentially unwanted software.  It is probably the most well known program from the JavaCool Software label.

SpywareBlaster and the other JavaCool Software programs are now under a new label -- BrightFort.  From the BrightFort About page:
      "Our Company BrightFort (formerly: Javacool Software) is a privately-owned, US-based software company. Since 2002 we've been dedicated to providing innovative and useful security and privacy solutions.

      We provide feature-packed yet lean programs. Our team works closely together to design and build the fast, and compatible programs that effectively solve critical problems and help improve your computing experience."

      BrightFort Programs

      SpywareBlaster
      "Multi-Angle Protection
      • Prevent the installation of ActiveX-based spyware and other potentially unwanted programs.
      • Block spying / tracking via cookies.
      • Restrict the actions of potentially unwanted or dangerous web sites.
      No-Nonsense Security SpywareBlaster can help keep your system secure, without interfering with the "good side" of the web. And unlike other programs, SpywareBlaster does not have to remain running in the background. It works alongside the programs you have to help secure your system."
       (Note:  An enterprise version of SpywareBlaster is also available.  Information at SpywareBlaster Network Version.)

      EULAlyzer
      "Making EULAs Easy

      Discover if the software you're about to install displays pop-up ads, transmits personally identifiable information, uses unique identifiers to track you, or much much more. EULAlyzer can analyze license agreements in seconds, and provide a detailed listing of potentially interesting words and phrases."
       Doc Scrubber
      "Share Only What You Want

      Microsoft Word (.DOC) files can contain more than just text you see while editing them. Depending on the settings or features you use, they may contain all kinds of additional information that you may not want shared outside your home or company. Doc Scrubber lets you see that information, and scrub it from files before sending them to others."
      MRU-Blaster

      "Protect Your Privacy

      MRU-Blaster is a program made to do one large task - detect and clean MRU (most recently used) lists on your computer.

      These MRU lists contain information such as the names and/or locations of the last files you have accessed. They are located ALL OVER your registry, and for almost ANY file type."

      Retired

The code for FileChecker and ID-Blaster was written for older versions of Windows and has not been tested on newer versions.  Since the code is very old, both programs have been retired.


      (H/T:  Siljaline)



      Posted in Security | No comments

      Tuesday, May 8, 2012

      Microsoft May 2012 Security Bulletin Release

      Posted on 10:23 AM by Unknown

Microsoft released seven (7) bulletins, of which three (3) are identified as Critical and four (4) as Important.

      The bulletins address twenty-three (23) vulnerabilities in  Microsoft Windows, Office, Silverlight, and .NET Framework.  At least two of the updates will require a restart. 

      If you have had difficulties with .NET Framework in the past, it is strongly advised that updates MS12-034 and MS12-035 be installed separately, including a shutdown/restart. 


      Security Bulletins

      • Microsoft Security Bulletin MS12-029 (Critical): Vulnerability in Microsoft Word Could Allow Remote Code Execution (2680352) 
      • Microsoft Security Bulletin MS12-030 (Important): Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2663830)
      • Microsoft Security Bulletin MS12-031 (Important): Vulnerability in Microsoft Visio Viewer 2010 Could Allow Remote Code Execution (2597981)
      • Microsoft Security Bulletin MS12-032 (Important): Vulnerability in TCP/IP Could Allow Elevation of Privilege (2688338)
      • Microsoft Security Bulletin MS12-033 (Important): Vulnerability in Windows Partition Manager Could Allow Elevation of Privilege (2690533)
      • Microsoft Security Bulletin MS12-034 (Critical): Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight (2681578)
      • Microsoft Security Bulletin MS12-035 (Critical): Vulnerabilities in .NET Framework Could Allow Remote Code Execution (2693777)

      Support

      The following additional information is provided in the Security Bulletin:
      • The affected software listed have been tested to determine which versions are affected. Other versions are past their support life cycle. To determine the support life cycle for your software version, visit Microsoft Support Lifecycle.
      • Customers in the U.S. and Canada can receive technical support from Security Support or 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates. For more information about available support options, see Microsoft Help and Support.
      • International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit International Help and Support.

      References

      • MSRC: Bulletin Management Process and the May 2012 Bulletins
      • TechNet: Microsoft Security Bulletin Summary for May 2012
      • Security and Safety Center:  Microsoft security updates for May 2012 
      • Security Research & Defense:  MS12-034: Duqu, ten CVE's, and removing keyboard layout file attack surface




      Posted in Microsoft, Security, Updates, Vulnerabilities | No comments

      Saturday, May 5, 2012

      Critical Adobe Flash Player Update

      Posted on 7:23 AM by Unknown

      Adobe Flash Player was updated to address critical security vulnerabilities.  According to the Adobe PSIRT blog posting,
      "There are reports that the object confusion vulnerability (CVE-2012-0779) addressed in this update is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious file delivered in an email message. The exploit targets Flash Player on Internet Explorer for Windows only."

      Update Information

      The newest version for Windows, Macintosh, Linux and Solaris is 11.2.202.235. 

      Release date: May 4, 2012
      Vulnerability identifier: APSB12-09
      Priority: See table below
      CVE number: CVE-2012-0779
      Platform: All Platforms

      Priority and Severity ratings

      Adobe categorizes these updates with the following priority ratings and recommends users update their installations to the newest versions:
Product            | Updated Version | Platform             | Priority Rating
Adobe Flash Player | 11.2.202.235    | Windows              | 1
Adobe Flash Player | 11.2.202.235    | Macintosh and Linux  | 2
Adobe Flash Player | 11.1.115.8      | Android 4.x          | 2
Adobe Flash Player | 11.1.111.9      | Android 3.x and 2.x  | 2

      Flash Player Update Instructions

      Adobe Flash Player for Android

      The latest version for Adobe Flash Player for Android is available by downloading it from the Android Marketplace by browsing to it on a mobile phone.

      Flash Player for Windows, Macintosh, Linux and Solaris

      Although Adobe suggests downloading the update from the Adobe Flash Player Download Center or by using the auto-update mechanism within the product when prompted, if you prefer, direct download links are available.

      Notes:
      • If you use the Adobe Flash Player Download Center, be careful to uncheck the optional McAfee Security Plus box.  It is not needed for the Flash Player update.
      • Uncheck any toolbar offered with Adobe products if not wanted.
      • If you use alternate browsers, it is necessary to install the update for both Internet Explorer as well as the update for alternate browsers.
      Flash Player For Internet Explorer
      • 32-bit:  http://fpdownload.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_11_active_x_32bit.exe
      •  64-bit: http://fpdownload.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_11_active_x_64bit.exe

      Non-IE (Opera, Firefox, Etc.)
      •  32-bit:  http://fpdownload.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_11_plugin_32bit.exe
      • 64-bit:  http://fpdownload.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_11_plugin_64bit.exe

      Flash Player Uninstallers:

      32-Bit Uninstaller: http://download.macromedia.com/pub/flashplayer/current/uninstall_flash_player_32bit.exe
64-Bit Uninstaller: http://download.macromedia.com/pub/flashplayer/current/uninstall_flash_player_64bit.exe

Hat tip: ky331 for FTP download links.

      Verify Installation

      To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 
      Do this for each browser installed on your computer.

      To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.

      When Adobe Flash Player is updated, it is recommended that Adobe AIR version be checked as well.  Go to Adobe AIR Help to determine the version of Adobe AIR runtime installed.
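Checking the About Flash Player page in every browser is tedious on more than one machine.  The PowerShell script below is an added example for this post, not code from the original page or from Adobe: it reads the file version of each Flash Player binary installed for Internet Explorer (ActiveX) and for the NPAPI browsers on 64-bit Windows and compares it with the fixed version from APSB12-09.  The folder and file-name patterns are assumptions based on the usual Flash Player layout of the time.

```powershell
# Added example (not from the original post or from Adobe): list the Flash Player
# binaries installed per browser and bitness and compare them with the fixed version.
# Assumed layout (verify on your own system):
#   %WinDir%\System32\Macromed\Flash  - 64-bit ActiveX control (IE) and NPAPI plugin
#   %WinDir%\SysWOW64\Macromed\Flash  - 32-bit ActiveX control (IE) and NPAPI plugin
# Run from a 64-bit PowerShell so that System32 is not redirected to SysWOW64.

$FixedVersion = [version]'11.2.202.235'   # from APSB12-09

function Get-FlashPlayerInstalls {
    $folders = @{
        '64-bit' = Join-Path $env:WinDir 'System32\Macromed\Flash'
        '32-bit' = Join-Path $env:WinDir 'SysWOW64\Macromed\Flash'
    }
    foreach ($bitness in $folders.Keys) {
        $folder = $folders[$bitness]
        if (-not (Test-Path -LiteralPath $folder)) { continue }

        # *.ocx is the ActiveX control Internet Explorer loads; NPSWF*.dll is the NPAPI
        # plugin loaded by Firefox, Opera and the other non-IE browsers of the time.
        Get-ChildItem -LiteralPath $folder |
            Where-Object { $_.Name -like '*.ocx' -or $_.Name -like 'NPSWF*.dll' } |
            ForEach-Object {
                $vi = $_.VersionInfo
                # Build the version from the numeric parts rather than parsing the
                # version string, which Flash writes with commas instead of dots.
                $ver = New-Object Version -ArgumentList @(
                    $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
                $browser = 'Non-IE (NPAPI plugin)'
                if ($_.Extension -eq '.ocx') { $browser = 'Internet Explorer (ActiveX)' }

                New-Object PSObject -Property @{
                    Browser  = $browser
                    Bitness  = $bitness
                    Version  = $ver
                    UpToDate = ($ver -ge $FixedVersion)
                    Path     = $_.FullName
                }
            }
    }
}

# $true only when every installed Flash binary is at or above the fixed version.
function Test-FlashPlayerCurrent {
    $installs = @(Get-FlashPlayerInstalls)
    if ($installs.Count -eq 0) {
        Write-Warning 'No Flash Player binaries found in the expected folders.'
        return $true
    }
    return -not ($installs | Where-Object { -not $_.UpToDate })
}

Get-FlashPlayerInstalls | Format-Table Browser, Bitness, Version, UpToDate, Path -AutoSize
"All installed Flash Player binaries current: $(Test-FlashPlayerCurrent)"
```

A stale 32-bit plugin next to a current 64-bit one is exactly the situation the note above warns about, and it shows up here as one row with UpToDate false.  Google Chrome bundled its own copy of Flash Player and is not covered by this check.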

      References


      • Adobe Priority Ratings
      • Adobe Security Advisory: Security update available for Adobe Flash Player
      • Adobe PSIRT Blog: Security Update for Adobe Flash Player (APSB12-09)





      Posted in Adobe, Security, Updates, Vulnerabilities | No comments

      Thursday, May 3, 2012

      Security Bulletin Advance Notification for May

      Posted on 12:53 PM by Unknown

      On Tuesday, May 8, 2012, Microsoft is planning to release seven (7) bulletins, of which three bulletins are identified as Critical and the remaining four as Important.

The bulletins address twenty-three (23) vulnerabilities in Microsoft Windows, Office, Silverlight, and .NET Framework.  At least two of the updates will require a restart.  If you have had difficulties with .NET Framework in the past, it is strongly advised that the .NET Framework update be installed separately.

      As happens each month, Microsoft will also release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.

      References

      • MSRC Blog:  Advance Notification Service for May 2012 Security Bulletin Release
      • TechNet: Microsoft Security Bulletin Advance Notification for May 2012



      Posted in Microsoft, Security, Updates, Vulnerabilities | No comments

      Wednesday, May 2, 2012

      Good-bye Windows Live, Hello Microsoft Apps

      Posted on 7:16 PM by Unknown
      When Windows Live was introduced in 2005, it took me a while to get accustomed to adding "Windows Live" to Hotmail, Windows Messenger, Windows Movie Maker, Windows Photo Gallery, and the other programs that eventually became Windows Live Essentials*.

With the changes announced today at the Building Windows 8 blog, it is time to start getting adjusted to new terms.  After all, when logging on to Windows 8 with your Microsoft account (formerly Windows Live ID), the apps will be immediately available with the information provided by cloud services.

      The chart below was provided at the Building Windows 8 blog showing the new breakdown of software and services.

Service        | Windows 8                              | Windows Phone               | Web/HTML 5 (live.com)              | API (dev.live.com)        | Earlier Versions
Account        | Microsoft account                      | Microsoft account           | Account.live.com                   | OAUTH                     | Windows Live ID, Passport
Storage/Docs   | SkyDrive app, SkyDrive Desktop         | SkyDrive app, Office app    | SkyDrive.com                       | REST, JSON                | FolderShare, Live Mesh, Windows Live Mesh
Email          | Mail app                               | Mail app                    | Hotmail.com                        | EAS                       | Windows Live Mail, Outlook Express
Calendar       | Calendar app                           | Calendar app                | Calendar.live.com                  | EAS, REST                 | Windows Live Mail, Windows Calendar
Contacts       | People app                             | People app                  | People.live.com                    | EAS, REST                 | Windows Contacts
Messaging      | Messaging app                          | Messaging app               | Integrated in Hotmail and SkyDrive | XMPP                      | MSN Messenger
Photos/Videos  | Photos app, Photo Gallery, Movie Maker | Photos app, Camera Roll     | Photos.live.com                    | REST, JSON (via SkyDrive) | Windows Live Photo Gallery, Windows Live Movie Maker

      Even if you aren't testing Windows 8 Consumer Preview, the live.com links all work.  Go ahead, give it a try.  Check your calendar at http://calendar.live.com or look up a contact at http://people.live.com.

      See the Building Windows 8 blog for additional information about the rebranding of Windows Live as Microsoft Apps.  Detailed information has been promised in upcoming articles about Microsoft account, cloud services, SkyDrive, Hotmail, Messenger, as well the work Microsoft is doing with Skype.  

      *Windows Live Essentials Applications

      • Windows Live Family Safety 
      • Windows Live Mail 
      • Windows Live Mesh 
      • Windows Live Messenger 
      • Windows Live Messenger Companion 
      • Windows Live Movie Maker 
      • Windows Live Photo Gallery 
      • Windows Live Sign-in Assistant 
      • Windows Live Writer 
      • Bing Bar 
      • Microsoft Outlook Hotmail Connector 
      • Microsoft Silverlight 

       References

      • Cloud services for Windows 8 and Windows Phone: Windows Live, reimagined
      • Windows Live Essentials

       


      Posted in Microsoft Apps, SkyDrive, Windows 8, Windows Live | No comments