Microsoft today gave more details about how the various Vista activation exploits will be handled by the soon-to-be-released SP1, and beyond. Their Windows Genuine Advantage blog describes what will happen to machines running an exploit, and reveals that not only will SP1 look for these exploits, but so will a forthcoming Windows Update. The notice you may get from that update borders on humorous.
Once SP1 is installed, it will disable the OEM BIOS and Grace Timer exploits. Those who had the Grace Timer exploit installed will immediately be prompted to activate their copy of Vista. Those with the OEM BIOS exploit may not see the prompt for up to 15 days, due to the way normal OEM activation works. In either case, once prompted to activate, users will face a 15-second delay at login while waiting for an ‘activate later’ option to appear, will get notifications every hour, and will have their desktop turned black every hour (you can change it back, but in an hour it will change again). This is obviously better than the pre-SP1 behavior, which basically throws you out of Vista.
Later this month, a Windows Update will be released that scans for the exploits and, upon finding one, notifies the user, as a way of ‘protecting’ them from software piracy. Here’s the message those with an exploit will receive:
Windows has found software that circumvents Windows activation and interferes with its normal operation. The presence of this software may indicate your copy of Windows is counterfeit.
After repair, your copy of Windows must be activated.
If you do not repair Windows, Windows might disable the software and you may need to activate this copy of Windows.
Where to start on picking this language apart! First, it would appear Windows’ ‘normal operation’ is to make sure it’s been paid for, which of course is what most users are concerned about, and is always the first reason to upgrade to a new OS. Of course, possibly being counterfeit means it’s broken and in need of repair. The update can’t repair it though; it simply points to instructions online on how to do that. Of course, once you repair it, restoring it to its normal operation, you must activate it. You have the choice not to repair your copy of Vista, but if you don’t, it’s going to repair itself anyway. Nice how they give you a choice without really giving you a choice. Also nice how it’s ‘Windows’ that might disable the software, and not Microsoft. It’s almost like Microsoft is saying “Hey, if it were up to us, we’d let you keep using it, but that Windows, it’s got a mind of its own!”.
So, in the end, if you really want to continue using an exploited version of Vista, don’t install SP1, and be very careful about which updates you install. Down the road, it sounds like Windows Update will be how exploits are handled: future updates will not only detect exploits immediately, they will remove (or ‘repair’) them as well. Running Vista illegally is getting more difficult; will it result in increased sales, or just decreased use of Vista?
Post from: ITsVISTA
Running a Hacked Vista? Microsoft Wants to ‘Help’ You…


Written by Joe on February 21st, 2008 with comments disabled.
When it comes down to 32-bit versus 64-bit Windows Vista, the comparison generally focuses on memory: because the address space of 64-bit Vista is not limited to 4 GB, the Ultimate, Business and Enterprise SKUs can use up to 128 GB of RAM. But there are other benefits, and one of them is security. The 64-bit editions of Vista come to the table with PatchGuard (Kernel Patch Protection), which has no 32-bit counterpart, along with Address Space Layout Randomization (ASLR), heap and stack randomization, and heap corruption detection.
As far as heap-based buffer overruns are concerned, both 32-bit and 64-bit Vista offer protection, but only in the x64 versions of the operating system is heap corruption detection (terminating the process as soon as the heap manager finds a corrupted block) enabled by default. Michael Howard, Senior Security Program Manager in the Security Engineering group at Microsoft, explained that in x86 Vista software developers have to call the HeapSetInformation API themselves in order to enable heap corruption detection for their process. (more…)
Written by Jason on February 21st, 2008 with comments disabled.
Microsoft’s Internet Explorer is without a doubt the main vector for web-based attacks. Its ubiquity, as well as its intimate integration into the Windows platform, makes it an excellent avenue for attacks. With IE6, Microsoft gained an ill reputation for failing dramatically to protect end users. From IE6, which was undoubtedly an apex of insecurity compared to alternative browsers, the Redmond company moved to Windows Vista and Internet Explorer 7 running under User Account Control, largely cutting the browser off from the critical areas of the operating system. Web-based attacks coming in via IE7 in Protected Mode will not be able to write themselves to disk, outside a few low-integrity locations, without specific user permission, because the browser runs as a low-integrity process with the least possible privileges. (more…)
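As an added practitioner check (not part of the original post), the following PowerShell reports, per security zone, whether Protected Mode is turned on for the current user. It relies on the per-zone DWORD named 2500 under the Internet Settings\Zones key, where 0 means Protected Mode is on and 3 means off, and on the fact that a Group Policy copy of the same value under HKLM:\Software\Policies overrides the user's own setting; the zone numbers and names are the standard ones.

```powershell
# Added example (not from the original post): report Internet Explorer Protected Mode
# state per security zone. Relies on the per-zone 2500 value: 0 = on, 3 = off.

function Read-ZoneValue {
    param([string]$Key)
    # Returns the 2500 DWORD for one zone key, or $null if the key or value is absent
    $item = Get-ItemProperty -Path $Key -Name '2500' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.'2500'
}

function Get-IEProtectedModeState {
    $zones = [ordered]@{
        0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
        3 = 'Internet';    4 = 'Restricted sites'
    }
    $userBase   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    $policyBase = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

    foreach ($id in $zones.Keys) {
        $userVal   = Read-ZoneValue (Join-Path $userBase $id)
        $policyVal = Read-ZoneValue (Join-Path $policyBase $id)

        # A Group Policy value wins over whatever the user has configured
        $effective = $userVal
        $source    = 'User'
        if ($null -ne $policyVal) { $effective = $policyVal; $source = 'Group Policy' }
        if ($null -eq $effective) { $source = 'Default' }

        $state = 'Not set (IE default applies)'
        if ($effective -eq 0)             { $state = 'On' }
        elseif ($effective -eq 3)         { $state = 'Off' }
        elseif ($null -ne $effective)     { $state = "Unknown value $effective" }

        [pscustomobject]@{
            Zone          = $id
            Name          = $zones[$id]
            ProtectedMode = $state
            Source        = $source
        }
    }
}

Get-IEProtectedModeState | Format-Table -AutoSize
```

One caveat when reading the output: on Vista, Protected Mode also depends on User Account Control being enabled; with UAC switched off the browser runs without it regardless of what the 2500 value says, so check UAC state alongside this report.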
Written by Jason on February 6th, 2008 with comments disabled.
If you have looked into "The Onion Router", or just "Tor", you have probably wondered whether it would be wise to block access from these anonymizing servers (or maybe just the exit nodes). I am not going to explain how the encrypted Tor network works here, as a great deal of information can be found "out there"; the main source should be www.torproject.org, and perhaps Wikipedia.
As a security guy (or ISA administrator, maybe), you ask yourself: "why do these people want to be anonymous?" In this case "anonymous" means that they don’t want targets on the Internet to see the originating IP address (the source); what the target sees instead is the address of a Tor exit node. A "target" is typically a web site or some other web service.
The answer? Well, first you have to ask yourself: "who are they?" And there’s really no good answer to that question, I guess; who really knows? All we can do is guess, so let me turn these questions around: if I were to try out a hack, or some new exploit, would I do it directly from my personal WAN IP? Or would I try to "hide" my originating IP? Looked at from that perspective, Tor networks are GREAT for hiding out; the whole idea is that it shouldn’t be possible to trace the communication back to its source. What you don’t know can hurt you, right? I’m not saying all Tor users are hackers or anything, because they are not, but you have to look at the odds… What do you think? I can’t help thinking that if you hide from someone you have something (bad) to hide, but hey, it could be a Christmas present, right?
Anyway, you have to decide: do I want these people to be able to access my web sites and services or not? I’m not going to decide on your behalf; that’s politics!
So, what can we do about it if we want them out? Well, after reading Thomas Shinder’s blog entry "HammerOfGod Computer Sets — Block and Log by Country" I got an idea. How about downloading a list of Tor servers, importing it into a Computer Set (CS) and making sure that CS is an exception on all of your published services? This way attackers behind Tor won’t be able to poke around your IIS servers or whatever else you have published. (Strictly speaking, only exit nodes ever connect to your services, so an exit-node list is what you want; a list of every Tor relay blocks more than necessary.)
So, I started a search for Tor lists. The best thing would probably be to create the list yourself dynamically, but that would take programming skills that I unfortunately haven’t got. I’m just a scripting kinda guy… The thing is, you would need to have a Tor client installed and extract the list from it once in a while, which is not possible for me (maybe you can do it easily; please post a "how to" if so).
But then I found a list on Proxy.org. This list is updated regularly; the only thing is that it is formatted for easy import into Apache servers, definitely not ISA. But hey, we can change the formatting in a script and then call the "AddComputersToComputerSet.vbs" script from Microsoft… Simple: all we have to do then is configure the CS exceptions on our ISA rules, schedule the script and never touch it again!
So, I created a simple script for:
a) Downloading the latest Tor server list from Proxy.org
b) After the download it creates a new file with the correct format (machine_name<tab>IP_address)
c) And then it calls the AddComputersToComputerSet.vbs with the correct parameters
You can download the script here; also download the script from MS (link above) and place them in the same directory. You will need a bit of VBScript knowledge to "tweak" the script(s), but I’ve tried to make the code easy to understand. Now, make sure you can run it from your ISA box (it downloads over HTTP), and then schedule it (oh, and remember to remove the MsgBox "Done!" line if you want to run this as a scheduled task, otherwise the task will sit there waiting for someone to click OK).
If you want to run it from another machine, take a look at the link to AddComputersToComputerSet I provided above (some changes are needed).
Please report back if you have any bug reports or ideas! It is provided "as is"; after downloading you’re on your own.
The dynamically created/updated ISA Computer Set:
The ISA Rule/Publishing Exceptions:
What’s missing?
I can think of a lot of things I’d like to add, but the idea of this blog entry is to "spread the word" and provide a proof of concept.
Personally I want to add logging of script actions, and email alerts if the list is unavailable or other errors occur. There is also a weakness if the downloadable list is compromised somehow: say someone adds internal/private/"not-Tor" IPs to the list; that could give your users some strange results. So we have to trust that the list is clean and that nobody altered it on the way in (it is fetched over plain HTTP, so anyone on the path could), but it would be a good idea to put in some sort of validation on what IP addresses are put into this particular CS.
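Here is the validation step the previous paragraph asks for, written as an added example in PowerShell (it is not the original VBScript, and nothing about the real Proxy.org list format is assumed beyond each entry containing a dotted-quad IPv4 address: the code pulls the first such address from each line, so the surrounding Apache syntax is ignored). It rejects private, loopback, link-local, multicast and malformed addresses, removes duplicates, and emits the machine_name<TAB>IP_address lines that AddComputersToComputerSet.vbs expects. The sample input below is constructed, including a few tampered lines, and the "Tor-" machine name prefix is an assumption.

```powershell
# Added example (PowerShell, not the original post's VBScript): turn a downloaded Tor
# list into machine_name<TAB>IP_address lines, keeping only routable public IPv4 hosts.

function Test-PublicIPv4 {
    # True only for a well-formed dotted-quad IPv4 address outside the ranges that
    # must never land in a "Tor servers" Computer Set (they would match your own
    # clients or servers if the upstream list were tampered with).
    param([Parameter(Mandatory)][string]$Address)

    if ($Address -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { return $false }   # rejects "10", "::1", etc.
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }  # rejects octets > 255
    $o = $ip.GetAddressBytes()

    if ($o[0] -eq 0)                                       { return $false }  # 0.0.0.0/8 "this" network
    if ($o[0] -eq 10)                                      { return $false }  # 10.0.0.0/8 RFC 1918
    if ($o[0] -eq 127)                                     { return $false }  # 127.0.0.0/8 loopback
    if ($o[0] -eq 169 -and $o[1] -eq 254)                  { return $false }  # 169.254.0.0/16 link-local
    if ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) { return $false }  # 172.16.0.0/12 RFC 1918
    if ($o[0] -eq 192 -and $o[1] -eq 168)                  { return $false }  # 192.168.0.0/16 RFC 1918
    if ($o[0] -ge 224)                                     { return $false }  # multicast, reserved, broadcast
    return $true
}

function Convert-TorListToComputerSet {
    # Emits one "machine_name<TAB>IP_address" line per unique, validated address.
    param(
        [Parameter(Mandatory)][string[]]$Lines,   # raw lines of the downloaded list
        [string]$NamePrefix = 'Tor-'              # machine name prefix (an assumption)
    )
    $seen = @{}
    foreach ($line in $Lines) {
        # Take the first dotted quad on the line; comments, blank lines and
        # directives without an address are skipped, the Apache wrapping is ignored.
        $m = [regex]::Match($line, '(\d{1,3}(?:\.\d{1,3}){3})')
        if (-not $m.Success) { continue }
        $addr = $m.Groups[1].Value
        if ($seen.ContainsKey($addr)) { continue }          # de-duplicate
        if (-not (Test-PublicIPv4 $addr)) {
            Write-Warning "Rejected '$addr' (line: $line)"  # tampered or malformed entry
            continue
        }
        $seen[$addr] = $true
        "{0}{1}`t{2}" -f $NamePrefix, ($addr -replace '\.', '-'), $addr
    }
}

# Constructed sample standing in for the Proxy.org download (Apache-style lines assumed).
$sample = @(
    '# Tor exit nodes, constructed sample',
    'Deny from 203.0.113.7',
    'Deny from 198.51.100.22',
    'Deny from 198.51.100.22',     # duplicate
    'Deny from 10.0.0.5',          # tampered: RFC 1918
    'Deny from 192.168.1.10',      # tampered: RFC 1918
    'Deny from 127.0.0.1',         # tampered: loopback
    'Deny from 256.1.1.1'          # malformed octet
)

Convert-TorListToComputerSet -Lines $sample | Set-Content -Path .\tor_computerset.txt -Encoding ASCII
Get-Content .\tor_computerset.txt
```

For real use, replace $sample with the downloaded content split into lines (for example the Content of Invoke-WebRequest -UseBasicParsing, split on "`r?`n"), preferring an HTTPS URL if the list provider offers one, and pass the resulting file to AddComputersToComputerSet.vbs as before. Because rejected entries go to the warning stream rather than the output file, redirecting that stream to a log gives you the "logging of script actions" mentioned above almost for free.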
Hope you can use this.
Written by Jakob H. Heidelberg on January 30th, 2008 with comments disabled.