GSD’s Weekly Briefs…the clean ones

cc photo credit Augapfel on flickr

This “Spring Forward” time change is going to eat my lunch tomorrow morning.

OK kiddo’s  Here you go.  The GSD Link Briefs of the Week.

Light on comments.  Maybe that will keep em from riding up too much in the tender places…

• Windows Incident Response: Looking for "Bad Stuff", pt III (Malware Detection)

• Windows Incident Response: Malware Characteristics - An Example

• Windows Incident Response: Malware for Incident Responders – FakeXPA

All must reads for folks doing incident response due to suspected malware.  Lots of great tips and techniques to use.  Each case is different, but having an organized response plan makes these things easier to take apart.

• Microsoft Malware Protection Center : FakeXPA – The Journey Continues – As noted by Harlan this baddie is pretty interesting.  The Microsoft team pick it apart pretty good with technical information.

• Ask the Performance Team : Netbooks and Windows 7 – I’ve heard that a PC maker is suing Intel over the “netbook” term as trademarked.  But it does look like W7 design bodes well for good performance even in the hardware challenged arena of netbooks and micro-laptops.  That’s a good thing for older system performance as well.  I like Vista and it seems to run OK on our laptops, but I’m really feeling performance could be much snappier still.  I might get bold and try to dual-boot it with a VHD boot of Windows 7 so I can really get a sense of the true hardware performance it could offer.

• Ask the Performance Team : The Case of the Unsigned Printer Drivers and .NET 3.5 Service Pack 1 – Not quite as good as a Mark Russinovich special, but still good troubleshooting information.

• 4sysops - Windows 7’s Problem Steps Recorder – Good peek into this helpful tool for remote troubleshooters.

• 4sysops - Windows 7 new manageability features – Michael’s got a nice rundown of some more advanced features of W7 that system administrators may be curious to know.

• NK2View - (freeware) – Nirsoft utility update - View/Delete/Edit Outlook .NK2 AutoComplete Information.  New version supports backup/restore of the file itself.  Something previously not quite possible.

• Panda USB and AutoRun Vaccine - (freeware) - Panda Research Blog provides a two-stage tool.  Stage one locks down your entire system from auto-run exploit.  Stage two renders any USB drive that the tool is applied to “inoculated” against infection by an auto-play vectoring malware infection.  Read carefully before applying.  Some could be “permanent” (at least without reformatting the removable device).  See also these related AutoRun security posts: Grand Stream Dreams: USB Security: AutoRunGuard, Encryption ..., Microsoft Security Advisory (967940): Update for Windows Autorun (fixes the not-quite working completely patch), as well as AutoRun Eater - (freeware) – This neat security utility provides a different take.  It runs in the system tray full-time and monitors execution of autorun files when devices are inserted or executed.  Upon discovery it first performs an analysis. If a suspicious pattern is found, it blocks execution, tosses up a dialog window, and presents the suspicious code.  Then it allows the user to block or ignore execution.  Amazingly clever.  Certainly not a cure-all, but it might very well provide a first and easy to use line of defense for non-technical users as well as experienced system administrators who don’t want to use some of the tougher/lock-down methods against blocking all autorun executions.

• Quickpost: /JBIG2Decode Trigger Trio « Didier Stevens blog, and Sûnnet Beskerming - An Interesting Result for JBIG2 PDF Vulnerability, followed up by Inside Exploited PDF from the Threat Researcher’s blog.  These are primarily discussing the latest Adobe Reader vulnerability - This has been simmering for a while but security researcher Didier Stevens (who specializes in PDF formats) found something very serious.  Quoting from Didier’s first link: "Under the right circumstances, a Windows Explorer Shell Extension will read the PDF document to provide extra information, and in doing so, it will execute the buggy code and trigger the vulnerability. Just like it would when you would explicitly open the document. In fact, we could say that the document is opened implictly, because of your actions with Windows Explorer."  That could be a biggie considering the pervasiveness of PDF documents.  Malicious PDF's as a vector attack have been around for a long time, as readers of Didier's blog know. However this one seems to be particularly potent as the mal-crafted file doesn't need to even be launched.  Furthermore, many have moved to the great (and free) Adobe Reader alternative Foxit Reader. However, if Adobe Reader is installed on the system also, the vulnerability still actively exists. You currently appear to have to entirely uninstall the Adobe Reader from your system...

I'm not suggesting folks should run out and do that...but at least for now, keep a close eye out on these developments as many AV vendors still are not detecting this new threat. Hopefully Adobe will be responding with a fix soon.

Didier suggests using Nir Sofer’s freeware Shell Extension manager to disable this feature for now.  Or you could also use Sysinternals Autoruns to display and disable this handler. For this PDF handler, look in the tab “Explorer” under the following section:

“HKLM\Software\Classes\Folder\Shellex\ColumnHandlers”.

Search for the PDF Shell Extension and disable it.

Finally, you might want to take a look at the advice in the Do you use Adobe Reader? post also at the awesomely good Threat Researcher blog.  Good stuff to know for Adobe Reader fans.  I’ve walked away impressed enough to add this blog to my RSS feed list.

• PortableApps.com Platform 1.5 Released - (freeware) – New app launcher build from the first-place I go to find portable tools that work flawlessly on my Windows USB stick.  Many new features and tweaks.  Check it out.

• FreeCommander - (freeware) – The very best-est (IMHO) freeware multi-paned file manager there is, hands down.  Period.  No more discussion.  The only file manager I use at work and home on my personal systems.  Anyway, new version release came out for some enhancements, feature adds, and stability fixes.  2009.02.  You can get in in an installer based setup file, or if you know where to look, portable versions are available as well.  Scroll that page to the very bottom to find the simple zip file versions.

• Mozilla rethinks the behavior of new browser tabs – download squad – You think?  What with the new Safari 4 beta favorites page, Chrome’s favorite page, Opera’s favorites page, all these multipage pages makes Firefox look a bit late to the party.  So Mozilla thinks it needs to the bloat-creep by doing one as well.  See next link…

• New Tab Page: Proposed design principles and prototype – Mozilla Labs.  Bloat-creep/feature-creep.  I’m wondering if it isn’t all the same thing…

• NewTabURL :: Firefox Add-ons – This is my response.  I use this Add on and love it.  It is perfect with customizing new-tab content launching.  While I do feel Mozilla should provide just a bit more default customization options to new tab handling, too much is a bad thing.  NewTabURL  allows you to set new tabs to open to your home page, blank page, or current page, it also allows you to specify your own default URL to open up to. Want to go even more custom? Create your own HTML page, image or other stuff and point to it instead! For example I can use the format file:///%drive-letter%:/filename.whatever and open that in blank tabs. On my system, I have it set to use the following link: http://bighugelabs.com/flickr/random.php . I have coupled that with some editing (redaction) of page elements with the Remove It Permanently :: Firefox Add-on and now each time I open up a blank page, I am gifted with a random selection of images from flickr.  Of course….that is on my home machine only.  I end up getting some NSFW images from time to time that I couldn’t tolerate at work.  So for there I have to go with something a bit different.  Finally, NewTabURL can be set to open up a URL if it finds one in the clipboard contents. Very handy when you find a non-hyperlinked address browsing and copy it. Instead of manually opening a blank tab, pasting it into the address bar and launching it, this extension can handle it automagically!

• Next Firefox version bumped to 3.5, another beta to come - Mozilla Links.  OK.  Get a move on.  I’m still waiting for the next 3.1 beta release 3 to come out.  I tried the nightly version in a testing package I use, but it didn’t render the NewsFox RSS feed reader extension I use very nicely.  So I’m sticking with the stable 3.1 beta 2 release still for now.

I had hoped to get through a number of additional posts this weekend, but it was too sunny, Alvis was at her Grandparent’s house, and the chores and quality time spent with Lavie were just too important to pass up camped out on the laptop all weekend long.  Had some Apple Safari issues as well as a rouge VIPRE definitions update that locked up our desktop system until resolved.  Those took an unexpected amount of time.

Lavie and I even managed to escape on a “date-night” Saturday.  Sure it was just down to the local Chick-Fil-A, but we did score a bar-height table complete with fresh flowers and a view over the sparking and romantic lights of the local Lowe’s store in the strip center.

Romance is where you make it happen for yourselves kids….

Cheers!

--Claus V.