Microsoft Warns of Attacks on Unpatched Windows, IE and Office Flaws
Microsoft is warning Windows users about three separate, as-yet-unpatched flaws (one in Windows itself, one in Internet Explorer and one in PowerPoint) that bad guys are using to install spyware when users merely visit a malicious Web site or open a maliciously crafted PowerPoint deck.
The flaw in the Windows OS was discovered back in July by researcher HD Moore of Breakingpoint Systems. The discovery came as part of Moore's month-of-browser-bugs experiment, in which he unveiled a new browser flaw each day for a month.
This particular Windows bug, which you may see referred to by the name of the vulnerable ActiveX control and method, "WebViewFolderIcon setSlice" (the control ships with Windows; IE is simply the way attackers reach it), can be exploited to install spyware on PCs merely when someone visits a malicious site with IE or opens a specially crafted e-mail (although Microsoft says that customers who are running Windows Server 2003 and Windows Server 2003 Service Pack 1 in their default configurations, with the Enhanced Security Configuration turned on, are not affected).
Websense says its researchers have spotted this exploit on a number of sites known to be controlled by the same Russian hacking outfit that Security Fix previously credited with some fairly nasty past exploits. Websense notes that "the fact that they are using the exploit code poses a significant risk because of their ability to attract users to sites via search engines and email spam campaigns."
Meanwhile, Roger Thompson over at Exploit Prevention Labs reports that this flaw also is being used at sites that try to install the CoolWebSearch program, a family of pop-up-spewing, browser-hijacking software that can be extremely difficult to remove from your system.
Microsoft is also warning of a flaw in PowerPoint that criminals are using to install malware. Typically, these types of vulnerabilities have been used by groups to conduct very successful targeted attacks against businesses and the federal government, in most cases to install password-stealing tools. Microsoft says most of its currently supported versions of PowerPoint are vulnerable, including Microsoft PowerPoint 2000, Microsoft PowerPoint 2002, Microsoft Office PowerPoint 2003, Microsoft PowerPoint 2004 for Mac, and Microsoft PowerPoint v. X for Mac.
What's probably most interesting about this PowerPoint flaw, according to a blog post from anti-virus maker McAfee, is the fact that it appears that Microsoft's antivirus product added detection for this exploit back on Sept. 23, but the company didn't put out a public advisory on the threat until Sept. 27. McAfee said the delay suggests that "Microsoft's security team knew of this in-the-wild attack but did not make the information public." If true, that is pretty unfortunate.
Finally, there is yet another Internet Explorer bug being exploited in the wild, according to Microsoft. This one doesn't appear to be widely exploited yet, but that's probably a matter of time. Check out Sunbelt Software's write-up of a case they found of this bug being used to install malware.
A couple of points: If you use IE, consider upgrading to IE 7 (still a release candidate as of this writing), which doesn't appear to be affected by any of these flaws. Also, as always, it's a good idea never to click on an attachment, PowerPoint or otherwise, sent to you in e-mail that you were not expecting. When in doubt, e-mail the sender and ask whether they really meant to send you that file and why you should open it. Also, scan all e-mail attachments with anti-virus software before downloading and opening them.
And if you're a Windows user, set your system to download software updates automatically -- more information here.
By Brian Krebs |
October 2, 2006; 9:20 AM ET
Latest Warnings
Posted by: David | October 2, 2006 9:44 AM
I agree with David. MS is very selective when it comes to patching. When a problem will hurt MS' pocket, they'll do it in double-quick time, like the recent DRM problem. Otherwise they typically deny the problem is a major issue until things get out of hand...
Posted by: Peter | October 2, 2006 12:29 PM
I run Firefox, not IE. I don't want Windows Genuine Advantage issues, so my update is set to manual. My AV s/w, OTOH, updates automatically (Bit Defender).
Posted by: RML/DC | October 2, 2006 12:42 PM
My computer was massively attacked between September 25 and 29 while I was in Istanbul, Turkey, using the Wi-Fi system of the hotel. I have been going to the same hotel twice a month for the past year and never had a problem before. I started getting unsolicited escort and get-paid-for-phone-interviews pop-ups, a page from a Monaco casino, and several warning messages and entire pages from vendors of anti-spyware and anti-malware products, some in English and others in French. I uninstalled all unknown software in my system and bought locally the latest version of McAfee VirusScan. I ran several scans on the PC and on-line but nothing was found. I also checked with McAfee the virus names supposedly infesting my computer but they seem unknown to them.
The names of the cleaning products I am getting as pop-ups include: Security Trouble Shooter, Online Security Guide, WinFix, Security Monitor, Privacy Inspector, Security Fix, Troubleshoother.net and some others. I managed to put WinFix in quarantine, just in case it were a genuine one, but I am stuck with the rest. I already had MS automatic updates and have reset all the other McAfee and MS parameters to the highest levels, but some pop-ups persist.
The "system alerts" I am still getting at the right lower corner of the screen warn of "malware threats", back-door Trojans, and a virus "Win32.MT.Rs". I am returning soon to Europe and will have the computer examined, but during my trip I transferred and received sensitive information and am therefore nervous and furious. If private labs and Microsoft knew of the threat so long in advance and did nothing in any direction there is not just a "flaw" in their security. It is negligent, careless and even criminal behavior. I wonder what judicial action can be taken against Microsoft and other parties acting in such a manner.
If there are any tips as to how to remove the above intruders please write.
Posted by: Jacques | October 2, 2006 2:08 PM
To Jacques:
Your machine has been compromised and the most effective solution is also the most unpleasant one: flatten and rebuild your system.
a. backup your data files
b. reformat the hard drive
c. reinstall Windows XP SP2
d. make sure the Windows firewall is on or you are behind a router with onboard firewall
e. connect to Microsoft's Windows Update site and get all of the critical/high-priority/security patches issued since XP SP2 was released. This will take a while and several reboots.
f. follow Mr. Krebs' instructions for creating a limited user account for your daily use. You were probably running as an administrator since this is the default setting. Your intruders took advantage of this default. By operating as a limited user, you restrict what can be installed (by you or anyone else). Use the administrator account only when performing software installs, updates, and system changes.
http://blog.washingtonpost.com/securityfix/2006/05/the_importance_of_the_limited.html
g. Your web browser should have Javascript and ActiveX turned OFF by default. Only turn them on for web sites you trust. For Firefox, install the NoScript extension. For Internet Explorer, change the Custom Security settings for the Internet Zone.
Posted by: Ken L | October 2, 2006 2:48 PM
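As an added example (not part of Ken L's comment or of Mr. Krebs' post), the checkable parts of steps d and f above in PowerShell: report whether the account you are sitting in is an administrator, create a limited account for daily use, confirm it did not end up in the Administrators group, and show the XP SP2 firewall state. The account name "daily" is a placeholder of my choosing; the netsh syntax is the XP SP2 "firewall" context.

```powershell
# Added example, not from the original post or Ken L's comment.
# Run once from an administrator account after the rebuild.
# "daily" is a placeholder account name (assumption) - pick your own.

# Step f, part 1: are we currently running as an administrator?
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
'Current account: {0}   administrator: {1}' -f $identity.Name, $isAdmin

# Step f, part 2: a limited user is just a local account that is a member of
# Users and NOT of Administrators. 'net user ... * /add' prompts for the
# password and places the new account in Users by default.
$name = 'daily'
net user $name * /add

# Verify it did not land in Administrators (it should not by default).
$admins = net localgroup Administrators
if ($admins -match "^\s*$name\s*$") {
    Write-Warning "$name is a member of Administrators; remove it with: net localgroup Administrators $name /delete"
} else {
    "$name is a limited user (not in Administrators)."
}

# Step d: show the XP SP2 Windows Firewall state. If it reports disabled,
# turn it on with:  netsh firewall set opmode mode=enable
netsh firewall show state
```

Log off and back on as the limited account for everyday browsing and e-mail; use the administrator account only for installs and updates, as step f says. If you are behind a router with its own firewall, step d is satisfied even when the Windows firewall reports disabled, but there is no harm in running both.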
There is a workaround available (described at SANS) for the "WebView ..." vulnerability, although it involves setting the "Kill bit" for the vulnerable CLSIDs, which are:
{844F4806-E8A8-11d2-9652-00C04FC30871} and
{E5DF9D10-3B52-11D1-83E8-00A0C90DC849}
Tom Liston at SANS has made available a small Windows program that will set and unset the relevant "kill bits". You can get it at:
http://isc.sans.org/diary.php?storyid=1742
I have done this on the two Win XP machines we still have (we mostly use Linux), and have encountered no problems so far. As always, YMMV.
HTH, Rich
richg74 AT gmail DOT com
Posted by: Rich Gibbs | October 2, 2006 2:59 PM
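As an added example (this is not Tom Liston's tool and comes from neither SANS nor the original post), here is a PowerShell script that sets, clears and checks the kill bit for the two CLSIDs Rich lists above. It assumes the kill-bit location Microsoft documents for ActiveX controls: the key HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, with DWORD value "Compatibility Flags" and bit 0x400 meaning "do not instantiate in IE". The function names are my own.

```powershell
# Added example, not from SANS, Tom Liston or the original post.
# Sets (default) or clears (-Clear) the ActiveX "kill bit" for the two CLSIDs
# named in Rich Gibbs' comment, then reports the resulting state.
# Assumes the documented kill-bit location:
#   HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
#   DWORD "Compatibility Flags", bit 0x400 = kill bit.
# Run from an administrator account.
param([switch]$Clear)

$KillBit = 0x400
$Base    = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$Clsids  = @(
    '{844F4806-E8A8-11d2-9652-00C04FC30871}',
    '{E5DF9D10-3B52-11D1-83E8-00A0C90DC849}'
)

# Current "Compatibility Flags" for a CLSID, or 0 if the key/value is absent.
function Get-CompatFlags {
    param([string]$Clsid)
    $key = Join-Path $Base $Clsid
    $v = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $v) { return 0 }
    return [int]$v
}

# Set or clear only bit 0x400, preserving any other flags already on the control.
function Set-KillBit {
    param([string]$Clsid, [switch]$Clear)
    $key = Join-Path $Base $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $flags = Get-CompatFlags $Clsid
    if ($Clear) { $flags = $flags -band (-bnot $KillBit) }
    else        { $flags = $flags -bor $KillBit }
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $flags -Type DWord
}

# True if IE will refuse to instantiate the control.
function Test-KillBit {
    param([string]$Clsid)
    return (((Get-CompatFlags $Clsid) -band $KillBit) -ne 0)
}

foreach ($c in $Clsids) {
    Set-KillBit -Clsid $c -Clear:$Clear
    '{0}   kill bit set: {1}' -f $c, (Test-KillBit $c)
}
```

Run it with no arguments to set the bits and with -Clear to undo them, which is the same pair of operations Liston's program offers. Two caveats: a kill bit stops IE from instantiating the control at all, so any page or application that legitimately hosts it in the browser stops working until you clear the bit; and on 64-bit Windows the 32-bit IE reads the same key under HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility, so set it there as well.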
This PowerPoint issue mentioned is remarkably old, however, because Microsoft advisory #925984 has been available since 27th September already.
Targeted attacks are here to stay and we will see these every month because Office systems are widely installed on corporate machines and normally companies don't filter common Office file types.
Posted by: Juha-Matti Laurio | October 2, 2006 3:33 PM
IE 7 is still a Release Candidate. How can you recommend that users run a browser that is still in testing? No WAY!
Posted by: No Beta Tester | October 2, 2006 5:37 PM
HD Moore originally didn't think it would lead to code execution (from what I understand). Microsoft didn't seem to look very far into it. I think it would be a good idea for Microsoft to look very carefully at anything that HD finds. Just to be on the safe side.
I'm not sure if anyone ever told Microsoft ahead of time they had ended up finding a code execution capability. Even though it was reported to them previously as not being the case, finding this is the case should result in them being notified so it doesn't put innocent users at risk.
Posted by: David Taylor | October 2, 2006 7:15 PM
No Beta Tester:
I have used IE 7 for the last 2 or 3 months now and while I wouldn't recommend a company to upgrade all of their browsers I don't think it could hurt for people to give it a try. I have had zero problems with it and have tested it with some of these latest zero-day exploits. Word has it that there is a new Firefox vulnerability (that they say can't be patched) and PoC exploit code possibly available.
I think it is great that there is at least one possible alternative browser (IE 7) that can be used to at least keep your computer from being pwn3d.
Posted by: David Taylor | October 2, 2006 7:38 PM
Computer security is a matter of risk management and not solely based on one piece of software.
Defense in depth: "represents the use of multiple computer security techniques to help mitigate the risk of one component of the defense being compromised or circumvented."
Time will tell how secure IE7 will be. I have been using it through the betas and now the release candidate. There ARE major security changes in the browser that make it exponentially more secure. Thus, it will be a major part of any defense in depth strategy, just as using Firefox can be.
Also, as a matter of course, I have personally used and professionally supported Windows systems for over ten years. In my experience, a well-managed system is very secure. Of course, a well-educated operator is also part of that defense in depth strategy! (As such, my personal systems have not been compromised by a single piece of malware). A large part of that strategy is using a non-admin account!
Last point; patching is part of computing. Software will never be bug free and criminals will never stop trying to use those flaws to compromise a system.
Posted by: TJ | October 2, 2006 7:48 PM
Microsoft knew about it as it was found. They read security researchers' blogs.
Posted by: x x | October 2, 2006 8:54 PM
@Nick Koen
"Why in the name of God is Internet Explorer - a plain browser - integrated into the OS?"
One word - Netscape
Posted by: Fastoy | October 2, 2006 9:37 PM
Sorry to disagree with the author, but IE7 is not the solution. A month after IE7 is mass-installed through Windows Update it will be swarmed with just as many hacks as IE6. The reason? The underlying insecurity of Windows.
Why in the name of God is Internet Explorer - a plain browser - integrated into the OS? We all pay the price of Microsoft's Marketing Dept. when a simple malformed web page causes the browser - and Windows - to crash or worse - to install some illegal key-logger and CC-number stealer program.
Posted by: Nick Koen @ HP.BG | October 2, 2006 10:00 PM
Keep in mind that many of the issues here are self-imposed. You can buy the best locks and security system for your home, but if you don't use them properly (i.e. lock the doors and set the alarm), it is your own fault if someone breaks in.
Don't get me wrong, I don't subscribe to the "it's ok to hack those who don't patch because they deserve it" crowd... quite the contrary. However, I understand that the internet is ate-up with this type of person and I cannot rely on Microsoft to protect my PC anymore than I can rely on Schlage (lock manufacturer) to come lock my doors for me.
Quick note to Jacques... you did the right thing in getting AV Software, but waiting until after you got hit was not that great. I'd recommend that the first thing anyone with a new PC does is to install AV software.
As for the pop-ups, I don't think you have a virus per se, most likely just tons of spyware/adware.
Lavasoft puts out a nice product called Adaware (not the best idea for a name, but it works well). I'd recommend using something like this to scan your PC periodically and clean up anything your AV software deems too trivial to stop.
Other than that, follow Ken L's suggestions and you should be fine.
Posted by: Mike | October 3, 2006 7:31 AM
I always find your articles informative. But I'm afraid I don't agree with the 'upgrade to IE 7' advice.
1} Not everyone's applications will work with IE7. We have several packages which we already know don't work with IE7 {custom ActiveX controls}. We also have packages for which we will lose technical support if we 'upgrade' to releases not yet certified by the vendor. In all cases, these packages are IE-specific browser-based packages. One of them is a payroll entry application. This is a fact of life I'm extremely unhappy with.
2} IE7 is still a Release Candidate. Unqualified advice to upgrade to any RC is inappropriate. Frankly, I'm tired of spending time testing and working around MS beta / RC software issues. 'Gold Release' versions present enough problems without my going to deliberately expose myself to even more.
Personal anecdotal experience: Every person (over 50) I've convinced to switch to Firefox as their browser has not gotten re-infected once I've cleaned their systems. Every person (7) who persisted in using IE except one got re-infected. Since I charge $100 a pop to clean up residential PCs, the extra $600 was nice to have.
No matter how many times you tell them, you'll never get all end users to update patches in a timely manner. Defense in depth is a requirement. In my opinion, switching from IE is just one layer of defense in depth. Switching to text only mode or a text only email client is another. For Windows users, I normally recommend either Thunderbird or Forte Agent.
That's just for starters. YMMV
Posted by: No.Tellin | October 3, 2006 10:50 AM
I want to thank Ken L. and Rich Gibbs for their respective advice on Oct 2--very useful.
Posted by: Jacques Couvas | October 6, 2006 10:15 AM
@Brian
What is your opinion on this with regards to the full-disclosure aspect. HD Moore released this in July, and Microsoft has had plenty of time to patch, but it hasn't gone into the "wild" until September.
Doesn't this show a serious flaw in their "only show the vendor because it will cause 'wild' exploits too quickly" policy regarding disclosure?
Thanks!