September 28, 2009

Microsoft Security Essentials Ship Date Revealed

By Jin Nan Goto

Microsoft’s new anti-malware software, which is intended to replace the discontinued Windows OneCare, will be released tomorrow, Sept. 29th.  Microsoft Security Essentials, codenamed Morro, was offered earlier this year as a beta to 75,000 users and now it will be made available as a free download to the public.  From my use during the beta I found MSE to be a very capable AV software. It offers a much lighter footprint than the massive AV suites and along with Windows Defender, bundled with Windows Vista and Windows 7 and a free download for XP users, it is a great antivirus/antispyware solution.

Additional Info:

Story from pcadvisor.co.uk
http://www.pcadvisor.co.uk/news/index.cfm?newsid=3202792

Story From zdnet
http://blogs.zdnet.com/microsoft/?p=4091

June 29, 2009

Anatomy of Spam: Why you should not click on links in emails

By Jin Nan Goto

Formatting emails in HTML is a very powerful tool and is often used to create very attractive emails.  Examples of legitimate uses of HTML email are online promotions and newsletters.  However, HTML has been heavily abused, and that has some very serious consequences for security.  It is very easy to hide the true destination of a link using HTML.  This is part of the nature of HTML.  Here is the code used to create a link.

<a href="evilsite.com"> (This is the actual address of the link)

https://www.onlinebankingsite.com</a> (A fake address posing as a legitimate site)

In HTML a spammer can easily define a URL and also include descriptive text, which is presented to the recipient in place of the URL.  The recipient does not see the URL hidden behind the descriptive text and will click it, thinking it is the site referenced in the descriptive text, and is directed to whatever site the spammer wants. It is a potent tool often used in phishing attacks to steal usernames and passwords, banking information, credit card numbers, etc.

Here is a real example

I got this suspected phishing email.  The link says www.paypal.com.  It’s also https so it’s secure right?

Here’s what the link looks like if you look at the code.  Notice that the real address for the link is not https://www.paypal.com, but an IP address.

How to protect yourself

1. The safest way to protect yourself is to turn off the display of HTML in your email program.  This will ensure that all your messages are sent in plain text.  This is the safest way to use email.

2. If you absolutely need to follow a link in an email, copy the descriptive text of the link and paste it directly into the address bar of your browser.  This should ensure that the descriptive text is used as the address and not any hidden address.

3. Many email programs will automatically disable links in emails from unknown senders.  They will also recognize the spoofed address and warn the user before enabling the links.  Even so, you should never rely on your email program to keep you totally safe.
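
The kind of check a mail program can make to recognize a spoofed address, as an added example that is not part of the original post: it parses an HTML body and reports links whose visible text is written as one address while the href goes to a different host or to a bare IP address. The names (suspicious_links, LinkCollector, SAMPLE) and the sample body are assumptions constructed for illustration.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible link text that is itself written as a web address.
URLISH = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/:?#].*)?$", re.I)
# Constructed sample body: documentation-range IP and made-up host names.
SAMPLE = (
    '<p><a href="http://203.0.113.7/login">https://www.paypal.com</a></p>'
    '<p><a href="http://evilsite.com">https://www.onlinebankingsite.com</a></p>'
    '<p><a href="https://www.example.org/news">www.example.org</a></p>'
)

def host_of(address):
    """Lower-cased host of an address, assuming http:// when no scheme is given."""
    if "://" not in address:
        address = "http://" + address
    return (urlsplit(address).hostname or "").lower()

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

class LinkCollector(HTMLParser):  # collects (href, visible text) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html):
    """Return (href, text, reason) for links whose text misstates the target."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = host_of(href)
        if is_ip(target):
            findings.append((href, text, "href is a bare IP address"))
        elif URLISH.match(text) and host_of(text) != target:
            findings.append((href, text, "visible address differs from href host"))
    return findings
```

Calling suspicious_links(SAMPLE) reports the first two links and leaves the third alone, because its visible address and its href name the same host.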

Filed under: Email, Security

June 23, 2009

First Look at Microsoft Security Essentials

By Jin Nan Goto

Back in November Microsoft announced that it would stop selling Microsoft Live OneCare on June 30 and that the anti-virus aspect of OneCare would be replaced with a free antivirus product codenamed “Morro”.  Today a beta version of Morro was released by Microsoft as Microsoft Security Essentials.  The beta was released in 4 countries: the United States, Israel, Brazil and China.

I installed it on a couple of my machines and it seems to follow Microsoft’s claim that this is a leaner Antivirus with a low memory and processor footprint.  The interface is very clean and simple as opposed to other anti-virus software.  Overall it seems like a very good solution for a free anti-virus.

Screenshots

Installation went very smoothly.  Although there were a lot more prompts than I would have liked.

Start of MSE Installation

Microsoft Security Essentials will only install on validated Windows machines so it makes you pass validation before you can install it.  This is pretty common for Microsoft’s downloads so I’m not going to complain too much about it.

You need to validate your copy of Windows to install MSE

Here’s the EULA

The MSE EULA

A reminder that you should only have one anti-virus software installed or else you will potentially have conflicts between the different AV products.  In fact installing MSE will also disable Windows Defender (Vista’s built in Antispyware software).

Reminder to remove existing anti-virus software

Once you get through all the prompts the installation breezed through very quickly.

Quick Installation

Installation is complete and you are prompted to download the latest Definitions and run a scan.

Installation is complete

Downloading Updates to Malware Definitions

A virus scan in progress

The interface is very clean and changing the time and frequency for the weekly scans is very easy.

A view of the Settings Menu

Not being willing to download an actual real virus to my computer just to get a screenshot, I downloaded the Eicar Test Virus and MSE immediately flagged it as possible malicious code.

MSE Found the Test Virus

It removed the test virus and everything turned back to a calming green.

MSE Removed the Test virus

November 18, 2008

Microsoft to Pull Plug on Windows Live OneCare in 2009, Will Offer Free Version

By Jin Nan Goto

Microsoft announced today that it will discontinue the sale of its Windows Live OneCare suite on June 30, 2009.  Live OneCare is a commercial all-in-one anti-malware/security/backup/network management/kitchen sink application, and it will be replaced by a free downloadable anti-virus application code-named “Morro”.

Code-named “Morro,” this streamlined solution will be available in the second half of 2009 and will provide comprehensive protection from malware including viruses, spyware, rootkits and trojans. This new solution, to be offered at no charge to consumers, will be architected for a smaller footprint that will use fewer computing resources, making it ideal for low-bandwidth scenarios or less powerful PCs. As part of Microsoft’s move to focus on this simplified offering, the company also announced today that it will discontinue retail sales of its Windows Live OneCare subscription service effective June 30, 2009.

Morro essentially branches off the anti-virus and anti-spyware portions of OneCare into a separate but free product.  From the press release it’s not clear what future relationship Morro will have with Microsoft’s other anti-malware program, Windows Defender.  Will they ship as two separate applications or will they be combined?  Also, OneCare had features other than anti-malware and it’s not clear how those features will be replaced. While Microsoft hasn’t said so publicly, there is another Microsoft product that is also expected in the second half of 2009.  That product is Windows 7.  Coincidence?

This move seems to fit with Microsoft’s plans to move a lot of bundled applications off Windows 7 and into the Windows Live Suite.  Bloggers have for years pointed to Windows Movie Maker as evidence of how bloated Windows had become. In Windows 7 Movie Maker will no longer be bundled with Windows and will be offered as a free downloadable program. Offering Morro as a free download rather than bundling it with Windows also has the advantage that it makes it much less likely that Microsoft will face the same kind of legal issues from the US Justice Department and the EU that it faced with its bundling of Internet Explorer and Windows Media Player.

Links:

Microsoft Press Release
http://www.microsoft.com/Presspass/press/2008/nov08/11-18NoCostSecurityPR.mspx

OneCare Blog Entry
http://windowsonecare.spaces.live.com/blog/cns!C29701F38A601141!10418.entry

November 11, 2008

Keep Your Applications Current With Secunia PSI

By Jin Nan Goto

Making sure Windows is fully patched is the most important way to improve your security against malware and viruses.  Within hours of patching a security hole, malware creators will have reverse engineered the patch and will actively start exploiting the problem.  This creates a short timeframe where the computers that did not receive the update are vulnerable. Antivirus software can help protect you but it is not guaranteed to prevent malware from installing on your computer, especially if the exploit is new.  Ensuring that you install updates (eliminating the problem) as soon as they are released provides the best protection.

However it’s not just Microsoft products that suffer critical security flaws and patches. While Microsoft provides its updates automatically through Windows Update, many third party applications such as Adobe Reader and Java Runtime may go a long time before the patch is installed. During that time your computer will be vulnerable. Also, Microsoft to its credit has greatly improved the security on Windows (especially Windows Vista).  In fact Microsoft reported that in the first half of 2008 none of the top 10 browser exploits affecting Windows Vista were Microsoft vulnerabilities.  All were from third party software vendors (Microsoft Security Intelligence Report Volume 5).

This illustrates that just patching Windows is quickly becoming insufficient as malware is now frequently targeting popular non-Microsoft products. Secunia PSI is a free program that will scan your computer and will check all of your installed programs (both Microsoft programs and programs from other vendors). It will check and see if there are vulnerabilities with those programs that have been patched.  It will then provide a link to the update.

Secunia PSI is very easy to run and I found it very useful for alerting me to out of date software that I wouldn’t normally think of.  I recently reinstalled Windows on this machine, and when I ran it I knew that Adobe Reader and Adobe Flash Player were out of date (just because my restore disks were old).  Sure enough Flash Player and Adobe Reader were flagged by Secunia.  However, it also alerted me that my version of Java Runtime Environment was also out of date and had an update available. For convenience, links to the patches were provided and that made fixing all the issues found by Secunia very easy. Secunia PSI is an incredibly valuable tool for securing your PC and I highly recommend it to everyone.

You can download Secunia PSI from this address
http://secunia.com/vulnerability_scanning/personal/

Filed under: Security

October 8, 2008

New and Improved UAC is coming to Windows 7

By Jin Nan Goto

I wasn’t planning on writing another post about the Engineering Windows 7 blog since I already mentioned it last week. But this latest post from the E7 blog is about User Account Control and I couldn’t resist.  Bottom line is UAC is coming to Windows 7.  This is probably disappointing news for many who considered UAC to be too obtrusive and obnoxious (although I don’t think anyone thought UAC wasn’t coming back).  Still, the Windows 7 people are working to improve it and lower its annoyingness.

Now that we have the data and feedback, we can look ahead at how UAC will evolve—we continue to feel the goal we have for UAC is a good one and so it is our job to find a solution that does not abandon this goal. UAC was created with the intention of putting you in control of your system, reducing cost of ownership over time, and improving the software ecosystem. What we’ve learned is that we only got part of the way there in Vista and some folks think we accomplished the opposite.

Based on what we’ve learned from our data and feedback we need to address several key issues in Windows 7:

  • Reduce unnecessary or duplicated prompts in Windows and the ecosystem, such that critical prompts can be more easily identified.
  • Enable our customers to be more confident that they are in control of their systems.
  • Make prompts informative such that people can make more confident choices.
  • Provide better and more obvious control over the mechanism.

Excerpt from Engineering Windows 7 Blog

Designed out of a desire to make Vista the “most secure version of Windows ever” UAC has done a lot to change a very destructive aspect of Windows, which is that everyone ran Windows as an Administrator.  UAC has not only helped by warning users when installing software (or malware), it has also helped developers create better software that was more conducive to allowing users to run as a limited user and improve security. Malware is generally not able to install itself without permission when running as a limited user.

The older versions of Windows (Win95, Win98, WinMe) were all single user operating systems, where the user had full control over modifying the system.  The newer versions of Windows (Windows 2000 and later) were multiuser capable.  This allowed for limited user accounts as well as administrator accounts. The data from Microsoft’s Windows Feedback Program showed that around 75% of computers have only one user account, which defaults to the Administrator account.  In the past many software developers made assumptions that the computer would have full access to be able to modify the system.  The E7 blog admits that even some developers at Microsoft made those assumptions as well.  This really made running Windows XP as a limited user incredibly difficult.

With Vista and UAC, developers had to take a hard look at the programs that required Administrator rights and whether they could (or should) change them to not require elevation.  If they did require elevated privileges the secure desktop popped up and the user had to explicitly allow it.

We also found that there were many cases in previous versions of Windows where we had lumped things together when instead only part of the task really should have required the user to be an administrator.  For example, in Windows XP you had to be an administrator in order to change the time or the time zone of the system. The reason that time functions are usually restricted is that you can do some pretty sneaky things if you can change the system time — like trick system logs or backdate emails.  But as it turns out, changing the time zone of the machine so that a business traveler based on the West Coast goes to their meetings at the right time when they are visiting New York really doesn’t need to be protected — so in Windows Vista, we split that out and now allow a standard user to change the time zone.

Excerpt from Windows Vista Blog

Vista has been incredibly effective in reducing the number of programs that require full administrator privileges, and this is only improving as time passes.

However the implementation of UAC in Vista is far from perfect.  While you want to warn users against doing things that are dangerous (installing un-trusted software or messing with the registry/or device manager) the frequency of prompts runs the risk of the user ignoring them and always approving.  The darkened screen of the secure desktop is somewhat alarming and unfriendly to users.  Also, in Vista even an administrator is not “really” an administrator.  They run as a standard user unless they need to approve an action.  This upsets experienced users who know what they are doing and want full control over their computer.  Still an improved version of UAC is a really important addition to the future Windows 7.

External Links:

Engineering Windows 7 Blog
http://blogs.msdn.com/e7/archive/2008/10/08/user-account-control.aspx

Windows Vista Blog
http://windowsvistablog.com/blogs/windowsvista/archive/2007/01/23/security-features-vs-convenience.aspx

July 7, 2008

Changing Windows Update To Microsoft Update in Windows XP

(Originally Posted May 9, 2008)

Nobody writes perfect software and programs are constantly being updated and patched to fix security vulnerabilities.  One of the most essential ways to harden your computer against attacks such as malware is to make sure that the software on your computer is up to date.  All modern operating systems offer mechanisms for updating themselves.  Windows uses Windows Update to automatically search for new updates and install them.  Due to the explosion of spyware, viruses, trojans, and all kinds of malicious junk it is very important to stay current with all the critical security patches.

While Windows Update does a decent job patching your operating system, Windows is not the only software that needs to be patched.  While third party programs such as iTunes and Adobe Reader have their own update programs, other software from Microsoft, such as Microsoft Office, can use Windows Update, except that you have to change Windows Update to Microsoft Update.

Step by Step Installation of Microsoft Update

select Windows Update From Start Menu

The first step to turning on Microsoft Update is to run the Windows Update tool.  I did this by selecting Windows Update from the Start menu.  If it is not on your Start menu you can also find it by selecting “Run” from the Start menu and typing in “wupdmgr.exe”.

Click on

Once you have Windows Update open, click on the “Upgrade to Microsoft Update…” link on the right hand side of the page.

Click on

Next hit the “Start Now” button, pretty self explanatory.

Click on Continue

In the next step, you are instructed to read the license agreement.  Once again you can just click the button and proceed.

Install ActiveX control

At this point you may be prompted to install the ActiveX Control to run Microsoft Update.  Click on the yellow bar at the top of the page and select “Install ActiveX Control”.

Click

From there the only thing left to do is to push the “Install” button to confirm the installation of Microsoft Update.

You are finished

Congratulations you are done.  Also, make sure that Automatic Updates is set to on so that you get updates as they come out.