
Archive for the ‘!Important’ Category

Windows 7 Launch Coverage
October 24th, 2009
by Bryant

For a week or two after the official Windows 7 launch, I’ll be posting all sorts of videos, interviews, and other content. Stay tuned and either bookmark this post (and check repeatedly) or simply check AeroXperience for more updates. These will be the last major posts prior to the rollout of winJade, of which I’m intentionally withholding details because I’m mean and simultaneously awesome.

  1. The day after 7: perspective… and Brad Brooks (October 23, 2009) (Update: video brightened)
  2. The Windows 7 tweet-up in New York City, Winners, etc. (October 24, 2009)
  3. The Effects of Leaks: A Candid Interview (October 25, 2009)
  4. Coming Soon

Trust me when I say that whatever I’ll deliver will be worth your while in many ways.

Posted in !Important, AeroXP, Microsoft, Windows | No Comments »

SMB2 flaw does not affect Windows 7
September 9th, 2009
by Maurice

Pythons attacking the network!

On Tuesday, some no-good hackers decided to post a vulnerability, complete with a proof-of-concept Python script, that can remotely crash any Windows-based computer that has the SMB 2.0 network protocol enabled, which includes any system running Windows Vista or later. So, like anybody with a bunch of free time would do, I cracked open a couple of VMs and had some BSoD fun with Vista, but noticed that 7 didn’t budge whenever I sent the exploit packets, so I suspected that they had probably tested the RC version against this exploit.

Well, my gut feeling was right: Microsoft released a security advisory later that day stating that it only affected Windows Vista and Server 2008, as well as the Windows 7 RC, with no mention of 7 RTM (or Server 2008 R2). Plus, the scope was narrowed further when it was revealed that Public network locations were unaffected (the firewall blocks inbound connections there anyway). So nothing that bad to get riled over.

Of course, until a hotfix is released, if you’d like to protect yourself completely from the exploit you can do either of the following:

  • Block inbound connections to TCP ports 139 and 445 with a firewall
  • Disable the SMB2 driver
  • Both (why not, unless you’re actively using file/printer sharing?)
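Here, as an added example that is not from the original post, is how those two workarounds look when typed into an elevated PowerShell prompt on Vista or 7. It assumes Windows Firewall with Advanced Security is in use; the registry value it flips (Smb2 under LanmanServer\Parameters) is the one Microsoft’s advisory used to switch the SMB2 server off, and the rule name and function names are made up for this example.

```powershell
# Added example, not the post's own instructions. Assumes Windows Vista/7 with
# PowerShell, run from an elevated prompt. Smb2=0 under LanmanServer\Parameters is
# the documented switch for the SMB2 server; the firewall rule name is invented.

$smbParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$ruleName  = 'Block inbound SMB 139 445 - SMB2 workaround'

function Disable-Smb2Server {
    # Smb2 = 0 turns the SMB 2.0 server component off; clients fall back to SMB1.
    Set-ItemProperty -Path $smbParams -Name 'Smb2' -Value 0 -Type DWord
    # The Server service (LanmanServer) must restart for the change to take effect.
    Restart-Service -Name 'LanmanServer' -Force
}

function Enable-Smb2Server {
    # Revert once the hotfix is installed: removing the value restores the default (on).
    Remove-ItemProperty -Path $smbParams -Name 'Smb2' -ErrorAction SilentlyContinue
    Restart-Service -Name 'LanmanServer' -Force
}

function Block-InboundSmb {
    # One inbound block rule covering NetBIOS session (139) and direct SMB (445).
    netsh advfirewall firewall add rule name="$ruleName" dir=in action=block protocol=TCP localport=139,445 | Out-Null
}

function Unblock-InboundSmb {
    netsh advfirewall firewall delete rule name="$ruleName" | Out-Null
}

function Test-Smb2Workaround {
    # Report what is actually in effect, so the change can be verified and later reverted.
    $smb2 = (Get-ItemProperty -Path $smbParams -ErrorAction SilentlyContinue).Smb2
    $rule = netsh advfirewall firewall show rule name="$ruleName"
    New-Object PSObject -Property @{
        Smb2Disabled      = ($smb2 -eq 0)
        InboundSmbBlocked = ($LASTEXITCODE -eq 0 -and (($rule | Out-String) -match 'Block'))
        ServerService     = (Get-Service -Name 'LanmanServer').Status
    }
}

Disable-Smb2Server
Block-InboundSmb
Test-Smb2Workaround
```

Two caveats worth keeping in mind: with Smb2 set to 0, clients negotiate down to SMB1 for file and printer sharing, so remove the value again (Enable-Smb2Server) once the hotfix is in; and on the Public profile the default firewall policy already blocks these ports, which is why the post notes those machines were never reachable in the first place.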

Posted in !Important, AeroXP, Windows | No Comments »

Microsoft lists UAC hack as malware
July 30th, 2009
by Maurice

As those involved in the Windows 7 community may know, Microsoft has failed to fix a crucial flaw in the User Account Control feature of the operating system: code can be injected into one of a specific whitelist of auto-elevating Windows applications, which lets any application silently elevate. The code was released about a month ago as a proof-of-concept by Leo Davidson, showcasing the flaw by elevating a command prompt window through the whitelisted explorer.exe process.

The company stands by UAC in its final form, but they’re taking it a step further by blocking the program that demonstrates the flaw with their own security software.

Today I had just downloaded the zip file that causes the exploit when Microsoft Security Essentials greeted me with a nice dialog telling me that what I had just downloaded is malware, specifically HackTool.Win32/Welevate.A and HackTool.Win64/Welevate.A (depending on architecture). While I’d agree that this can be considered a form of malware, it’s just a very bad way of dealing with the situation. However, Leo noted that Windows Defender in Vista did not detect this exploit, and Bryant confirmed that the same is true for Windows 7 (where the trick would actually work), so this seems to be exclusive to Microsoft Security Essentials.

It’s not clear what method the signatures use to detect it, but I promptly recompiled the source code under the Visual C++ 10.0 toolkit using VS 2010 Beta and the application ran undetected. Not a very good solution if it is actually just hash-checking the specific binaries.

Leo and I (or Bryant) will update our respective pages accordingly as we discover more. Bryant is seeking official word from Microsoft on what’s going on. Meanwhile, you can see the VirusTotal report here and grab the exploit here.

Update (~Bryant): let’s take a look at what’s going on here from a different approach. Microsoft says that the vulnerability here is not actually a vulnerability and is, in fact, by design. However, they’ve also classified Leo’s proof-of-concept as malware. Logically speaking, if a process whose sole purpose is to exploit a perceived vulnerability is marked as malware, then it’s reasonable to assume that the perceived vulnerability is indeed a significant problem. Basically, Microsoft contradicted themselves by listing the proof-of-concept as malware.

Update 2 (~Bryant): A friend of mine proposed one particular argument as a potential explanation for this issue: that this is a bug within Microsoft Security Essentials. The reasons I don’t believe this to be the case are:

  • This exploit was specifically named as HackTool:Win32/Welevate.A (a quick googling shows only three links; one is to the aforementioned VirusTotal report, the second and third to a Microsoft encyclopedia entry).
  • This particular label only applies to this specific proof-of-concept.
  • A reasonable vulnerability assessment (“Medium”) was applied to this particular proof-of-concept, which makes sense given that this security vulnerability in UAC is only really an issue if either a user runs a malicious application or some other internet-facing application were to be compromised. I covered the latter in an older post of mine where I explain how this flaw essentially raises the vectors of attack many-fold.

Leo and Bryant contributed to this post.

Posted in !Important, AeroXP, Microsoft, Tips/Tricks/Hacks, Windows, lol wut | 9 Comments »

Notice regarding spam
June 16th, 2009
by Bryant

It has come to my attention (Thanks, William and Pastor Johnnie Sloan!) that a number of spambots took advantage of our lenient forum registration mechanisms to spam other blogs and forums. To this end, I’d like to personally apologize for the inconvenience caused. We are also trying to curb spam on our own blog and board, but this new form caught us off guard mainly due to its implementation.

Spambots were registering zero-post user accounts and filling the About-Me profile information with ads for the usual cocktails of worthless medications. We’ve done a mass deletion of all zero-post accounts made after the 20th of May and temporarily disabled the ability for a member with fewer than 100 posts to edit his/her profile. The associated spam links were typically in this format:

http://www.aeroxp.org/board/index.php?showuser=insert_number_here

We expect to return back to normal operating conditions soon.

Again, my sincerest thanks to William and Pastor Johnnie Sloan for tipping me off, and to the Akismet crew for guidance on the matter.

For those looking for IPs and emails to block, I can’t give block-worthy IPs as the automated nature of the spam meant that new IPs were used for each account. However, one domain suffixed to the bulk of our spam was “@top-medz.com”. If you operate your own forums and have recently fallen victim to spammers using your board to spam others, please check for this domain and any others and pass it to the guys at Akismet.

Posted in !Important, AeroXP | Comments Off

UAC in 7: Silent Attack Vector Multiplier (redux)
June 12th, 2009
by Bryant


Update: added a link to the original exploit

I really, really hate having to interrupt a good series bashing Apple, but this has to be said.

Long has resumed his crusade on fixing UAC, and normally, I would tell him to give it up for the sake of saving his own time. However, even though Mark Russinovich might not see UAC as a security boundary, the original UAC team sure as hell did, which makes me want Long to see this all the way through. (check the sidebar on the left)

“User Account Control (UAC) is a core security feature in the next release of Windows Vista and Windows Server code name Longhorn.” –UAC Blog

Guys, just fix it. I don’t see why things have to be made so hard; the UAC team clearly calls it a security feature, so do them a favor, don’t make them feel like they’ve wasted their time, and fix the problem. Thanks, Long, for telling me that this can’t actually be fixed as it’s a design issue, so here’s a better solution: give the user the ability to choose which UAC setting he/she wants upon first run. Here are three good options:

  1. Always On
  2. Notify when programs try to change settings (give a warning with this option about the potential risk of compromise)
  3. Always Off (give a bigger warning with this option)

You’ll notice that I didn’t actually suggest the option which gets rid of the secure desktop: I personally believe that that particular option offers absolutely no benefit over having UAC off altogether.
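As an added example (not Bryant’s or Leo’s code, and not from the original post), this PowerShell reads the three registry values behind the Windows 7 UAC slider and names the machine’s current level in the terms of the three options above, flagging the levels at which whitelisted Windows binaries auto-elevate. It assumes a Vista or 7 box; the value-to-level mapping is the documented one, the function names are made up, and Set-UacAlwaysOn needs an elevated prompt plus a reboot.

```powershell
# Added example, not from the post. Assumes Windows 7 (or Vista) with PowerShell.
# The key and value names are Windows' own; the function names are invented here.

$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacLevel {
    $p         = Get-ItemProperty -Path $uacKey
    $enableLua = $p.EnableLUA                    # 0 = UAC off entirely
    $consent   = $p.ConsentPromptBehaviorAdmin   # 2 = always consent, 5 = only for non-Windows binaries
    $secure    = $p.PromptOnSecureDesktop        # 1 = prompt isolated on the secure desktop

    # Map the raw values onto the post's three options plus the no-dim variant.
    # ConsentPromptBehaviorAdmin = 5 is the Windows 7 default that lets the
    # whitelisted Windows binaries (explorer.exe included) elevate silently.
    $level = if ($enableLua -eq 0) { 'Always Off (UAC disabled)' }
             elseif ($consent -eq 2 -and $secure -eq 1) { 'Always On (every elevation prompts on the secure desktop)' }
             elseif ($consent -eq 5 -and $secure -eq 1) { 'Notify when programs try to change settings (default; whitelisted binaries auto-elevate)' }
             elseif ($consent -eq 5 -and $secure -eq 0) { 'Notify without secure desktop (auto-elevate on; prompt not isolated from other software)' }
             else { "Custom policy (ConsentPromptBehaviorAdmin=$consent, PromptOnSecureDesktop=$secure)" }

    New-Object PSObject -Property @{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $consent
        PromptOnSecureDesktop      = $secure
        Level                      = $level
        # True whenever an auto-elevation trick would run without a prompt.
        AutoElevationExposed       = ($enableLua -eq 0 -or $consent -eq 0 -or $consent -eq 5)
    }
}

function Set-UacAlwaysOn {
    # The post's "Always On": consent prompt on the secure desktop for every
    # elevation, whitelisted Windows binaries included. Elevated prompt, then reboot.
    Set-ItemProperty -Path $uacKey -Name 'EnableLUA'                  -Value 1 -Type DWord
    Set-ItemProperty -Path $uacKey -Name 'ConsentPromptBehaviorAdmin' -Value 2 -Type DWord
    Set-ItemProperty -Path $uacKey -Name 'PromptOnSecureDesktop'      -Value 1 -Type DWord
}

Get-UacLevel
```

Run Get-UacLevel on a freshly installed 7 and it lands on the default “Notify when programs try to change settings” with AutoElevationExposed set to True; only the top slider position (ConsentPromptBehaviorAdmin = 2 with the secure desktop on) closes the door that the proof of concept walks through.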

I figured it had to be said.

(If you want to take this for a test run yourself, check Leo Davidson’s site for the original source code and binaries for the proof of concept exploit)

Mark & friends, I love you guys dearly, but I’ll be taking the original team’s word on this one. If you guys try editing it out, keep in mind the Internet Archive has a copy of the original statement.

Posted in !Important, Microsoft, Windows | 7 Comments »

If you’re running 7077, please upgrade to 7100
April 25th, 2009
by Bryant

Seems a few people have been pushing around the idea that 7077 is no different from 7100. Given that 7088 was the build that was jumped to 7100 and not 7077, it means there were still 11 builds’ worth of changes before a build was finally signed off as the release candidate for Windows 7.

If you’re running Windows 7 build 7077 (leaked earlier), you really do need to install 7100 if you want to give any relevant feedback. 7077 still has a few stability issues which, if reported, would be nothing more than a waste of time while being totally redundant. Granted, the build is stable, but when you’ve got a more stable build available to you, why hold back?

As everyone knows, 7100 already leaked via usenet/torrents, but if you want to give feedback, your best bet would be to just wait until 7100 is released via the usual channels (in this case, MSDN/TechNet on April 30 and worldwide on May 5).

Sorry for singling you out, Ed. You’re awesome, but I had to post this to suppress any confusion which might’ve resulted amongst our readers from your post.

Posted in !Important, Microsoft, Windows | 2 Comments »

What do you want most from PDC 2008?
October 6th, 2008
by Bryant

We started tossing subtle hints on the site last week to highlight our presence at this year’s PDC in Los Angeles. Now, roughly three weeks before the event kicks off, I’d like to know what you want us to cover the most: which keynotes you want to hear the most, which sessions you would prefer to hear, and which “UnSessions” you’d like to see. If it’s within our bounds (a Sinofsky interview is out of the question, unfortunately), we can deliver.

Events to choose from:

If you have any people in mind whom you think would provide good insight into a particular subject, feel free to list them as well and I’ll see what I can do.

If you’re registered, please leave your ideas as replies to this forum thread. If you’re not registered, feel free to leave suggestions here. (On that note, why not subscribe? We pay out of pocket for these trips; Even a little bit helps!)

Posted in !Important, AeroXP, Microsoft | 2 Comments »