Monday 8 August 2005

Old blog - Flaws in the architecture of Windows Vista (formerly Windows Codename Longhorn) could allow user driven code execution

Following hot on the heels of the news that the first viruses that target Vista have(n't) been discovered comes news that the fledgling OS is vulnerable to an even more basic attack. Microsoft have architected the system in such a way that it's possible (in fact it's down right child's play) for a user to download an application, install it and run it.

The implications of this are staggering. With just one or two mouse clicks users could be launching applications that have full and unrestricted access to their computer. It's all very well them not releasing MONAD (some kind of black window, a bit like DOS) as part of Vista but what is to stop a user visiting http://www.fuckyourpc.com, downloading something and then watching helplessly as their machine is destroyed?

Microsoft have to pull this shoddy beta right now. And then they need to come back with a version of Vista that doesn't have such obvious flaws.

As a precaution I recommend finding any .exe on your machine, and renaming it to .idontthinkso. In fact, just delete any exe you find. You may have to power down, stick your hard drive into another PC and do the delete from there, but it's worth it.

For more news on Vista vulnerabilities see the F-Secure blog.

Next week: Doors and windows in your house? You're just inviting the thieves in.

Monday 1 August 2005

Old blog - breaking news

Disturbing reports are emerging of a serious flaw in the very foundations of the internet. Top scientist people have discovered that it is in fact possible to fabricate emails. But unlike other forms of attack this needs no special skills or equipment. All that is required is a computer and a few kilobytes of web space.

Dr Alfred Epstein at the University of Pilsbury was the first to spot the problem. He returned home to find his 13 year old son reading Playboy and smoking cigars. His son showed him the following email:

Subject: RE: Permission
Date: Thu, 28 Jul 2005 17:31:42 -0700

From: "Alfred Epstein"

To: Freddy34343234_3434@hotmail.com

Sure thing son.

From: Freddy34343234_3434@hotmail.com
Sent: 28 July 2005 16:45 -0700
To: aepstein@pilsbury.ac.uk
Subject: Permission

Dad

Can I read your playboys and smoke cigars in the house?

Freddy

Epstein says that he never sent that email. When questioned further little Freddy said that he'd accidentally deleted the original mail, but that didn't matter because he'd the contents on his home page.

"I couldn't get anything else out of him," said Epstein, "so I reviewed the web logs. I found this page in his history. When confronted with this page he admitted he'd made the whole thing up. It was lucky he tried the scam on me and not his mother."

Concerned by the incident Epstein posted his finding to various newsgroups in the hope of warning the rest of the online community.

It was a shocking miscalculation.

Within minutes the whole internet was brought to its knees as hordes of people rushed to post their own fake emails online.

"People started off small. Your boss promising you a day off work or your Dad promising you a puppy. But then they got carried away. It's the victims that I feel sorry for. The innocent internet users who don't know any better."

One such user is Jenny. Her only crime? To be a bit tasty and live in the same building as several teenage Java programmers.

"They turned up and told me what they were there for. I didn't believe them at first, but then the showed me the page with the email. I just can't believe I'd send an email like that. I mean the sex was one thing, but in time to the Dark Side of the Moon being played in time to the Wizard of Oz? That's just weird. But it's in that mail and its on his website, so I mean I must have sent it."

There are other victims too, people you wouldn't expect to have gotten hurt by the scam.

Jeremy, a 24 year old player of an online Star Wars game, is now the proud owner of an Imperial Super Star Destroyer. He used the scam to con a fellow player out of it. But where once it would have left him the envy of all his friends (online), it now marks him out as different.

"I was going to blow the guys on the forums away. And then I get online and it's deader than when Episode III came out. I found out later that they were all getting lucky with a Princess Leia look-alike. I'm the last virgin in the Galactic Empire. I would take out their home systems with my Death Star but they're not online any more for some reason."

An unnamed source speaking on behalf of an unknown corporation had this to say:

"How the hell this wasn't picked up in testing I don't know. It's bound to be Microsoft's fault. To think that someone is able to post any old crap on a web page and that people believe it? It's crazy."

Related stories

IE7 nukes Google, Yahoo! search

If you ever get an email from someone who says it's from me...