
January 10, 2005

Microsoft AntiSpyware's Bang on the Button

Zap spyware with Microsoft AntiSpyware Beta, learn more about the Windows LoadImage flaw and how to protect yourself from attack. Plus, which older Mozilla software is vulnerable to attack.

Microsoft has released AntiSpyware Beta, with a separate antivirus product expected later in 2005. Both applications will use a subscription model. However, during the Beta period AntiSpyware is free. The current build will work until March 21, 2005.

Microsoft's AntiSpyware Beta is a re-worked (and partially re-engineered) version of Giant Software's AntiSpy application. Giant was bought by Microsoft in late 2004. As a matter of record, Giant's engine is also used by Sunbelt Software's CounterSpy, currently available commercially as an enterprise product. However, compared to the Giant application, I found CounterSpy so unformed that I discarded it soon after signing up for the Beta! As a matter of fact, AntiSpyware is more with it than CounterSpy ever was. What I do remember of that not so lamented Beta was too many false positives to count, and a seeming inability by the developers to include Beta feedback in a new build. Most tellingly, CounterSpy never seemed to identify spyware that PC-cillin Internet Security's rather basic spyware scanner detected, never mind playing in the big leagues with what Ad-Aware SE or SpyBot Search & Destroy find.

Microsoft AntiSpyware is a two-part product. There's the actual scanner and remover, plus SpyNet, a network community connecting AntiSpyware (as well as Giant) users to share information about unknown spyware applications and signatures. This wiki-like data hive will build a global database of spyware. Knowing Microsoft, I wonder how secure SpyNet will be. I'm sure each entry includes tags indicating how it was classified, the context and perhaps even details about the user reporting the issue. But I like how Microsoft has improved upon Giant's user interface. The software now supports XP Themes.
And while the interface seems streamlined, there remain a few gray areas. For example, I think AntiSpyware sometimes offers up too much information. Unfortunately there seem to be only two settings: basic and geek! But where AntiSpyware really scores is its depth of features. For most users the most common hijack is that of the browser Start Page. Now you can auto-restore the default even after a hijack attempt. The Real-Time Protection agent (installed by default) alerts you to any changes made to current settings. However, the software identified Messenger Plus as spyware, despite my custom install to avoid including its adware bundle. I think Microsoft is tagging utilities that modify default settings for its applications as spyware!

Scanning is easy to configure, and is speedy without consuming vast amounts of system resources. For example, on a Pentium 4 HT 2 GHz, a full system scan covering about 60 GB of data on 4 separate drives took 2 minutes. In all, 2,174 memory processes, 24,924 files and 8,868 registry keys were scanned, and 18 registry entries found. In comparison, Ad-Aware SE 1.5 didn't detect any threats. And I have been unable to get Spybot to complete scans: it begins scanning the final key in its database and remains there until the scan is manually terminated!

The full scan allows you to define which drives/folders to include. You can also scan mapped network drives. The quick scan option parses memory processes and the Windows Registry hive. Where AntiSpyware scores is that it can estimate how long a specific scan task will take. And as it scans your system, agents discovered are displayed with a hyperlink to a pop-up window with more information. The Results pane is quite detailed. The recommended action is displayed first, followed by the spyware agent detected and its threat level. Nested under each agent name is a list of keys or files identified as spyware. The user can change the recommended action (remove, ignore, quarantine).
The software separates actual spyware from possible spyware, perhaps in an attempt to avoid lawsuits, or because it's better to be safe than sorry later. However, an undo feature is missing, as is support for the Windows ME/XP Restore Point. And I still don't understand why AntiSpyware needs to restart the computer after completing the install. There's a dedicated newsgroup. Oddly, AntiSpyware seems to have issues with Windows XP SP2! One tester reports losing his TCP/IP settings altogether. Reader Lakhani reports that he had to restart his laptop twice before he was able to get TCP/IP working again.

Since I firmly believe that prevention is better than a cure, I run the free Spyware Guard (SG) utility (from the developers of the free SpywareBlaster) at both home and work. SG can identify (and block) possible spyware before it installs to your computer. Of course, no tool can keep you safe if you, the user, willingly install or allow software to install itself on your computer.

From spyware to Windows flaws. There's a critical bug in the Windows LoadImage function that could result in a DDoS attack. The vulnerability is caused by an integer overflow that can be exploited to cause a buffer overflow. This event is triggered via a malicious icon, cursor, animation or bitmap file, and allows execution of arbitrary code. In addition, errors in the Windows Kernel when parsing ANI files may cause a system crash that is in part attributable to the buffer overflow, and to a separate integer overflow in winhlp32.exe. The flaw affects Windows 98, Windows 98 SE, Windows ME, Windows NT, Windows 2000, Windows Server 2003 and Windows XP. A patch resolving these issues is expected January 11, 2005. But until then, don't open any email attachments with a .HLP extension, avoid untrusted sites or e-mail messages from unknown sources, and read all email as plain text. If you use older versions of Mozilla, Firefox or Thunderbird you may be opening yourself to attack.
Mozilla 1.7.4 and older include a boundary error that results in a critical application crash. The bug is in Mozilla's NNTP handling. An attacker crafts an overly long "news://" link to distribute by e-mail or embed in a Web page, then entices a user to click the link; a method successfully used to spread worms. Mozilla version 1.7.5 (and later) resolves the problem, as do Firefox 1.x and newer and Thunderbird 0.9 and newer. For the Mozilla application family don't expect older-version-specific updates; just upgrade to the next, bug-fixed version.

That's all this week. More next time. Stay safe.
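To illustrate the class of bug behind the LoadImage flaw described above (an integer overflow in a size computation that becomes a buffer overflow when a malicious image file is parsed), here is an added example in C. It is not code from this post and not Windows or Microsoft code: the toy header format, the field names, the 64 MiB cap and the sample headers are all constructed for illustration. It places the unchecked 32-bit size arithmetic beside a hardened version that bounds each factor before multiplying, and a loader that also refuses files shorter than their header claims.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy image container for illustration only. It is NOT the
 * real ICO/CUR/ANI/BMP layout and NOT Microsoft's LoadImage code: three
 * little-endian 32-bit fields (width, height, bytes per pixel) followed
 * by width * height * bpp bytes of pixel data. */
#define HDR_SIZE 12
/* Assumed policy cap on decoded pixel data: 64 MiB. */
#define MAX_PIXEL_BYTES (64u * 1024u * 1024u)

typedef struct {
    uint32_t width;
    uint32_t height;
    uint32_t bpp;
} img_header_t;

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Reads the fixed header; returns 1 on success, 0 if the buffer is too short. */
int parse_header(const uint8_t *buf, size_t len, img_header_t *h) {
    if (buf == NULL || len < HDR_SIZE) return 0;
    h->width  = rd32le(buf);
    h->height = rd32le(buf + 4);
    h->bpp    = rd32le(buf + 8);
    return 1;
}

/* Vulnerable pattern: the allocation size is computed with 32-bit
 * unsigned multiplication, which silently wraps. A header claiming
 * 65536 x 65536 x 1 yields 0 here, so a tiny buffer would be allocated
 * and a subsequent copy of the declared pixel data would overrun it. */
uint32_t unchecked_pixel_bytes(const img_header_t *h) {
    return h->width * h->height * h->bpp;
}

/* Hardened: reject zero/implausible fields and bound each factor by
 * division before multiplying, so the product can never wrap. */
int checked_pixel_bytes(const img_header_t *h, size_t *out) {
    if (h->width == 0 || h->height == 0 || h->bpp == 0 || h->bpp > 4) return 0;
    if (h->width > MAX_PIXEL_BYTES / h->bpp) return 0;
    if (h->height > MAX_PIXEL_BYTES / h->bpp / h->width) return 0;
    *out = (size_t)h->width * h->height * h->bpp;
    return 1;
}

/* Loader built on the hardened check. Returns a malloc'd copy of the
 * pixel data, or NULL if the header is invalid, the size would overflow,
 * or the file is shorter than the header claims. Caller frees. */
uint8_t *load_image(const uint8_t *buf, size_t len, size_t *out_len) {
    img_header_t h;
    size_t need;
    if (!parse_header(buf, len, &h)) return NULL;
    if (!checked_pixel_bytes(&h, &need)) return NULL;
    if (len - HDR_SIZE < need) return NULL;   /* len >= HDR_SIZE here */
    uint8_t *px = malloc(need);
    if (px == NULL) return NULL;
    memcpy(px, buf + HDR_SIZE, need);
    *out_len = need;
    return px;
}

/* Constructed sample inputs. */
/* 16 x 16 x 4 = 1024 pixel bytes (all zero): a complete benign file. */
static const uint8_t BENIGN_IMAGE[HDR_SIZE + 1024] = {
    16, 0, 0, 0,   16, 0, 0, 0,   4, 0, 0, 0
};
/* 65536 x 65536 x 1: the true size is 2^32 bytes, which wraps to 0 in
 * 32-bit arithmetic. Header only; no pixel data follows. */
static const uint8_t WRAPPING_HDR[HDR_SIZE] = {
    0, 0, 1, 0,   0, 0, 1, 0,   1, 0, 0, 0
};

int main(void) {
    img_header_t h;
    size_t n = 0;
    parse_header(WRAPPING_HDR, HDR_SIZE, &h);
    printf("unchecked size for 65536x65536x1: %u bytes\n", unchecked_pixel_bytes(&h));
    printf("checked size accepted: %s\n", checked_pixel_bytes(&h, &n) ? "yes" : "no");
    uint8_t *px = load_image(BENIGN_IMAGE, sizeof BENIGN_IMAGE, &n);
    printf("benign image loaded: %s (%zu bytes)\n", px ? "yes" : "no", n);
    free(px);
    return 0;
}
```

The defensive point is that the size a file declares must be validated before it drives an allocation or a copy: bounding each factor against a fixed cap (or computing in a wider type and comparing) catches the wrap, and checking the declared size against the actual file length catches truncated or lying inputs.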