February 2007

February 28, 2007

Flaw revealed in Vista's UAC

The details of an apparent flaw in Windows Vista's UAC functionality were revealed yesterday.  The flaw was found by eEye and originally reported to Microsoft on January 19th.  With Vista's User Account Control feature, Windows users have limited system privileges by default. In order to get system, or administrator, level privileges, a user must provide appropriate credentials. The vulnerability allows a local user to permanently increase their privileges to the admin level.  As of today, Microsoft has not issued a patch.  But maybe this is not a security flaw in Vista at all.  "What?!?", you say?

Well, Microsoft Technical Fellow Mark Russinovich says that flaws in UAC can't be considered security flaws. Whoa, maybe he's been taking verbiage lessons from former President Clinton; e.g. "it depends on what your definition of security is."

We certainly think of UAC as a security measure. In our own WindowZones product, we assume, as does Microsoft's own Group VP Jim Allchin, that most users of Windows XP use a logon account that is an administrator account. WindowZones allows you to strip away from Internet-facing applications all of the administrator rights, which substantially reduces your exposure and any resulting impact from Internet threats - especially new ones known as "zero-day" attacks.

It will be interesting to see what the future holds for UAC in Windows Vista.

-AllenN

February 26, 2007

Firefox fixes flaws, Internet Explorer does not

The rallying cry for some time has been to dump Microsoft's Internet Explorer in favor of an alternate browser, such as Firefox, and in doing so dramatically improve your Internet security.  The solution is not quite so simple, and while Firefox seems to be under a recent stream of attacks, at least they're actively patching.

Stefan Esser, who writes for the Hardened-PHP Project, detailed a vulnerability in Firefox (recently patched), IE, and Opera (neither patched) that opens the three browsers up to all the UTF-7 XSS vulnerabilities.  The rub here is that Firefox was thought to be immune to these vulnerabilities.  Unfortunately, when the malicious code is injected through an iframe, Firefox is still exposed.

As of this date, Mozilla has patched Firefox; however, neither Opera nor Microsoft has patched their browsers.

-Allen

February 19, 2007

Home router locked, key left in door

It seems basic, but lots of folks never change the default password on their home routers. If you're reading this and you don't know if you changed your default password, LOG IN TO YOUR ROUTER AND CHANGE IT NOW. 

There is lots of focus on getting home network users to secure their wireless connections, but probably not enough on simply securing the router itself. And now the bad guys are targeting home routers in the payloads of their malware.  Indiana University and Symantec have published a paper describing attacks on home routers executing from malicious web sites using JavaScript. 

The default password for home routers is often blank or "admin" - easy to guess.  If the number of users who turn off updates of their anti-virus software is any indication, the number of users who fail to change their default router passwords is probably quite large.

Did I mention you should change the default password on your home router?  It should be the very next step you do after you turn the router on for the first time.  I say, after you buy a house, you of course have the locks changed, right?  Right?

-AllenN

February 15, 2007

ByteCrusher Blog Begins

It seems fitting that we launch our blog 12 years to the day after Kevin Mitnick was arrested by the FBI in the first high-profile cracking case.  Tony Long at Wired News gives a brief run-down of it.

A lot has changed since then but a lot has also stayed the same.  Here at ByteCrusher Labs we're motivated to bring PC users innovative security software that helps protect them when they're on-line. Our first product, WindowZones, prevents viruses and other malware from getting admin rights on Windows XP PCs. This is applicable to almost every single Windows XP user given that when you set up or install Windows XP, the default user accounts are created as admin accounts, and most users never change this setting.

So I'll talk here about our existing and upcoming products, the PC security space, and whatever else I find interesting in computing. Until next time!

-AllenN