Category: Windows

The Microsoft (R) Operating System

Security

Patch! Patch! Patch!

As much as this should be ingrained in our computing habits, this still needs to be said: Apply patches when they come out!

The Microsoft Security Bulletin MS06-040 came out on the 8th, and a module to exploit the flaw came shortly after. Tech e-zine eWeek reported that Immunity and Core Security Technologies had both released what they deemed “reliable exploits” for the flaw and declared it wormable on all Windows versions.

Dave Aitel, CEO of Immunity, said in an interview with eWeek, “A worm is coming. This bug is just too easy to exploit.”

This is a vulnerability that would allow for remote takeover of an unpatched Windows machine. It will be interesting to see how widespread the damage is when (not if) a worm is released.

Patches are available from the bulletin (follow the links) or from Windows Update.

Linux

Ultimate Boot CD

Anyone who has ever had need of bootable recovery tools knows what a pain it is to try to build a bootable CD containing all the needed tools. Why do it all the hard way? There is a very handy one already built and ready for download at . This is a Linux-based live CD with lots of Linux tools. There is a Windows-based version as well. While the Linux-based version comes with its own kernel and allows for adding modules (available at SourceForge), the Windows version requires that you have your own Windows XP CD with SP1 (and preferably 2), although they also have a utility to help you slipstream the service packs if your disk doesn’t have them.

Best Practices

10 Windows Password Myths

I saw this article (Ten Windows Password Myths) over at Security Focus and thought it was worth sharing. And something I didn’t know about Windows (2000/XP) passwords:

If your password is 15 characters or longer, Windows stores the constant AAD3B435B51404EEAAD3B435B51404EE as your LM hash, which is equivalent to a null password.

The nice thing about that is that it then becomes impossible for your password to be cracked from the SAM database, since we know it isn’t actually null.

Perhaps the most interesting point the article makes (and though it has been made many times before, it bears repeating) is that despite every other security measure we put into place, without strong passwords our defenses are easily overcome.
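To check which accounts actually benefit from the LM-hash constant quoted above, the following audit script classifies each account in a hash export. It is an added example, not code from this post or the Security Focus article. The `name:rid:LM:NT` line format, the function names and all sample hashes are assumptions made for illustration. The NT hash is still stored next to the constant, so the script uses it to tell a long password apart from a genuinely blank one.

```python
# Added example: classify LM-hash exposure in a colon-separated hash export.
# Assumed line format (not from the article): name:rid:LM_hex:NT_hex
NULL_HALF = "AAD3B435B51404EE"   # LM result for an empty 7-character half
NULL_LM = NULL_HALF * 2          # the constant quoted in the post
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"  # NT hash of an empty password


def classify(lm: str, nt: str) -> str:
    """Return what the stored LM/NT pair reveals about one account."""
    lm, nt = lm.strip().upper(), nt.strip().upper()
    if len(lm) != 32 or len(nt) != 32:
        return "malformed"
    if lm == NULL_LM:
        # Either the password really is blank, or no LM hash was stored
        # (15+ characters, or LM storage disabled by policy).
        return "blank-password" if nt == EMPTY_NT else "no-lm-hash"
    if lm[16:] == NULL_HALF:
        return "lm-stored-short"  # second half empty: 7 characters or fewer
    return "lm-stored"            # both halves used: 8 to 14 characters


def audit(lines):
    """Map account name -> classification for every non-comment line."""
    results = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            results[fields[0]] = "malformed"
        else:
            results[fields[0]] = classify(fields[2], fields[3])
    return results


# Constructed sample data; every hash except the two well-known constants is made up.
SAMPLE = [
    "# name:rid:lm:nt",
    f"alice:1001:{NULL_LM}:{'A1' * 16}",
    f"bob:1002:1122334455667788{NULL_HALF}:{'B2' * 16}",
    f"carol:1003:112233445566778899AABBCCDDEEFF00:{'C3' * 16}",
    f"guest:501:{NULL_LM}:{EMPTY_NT}",
    "dave:1004:truncated",
]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE).items():
        print(f"{name:6} {verdict}")
```

Accounts reported as `lm-stored` or `lm-stored-short` are the ones whose passwords should be changed to 15 or more characters, or reset after LM hash storage is disabled.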