Must read: Why BYOD is not about to take over your office

Topic: Security

Discover

Is Windows vulnerable to attack by stolen digital certificates?

Summary: Hacker claims that stolen SSL certificates can be used to create fake Windows Update packages.

Adrian Kingsley-Hughes

By for Hardware 2.0 |

An Iranian hacker going by the name of 'Comodohacker' claims that Windows PCs are vulnerable to attack from malware-loaded updates digitally signed with stolen certificates.

'Comodohacker' makes the claim following attacks on several certificate authorities (CAs), the companies responsible for issuing SSL certificates, including Comodo back in March and DigiNotar in July. The hacker now claims that the certificates he has stolen could be used to create fake Windows Updates.

I'm able to issue windows update, Microsoft's statement about Windows Update and that I can't issue such update is totally false! I already reversed ENTIRE windows update protocol, how it reads XMLs via SSL which includes URL, KB no, SHA-1 hash of file for each update, how it verifies that downloaded file is signed using WinVerifyTrust API, and... Simply I can issue updates via windows update! You see? I'm so smart, sharp, dangerous, powerful, etc. huh?

Microsoft however says that these claims are not accurate. Jonathan Ness, an engineer with the Microsoft Security Response Center (MSRC), had this to say:

In this particular case, we were originally aware of fraudulent certificates issued by DigiNotar for *.google.com and have since become aware of fraudulent certificates issued for *.microsoft.com, *.windowsupdate.com, www.update.microsoft.com, and a number of other domains for which conversation privacy is extremely important. Windows Update is a special case addressed later in the blog; however, suffice it to say that if the attacker had one of those certificates and had man-in-the-middle access to your network traffic, they could potentially snoop on (or change the contents of) conversations between you and any of those domains.

...

All versions of Windows are affected by this attack. However, when a user initiates an HTTPS SSL connection via Internet Explorer on Windows Vista, Windows 7, or Windows Server 2008 and encounters a new root certificate, the Windows certificate chain verification software checks a list of valid root certificates, which is hosted on Windows Update. As of August 29th, this Certificate Trust List (CTL) on Windows Update has been revised to remove DigiNotar from the list of trusted Certificate Authorities so that any certificates issued by DigiNotar are no longer trusted for HTTPS conversations.

Windows XP and Windows Server 2003 do not have the same Windows Update check mechanism. Instead, these versions of Windows rely on a static list of trusted root certificate authorities. This list is updated through the non-security update "Update for Root Certificates (KB 931125)". DigiNotar was not initially included as a trusted root certificate in Windows XP, so if you have never installed this update, you are not vulnerable to any certificates issued by them.

However, any Windows XP or Windows Server 2003 system that installed this update as of November 2008 or later would have DigiNotar added as a trusted root certificate. Administrators of these systems can follow the steps in the "What you can do to protect yourself" section below to take proactive actions to remove DigiNotar as a trusted root Certificate Authority until Microsoft releases an update that fully addresses this problem.

Updates for Windows XP and Windows Server 2003 platforms which will add DigiNotar to the Untrusted Certificate Store will, according to Microsoft, 'be available soon.' are available now [see update below].

Ness also gives instructions on delete the DigiNotar root from the certificate store. I've reprinted them below for your convenience:

Step 1: Remove the DigiNotar Root from the trusted root CA store

  • Click Start, click Start Search, type mmc, and then press ENTER.
  • On the File menu, click Add/Remove Snap-in
  • Under Available snap-ins, click Certificates, and then click Add
  • Under This snap-in will always manage certificates for, click Computer account, and then click Next
  • Click Local computer, and click Finish
  • If you have no more snap-ins to add to the console, click OK
  • In the console tree, double-click Certificates
  • Double-click the Trusted Root Certification Authorities store and click on Certificates to view all certificates in the store
  • Select the two DigiNotar Root CA certificates. You can confirm the right certificates by checking their thumbprints which should be "c0 60 ed 44 cb d8 81 bd 0e f8 6c 0b a2 87 dd cf 81 67 47 8c" and "43 d9 bc b5 68 e0 39 d0 73 a7 4a 71 d8 51 1f 74 76 08 9c c3"
  • Right-click the certificates and select Delete

To perform the above steps from the command-line, you can use the certutil.exe tools as follows:

  • certutil -delstore authroot "c0 60 ed 44 cb d8 81 bd 0e f8 6c 0b a2 87 dd cf 81 67 47 8c"
  • certutil -delstore authroot "43 d9 bc b5 68 e0 39 d0 73 a7 4a 71 d8 51 1f 74 76 08 9c c3"

Step 2: Clear the cache to remove any older cached CTL

The simplest way to do so is to use "certutil -urlcache * delete". This will clean up the cache for the current user.

Stay safe!

[UPDATE: While the Microsoft blog post says that the updates for Windows XP and Windows Server 2003 platforms will be 'available soon' they are available now.]

Topics: Security, Networking, Operating Systems, Software, Windows

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

33 comments
Log in or register to join the discussion

  • Is this unique to Windows?

    It seems to me that the real conclusion is that if you steal a key, you will be able to open the lock that key was for. This is newsworthy?

    I was wondering how long it would take for ZDNet to turn this DigiNotar issue into a Windows specific issue. Looks like we didn't have to wait long and sure enough, it is AKH leading the charge.
    toddybottom
    Reply Vote

    • RE: Is Windows vulnerable to attack by stolen digital certificates?

      @toddybottom Exactly, if someone robs a bank do you blame the bank's customer for using said bank?
      clcrockett
      Reply Vote

      • RE: Is Windows vulnerable to attack by stolen digital certificates?

        @ccrockett@... I am surprised Adrian did not tell everyone Apple has yet remove DigiNotar from their browser on Macs
        mrlinux
        Reply Vote

      • RE: Is Windows vulnerable to attack by stolen digital certificates?

        @mrlinux

        <A HREF="http://www.zdnet.com/blog/hardware/hey-applegoogle-whats-taking-you-so-long-to-block-those-fraudulent-ssl-certificates/14628?tag=mantle_skin;content">He did.</A> ;)
        The one and only, Cylon Centurion
        Reply Vote

    • RE: Is Windows vulnerable to attack by stolen digital certificates?

      @toddybottom How the hell is that fair? NOWHERE does Adrian blame Microsoft.

      You are right this isn't Microsoft's fault, and I expect the problem will have other unintended consequences too (not just Windows).

      However, this IS serious. Adrian (or more correctly Microsoft who Adrian is quoting) explains how to protect Windows systems from this. So instead of telling us the article is biased, why don't you run along and do what it says? THEN your Windows PC will actually be protected and you can go back to being a fanboy.

      Jeesh!
      Jeremy-UK
      Reply Vote

      • Mr. Grumpy Pants

        @Jeremy-UK
        "NOWHERE does Adrian blame Microsoft."

        Nice strawman. Nowhere did I accuse AKH of blaming MS for this.

        I did accuse AKH of turning this into a Windows specific issue which is exactly what he did.

        Sounds like Mr. Grumpy Pants needs a nappy changing.
        toddybottom
        Reply Vote

    • RE: Is Windows vulnerable to attack by stolen digital certificates?

      @toddybottom
      AKH didn't turn this into a Windows issue, the hacker that says he can publish malicious Windows Updates using the stolen certificates did. All AKH did was show that MS is on top of their game and have given users of their software (including the no longer officially supported Windows XP) ways to mitigate those attacks. Geez, some people just aren't happy if they can't complain about something.
      swmace
      Reply Vote

  • RE: Is Windows vulnerable to attack by stolen digital certificates?

    90% of your post is/was/most of the time are c/p. Why not just have a link to said article and save space?
    Return_of_the_jedi
    Reply Vote

  • RE: Is Windows vulnerable to attack by stolen digital certificates?

    So... Why are we still using Windows XP again? Everyday a new attack seems to come out that affects XP, but not so much Vista and 7. Rootkits come to mind here.
    The one and only, Cylon Centurion
    Reply Vote

    • RE: Is Windows vulnerable to attack by stolen digital certificates?

      @Cylon Centurion wrote:<br>"Why are we still using Windows XP again?<br><br>The economy?! It's adversely affecting many consumers and enterprises (especially local, state and federal gov't organizations). Plus, XP still has approx. 3 years of Microsoft support remaining.<br><br>@Cylon Centurion also wrote:<br>"Rootkits come to mind here. <br><br>Keep Windows and your apps updated/upgraded, don't run day-to-day in the Windows default account (i.e., create and use a limited/standard user account) and download software only from trusted sources like the developers sites, if at all possible. There are rootkits available for all versions of Windows, from XP to 7. And some have even gotten around PatchGuard.<br><br>That said, only keeping Windows and internet-facing apps, such as web browsers and email clients, updated will help protect against the stolen digital certificates under discussion. The vast majority of consumers will not use the Certificates snap-in to delete certificates as discussed in this article.
      Rabid Howler Monkey
      Reply Vote

      • Reply: Rabid Howler Monkey.

        Seriously, XP is a monster and can be found anywhere computers are used in business. It forms the backbone of the current MS structure and finances. However, It also has received 70% of the 4.5 million TDL-4 botnet infections done in the first three months of 2011. MS is trying to kill it outright and also by the IE-9 debacle. Posters at ZDNet would like you to think it is a minority, obsolete and a non-issue. It amazing how fast they turn on it like it's some kind of pariah and responsible for all the evil in the Microsoft World.

        New developments with TDL-4 research have discovered the creators are openly advertising anonymous proxy use of the infected computers and accepting payment via Visa, MC, AMEX and paypal. Several Firefox add-ons are available to configure and switch between proxies.

        The second link is chilling, since it describes how illegal activity performed on an infected computer can result in legal ramifications if the victims IP address was identified. Very sobering indeed.

        http://krebsonsecurity.com/2011/09/rent-a-bot-networks-tied-to-tdss-botnet/

        http://www.h-online.com/security/news/item/Anonymisation-service-uses-botnet-as-proxies-1339950.html
        Joe.Smetona
        Reply Vote

      • RE: Is Windows vulnerable to attack by stolen digital certificates?

        @Joe.Smetona Think about the default install of the most popular desktop Linux distros. (I know you're a Linux fan.)<br><br>1. The default account is a non-root account (usually with full sudo+ privileges).<br>2. The package manager provides users access to default software repositories with applications to download and install. (Users can choose to add add'l repositories.)<br>3. The updater takes care of all package updates, including the installed applications. In my experience, an icon or balloon notifies the user of available updates, the user clicks the icon or balloon and is presented with a list of updates and command button that he/she clicks to retrieve and apply the updates.<br><br>These three (3) items are pretty much in line with my above recommendations for Windows XP, Vista and 7. And why does Windows XP get picked on for rootkits such as the Alureon(TDL4/TDL3) family? Because there are so many unpatched, pirated versions of XP:<br><br><a href="http://www.sectechno.com/2011/08/06/pirated-copies-of-windows-xp-top-rootkit-target/" target="_blank" rel="nofollow"><a href="http://www.sectechno.com/2011/08/06/pirated-copies-of-windows-xp-top-rootkit-target/" target="_blank" rel="nofollow">http://www.sectechno.com/2011/08/06/pirated-copies-of-windows-xp-top-rootkit-target/</a></a><br><br>In addition, many users running licensed versions of Windows XP run day-to-day in the default account (as Admin), install software from untrustworthy sources and fail to keep their systems and applications updated. These latter two poor practices will also help to bring down Windows Vista and 7. The figure in the link above clearly indicates both Vista and 7 rootkit infections.<br><br>Note that there are rootkits for Linux too. Check the rkhunter and chkrootkit home pages for a listing of *Nix rootkits. Btw, rkhunter and chkrootkit are open-source rootkit (or malware if you like) scanners for *Nix, including Linux.<br><br>Why aren't rootkits a problem for desktop Linux users? A combination of reasonable default security settings and low market share (read 'the malware miscreants aren't interested because there isn't enough money in it to make it worth the effort'). *Nix rootkits are primarily an issue for servers. Especially those servers that are poorly configured, infrequently updated and/or inadequately monitored.<br><br>+ sudo - On a new Linux install, I add 'timestamp_timeout=0' to the 'Defaults' line in /etc/sudoers to remove the default 5-minute time period after a successful sudo authentication when no further authentication is requested for elevating privileges (it's just like running as Admin in Windows XP for 5 minutes). Also, I modify /etc/sudoers to allow the default user access to only a handful of commands not susceptible to shell escape (thanks ye), I run 'su root' in a terminal window for all other commands that require root privileges.
        Rabid Howler Monkey
        Reply Vote

      • Reply: Rabid Howler Monkey.

        Thanks for the information about Linux. It's really very, very good advice and it makes a lot of sense to minimize exposure to priority use. It's really like polishing your driving skills to make you a safer driver. Linux has been an extremely good experience for me and my family.<br><br>It's given me total freedom from maintenance and security issues. I've tried to extend it's benefits as much as possible to others, including friends and family and readers here. I installed Mint 11 in two schools and it removed a lot of headaches and problems from the students and faculty. <br><br>I can recommend Mint from my own experience. My computer experience goes back to before MS using mini-computers, so I can understand that Windows is not "computing" and alternatives are available. Unfortunately, MS through strong arm tactics has cultivated an image of being the only player. This isn't based on quality of product.<br><br>The one totally underrated characteristic of Linux is the fact it's code and kernel are open source. I can't stress enough how important that has been. Linux was open source since version 1 in 1991 under the GNU/GPL license. This is one attribute of Linux that seems to go completely over peoples' heads and it's the most important. Linux making their complete blueprint available to anyone for free (OS and Kernel) speaks volumes to the quality and security of their code.<br><br>Attacks on Windows are from indirect information. Since their source code is closed and held in strictest privacy, someone wanting to understand it's operation has to use other indirect means to gather data. I've used the Mutek Black box on a sophisticated CAD program. I opened the program, drew one line, and closed the program. The Black box generated a file of over 30,000 operations. These "sniffers" can also identify a program or OS sending information or connecting to the network or internet.<br><br>Having experienced this, It became apparent to me that Windows source code can never be published, even if it were not a matter of Microsoft IP. Windows is actually relying on keeping it's source code private for security. Binary files aren't readable. That's why AV companies are so important in it's life cycle. Feedback has to be provided to MS to create "Critical Updates". This system is desirable to MS because they really don't have to pay for AV services or security. <br><br>As time goes on, the OS becomes more secure. That's what happened to XP. Ten years of exploits, Free AV feedback and Critical Updates have created a relatively strong platform. XP really became too popular, too seasoned and well entrenched for MS financial health.<br><br>I think a lot of people here think I sprouted out of the ground as a LInux Geek. Actually the opposite is true.<br><br>I worked for a large engineering company and we were all using Windows for Workgroups 3.1. We were using a new relational database system with our CAD system called Rebis. It was very slow and kept crashing to the point of being unusable. I was asked to write a report on upgrading our companies existing Windows for Workgroups 3.1 (16-bit) computers to the new 32-bit Windows NT OS's. I supplied an 18 page report with NT technical innovations to management and they decided to go with NT (10,000 computers world wide). Part of the transition was to use Net-G online testing for NT with all employees having to score at least 80 to pass. I was one of two in the office (of 1000) to score 100. Using 32-bit NT allowed the project to complete successfully.<br><br>Ye, along with a few others have mentioned that they can use Windows without AV. I don't doubt them, but they are experienced professionals and use scanning tools to hand pick items of interest. The real world and ordinary people are different. There's probably no conscious effort to be secure. Linux excels for these people, because it does keep them safe with no attention or maintenance required.
        Joe.Smetona
        Reply Vote

      • RE: Is Windows vulnerable to attack by stolen digital certificates?

        @Joe.Smetona The open-source nature of Linux and open-source applications is a double-edged sword. Open-source devs are just as human as the devs at Microsoft, Apple, etc. and they all make mistakes, both in design and implementation (read 'coding'). And the C (and C++) language, with which poor coding practices can lead to buffer overflow vulnerabilities and associated exploits, is used for all the Linux, Windows and Mac OS X kernels.<br><br>A malware miscreant is free like anyone else to inspect open-source code for vulnerabilities. But unlike the good guys, he/she will quietly craft an exploit and start using it. Also, there is voluminous, publicly available literature on discovered vulnerabilities in open-source (and closed-source) software. And guess what, some of these vulnerabilities, for various reasons, have gone unpatched. In this case, the malware miscreants will craft an exploit from a known and published vulnerability. And in fact, the most recent in-the-wild, DoS exploit for the Apache web server resulted from a vulnerability that was first noted in 1999 and remained unpatched for years:<br><br><a href="http://www.zdnet.com/blog/security/kill-tool-released-for-unpatched-apache-server-vulnerability/9304" target="_blank" rel="nofollow"><a href="http://www.zdnet.com/blog/security/kill-tool-released-for-unpatched-apache-server-vulnerability/9304" target="_blank" rel="nofollow"><a href="http://www.zdnet.com/blog/security/kill-tool-released-for-unpatched-apache-server-vulnerability/9304" target="_blank" rel="nofollow"><a href="http://www.zdnet.com/blog/security/kill-tool-released-for-unpatched-apache-server-vulnerability/9304" target="_blank" rel="nofollow">http://www.zdnet.com/blog/security/kill-tool-released-for-unpatched-apache-server-vulnerability/9304</a></a></a></a><br><br>In addition, a technique known as 'fuzzing' is used by hackers/crackers to find exploitable vulnerabilities in software. It was highlighted at a recent Pwn2Own contest and resulted in the identification of exploitable vulnerabilities in OpenOffice (in addition to Microsoft and Apple software):<br><br>"Respect The Fuzzer <br>http://threatpost.com/en_us/slideshow/10%20Lessons%20From%20The%20Pwn2Own%20Hacker%20Contest?page=9<br><br>Fortunately, Charlie Miller is one of the good guys.<br><br>@Joe.Smetona wrote:<br>"Ye, along with a few others have mentioned that they can use Windows without AV ... The real world and ordinary people are different. There's probably no conscious effort to be secure. Linux excels for these people, because it does keep them safe with no attention or maintenance required.<br><br>With regard to using an AV on Windows, true least privilege beats an AV hands down. And by least privilege I mean don't use a Windows default account for anything except administering the system. Create and use a limited user account on XP and a standard user account on Vista/7 for day-to-day activities.<br><br>Just remember that the digital certificate fiasco discussed in this very article put Linux users at as much risk as Windows and Mac OS users. Also, Linux users remain susceptible to both phishing and spear phishing attacks.<br><br>That said, I have to agree with your statement. However, "the ordinary people" you describe usually need a helping hand getting started with desktop Linux. This is also why I favor Apple's iPad, with it's curated app store, and Google's Chrome OS for "the ordinary people" you describe. But, make no mistake, there will eventually be LOTS of malicious web apps to ensnare "the ordinary people" that will use Chrome OS in the future.
        Rabid Howler Monkey
        Reply Vote

      • It's sometimes a difficult topic.

        @Rabid Howler Monkey ,,, I would not trust ZDNet articles about such problems. I've found them to be threaded with propaganda and especially propaganda by omission (or card stacking). For the most part, even if the author seems to advocate Apple or Linux, they provide subtle references to discredit their use. Discrediting Apple or Linux actually is a hidden endorsement of Microsoft. Zdnet exists to further Microsoft marketing and sales ambitions. It's very time intensive to research and validate an article like that.<br><br>One of the areas I have found most disturbing here over the years (and it hasn't changed) is the omission of the OS used in the articles. From a propaganda standpoint, it serves a two-fold purpose. 1. It may be assumed that MS is being used, but not mentioning it advances the perception that "it's the only player". 2. In cases (as you mentioned) of security articles on OpenOffice, Firefox or Chrome, the issue at hand is blamed on the application, even in most cases that I have seen there is an underlying component causing the problem in the OS. Again, this is how propaganda works, by not mentioning the OS, all the blame is pushed onto the application. The dirty little secret is that sister applications I have used for years on Linux don't have any issues. So, it's logical to see even though a vector is free to penetrate Firefox, it's root cause is a problem with Windows. For arguments sake, let's say that for Firefox to compete, it winds up fixing the hole to protect Windows. That's something it should not have to do on a secure OS like Linux without the vulnerability. Firefox having a problem on Windows doesn't necessarily mean it's a Firefox problem. In fact, I would not expect any application used on Windows to correct Windows security. These articles are written and the net result is that "Windows suffers a complete takeover by an un-trusted source". Really? How is Firefox to blame for that? People just don't think sometimes.<br><br><a href="http://www.zdnet.com/tb/1-102399-2008592?tag=talkback-river;1_102399_2008592" target="_blank" rel="nofollow"><a href="http://www.zdnet.com/tb/1-102399-2008592?tag=talkback-river;1_102399_2008592" target="_blank" rel="nofollow"><a href="http://www.zdnet.com/tb/1-102399-2008592?tag=talkback-river;1_102399_2008592" target="_blank" rel="nofollow">http://www.zdnet.com/tb/1-102399-2008592?tag=talkback-river;1_102399_2008592</a></a></a><br><br>I've seen listings for Linux malware and have investigated to a degree. It seems a lot of what has been posted are potential problems that have long since been corrected. I go to a new version of Linux Mint every 6 months. I'm not sure any of those documented problems have any bearing on Mint 11. I've maintained the family Win98 and WinXP computers years ago, when my oldest son was in HS and college. It was horrific, even with ZoneAlarm and AV and spyware protection. It was always getting infected and always at the worst time. Win7 is no different, only slower. Relatives have infection issues and the UAC is a nuisance. Why does it continually pop up even though I didn't request to install anything? It's dumb, I have to dismiss it every 3 minutes. Linux does not request confirmation unless you want to install something.<br><br>I disagree about the open source/closed source statements. Windows 7, 8 or whatever would be taken down within minutes if the source code ever got out. Don't get me wrong, it doesn't have to be that way. Closed source could easily be private and have the same security level as Open Source. But I've seen the listing of companies acquired by MS and the corresponding technology gained (Like Active-X). MS pieced together this acquired code to create their OS. That and the arrogance of supplying just the binary files allowed them to create code without regard to security. Think about this, why would they have to do otherwise with AV companies giving them feedback on any major problem for free? Did you ever see the Stuxnet .pdf file from Symantec? That's a 77 page freebie for MS loaded with data. Why pay someone to research it or even try to write secure code to prevent it.<br><br>Stuxnet, Conficker, TDL-4 and others don't affect Linux.<br><br>I use the computer every day and in 9 years I haven't had to think about any security issue, virus, AV update, botnet or identity theft. It really does sound to good to be true. I wouldn't put too much trust in ZDNet articles though. TDL-4 infected millions in the first quarter of 2011 and ZDNet completely ignored it. People don't know they were infected. The 4.5M infections were derived by Kapersky Labs. 70% were XP and 30% were Vista and Win7, incl.64-bit Win7 with driver signing protection. This is obviously something MS is deathly afraid of.<br><br>80,000+ web hits for "tdl4" + "rootkit"<br><a href="http://www.google.ca/search?q=%22tdl4%22+%2B+%22rootkit%22&hl=en&num=10&lr=&ft=i&cr=&safe=images&tbs=" target="_blank" rel="nofollow">http://www.google.ca/search?q=%22tdl4%22+%2B+%22rootkit%22&hl=en&num=10&lr=&ft=i&cr=&safe=images&tbs=</a>

        TDL-4 variant discovered: TDL-4.2
        http://sub0day.com/?page_id=2
        Joe.Smetona
        Reply Vote

      • RE: Is Windows vulnerable to attack by stolen digital certificates?

        @Joe.Smetona wrote:<br>"I would not trust ZDNet articles about such problems. I've found them to be threaded with propaganda and especially propaganda by omission (or card stacking).<br><br>The Apache web server vulnerability in question was reported by ZDNet (linked in my post above) as well as other well-known tech publications. However, ZDNet's article didn't go into detail regarding the history of this particular vulnerability. Below are two links, external to ZDNet, that discuss the vulnerability in detail, the first from a software perspective and the second from the TCP perspective:<br><br>"a cheesy Apache / IIS DoS vuln (+a question)<br><a href="http://seclists.org/bugtraq/2007/Jan/83" target="_blank" rel="nofollow">http://seclists.org/bugtraq/2007/Jan/83</a><br><br>This vulnerability was reported on January 4, 2007 for *both* Apache and IIS. Microsoft actually fixed the problem for IIS versions 6.0 and higher.<br><br>"Vulnerability Note VU#102014<br>"Optimistic TCP acknowledgements can cause denial of service<br><a href="http://www.kb.cert.org/vuls/id/102014" target="_blank" rel="nofollow">http://www.kb.cert.org/vuls/id/102014</a><br><br>This vulnerability date is November 10, 2005. Note that the 'condition' was first described in 1999.<br><br>Using your dislike and mistrust of ZDNet as an excuse to discount factual information just makes it clear that you're only interested in running around waving the FOSS flag. Whatever. Knock yourself out.<br><br>Here's my anecdotal story: I've been running Windows XP since 2004, mostly as a limited user, and have seen only one infection attempt on my system. This was back in early 2005 when I was experimenting with a 3rd party software firewall (Outpost, I think) and was not behind a hardware firewall. I got the firewall rules wrong and took it down by mistake. Almost immediately, I got nailed and what saved me in the end was XP's Data Execution Prevention (DEP) which I had enabled for all programs (not Microsoft's default setting). DEP stopped the infection attempt in its tracks and also provided me with a notification.<br><br>The moral of the story? Windows XP's default security settings are terrible, even at SP3. However, one can improve security considerably with just a few set and forget configuration changes to the OS discussed in my posts on this thread. And one can improve their security even more through good practices, also discussed in my posts.<br><br>Ciao
        Rabid Howler Monkey
        Reply Vote

      • I have to respond to this.

        @Rabid Howler Monkey ...<br><br><i><font color=navy>"Using your dislike and mistrust of ZDNet as an excuse to discount factual information just makes it clear that you're only interested in running around waving the FOSS flag. Whatever. Knock yourself out."</font></i><br><br>Are you serious? I can't believe you wrote that. How in the world do you explain ZDNet writing or reporting absolutely nothing about the TDL-4 botnet in over 9 months??? TDL-4 infected 4.5 million Windows users in the first three months of 2011. These users are in danger of identity theft, bank theft, credit card theft and other atrocities without even being aware they are infected. And you don't see the Propaganda angle here??? <br><br>The Apache issue is a "denial of service issue" which builds into a life or death article by ZDNet. Alert: It's another lame attempt to discredit Apache and/or open source. IT'S NOT A TDL-4 SITUATION, LIKE THEY *** DON'T *** REPORT FOR WINDOWS. It's propaganda, but in order to see that, you have to know the history. I have 4516 archived email and newsletters from ZDNET. If I click my ZDNet label, I see the last 100 newsletters and topics at a glance. I know how they dance around. How about that Ed Bott article on Windows security advancements where he did not even mention TDL-4??? The one where 45 non-offensive posts were deleted. I feel sorry for people who don't notice what's going on here.<br><br>Basically if you don't see how not reporting TDL-4 for nine months (when there are 87,000 NON-ZDnet posts about it) is not propaganda, then you will never see it.<br><br>You have to ask yourself, Why write an article about an old DoS issue on Apache when we could be writing about TDL-4 and 4.5 million infected Windows users? Nah, we won't ever mention TDL-4. That's how you begin to see propaganda.<br><br>I'm reading posts about TDL-4 and 4.2 and it's very obvious that very talented and street wise users are getting infected too. The precautions you are doing for XP are notable, but given 2 rooms with 100 low-average users in each using Win7 or Mint, I'll put my money on the Mint users for security. And that's without any training or intervention.<br><br>Good luck with this TDL thing, it's constantly changing and it's surely nothing to be ignored. Waving flags has nothing to do with it, Linux doesn't get it, that's notable. This is a real Windows killer and hiding under a rock isn't going to make it go away.
        Joe.Smetona
        Reply Vote

      • RE: Is Windows vulnerable to attack by stolen digital certificates?

        @Joe.Smetona Here's a link to a ZDNet article on Windows rootkits dated August 5, 2011:<br><br><a href="http://www.zdnet.com/blog/security/study-rootkits-target-pirated-copies-of-windows-xp/9223" target="_blank" rel="nofollow">http://www.zdnet.com/blog/security/study-rootkits-target-pirated-copies-of-windows-xp/9223</a><br><br>The "Alureon(TDL4/TDL3) family" is mentioned prominently in the body of the article which also gives a nod to Windows 7 improved security. Even though both Windows Vista and 7 also had rootkit infections, but at significantly reduced levels relative to XP. Only one commenter recommended desktop Linux or Mac OS X as alternatives to Windows. And a blog spammer pushed cheap iPad2s (among other things), probably nothing to do with the article though.<br><br>All in all, a pretty weak article. Why don't you get SJVN to write an article on the Windows Alureon malware family? He enjoys shining a spotlight on Microsoft.
        Rabid Howler Monkey
        Reply Vote

      • You are welcome to believe anything you want.

        @Rabid Howler Monkey ... I come here for the posts and more than a few times, got valuable information from some of the blog contributors. The stories, like I mentioned before are imbalanced, like putting a few bricks in the spin cycle. They aren't designed for people like me, they are designed for people who believe them and accept them at face value (without a critical eye). So, I guess if you want to agree with the article, it's your prerogative. Personally, I see a much darker picture. I expected they would blame pirated copies of XP. Why not kill two birds with one propaganda stone? The information I read about TDL-4 is obviously from people using genuine copies. And what about 64-bit Windows 7 with it's driver signing getting hosed? I don't think there are too many pirated copies of those around.<br><br>This is not an article about TDL-4 by any stretch of the imagination. <br>Please note that I do feel sorry for some of the authors here, but unfortunately they are victims and heavily scripted by Microsoft. It's patently obvious there are certain things they are forbidden to discuss or mention.<br><br>Have a cup of tea, fire up your Windows and enjoy the article. It's good that you have determined there's nothing to worry about. Surely ZDNet has full equipped you to recommend Windows to your friends and colleagues without hesitation. That's more money in the Microsoft coffers, exactly as designed and planned. <br><br>I wouldn't discount some of the authors purporting to advocate Linux or Apple here. The articles are threaded with reverse incantations either directly or indirectly promoting Microsoft (if you look closely). Remember, I have the Microsoft newsletters since 2006 and have a good perspective to see what goes on here. The article you referenced is an absolute joke, and I'm sure even the author is ashamed of it, but a job is a job. It's not an article on TDL-4 at all. <br><br>I'm just the messenger, I don't use Windows, but have friends that do. If Linux is so bad, why isn't it considered for Stuxnet or TDL-4? I think you mentioned market share befrore, but that bird has flown since Android and Apple. How has MS done in the smartphone arena? Windows smartphones need AV. I recently got a Walmart flyer with a page dedicated to smartphones. It only depicted 9 Android phones. All that money and no Smartphone share to speak of. Why? (They can't schlep their botnet, virus, AV garbage on closely metered cell tower 3G and 4G internet.) 2,500 spam emails a day from a botnet smartphone create some pretty hefty data plan overages. How are you going to spin that, or is there another ZDNet article on it? Microsoft hit a brick wall with this.
        Joe.Smetona
        Reply Vote

      • RE: Is Windows vulnerable to attack by stolen digital certificates?

        @Joe.Smetona Now you're on to market share. <img border="0" src="http://www.cnet.com/i/mb/emoticons/happy.gif" alt="happy"><br><br>Consider desktop vs. mobile market share from two sources:<br><br><a href="http://gs.statcounter.com/#mobile_vs_desktop-ww-monthly-201101-201108" target="_blank" rel="nofollow"><a href="http://gs.statcounter.com/#mobile_vs_desktop-ww-monthly-201101-201108" target="_blank" rel="nofollow">http://gs.statcounter.com/#mobile_vs_desktop-ww-monthly-201101-201108</a></a><br><br><a href="http://www.w3schools.com/browsers/browsers_os.asp" target="_blank" rel="nofollow"><a href="http://www.w3schools.com/browsers/browsers_os.asp" target="_blank" rel="nofollow">http://www.w3schools.com/browsers/browsers_os.asp</a></a><br><br>Looks like mobile device usage from a web site perspective is a fraction of desktop device usage. Current mobile device usage is 7% from StatCounter and 1% from w3schools. The desktop gets the remainder, over 90%.<br><br>Looking at it another way, combining both mobile and desktop OS market share:<br><br><a href="http://www.netmarketshare.com/operating-system-market-share.aspx?qprid=10" target="_blank" rel="nofollow"><a href="http://www.netmarketshare.com/operating-system-market-share.aspx?qprid=10" target="_blank" rel="nofollow">http://www.netmarketshare.com/operating-system-market-share.aspx?qprid=10</a></a><br><br>Windows XP, 7 and Vista continue to dominate all other OSs, including mobile OSs.<br><br>For the malware miscreants, the Windows-based PC remains as their primary revenue source. But, this is beginning to change. Mobile device usage is trending upwards.<br><br>Google's Android Market has been plagued by miscreants introducing malware-laden apps into the store, to be discovered and reported by university researchers, security researchers, AV companies, etc. I guess that Google doesn't care much for the repository model used by the desktop Linux distros (Apple likes it though, KaChing!). Pity.<br><br>AV products actually exist for iOS- and Android-based mobile devices. They're completely unnecessary for the iPhone and iPad. However, for "the ordinary people", AV software for Android-based devices is as relevant as it is for Windows-based PCs. I, personally, would not use AV software on a mobile device (unless my employer required it). But, then again, I wouldn't touch Android (other than a Nook Color eReader/tablet) with a 10-foot pole. Not to mention many Android OEMs that are late (or, worse, absent) with important firmware updates and upgrades.<br><br>P.S. Send SJVN an email requesting that he write an article on the Windows Alureon malware family. He just might do it. And, if so, it will be a doosy.
        Rabid Howler Monkey
        Reply Vote
CNET Join | Log In | Privacy | Cookies Close