August 13, 2008

Windows broken … I’m surprised it took this long

August 9th, 2008

Posted by Adrian Kingsley-Hughes

So, in a stroke, two security researchers (Mark Dowd of IBM and Alexander Sotirov of VMware) at Black Hat have set browser security back 10 years and rendered Vista’s security next to useless (PDF of paper here – site currently Slashdotted …).

Some random thoughts in no particular order …

  • First off, I’m surprised that it took this long for the walls to come tumbling down, but I have to admit I didn’t expect all of them to come down at once like that! After boasting about Vista’s heightened security, Microsoft is now left with a serious amount of egg on its face.
  • While there’s a lot of cool stuff discussed in the paper, many of the vulnerabilities come down to running insecure applications. Not only does Microsoft need to up its game, it needs to get developers who are pumping out applications to do the same.
  • The sky isn’t falling in, but this does make things a lot easier for the bad guys.
  • You can’t trust software to protect itself, and we need to combine hardware and software. One example – under Vista DEP (Data Execution Prevention) isn’t enforced well enough. It’s only partially enabled and if switched fully on too many applications fail. This is unacceptable. I’m sure that DEP isn’t perfect either, but it’s another layer that hackers have to get through.
  • It’ll be interesting to see how Microsoft spins this. The paper has huge implications and fixing these issues is going to be tricky. Given how long we can expect Vista to be around I expect that Microsoft will try to fix things in a future service pack. These issues are going to haunt Windows for years.
  • Where does this leave Windows 7? I would have expected Microsoft to have ported the security features from Vista into 7, but this paper kinda makes that obsolete. If Microsoft is going to make a stab at fixing these issues then this could very well delay Windows 7.
  • Now that Vista’s defenses have been crippled, we’re back to relying on third-party security applications to detect malicious code … some things don’t change.

[UPDATED: Source code here.]

[UPDATE: Since Ed Bott has picked up on this issue and has disagreed with some points I made, I’ll post my response to his post here too:

… I know you read the paper because I sent you the PDF, but it seems you failed to notice a few things.

You accuse me of “alarming oversimplification” with the “set browser security back 10 years” quote, yet you seem to have overlooked that the authors themselves used that as the subheading to the paper.

Also, you seem to emphasize that Vista’s memory protection features were supposed to make attacks “more difficult,” not “impossible” (a viewpoint that I agree with), but you don’t follow on from that to the logical conclusion of this paper – that these defenses have, in part at any rate, been undone so the “more difficult” argument is now quickly becoming moot.

Also, you seem to have been selective in choosing quotes. From page 1 of the paper:

“We aim to show that the protection mechanisms in Windows Vista are particularly ineffective for preventing the exploitation of memory corruption vulnerabilities in browsers.”

And the paper goes on to back that up … in spades. This isn’t an issue about defense in depth, it’s about the quality of those defenses. From the paper again:

“Since real-world exploitation requires bypassing multiple memory protections, we will present several ways in which these techniques can be combined to achieve remote code execution.”

Defense in depth is a non-starter if the bad guys can bypass enough of them to achieve their nefarious goals.

You said: “If you read the authors’ actual words, not the sensationalist and wildly inaccurate news accounts, you get a completely different story.”

Quote directly from the paper:

“Setting back browser security by 10 years”

“We aim to show that the protection mechanisms in Windows Vista are particularly ineffective for preventing the exploitation of memory corruption vulnerabilities in browsers.”

“The design and implementation of the memory protection mechanisms in Windows have a number of limitations that reduce their effectiveness.”

– There are dozens more to choose from … but I think that the conclusion is worth repeating: “In this paper we demonstrated that the memory protection mechanisms available in the latest versions of Windows are not always effective when it comes to preventing the exploitation of memory corruption vulnerabilities in browsers. They raise the bar, but the attacker still has a good chance of being able to bypass them.” … defense in depth shot down in flames.

You said: “One of the biggest targets of the work by Sotirov and Dowd is Address Space Layout Randomization (ASLR).”

GS, SafeSEH, heap protection and DEP are also covered. These are separate from ASLR.

You said: “The idea that they’ve been completely blindsided by the revelations in a single Black Hat paper and that they’ll have to scrap the entire architecture of the Windows platform is naive, to put it charitably.”

Good for Microsoft, Ed, but tell me how this helps me, in the now, better protect systems?

Sure, this paper doesn’t foretell of the apocalypse, but it’s enough for me, personally, to begin asking myself which OS is best to protect me and mine from the bad guys out there.

Link to Ed Bott’s post.]

[UPDATED: Bruce Schneier’s take on this. Three words: “This is huge.”

Now when it comes to this kind of stuff, Schneier is one of the smartest on the planet, and when he speaks, I for one am going to sit up and pay attention.]

[UPDATED: Further commentary by Schneier:

“Here’s commentary that says this isn’t such a big deal after all. I’m not convinced; I think this will turn out to be a bigger problem than that.”

Again, I have to choose a side to believe here (Schneier vs. Ars Technica); I’m siding with Schneier.]


May 25, 2008

Internet Explorer 7 – Keyboard Shortcuts

Q:
I've been using Internet Explorer 7 for quite some time now and I think I'm getting pretty good at working my way through it. So, I was wondering if there were any keyboard shortcuts you knew about that I could start using. I'm ready to make my IE 7 time even easier!

A:
That's the perfect attitude to have! Yes, it's hard to get used to new things (Web browsers, operating systems, etc.), but if you have a positive outlook on them, they can be pretty easy. I would guess that the person who asked today's question downloaded the new Internet Explorer 7 when it first came out and just worked at learning it. Eventually, as you all can see, they were able to get a pretty good handle on it and now, they're looking for more!

Well, either way you look at it, if you're on a hunt for some IE 7 keyboard shortcuts, you've come to the right place. I've been keeping a few up my sleeve just for this special occasion! So, shall we take a look at them? I thought you might enjoy that. Here we go!

Now, most of these shortcuts deal with using tabbed browsing. That's one of the main features that came along with Internet Explorer 7. If you're not too familiar with tabbed browsing, these shortcuts may not be very useful to you, but I would suggest hanging on to this tip anyway. Once you do get the hang of tabbed browsing, you can refer back to it and you'll be all set!

1.) Ctrl + T – Opens a new tab in the foreground.

2.) Ctrl + Click – Opens links in a new tab in the background.

3.) Ctrl + Shift + Click – Opens links in a new tab in the foreground.

4.) Alt + Enter – Opens a new tab from the address bar.

5.) Alt + Enter – It also opens a new tab from the search box.

6.) Ctrl + Q – Opens up quick tabs, which are thumbnail views.

7.) Ctrl + Tab or Ctrl + Shift + Tab – Allows you to switch between tabs.

8.) Ctrl + N – Switches to a specific tab number. In this case, N can equal anything between the numbers one and eight.

9.) Ctrl + 9 – Switches to the last tab.

10.) Ctrl + W – Closes the current tab.

11.) Ctrl + Alt + F4 – Closes other open tabs.

12.) Alt + F4 – Closes all the tabs.

Now, here are a few mouse shortcuts for you as well.

1.) Click the middle mouse button (if your mouse has one) on a link and it will open that link in a background tab for you.

2.) Double click any empty space right next to the last tab you have open and it will open a brand new tab.

3.) If you click on the middle mouse button on one of your tabs, it will close the tab for you.

How does all that sound? Pretty cool, huh?! Now, you might want to start memorizing these shortcuts if you think you'll use them a lot. Or, just print them out so that you'll have them right by your computer when you're ready to use them. Either way, these simple shortcuts can make your IE 7 experience so much easier!


May 24, 2008

How do I… Uninstall Microsoft Internet Explorer 7?

Date: May 7th, 2008

Author: Mark Kaelin

The venerable Web browser continues to evolve. No longer just an application for displaying HTML, the Web browser now has to handle JavaScript, PHP, Java, Active X controls, loosely coupled Web services, plug-ins, multimedia, XML, RSS feeds and more. The Web browser has become an integral part of the total computer experience. All of those expectations make choosing a preferred browser more important than many ever thought it would or should be.

Microsoft Internet Explorer 7 (IE7) and Mozilla Firefox 2 are the latest Web browser contenders for your attention (apologies to fans of Opera and other Web browsers, but these are the two that garner the most attention). Many of us have tried both and made a decision about which is the browser of choice.

If you have chosen Firefox 2, then you may want to uninstall IE7. But this brings up two questions: Can you uninstall IE7 and if you can how do you do it? The answers are: Yes, you can and here’s how.

This blog post is also available in PDF format in a TechRepublic Download.

Uninstall IE7

If your installation of IE7 was successful and uneventful, then uninstalling it is a relatively simple process. The following steps will uninstall IE7 and restore IE 6.

  • Click Start, and then click Control Panel.
  • Click Add or Remove Programs.
  • Scroll down to Windows Internet Explorer 7, click it, and then click Change/Remove.

If for some reason Windows Internet Explorer 7 does not appear in Add or Remove Programs, you should:

  • Open Windows Explorer
  • Click Tools | Folder Options
  • Click the View tab
  • Make sure the radio button next to Show hidden files and folders is on
  • Click OK
  • Click Start, and then click Run
  • Type: %windir%\ie7\spuninst\spuninst.exe into the text box and click Enter

Specified user account

In some cases, you may get an error message when you try to uninstall IE7 that says you cannot uninstall from a specified user account. To get around this check you will have to edit the Windows Registry.

Warning: Editing the Windows Registry incorrectly can cause the Windows operating system to stop functioning completely. This is an advanced operation and you are encouraged to back up the Windows Registry before you attempt any editing of the file. You have been warned.

Bypass the user account check with this Windows Registry edit:

  • Click Start, click Run, type regedit, and then press ENTER.
  • Navigate to HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer.
  • Right-click the Internet Explorer key, click New, and then click DWORD value.
  • Type InstalledByUser as the name, and then press ENTER to finish creating the new registry value.
  • Try to uninstall Internet Explorer 7 again.

More help

If you find yourself still needing help uninstalling Internet Explorer 7, check out the IE7 release notes found on the Microsoft MSDN Web site.


May 21, 2008

ieSpell

So, tell me, have you ever tried typing out a long message like this:

Now, while you were doing that, did you have enough time to spell check each word individually? Probably not, right? If that sounds familiar to you, I have the perfect Internet Explorer add on for you today! It’s called ieSpell and it acts just like the spell check function in Microsoft Word. It's awesome!

To make sure we're all on the same page, here’s an example of how you can use ieSpell:

1.) You're typing out a comment to the Webmaster of your favorite Web site, telling them how much you like their site.

2.) You accidentally spell the word "definitely" wrong, but you don’t realize it and just when you're about to hit the Submit Comment button, you have second thoughts. If you think you may have spelled something wrong, you can check it with ieSpell (as long as you have it installed!) To do that, just right click within the comment box and choose this:

3.) ieSpell will find your spelling mistake and give you some alternative spellings.

If you agree with the change ieSpell suggests, go ahead and click on Change.

It will then make the change and tell you "The spelling check is complete!"

It’s basically just like using the F7 spell check function in Microsoft Word, but now, you won’t have to copy and paste your text from Internet Explorer to Word anymore!

To install ieSpell, head on over to http://www.iespell.com/, click Download on the left sidebar and then choose the Primary Mirror download (this is a CNET download, so you know it’s free of spyware). Once ieSpell is finished downloading, simply open a new IE browser window and go about your business. If you happen to make any more spelling errors, ieSpell will come to your rescue. Yes!

[Note: ieSpell allows you to add custom dictionaries. Your MS Office Dictionary is located at:

Dictionary (.dic)

drive:\Documents and Settings\<user>\Application Data\Microsoft\Proof

For more info, see: http://alsplace.aldenbaker.com/alsplace/microsoft/ms-office/ms-outlook/300/outlook-data-files-locations/]


Hotspot Connections

Another reader asks: I'm an avid wireless user, but I've been having trouble getting connected to the Internet when I go to a free WiFi hotspot. Do you have any idea what I might be doing wrong?

If you use wireless Internet in your home, you may think it's the easiest thing in the world. I mean, after you get everything connected and hooked up, it's so easy to obtain Internet access. You don't have to worry about any cords, you hardly ever lose connections and it just makes your computer life simple. So, you have mastered using wireless in your house and you think you might as well try it outside of your home too. You go down to the local coffee shop, which is a free WiFi (Wireless Fidelity) hotspot. You turn on your computer and everything is fine until you realize you can't get connected to the Internet. What could possibly be wrong?

Well, there is a difference between home wireless use and public hotspot use. Even if your WiFi card shows that you're attached to an access point, you still might not be connected to the Internet and all you will receive are the dreaded "Page Cannot Be Found" messages.

The main thing you should remember when you go to a public hotspot (free or paid) is to open up a new browser window before you do anything. Do it before you open up your e-mail, a chat program or any other Internet functions. The browser window you open will usually have a log in screen (or something similar) so that you can get connected to the Web.

By doing things that way, paid hotspots are able to collect the fee information they need and free places are able to put up their information and disclaimer screens. The process really only takes a couple seconds and it will save you time for the next time you go to that same hotspot. Most of them have you set up an account with a username and password so that you can just log in easily the next time you visit.

You may be wondering what you're supposed to do if the above process still doesn't work. What if you do everything and you still don't get a log in screen? Well, there are a couple of things you can check. Make sure you have your browser homepage set to something. Don't just have it set to a blank page. If it's blank, it won't be able to trigger the needed port opening. You also need to make sure you have the updated Service Packs (at least SP2 for Windows XP). One final thing that may be causing you problems: you might just be too far away from the access point. If you're too far, your signal may be too weak to catch a connection. So, just move a little closer!

If you follow the steps and procedures of the hotspots you like to visit, you will no longer have wireless blues!
