No; forward it to the Yahoo SBS list; it's sure to cause many an SBS
machine to catch fire... :-p

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Gerald G. Young
Sent: Friday, April 13, 2007 7:14 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: OT: Fw: [ISN] Vista DRM could hide malware

Hmmm... Should I forward this to the honorable Reverend Sharpe?

Hmmm... I suppose Imus not.

Cordially yours,

Jerry G. Young II
Application Engineer, Platform Engineering and Architecture
NTT America, an NTT Communications Company
22451 Shaw Rd.
Sterling, VA 20166
Office: 571-434-1319
Fax: 703-333-6749
Email: g.young@xxxxxxxx

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> Sent: Friday, April 13, 2007 10:06 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: OT: Fw: [ISN] Vista DRM could hide malware
>
> So he's tested it, it doesn't work, and therefore it's a story about
> "Microsoft Security Flaws".
>
> Sounds like a nappy headed ho to me.
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- Microsoft Firewalls (ISA)
>
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> > Sent: Friday, April 13, 2007 9:01 AM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] OT: Fw: [ISN] Vista DRM could hide malware
> >
> > Friday and slow, thought I would opine:
> >
> > It is really amazing when supposed journalism hits this level. An entire
> > article based on screenshots and speculation, particularly when the guy
> > couldn't even get the thing to work. Yet, we're supposed to be worried
> > about malware hiding itself. And just how did the malware get on the
> > system in the first place to then be hidden? Hmmmm.
> >
> > t
> >
> > ----- Original Message -----
> > From: "InfoSec News" <alerts@xxxxxxxxxxxxxxx>
> > To: <isn@xxxxxxxxxxxxxxx>
> > Sent: Friday, April 13, 2007 12:28 AM
> > Subject: [ISN] Vista DRM could hide malware
> >
> > > http://news.zdnet.co.uk/security/0,1000000189,39286677,00.htm
> > >
> > > By Tom Espiner
> > > ZDNet UK
> > > 12 April 2007
> > >
> > > A security researcher has released a proof-of-concept program that
> > > hackers could use to exploit Windows Vista digital rights management
> > > processes to hide malware.
> > >
> > > Alex Ionescu claims to have developed the program D-Pin Purr v1.0 that
> > > will arbitrarily enable and disable protected processes in Vista,
> > > Microsoft's latest operating system.
> > >
> > > Screenshots on Ionescu's blog suggest the program can be run
> > > successfully. Ionescu included stack information related to one of the
> > > processes that is by default protected on Vista. Try to retrieve that
> > > information using Process Explorer and you get an error message. In
> > > Ionescu's screenshot, taken after allegedly removing the protection, the
> > > information is visible.
> > >
> > > The binary for the program, which is available for download, is
> > > currently being tested by security experts. Fraser Howard, a principal
> > > virus researcher at security vendor Sophos, told ZDNet UK that the
> > > program looks feasible. At the time of writing Howard had managed to get
> > > it running, but had not managed to successfully protect and unprotect
> > > processes on his machine.
> > >
> > > "I have not confirmed it, but I have little doubt it will work as
> > > intended [to remove protection]," said Howard. "This should mean it is
> > > perfectly possible to add protection to processes as well."
> > >
> > > The source code for the program is not available. Should the source code
> > > of the program become available to hackers, this could mean that other
> > > processes would not be able to properly "inspect" the hacked protected
> > > process, according to Howard.
> > >
> > > "The fact that the DRM within Vista presents a mechanism through which
> > > code may attempt to restrict what other processes including security
> > > applications are able to do, is a problem in itself. The presence of
> > > that problem creates a hive of activity with people trying to hijack the
> > > mechanism, either as a proof of concept, or as a malicious attack,"
> > > Howard said. "In this case, the source code has not been released, just
> > > a binary which can be used to demonstrate the issue. Had there been
> > > source code, I am sure we would see malware authors trying to add that
> > > functionality to malware. As it is, supposing the claims are valid,
> > > there will no doubt be authors looking to include such functionality
> > > themselves into their malware."
> > >
> > > With no release of any source code or details, Howard was unable to
> > > comment on how Ionescu had managed to develop D-Pin Purr v1.0. "The
> > > binary deliberately uses obfuscation to limit the number of people who
> > > could reverse engineer and misuse that knowledge," said Howard. "But it
> > > does use a driver. Microsoft states in its documentation that people
> > > should not use a driver to bypass the protection mechanism."
> > >
> > > Howard said that to run the binary to add and remove protection, users
> > > need to be running the code with elevated privileges.
> > >
> > > Microsoft could offer no comment at the time of writing.
> > >
> > >
> > > __________________________
> > > Subscribe to InfoSec News
> > > http://www.infosecnews.org