Here’s an interesting attack vector: get your mark to listen to music to hack them.  Sounds silly?  Well it isn’t.

Apple just recently fixed this “binary planting” vulnerability in their iTunes for Windows application.  A remote attacker merely has to plant a malicious DLL using a specific name in the same network share as a media file and as soon as someone comes along to listen to that media file, BAM!  iTunes would load that laced DLL to play the music and execute goodness only knows what evil.

Many sysadmins are sighing with a bit of relief as this attack vector does require a network share to pull off, which is not something they intend to allow hackers to do this on their networks.  But, need I remind you of the Web Client service, enabled by default, with features like WebDAV, which allows remote network shares, as in internet-based, as in not safely behind  your intranet?

Fortunately, besides disabling these features, you also have options like  firewalls to stop the evil WebDAV and likewise outbound traffic.

Also of good news is that Apple has fixed this security hole in iTunes.

But!

Was iTunes the only hole needing to be patched?  Not according to H.D. Moore of Metasploit, who says that about 40 applications are exploitable in Windows because of the way in which Windows loads “safe” file types from network locations.  A problem which affects not only the older and less-secure Windows XP, but even Windows Vista and Windows 7.

So be warned.  Be wary.  And secure those PCs please.

The dual boot: it’s the answer to all of life’s mysteries.  Well, okay, so maybe not all of them.  But the biggest one, of how to enjoy the security of Linux whilst still being able to use all of your Windows apps and play all of the latest games.  Because as good as Linux is, it just isn’t gaining any popularity, so most software is still in the demesne of Windows.

Well, okay, so in theory there’s also Macintosh in there somewhere.  But honestly, who cares about that?

And, again, another theoretical solution is to use virtualization, like VMware, to run one OS natively and the other on virtualized hardware from inside the native OS.  Except that’s not really the solution that it should be.  If you run Linux native and Windows virtual, it’ll work, sure, but the point of a lot of people of running Windows is to play games that Linux can’t, and even though VMware has made some great strides in graphics virtualization, now that they actually virtualize the 3D acceleration as well, there’s still a significant performance loss running on virtualized hardware.  Which rather defeats the purpose.  Who wants to play their games slowly? But the alternative, running Windows natively so that you get full performance, and virtualizing Linux, is frankly even more useless since you’ve just thrown the whole Linux security advantage out the window.  And really, what can Linux do that Windows can’t?  So then what would be the point of using Linux at all if you were going to make your base OS Windows?  You could just use Windows.

So the answer is to dual boot.  Install Linux and Windows side-by-side and choose which one you want to load at startup.  It’s supposed to be easy.  And solve all of your problems.

Except for when it isn’t, and doesn’t.

Frankly, Linux (and all things related) is really starting to piss me off.

To start with, I decided to try a distro I’ve never touched before, because I’m old school I guess: Ubuntu.  It’s cute.  It’s snazzy.  Shame it couldn’t properly recognize my RAID0 array and trashed it each and every time I tried to install it.  Having installed Windows first in the process, that meant a lot of re-installing Windows, drivers, etc.  It was a royal pain in the asterisk.

But I’m nothing if not persistent.  I switched from using my Intel Matrix RAID controller to the dinky JMicron one that I don’t trust worth a darn, and voila, Ubuntu stops trying to access the component drives separately and treats the RAID0 array as a single disk.  Windows, mind you, had no problem properly using either.

That settled, move on in time.  To a procedure I’d put off perhaps a little too long: making my first backup.

Here’s a freaking rant in and of itself.  Windows Backup in Windows 7 can’t be used because the Linux bootloader partition used by GRUB I stupidly partitioned and formatted for Linux.  You might think “duh” there, as what else would you do?  Well Windows 7 has a stupid shadow copy technique used when backing up drives.  This is poorly programmed, and requires so much free space on each partition.  And yes, you guessed it, Windows both is smart enough to recognize that it needs to backup that bootloader partition, but too dumb to know how to read any Linux-formatted partitions.  So unless you were smart enough to make that bootloader a FAT32 or NTFS format, Windows Backup fails each and every time because it can’t shadow the bootloader partition.  Never mind that you could have literal terabytes of space free on your drive.  The shadow has to be on the partition being copied, and if the partition format can’t be read by Windows, you’re SOL.  And, in fact, I can’t even be sure that making that partition Windows-readable will fix this Windows Backup woe, because I have yet to try it.  It’s only a theory that it might make Windows Backup usable on a dual-boot box.

But honestly, it’s no big deal.  That’s okay, because Windows Backup is a PoS anyway.  There’s so much better software out there, right?  Comodo, for example, is free and does a much better job.  I would have just used my old copy of Norton Ghost, like I have on so many Windows XP boxes past, but it’s not compatible with Windows 7.  Oh, sure, some newer version is, but I’m not going to stump-up cash for that if there’s a free alternative that meets my needs.  And besides, I don’t want to just back up my Windows partitions anyway.  We’re talking dual boot.  We’re talking Windows and Linux living side-by-side.  So a Windows-only backup would be darn stupid anyway.  Just as a Linux-only backup would be.

So let’s try bringing in something truly multiplatform, that can read NTFS and Linux formats equally well, and will respect the whole of the hard drive, the master boot record, the partitions, everything exactly as they are.  Why not try something like Partimage Is Not Ghost (PING) then.

And then watch during a routine backup as PING totally destroys the Windows partition so badly that no Windows or Linux tool can restore it without reformatting the whole NTFS partition Windows used to be using before it was slaughtered by bad programming and heavy Linux hands.

Honestly.  Can anyone tell me why anyone would think a typical Windows user would, at this point, having had his Windows install raped and slaughtered repeatedly by Linux, be even remotely interested in trying to use Linux at this point?  At all?  Ever?

I can’t think of a single reason.

In fact, I feel pretty damn stupid for even giving Linux this many opportunities to nuke my Windows install.

I honestly have no idea why I’m so determined to use Linux at all.  Dualboot is just not working here.  I don’t know why not.  It’s a freaking simple concept.  I know Linux works just great on its own.  And Windows, well, is Windows.  Can’t live with it, can’t live without it.  So…

…I keep on trying.

But if anyone has ever wondered why Windows users don’t switch to Linux for the better security, lower overhead, and easier access to a plethora of wonderful free software?  There you go.  It’s because of all of the bad things that Linux does, that Windows doesn’t.  Like happily deconstruct a RAID array and then write to the drives individually, destroying the array.  Or blithely nuke Windows during a routine hard drive backup, when it should only be reading from the Windows partition in the first place.  Not many Windows users would be happy to reinstall everything from scratch because “oops” we had a little bug.

I’ve decided that I really don’t like Ubuntu though.  So maybe I’ll go back to openSUSE.  Or Fedora.

But later.  Much later.  When the seething anger has gone back down to a dull ache and I can burn a distro to DVD without wanting to throw it across the room, grind it into pulp, etc.

I really never thought I would cherish anything Microsoftian this much.  But I’m about damn ready to mount my Windows 7 disk on a wall.  With those holograms, it’s even kind of shiny…

Today marks the end of Microsoft’s support for Windows XP SP2.  It’s a sad day, though we are reminded that support for Win XP SP3 does continue.

But for those of you who are still working on your migration to Microsoft’s latest darling, Windows 7, you just got a little more breathing room.

As was previously declared, your right to downgrade your shiny new Windows 7 box down to Windows XP Professional would end in 18 months from the Windows 7 launch, or until the release of the first service pack for Windows 7, whichever came sooner.  This put it at the date of October 22, 2010.  In other words, in a couple of months.  And right on track, the first beta of Windows 7 SP1 is heading out as we speak, regardless of how generally useless as it is to most people because it contains no new features, just the same security updates Windows 7 users already have.  But the death knell for Windows XP was ringing.

In typical Microsoft leniency towards Win XP however, they’ve decided to listen to customers, and delay that order.  OEMs were afraid that a date-based limit on when boxes could be shipped with downgrades to Windows XP Professional would be confusing to users, since so many people were still demanding them.  (For migration purposes, of course.)  And yet again, Microsoft listened, breathing yet more life in the the operating system that wouldn’t die.

Yes, that’s right.  In fact, according to the blog, there seems to be no new deadline for Windows XP.  Though we are reminded in a round-about way that again the official support for Win XP SP2 ends today on July 13th, 2010, and Win XP SP3 support ends in of April 2014.

It’s a feature that you should turn off for security reasons anyway, the Windows Help and Support Center feature is, by definition, a means for someone else to screw around with your PC remotely, as are all of the remote procedure call and remote administration services.  I’ve always disabled them on my PCs.

But, in case you haven’t done so just on principle, it’s now a good idea to do it as a legitimate security concern.  Because flaws the Windows Help and Support Center feature in Windows XP, Server 2003, and possibly other versions of Windows, can be exploited by hackers to take control of your computer.  It’s been proven as a vuln now. As if we really needed to wait for that to know it was a possible vulnerability.  Yay Microsoft security holes!

All it takes for a mean nasty hacker to take over your PC is for you to have Windows Help and Support Center running, and for you to visit a malicious website.  The website, using a combination of commands embedded into the URL, cross-site scripting (XSS), and invalid hex sequences to bypass Microsoft’s whitelist verification and protections to keep this very thing from happening.  Which sounds complicated, but really isn’t.

The attack works against most major browsers.  All it takes is accessing the wrong web page.  Once you’ve done that, the hacker has complete control of your PC as if they were you.

So if you haven’t disabled Microsoft’s Windows Help and Support Center, you probably should.

For those of  you who may have noticed your computer screaming for the latest cumulative security update from Microsoft and wondering how April 13th came so quickly, you can rest easy.  You didn’t miss weeks of time.  This one came early.

Microsoft has released an emergency patch for Internet Explorer, from IE 5 to IE 8 no less, to address a zero-day exploit involving iepeers.dll.  As well as a number of other patches.  All rolled into one out-of-the-blue emergency security fix to close up those holes and vulns.

So if you use Internet Explorer (or if you use Windows and fear that on some level just having any Internet Explorer code anywhere in the system makes you vulnerable) then take note and patch from Microsoft’s latest.  Better safe than sorry.