First thing that users notice is the new installer. Avast notes that the beta versions can be installed over existing Avast 6 installations, or separately on the system. The custom installation provides options to install a typical, minimal or custom version of the security software on the system. Especially the latter option should appeal to security interested computer users, as it allows them to block modules from being installed on their computer. Here it is possible to disable any module that you do not want to use, and not only some which seems to be more common in custom installers. This can for instance be useful if those modules are not needed or interfering with other security software installed on the system.

Avast 7 Beta is compatible with all recent 32-bit and 64-bit versions of the windows operating system and the Windows 8 Developer Preview version released last year. The program interface has received a facelift as well. Core program features are available in the side bar menu.

The Real-Time Shields display for instance displays visual information about each security module installed on the system.

One of the new features that Avast has integrated into the beta versions is a cloud based reputation service which improves the decision making process of the program.

Here is the full list of new features:

• New installer
• UI facelift
• FileRep service (cloud based)
• Streaming updates
• Sandbox & Autosandbox improvements
• Browser protection improvements
• Remote assistance feature to help your friends with computer troubles
• Support tool
• Export/Import settings
• Screensaver facelift
• runs on Win8 Developer Preview

It is recommended to check the known issues before installing the beta software on a system.

- In some cases, WebRep Chrome plugin is not installed correctly
- The Safezone browser is opening each time when you switch back and to the Safezone
- Plugins for Outlook 2k3 and 2k7 show “runtime error” message
- Sometimes autosandbox toaster does not close correctly
- Problems with avast sounds on Win 7 and Win Vista
- Remote assistance feature sometimes crashes on Win 7 32b, Win Vista 64b
- avast! account functionality is disabled

Avast’s Auto Sandbox feature sounds like a real winner, if Avast gets the detection right. It puts suspicious processes automatically in a sandbox to prevent them from damaging the underlying operating system, other programs and files.

I would not recommend running the beta version in a productive environment though. It is likely that Avast will release the final version of the program in the coming months. (via Vishal)

The incident came to light only recently, when hackers started to upload code sneak peeks and information to the Internet.

Symantec by then asked users of pcAnywhere to stop using the software to analyze and mitigate any arising risks. Symantec later on released a security recommendations whitepaper that described possible risk scenarios.

• The encoding and encryption elements within pcAnywhere are vulnerable, making users susceptible to man-in-the-middle attacks, depending on the configuration and use of the product. If a man-in-the-middle attack should occur, the malicious user could steal session data or credentials.
• A secondary risk: If a malicious user obtains the cryptographic key, they can launch unauthorized remote control sessions and thus access systems and sensitive data.
• If the cryptographic key itself is using Active Directory credentials, it is also possible for attackers to perpetrate other malicious activities on the network.
• In an internal pcAnywhere environment, if a network sniffer was in place on a customer’s internal network and the attacker had access to the encryption details, the pcAnywhere traffic could be intercepted and decoded. This implies that a customer either has a malicious insider who planted the network sniffer or has an unknown Botnet operating in their environment. As always, security best practices are encouraged to mitigate this risk.
• Since pcAnywhere exchanges user login credentials, the risk exists that a network sniffer or Botnet could intercept this exchange of information, though it would still be difficult to actually interpret the data even if the pcAnywhere source code is released.
• For environments with remote users, this credential exchange introduces an additional level of exposure to external attacks.

These information where later removed from the whitepaper after a patch had been issued.

The hackers in the meantime have released email correspondence on PasteBin. Here it gets a bit blurry as both sides apparently tried to broker a deal that would prevent the source codes from being released to the public. According to Symantec, it was a sting operation from the very beginning. The hackers on the other hand stated that they tried to “humiliate them” further.

A torrent of the source code has since then been released on the popular Bittorrent indexing site The Piratebay where it quickly climbed into the top 5 seeded files of the Misc category.

The hackers have already announced that they will also release the Norton Antivirus source code.

Should Norton and Symantec customers be worried about the source code release? Symantec stated that user’s who have upgraded the products to the latest version have nothing to worry about.

Kaspersky WindowsUnlocker is a free program by Russian security company Kaspersky that you can use to remove the effects of malware that is blocking you from accessing parts or all of the system.

The program ships as an ISO image that you need to burn on CD or copy to an USB device before you can make use of it. The program itself runs independently from the Windows operating system so that the malware has lesser options to block it from doing its deeds.

You can use Kaspersky’s USB Rescue Disk Maker to copy the contents on a USB device, or a CD burner like ImgBurn if you prefer to burn the program to CD.

Once copied or burned, you need to configure the target computer to boot first from CD or USB. You will see the Kaspersky Rescue Disk boot screen if that operation was successful.

You are then asked to select one of the available interface languages. Available are roughly 20 different languages from English and German to Swedish and Dutch.

Select graphic mode on the next screen. You can alternatively boot the program in text mode, display hardware information, reboot or boot from the hard disk instead.

Click on the start button and select Kaspersky WindowsUnlocker from the available selection. The program runs automatically now and starts disinfecting the Registry. Results are displayed directly in the program window so that you can keep an eye on what’s happening on your computer.

A log file is generated in the /var/kl or /var/tmp/ folder for each program run. Once you have finished the operation, reboot your computer, change the startup device to hard drive and boot into the Windows operating system.

If everything worked out, you should have access to your system again. And while this does not resolve all situations you may run into, it certainly can help you if ransom ware locked you out of your own computer (thanks Raymond)

The popular download portal Download.com for instance has also started to bundle adware with the majority of downloads they provide site users with.

Today when I was downloading the latest Adobe Shockwave Player from Adobe’s website I noticed that both the slim online installer and full installer were now offering to install a third party application as well.

Near the end of the installation you are taken to a screen that will install Norton Security Scan on the system if you do not opt-out of it.

Norton Security Scan is a free program that checks computers for potential threats. It will download the latest definition updates to the system when an online connection is available. The program detects but does not resolve the issues though. It in fact very similar to scareware in this regard, which alerts the user of serious problems on the PC to sell a product.

You can only scan the system after launch. Initiating a scan will first check for updates. You will also be notified if security and web protection is installed on the system. Only tracking cookies were detected on the system, which did not keep the program from displaying a big Fix Now button on the left side of the screen. When you press it you are taken directly to a web page where you can purchase one of Norton’s security programs.

Removal of Norton Security Scan is straightforward though. Just click on Start Menu > Control Panel > Uninstall a Program and select it for uninstallation. You need to restart the PC to complete the installation.

Looking for free alternatives that you can make use of right away? Try AVG Anti-Virus Free or Avira Free Antivirus, but keep in mind that they too may be bundling their programs with toolbars.

The configured DNS server basically tells the web browser where to look for when a web address such as www.ghacks.net is entered into the browser’s address bar. If that lookup is manipulated part or all of the page elements of the website can be replaced by the operators of the rogue DNS server.

The FBI back then replaced the DNS servers that the cyber criminals used with working servers to avoid interruption of service for users affected by the DNS server change.

These DNS servers will however be shut down on March 8th, 2012. Affected users from that day on may not be able to connect to Internet addresses anymore until they replace the DNS server with working ones.

Security company Avira, famous for their antivirus solution, has released the Avira DNS Repair-tool.

You can run the portable program on your system to see if your computer’s DNS server has been manipulated by DNSChanger.

The program will reset the DNS servers to Windows default values if it finds out that they have been manipulated by the malware.

It is alternatively possible to check for manipulation manually.

Use the shortcut Windows-r to bring up the run box. Enter cmd in there and tap on the enter key to open the command prompt. Now run the command ipconfig /all and locate the DNS Servers entry. Compare what you see there with the list of rogue DNS servers below

• 64.28.176.0 – 64.28.191.255
• 67.210.0.0 – 67.210.15.255
• 85.255.112.0 – 85.255.127.255
• 77.67.83.0 – 77.67.83.255
• 93.188.160.0 – 93.188.167.255
• 213.109.64.0 – 213.109.79.255

If your DNS server IPs differ from the ones above then congratulations, you are not infected. You otherwise need to change the DNS server. While you could do that manually, you may prefer to use a program for that. You can use the Avira tool to reset the DNS Server, or a program like DNS Jumper to select a public DNS server instead.

You can download the Avira DNS Repair-Tool from the official Avira website

The company nevertheless decided to reset all FTP and shell user access passwords for all Dreamhost users. This should not be confused with the account password used to log into the Dreamhost site itself though. Dreamhost customers who are using the same passwords for multiple services should change passwords on all of them to eliminate the possibility of unauthorized access to those accounts.

Dreamhost furthermore notes that users should also be changing email passwords of all Dreamhost managed email addresses as soon as possible.

We have been sending out update emails to every account owner we have, letting them know what happened, and how to proceed from here on out. As a precaution, we advise every user to change all email passwords as well. We are not forcing this change, however, so make sure you take care of that ASAP.

Shell and ftp passwords can be changed in the Manage Users interface which is accessible here. Dreamhost customers need to click on the edit button next to the ftp or shell user to change the log in password for that account.

A company representative noted that neither credit card data nor web panel logins were accessed by the attackers. If you read through all of the 270 or so comments on the Dreamhost blog, you will notice that many customers were quite infuriated about the level of information they received. Web panel access was not available at all times due to users trying to change their passwords, and rumors spread that Dreamhost was storing passwords in plain text (which was later refuted by a Dreamhost employee who stated that they were hashed).

Lets take a look at what Dreamhost customers need to do right now:

• Log into the web panel and change FTP, SFTP, MYSQL, Email and other account passwords. Some passwords have been reset automatically by Dreamhost which means that they need to be changed anyway to regain access.
• Change passwords on other accounts if the same password was used for access.

Passwords with a reasonable length should be safe, but it is nevertheless better to make the changes to be certain that the attackers cannot use successfully decrypted passwords to gain account or service access. A password manager like KeePass can aid in the creation of secure passwords.

Are you a Dreamhost customer? If so, when did you receive notification about the security incident and what did you experience afterwards?

Tony Hsie, Zappos’ CEO, notes that the credit card and payment database has not been affected or accessed by the attacker.

While not in immediate danger, customers are asked to change their account passwords at the next possible moment to protect their accounts from unauthorized access. If the attackers managed to dump the account username and password, they have likely started to decrypt the passwords with the help of dictionary lists and brute forcing. The attackers cannot use the information directly on the Zappos site though, as passwords have been reset by the company. Customers are asked to create a new password by “clicking on the “Create a New Password” link in the upper right corner of the web site and follow the steps from there”. It is alternatively possible to open the Password Change page right away on the website which leads to the create a new password page.

Zappos notes that users should change passwords on other websites if they have used the same password for accounts on those sites. If the attackers manage to decrypt the passwords, they could try to log into email accounts or other popular web services.

We also recommend that you change your password on any other web site where you use the same or a similar password. As always, please remember that Zappos.com will never ask you for personal or account information in an e-mail. Please exercise caution if you receive any emails or phone calls that ask for personal information or direct you to a web site where you are asked to provide personal information.

Resetting more than 24 million customer passwords must have not been an easy decision for the company CEO. Other hacked companies have reacted differently in the past, for instance by only emailing their customers about the breach and asking them in the email to change their account passwords. The better safe than sorry approach seems to be better suited for these kind of situations. What’s your take on the news, and do you think that Zappos made the right move?

The old Virustotal had a file size limit of 20 Megabyte which worked fine for most executables and setups, but not for all. If you encountered a single file that exceeded the 20 Megabyte limit, you could not use the service to scan it at all. The service had other issues that users encountered every now and then, like large queues or pages that were not loading properly.

The developers have recently updated the service website and virus scanning service that improves Virustotal considerably.

When you open the service’s homepage you will notice two of the changes right away.

The first is a new professional feel and look, the second that Virustotal now accepts file sizes of up to 32 Megabytes. That’s a reasonable 60% increase that should resolve the majority of “file size to big” issues that users encountered previously on the site.

Once you upload a file you will notice that the reporting interface has changed as well.

The url scanner is now supporting a total of 19 different scan engines that includes a mix of well known (Google Safebrowsing, Opera, Phishtank) and lesser known services. Some url scanning services provide additional information that are now also displayed in the scan results.

Virustotal has moved to Google’s App Engine Service which, according to the developers, speeds up the analysis significantly. Developers of third party apps now benefit from faster response times thanks to a public API update.

Virustotal has improved significantly thanks to the recent update. Especially the maximum file size increase needs to be mentioned in this regard.

Have you used the new version yet? If so, what is your impression of the service? (via Dottech)

It is interesting to note that the severity rating of the first bulletin is critical on Windows XP and Vista, while only important on Windows 7 and Windows Server 2008 R2. When you look at all bulletins you will notice that Windows XP is affected by all, Vista by five and Windows 7 by four of the vulnerabilities addressed in the bulletins.

The Security Bulletins have just been posted on Microsoft’s Technet website. Here is this month’s summary with links to each security bulletin.

• MS12-004 – Vulnerabilities in Windows Media Could Allow Remote Code Execution (2636391) – This security update resolves two privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow remote code execution if a user opens a specially crafted media file. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
• MS12-001 – Vulnerability in Windows Kernel Could Allow Security Feature Bypass (2644615) – This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow an attacker to bypass the SafeSEH security feature in a software application. An attacker could then use other vulnerabilities to leverage the structured exception handler to run arbitrary code. Only software applications that were compiled using Microsoft Visual C++ .NET 2003 can be used to exploit this vulnerability.
• MS12-002 – Vulnerability in Windows Object Packager Could Allow Remote Code Execution (2603381) – This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a legitimate file with an embedded packaged object that is located in the same network directory as a specially crafted executable file. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
• MS12-003 – Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2646524) – This security update resolves one privately reported vulnerability in Microsoft Windows. This security update is rated Important for all supported editions of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. All supported editions of Windows 7 and Windows Server 2008 R2 are not affected by this vulnerability.

  The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application. The attacker could then take complete control of the affected system and install programs; view, change, or delete data; or create new accounts with full user rights. This vulnerability can only be exploited on systems configured with a Chinese, Japanese, or Korean system locale.

• MS12-005 – Vulnerability in Microsoft Windows Could Allow Remote Code Execution (2584146) – This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Office file containing a malicious embedded ClickOnce application. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
• MS12-006 – Vulnerability in SSL/TLS Could Allow Information Disclosure (2643584) – This security update resolves a publicly disclosed vulnerability in SSL 3.0 and TLS 1.0. This vulnerability affects the protocol itself and is not specific to the Windows operating system. The vulnerability could allow information disclosure if an attacker intercepts encrypted web traffic served from an affected system. TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected.
• MS12-007 – Vulnerability in AntiXSS Library Could Allow Information Disclosure (2607664) – This security update resolves one privately reported vulnerability in the Microsoft Anti-Cross Site Scripting (AntiXSS) Library. The vulnerability could allow information disclosure if a an attacker passes a malicious script to a website using the sanitization function of the AntiXSS Library. The consequences of the disclosure of that information depend on the nature of the information itself. Note that this vulnerability would not allow an attacker to execute code or to elevate the attacker’s user rights directly, but it could be used to produce information that could be used to try to further compromise the affected system. Only sites that use the sanitization module of the AntiXSS Library are affected by this vulnerability.

The updates are already available on Windows Update. The easiest way to open the updating tool is to click on the start menu orb and select Windows Update from the program listing there.

Windows users who do not want to or can’t use Windows Updates can download the updates from Microsoft’s Download Center beginning later today. Microsoft as usual will release an ISO image with all security updates of the month for easier distribution.

Update: The severity and exploitability index and bulletin deployment information have been posted.

The next security updates will be released on February 14, 2012.

At least one of the vulnerabilities has received the maximum severity rating of critical, the highest possible rating, on all affected operating systems and .Net versions. Microsoft notes that the most severe vulnerability could allow elevation of privileges “if an unauthenticated attacker sends a specially crafted web request to” a target site. Attackers who successfully exploit the issue can “take any action in the context of an existing account on the ASP.NET site, including executing arbitrary commands”.

Security updates are already listed on Windows Update. Windows users who have only installed the Microsoft .Net Framework 4.0 Client Profile may only see important in Windows Update instead of critical ones. That is because ASP.Net, the component that is affected by the critical vulnerability, is not included in this version of the framework.

Most Windows users have configured automatic updates. Users who do not use automatic updates or Windows Update may download the patches from the Microsoft Update Catalog site instead. Please note that you can only open the site in Internet Explorer and not in other browsers.

Microsoft’s Download Center is currently not listing the security updates. It is however likely that they will appear on the site in the next days.

A restart of the computer is not required after applying the patches. The patches will merely stop related services during patches before they are restarted.

Additional information about the security vulnerability are available on the Microsoft Security Bulletin page. This bulletin raises the count to 100 bulletins that have been released by the Redmond company in 2011.

A WiFi Protected Setup (WPS) vulnerability has recently been discovered that reduces the brute forcing time significantly. The vulnerability can be exploited to find out when the first four digits of the eight digit pin are correct. Instead of having to try 10⁸ possible combinations, attackers now have to try 10⁴ + 10³ combinations which reduces the attempts from 100 million to 11000 in total.

That’s a significant reduction in attempts. Some wireless routers slow down brute force attempts automatically as a security precaution, others do not have those features implemented. The attack may also result in a denial of service condition according to information posted on the US-Cert website.

Attackers can exploit the vulnerability to brute force their way into wireless routers at a much faster pace than before.

The vulnerability can only be patched with a firmware update. While it is likely that newer models will receive an update eventually that patches the flaw, it is unlikely that all affected router models will receive one.

Computer users who are currently using WiFi Protected Setup should disable the feature and configure their router manually instead. It is recommended to switch to WPA2 encryption with a strong password. US-Cert furthermore recommends to disable UPnP and to enable Mac filtering. The latter may keep amateurs at bay, but not professionals.

The vulnerability disclosure page lists vendors that are affected by the vulnerability. The who is who includes D-Link, Netgear, Zyxel, Linksys or Belkin among others.

Setting up a router’s wireless connection manually is a challenging experience for less than tech-savvy computer users.

Additional information about the vulnerability can be found at Stefan Viehböck’s website. The author promised to release a brute force tool to demonstrate the impact of the vulnerability.

The vulnerability can be exploited remotely if printers supporting the remote firmware update process are not properly protected by firewalls. Local attacks are another possibility.

Consult Researchers Find Security Vulnerability In Printers for additional information about the vulnerability.

A press release issued by HP on December 23 confirms the availability of firmware updates that mitigate the security vulnerability. HP LaserJet printer owners are asked to visit the HP Support website to download the firmware updates to their systems. Here they need to select Drivers & Software, enter the product name or number into the form and select the product from the listing to be taken to a page where they can download the latest printer firmware for that model.

HP is furthermore offering security guidance for imaging and printing on this web page.

The press release provides no details on the changes made by HP or on the printer models firmware updates have been released for. HP stated however that the company is communicating the availability of firmware updates “proactively to customers and partners”. It is however not clear at the time of writing how update news are communicated to HP’s customer base. The HP website for one is not listing the firmware update on the main page, nor on the support start page.

No customer of affected printers has reported unauthorized access to HP, according to the press release.

HP LaserJet users should seek out the HP Support page to find out if a firmware update is available for their printer. The firmware should be installed as soon as possible to protect the printer from the vulnerability.

Ghacks reader Jojo just mentioned that he discovered a new NoScript feature that opens a page of security and privacy related links for domains listed in the NoScript domain listing. The method, while stile requiring a few clicks to receive results, is improving this workflow significantly.

A middle-click on a domain name opens a new browser page with links to several privacy and security information.

The page links to the following security and privacy related services and databases: Web of Trust, McAfee Site Advisor, Webmaster Tips Site, Safe Browsing Diagnostic and hpHost Report.

• Web of Trust – Displays trustworthiness, vendor reliability, privacy and child safety ratings as well as user comments.
• McAfee site Advisor – Informs about download safety, online affiliations and possible annoyances.
• Webmaster Tips – Does not load currently.
• Google Safe Browsing – Displays if Google considers the site to be suspicious, if it has distributed or hosted malware, and if pages on the site contained malware during Google bot visits.
• hpHosts – Lists IP, host and server related information about the selected domain.

Direct optional integration of at least one service into the NoScript domain listing would be optimal. It would also be great if links to standard web searches would be displayed on the services page.

X-Ray, a new portable software by our blog partner Raymond.cc, is a security software for the Windows operating system that combines Virus Total scanning with options to submit files to antivirus companies for manual inspection.

The program asks you to drop one or multiple files into the program interface. You can then start the analysis right away by clicking on Get Recent VirusTotal Report or Send to VirusTotal.

The first computes the hash and submits it to VirusTotal to retrieve previous analysis results (if available). The second sends the file to VirusTotal to run the analysis. The first is faster but results may come up blank if no one submitted the program for analysis before.

Program alternatives are available to submit files to Virustotal. This includes the official Virus Total Uploader among others. Most however do not support retrieving previous reports from the service.

What sets X-Ray apart however is the option to submit suspicious files to antivirus companies for manual review. Before you can use the functionality, you need to setup your email correctly in the program.

The program requires you to enter an email server, port, and username and password. A test button is available to test the settings.

You can configure the preferred submission method for some companies. Available for selection are by email or web form, both of which are processed automatically.

Once you have setup the email provider you can start sending files for analysis. A click on the button in the main interface submits the current file to all companies. Some companies may display captchas as part of the submission process, but that’s the only thing you have to enter before the file is submitted.

The response time depends on may factors, it can take a day, a week or even longer than that. Some companies may not respond at all. But since you are submitting the file to a lot of different antivirus companies, chance is good that you will receive timely responses from some.

X-Ray’s unique approach makes it a must have for Windows users who need to make sure that a file is clean before they run it on their system. And since it is portable, it can be added easily to a troubleshooting tools DVD or USB drive.

Windows users can download the latest version of X-Ray from Raymond’s website.

The developers suggest to run the application directly from within the web browser which is a possibility. Users with SuperAntiSpyware installed cannot run the online scanner at the same time as the core program (killing the process helps).

The program, offered as a .com file, leaves no traces on the system and does not need to be installed. Before you think about copying the program to an USB device or tools DVD, you should consider that there is no option to update the program database. The check for updates button and automatic updates option are grayed out and not selectable. This leaves on demand scans but only on systems with a working Internet connection (to download the portable program).

The program is limited to scanning and repairing the computer. Several features like scheduled scanning or automatic updates are grayed out and not selectable. The same is true for most of the program options which are also grayed out.

A click on scan your computer runs the selected scan. Available for selection are quick, complete, critical point, custom and rescue scans with complete scans being selected by default.

SuperAntiSpyware Online Safe Scan can remove threats found on the computer. This is an advantage of pure online scanners who usually cannot perform those operations.

The Repairs section can also be handy in cases to fix issues caused by malware. This includes reseting the browser homepage, enabling the task manager and system tray, resetting url prefixes or repairing broken network connections.

Those features alone make it a nice to have program. The downside is quite obvious: You need to re-download the program every time you want to scan a computer. If you do not you may not be using the latest program version.

Windows users who want to try out SuperAntiSpyare’s Online Safe Scan application can download it from the official website. (via)

The updates are already available on Windows Update and via the Microsoft Download Center for users who prefer to download them separately. A DVD Iso image has also been released with December’s security updates.

Microsoft recommends to focus the attention on the MS11-092 – Windows Media and MS11-087 – Windows critical updates before installing the remaining patches. The bulletin deployment priority table, and severity and exploitability index provide further assistance.

Here is a list of all bulletins released in December 2011 by Microsoft.

• MS11-087 – Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2639417) – This security update resolves a publicly disclosed vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted document or visits a malicious Web page that embeds TrueType font files.
• MS11-090 – Cumulative Security Update of ActiveX Kill Bits (2618451) – This security update resolves a privately reported vulnerability in Microsoft software. The vulnerability could allow remote code execution if a user views a specially crafted Web page that uses a specific binary behavior in Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This update also includes kill bits for four third-party ActiveX controls.
• MS11-092 – Vulnerability in Windows Media Could Allow Remote Code Execution (2648048) – This security update resolves a privately reported vulnerability in Windows Media Player and Windows Media Center. The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Digital Video Recording (.dvr-ms) file. In all cases, a user cannot be forced to open the file; for an attack to be successful, a user must be convinced to do so.
• MS11-088 – Vulnerability in Microsoft Office IME (Chinese) Could Allow Elevation of Privilege (2652016) – This security update resolves a privately reported vulnerability in Microsoft Office IME (Chinese). The vulnerability could allow elevation of privilege if a logged-on user performed specific actions on a system where an affected version of the Microsoft Pinyin (MSPY) Input Method Editor (IME) for Simplified Chinese is installed. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights. Only implementations of Microsoft Pinyin IME 2010 are affected by this vulnerability. Other versions of Simplified Chinese IME and other implementations of IME are not affected.
• MS11-089 – Vulnerability in Microsoft Office Could Allow Remote Code Execution (2590602) – This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted Word file. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
• MS11-091 – Vulnerabilities in Microsoft Publisher Could Allow Remote Code Execution (2607702) – This security update resolves one publicly disclosed vulnerability and three privately reported vulnerabilities in Microsoft Office. The most severe vulnerabilities could allow remote code execution if a user opens a specially crafted Publisher file. An attacker who successfully exploited any of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
• MS11-093 – Vulnerability in OLE Could Allow Remote Code Execution (2624667) – This security update resolves a privately reported vulnerability in all supported editions of Windows XP and Windows Server 2003. This security update is rated Important for all supported editions of Windows XP and Windows Server 2003. Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are not affected by the vulnerability.

  The vulnerability could allow remote code execution if a user opens a file that contains a specially crafted OLE object. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

• MS11-094 – Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2639142) – This security update resolves two privately reported vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a user opens a specially crafted PowerPoint file. An attacker who successfully exploited either of the vulnerabilities could take complete control of an affected system. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
• MS11-095 – Vulnerability in Active Directory Could Allow Remote Code Execution (2640045) – This security update resolves a privately reported vulnerability in Active Directory, Active Directory Application Mode (ADAM), and Active Directory Lightweight Directory Service (AD LDS). The vulnerability could allow remote code execution if an attacker logs on to an Active Directory domain and runs a specially crafted application. To exploit this vulnerability, an attacker would first need to acquire credentials to log on to an Active Directory domain.
• MS11-096 – Vulnerability in Microsoft Excel Could Allow Remote Code Execution (2640241) – This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted Excel file. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Installing and configuring Office File Validation (OFV) to prevent the opening of suspicious files blocks the attack vectors for exploiting the vulnerabilities described in CVE-2011-3403.
• MS11-097 – Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2620712) – This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application designed to send a device event message to a higher-integrity process. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.
• MS11-098 – Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2633171) – This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application designed to exploit the vulnerability. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.
• MS11-099 – Cumulative Security Update for Internet Explorer (2618444) – This security update resolves three privately reported vulnerabilities in Internet Explorer. The most severe vulnerability could allow remote code execution if a user opens a legitimate HyperText Markup Language (HTML) file that is located in the same directory as a specially crafted dynamic link library (DLL) file.

The next upcoming scheduled security update will be on the 10th of January 2012.

The installation of Sandboxie is fast and completes without the need to restart the system. The program runs a compatibility check at the end of installation and displays programs it can improve compatibility with in a list.

The main program interface has not changed since our first review of the program in 2008. But that’s not necessarily a bad thing, as it is highly functional. The program ships with a single sandbox but provides options to create new ones. It is not really necessary to configure multiple sandboxes as multiple programs can run in one. It does have benefits though. Each sandbox comes with its own set of rules to configure. Running programs in different sandboxes makes sure that they are isolated from each other as well as from the system.

Sandboxie can run virtually any program in its own virtual space: from web browsers and email clients to Microsoft Office applications and Windows Explorer.

Running applications in sandboxes has implications. Data saved by sandboxed programs for instance is only saved temporarily in the virtual space. Sandboxie does however offer comfortable options to deal with data that needs to be written to the local system (like program updates or downloads).

Lets take a web browser as an example. If you run Internet Explorer in a sandbox you cannot download files to your system. The download works as intended but when you close IE the files get closed as well. Sandboxie ships with a recovery feature that can move files out of the sandbox so that they are stored permanently on the system. This is an automatic process.

Another option to move files out of the sandbox is the quick recovery option which becomes available in the right-click context menu in the main application interface (not automatic).

Both programs scan folders like downloads, favorites or documents on the computer. Additional folders can be added to the configuration, for instance to include different download locations on the PC.

Sandboxie furthermore offers pre-set options for popular applications like email readers, web browsers or download managers. Here it is for instance possible to allow Firefox to save browsing sessions, enable Outlook to access the mailbox or to improve the use of dozens of additional applications.

The developer has added comfortable options to his application to make the program more convenient to use. Immediate recovery is one of those options but there are others, including options to force run applications in a sandboxed environment, and to configure files, Registry keys or hardware that is directly accessible by applications running in a particular sandbox.

It only takes a couple of clicks to run programs in the sandbox. Right-click a sandbox in the main program window and select run sandboxed. A selection menu is displayed with options to run the web browser, email client, any program, any program from the start menu or Windows Explorer in the selected sandbox. Programs can also be started directly from Windows Explorer. A right-click on the application offers to run it in a sandbox. That’s useful especially for downloaded files.

Applications running in the sandbox can be identified by the [#] in the application title, and by moving the mouse cursor over the title which displays a highlighted border around the application window.

Sandboxie Tips

New users who install Sandboxie for the first time need to think about the programs that they want to run in the virtual environment. Programs with Internet or network access, and downloaded programs are two core candidates.

You can test a program’s compatibility by running and testing it in the sandbox. If the program behaves like it should, you could add it to the list of applications that are forced to run in the sandbox whenever they are started on the system. This prevents that you have to remember to launch that software in the sandbox all the time.

Some programs, like email clients or web browsers, need special access to folders on the system for some of their functionality. This can be configured in the sandbox settings. Firefox for instance needs access to data stored in its profile folder, Outlook to the email program’s mailbox and uTorrent to the temporary and complete download directories.

Creating multiple sandboxes has several positive effects. First, it protects applications from each other. Second, it allows the user to run different configuration sets as each sandbox comes with its own set of preferences. This way you could run a program with a different set of rules than others.

You can not only force programs but also all files of a specific folder to run in a sandboxed environment. That’s useful for download folders, optical drives or removable hard drives and other folders where file names may change regularly.

You sometimes may need to run programs normally, for instance when a program update is available. The disable forced program toggle disables sandboxing for selected programs for a limited amount of time. Firefox users could use the toggle to apply updates to the browser or browser add-ons for instance.

Another interesting application is to run program installers in their own sandbox. You can install and use the program normally as long as the sandbox is up. Once you are done testing you can just shut down the sandbox and everything goes back to the way it was before the installation. That’s very handy if you are testing a lot of programs.

The Help Topics on the Sandboxie website offer a getting started tutorial, usage tips and advanced topics.

Sandboxie Video Review

Verdict

Sandboxie adds a whole new layer of protection to the system that runs nearly unnoticed in the background. While it is possible to run the program without configuration changes, it only plays out its real strength when those changes are made. Tech savvy users will love the sheer number of configuration options. Inexperienced users on the other hand may run into troubles during the configuration stage. It is nothing that they cannot overcome though, it just may take them a bit longer before they have configured their system the same way an experienced user would have.

Giveaway

We have ten Sandboxie licenses for this giveaway. You can win one by leaving a comment below. Let us know what you like most about the program. You can download the latest version of Sandboxie from the developer website. The program is compatible with all recent and not so recent versions of the Microsoft Windows operating system.

The new second sign-in verification feature is opt-in at this point in time, and only available to users from the United States, Canada, India and the Philippines.

Yahoo! users can enable the second sign-in verification feature from the Yahoo! account info page. Here they are asked to enter a mobile phone number for verification purposes. This number needs to be verified via SMS before the new account verification option is enabled for the account.

Yahoo! users can enable the new security feature on this page. They can alternatively sign in on the Yahoo! homepage, hoover over their name and select Account Info from the options to open their profile preferences and select the new security option there. It is however usually easier to open the page directly.

Yahoo! users who turn on the new account verification step have the option to use their security question and mobile phone, or only their mobile phone when they are asked to verify account ownership.

Mobile phone has to be selected either way. Once you have made the selection you are asked to enter your mobile phone number and country in a form. Yahoo! sends a SMS to the phone with a verification code that you need to verify ownership of the phone (more precisely the phone number).

The second sign-in verification feature works slightly different from Google’s 2-step verification login. Yahoo! will only ask the user to verify the account in a second step if the company suspects that the account may have been hijacked. It is likely that this is an automated process that checks IP addresses, countries of origins, and maybe even header data and sign-in times.

A confirm your identity:answer security question prompt is displayed after sign-in in this case. It basically blocks the signing in by asking the user to verify the account ownership either by entering the answer to the selected security question or by entering a security code send to a verified mobile phone.

Yahoo will roll out the feature to all of its worldwide audience by March 2012. (via Techdows and Yahoo Developer Network)

The majority of companies offer bootable images of their tools. These images can be copied on USB devices or optical discs.

Microsoft has now made available a public beta version of Windows Defender Offline Tool, a software designed to help users remove malware from their Windows PC.

Windows Defender Offline helps protect your PC from malware. Use this tool to install Windows Defender Offline on a startup device, such as a CD, DVD, or a USB flash drive. If your PC later becomes infected with malware, you can use that device to start your PC in a “clean” environment and attempt to remove threats.

The program is offered as a 32-bit or 64-bit web installer for the Windows operating system. Please note the architecture of the installer needs to correspond to the architecture of the target system that you want to scan for viruses. The web installer downloads 214 Megabytes of data at the time of testing. The data can be burned to CD or DVD, put on a USB flash drive or saved as an ISO file.

USB devices will be formatted by the installer. The user is informed about that step during setup.

It is interesting to note that the setup looks almost identical to that of Microsoft Standalone System Sweeper which is also currently offered as a beta version. It looks as if Microsoft has made the decision to rename the program to Windows Defender Offline Tool.

Windows users can then boot from the newly created media to scan their computer for malicious software traces. The interface of the program that you boot into looks almost identical to the Microsoft Security Essentials interface.

This is probably done to provide Windows users with an interface that they know how to work with. Microsoft recently made the announcement that they would integrate Security Essentials into their upcoming operating system Windows 8. (via Mike)

With different security products available, consumers face the problem that they have to evaluate what type of protections their computer actually needs. Even worse, picking the wrong program can leave the computer open for attacks.

Most vendors produce a basic antivirus protection product that protects and removes malicious software from the computer. The programs usually are bare-bones otherwise with little or even no extra features or protections.

Panda Antivirus Pro 2012 Review

If you look at the feature set of Panda Antivirus Pro 2012 you will notice that it comes equipped with a set of tools usually not found in antivirus software. A quick look at the product page over at the Panda Security website reveals that it ships with a personal firewall, a browser sandbox and several other tools usually not found in antivirus products.

Adding a firewall to the product makes sense from a customer perspective considering that many install only one security product on their system. For Panda, it is a way to distinguish their product from other vendors.

Panda Antivirus Pro 2012 users can install the firewall during installation, or later in the program interface. The program furthermore warns during installation if incompatible software is found on the system. This was the case with a Microsoft Security Essentials installation on the test system.

The program opens up in a dark, functional theme that displays the most important status information right there. Users see if the protections are working correctly, the last time of update as well as scan and detection information. A click on a security module, like firewall, leads directly to the preferences of the selected module.

The main screen links to additional modules near the bottom of the screen. This includes built-in tools like network management or the virtual keyboard, and programs that need to be installed first like the sandboxing component Safe Browser or USB Vaccine.

Protection

It is difficulty to assess the efficiency of antivirus protection. While it is without doubt possible to assess a program’s handling of known threats, it becomes virtually impossible to see how it fares with unknown threats. Still test results can act as indicators of a program’s efficiency in this regard.

AV-Comparatives Retroperspective Test of May 2011 saw Panda Antivirus Pro 2011 (the program’s direct successor) complete the test in fifth place with an advanced certification rating (the second highest). Only two programs, Avira Antivir Premium 10 and Kaspersky Anti-Virus 2011 received the highest rating of Advanced Plus.

AV-Test did not test Panda Antivirus Pro, only Panda Internet Security 2012. The program scored 15.5 out of 18 points, only topped by Bitdefender with a score of 16.5 out of 18.

Other reviewers, like Pc Mag’s Neil J. Rubenking came to the conclusion that Panda’s detection rate was better than its malware removal rate.

Reports

Reports are one of the strengths of Panda Antivirus Pro 2012. A click on the reports tab opens a menu with options to display event reports, and to display statistics and advanced statistics.

The event report is the program’s history log. Updates, malware detections and actions are displayed here in a table. Options to find, filter, print, export and delete entries are available. Panda users can use the information presented here to find out at first glance what happened security wise on their computer at a specific data and time.

The statistics and advanced statistics module display information about a certain time frame. Information include the program’s scanners but also network attacks blocked by the firewall.

Tips

First thing that new Panda users should do is to download Panda Safe CD from the official website. This is a recovery CD that the computer can be booted from when malware has damaged the system.

Another interesting find is that Panda Antivirus Pro 2012 can be installed and run in Safe Mode. Safe Mode is a bare bones mode of the operating system that prevents the majority of installed software and even some system components from being started with the operating system.

Safe Browser, included as a download link in the interface, is actually a standalone program that everyone can download and run. It consists of a version of the Firefox web browser running inside VirtualBox. The sandboxed environment ensures that attacks against the browser are blocked from reaching the operating system. The solution concentrates on one browser, products by other vendors allow the user to sandbox any program.

Warnings can be configured in the program preferences. Here you can enable or disable warnings for specific events.

Cpu load management can be enabled in the preferences as well. That’s especially interesting for slower systems that notice slow downs during scans. Enabling the option reduces the product’s cpu usage during scans.

Verdict

Panda Antivirus Pro 2012 ships with a lot of extras, like the aforementioned firewall component. Some components, Safe Browser and USB Vaccine, are standalone programs and not integrated into the product. More important than the module a security software ships with is how well it protects the operating system from threats and attacks. For Panda that ranged from top results to average results at best.

Giveaway

Panda Security has sponsored 10 Panda Antivirus Pro 2012 licenses. You can win a license by leaving a comment below. Please include your current security software setup in the comment.