A year ago, the author of the MSBlast computer worm taunted Microsoft with a message in the fast-spreading program: “billy gates why do you make this possible? Stop making money and fix your software!!”

Bill Gates and company apparently took up the challenge. On Friday, Microsoft released to PC manufacturers Windows XP Service Pack 2, an update aimed at locking down customers’ computers. SP2 took more than nine months to complete and contains significant security changes to the flagship operating system.

Microsoft’s overhaul of the software underwent a fast shift in direction–from a focus on features to an overwhelming concentration on security–after the rapid spread of MSBlast last summer threw doubt on the operating system’s protections.

Best Microsoft MCTS Training – Microsoft MCITP Training at Certkingdom.com

The worm compromised more than 9.5 million Windows PCs by exploiting a flaw in the software that not many customers had actually patched, even though Microsoft had made a fix available.

“This time last year was a really exciting time,” said Amy Carroll, director of product management in Microsoft’s Security Business and Technology Unit. “There wasn’t a lot of sleep involved.”

The MSBlast worm hit the Internet on Aug. 11, 26 days after Microsoft published a patch for the vulnerability that the worm used to spread. But many Windows users failed to vaccinate their systems, even though there was widespread expectation that a virus would emerge from the security hole. The result: The malicious program caused enough havoc to play some part in a major power failure that affected as many as 50 million homes in the United States and Canada, though it did not cause the outage.

SP2 Resource Center
Visit our SP2 Resource Center for more SP2 news, updates, and discussions.

A year later, the release of SP2 means that Carroll and her Redmond cohorts may get at least a few hours more winks. Through changes to the Windows XP code and configuration, the update adds better security to the operating system’s handling of network data, program memory, browsing activity and e-mail messages.

Some security companies are tentatively hopeful that the XP software fix will bolster security in the average PC.

“It is probably too early to say whether SP2 will meet its promise,” said Alfred Huger, senior director of engineering at Symantec, a security company. “That said, it’s a great step in the right direction. We still have all the same fears as before, but we are in a better place to deal with them.”

Those that install the update will be better protected against MSBlast-type network worms. The security revamp has multiple layers of redundancy that would have stopped MSBlast and the more recent Sasser worm from spreading, Microsoft’s Carroll said.

For example, the flaw in the Remote Procedure Call (RPC) component in Windows that allowed MSBlast to spread has now been fixed, she said. Even if it hadn’t, SP2 has an automatic update feature that would have installed the Microsoft patch before MSBlast propagated. Then, if a user turned off that update feature, SP2’s improved firewall would have blocked the worm. And if the firewall had been turned off, Microsoft has changed the way that Windows XP interacts with such viruses, so that MSBlast’s attempts to infect computers would have failed.

“There is a whole cascade of defenses that make the operating system more resilient overall,” Carroll said.

Now Microsoft has to persuade consumers and corporate network administrators to apply the SP2 changes. The company has repeatedly learned that customers are less than assiduous about applying updates to their systems. The Slammer worm, which exploited a 6-month-old security hole in Microsoft SQL Server, spread widely because many companies failed to patch the flaw during that half-year.

“This is the most secure version of Windows that we have shipped yet,” said Carroll, who issued a plea for customers to apply the patch. “That said, it is not a ‘silver bullet,’ and we are doing a lot of other things to address security.”

Complicating matters, the update could cause problems with corporate homegrown applications, Microsoft has acknowledged. IBM, for one, has told employees to wait for the go-ahead from management before installing the update. To allow companies time to test how the update will affect their users, Microsoft has published a tool to enable businesses to block people from downloading and installing the update.

Giving companies a choice is one of the lessons learned by Microsoft. A handful of major worm and virus attacks in the past three years have taught the software giant that security is not simple. The result is that the company pushes for security on multiple fronts.

The Code Red and Nimda worms led the company to embark on its 10-year Trustworthy Computing initiative, designed to focus Microsoft employees on building better security into products and on improving customer response. The Slammer worm convinced the software giant to stress patching and to find ways to defend systems that are not patched. And the MSBlast worm helped lead Microsoft to create Service Pack 2 and to finance a reward program for informants who help pinpoint virus writers.

Although it is harder to create network worms that can penetrate Windows XP SP2’s defenses, it can be done, Symantec’s Huger warned.

“It would stop the old MSBlast. I don’t know if it would stop a new one,” he said. “This isn’t the end of the network worm, but it makes more sense (for attackers) to focus on other methods.”

Security researchers are already picking apart SP2, looking for flaws. Thor Larholm, a senior security researcher with PivX Solutions, downloaded the software last Friday and continues to analyze it. The true test for the update will likely come in the next few months, once those researchers’ efforts bear fruit.

“Give it a few weeks, or a few months, and you will see the first vulnerability announcements regarding Service Pack 2,” Larholm said.

2010 saw the release of version 7.3 of the Vim text processing editor. Vim was originally written by Brian Moolenaar in 1991. While it has not been around nearly as long as Berkeley vi — the model on which Vim was based — it is a venerable mainstay of many developers’ toolkits.

Best Microsoft MCTS Training – Microsoft MCITP Training at Certkingdom.com

Vim has offered built-in support for file encryption for a long time, as long as it is built with the cryptv compilation option. This made working with encrypted files incredibly easy and transparent — almost entirely unnoticeable, in fact. Unfortunately, Vim file encryption suffered one major problem: it used PkZip compatible encryption, which is not the strongest encryption available.

As of Vim version 7.3, the editor now supports Blowfish encryption. Bruce Schneier created the Blowfish cipher to fill the need for a replacement for the aging and increasingly vulnerable DES cipher, releasing it in 1993 and declaring that he would never subject it to restrictions on use and implementation:

Blowfish is unpatented, and will remain so in all countries. The algorithm is hereby placed in the public domain, and can be freely used by anyone.

No truly effective cryptanalysis of the Blowfish cipher has been confirmed to date, a good sign after longer than seventeen years of heavy testing and use. It is one of the strongest ciphers available to the general public and, unlike ciphers that have been developed in part by the NSA, there is little reason to fear that it is subject to any intentionally included “backdoor” vulnerabilities.

To determine whether the Vim package you have installed on your OS of choice has been built with the cryptv option, enter the vim –version command at a shell prompt. If the string +cryptv appears in the output under “Features included (+) or not(-):”, your Vim binary has been built with support for file encryption. If your Vim version is 7.3 or later, it should use Blowfish encryption.

On a typical Unix-like system, you may want to filter for the +cryptv string:

vim –version | grep +cryptv

The result, using the grep utility, should look something like this:

+conceal +cryptv +cscope +cursorbind +cursorshape +dialog_con_gui +diff

Assuming it has been built with file encryption support, working with file encryption in Vim is so easy as to be nearly second nature to a habitual Vim user. To open a plain text file or create a new one, you might normally enter a command at the shell like this:

vim filename.txt

The exacting, complex, highly difficult and dangerous version that tells Vim you want to encrypt the file when you save it looks like this:

vim -x filename.txt

Once a file has been encrypted by Vim once, you never need to use the -x option when opening that file again; Vim will automatically recognize it as an encrypted file and Do The Right Thing. Using the -x option when opening a file that has already been encrypted by Vim should not hurt anything, though.

Because Blowfish is a symmetric key encryption system, the same key is used for both encryption and decryption. When Vim opens a file for the first time with the -x option, the first thing it will do is ask you to give it a key you can use to encrypt and decrypt the file, with this prompt:

Enter encryption key:

After entering the key, you will then be asked to confirm the key, to ensure you did not mistype it.

Enter same key again:

After that point, Vim will act exactly the way it always has, as far as the user can tell. When you save and exit the file, there will then be an encrypted file containing the secret data you put in it. When opening the file with Vim again, the editor will ask you to enter the key needed to decrypt it for you; once open, you can again edit the file just as you would any other, and when you save the file again, it will be encrypted again.

Of course, you probably want to avoid littering your hard drive with Vim’s swapfiles, since one of the benefits of using Vim directly for file encryption management is that you do not have to create a decrypted version of the file on the hard drive before editing it, then save it decrypted, and re-encrypt it. That benefit is completely obviated if your editor saves tempfiles full of unencrypted data to disk.

You can do so by creating a special vimrc file — though you will not want to name it .vimrc because it may then be used by Vim all the time, automatically. Call it something like .encrypted_vim_rc and you can use it with Vim’s -u option:

vim -u ~/.encrypted_vim_rc -x filename.txt

That may look like a bit of a virtual “mouthful” to type every time you want to work with encrypted files. A shell alias, such as defining the vimenc alias to execute vim with that set of command line options will help. How exactly you go about setting aliases depends on your shell. In tcsh, for instance:

alias vimenc “vim -u ~/.encrypted_vim_rc -x”

In bash, it would look more like this:

alias vimenc=”vim -u ~/.encrypted_vim_rc -x filename.txt”

You will not need to type more than vimenc filename.txt as a command to open a file (whether it has already been encrypted by Vim or not) and encrypt it while saving it, without unencrypted versions of the file being saved to disk as Vim swapfiles while you have the editor open, then. Of course, for this to work, you need that .encrypted_vim_rc file. It should not write unencrypted data to disk if you include the following in that configuration file:

set nobackup
set noswapfile
set nowritebackup

Note that the -u option ensures that Vim does not automatically load any other vimrc files. If you want Vim to use the complete set of configuration options normally sourced by the editor, you can use Vim’s source command in your .encrypted_vim_rc file to indicate an additional vimrc configuration file, so that the special configuration file that gets loaded when you run the vimenc command alias now contains these lines:

source ~/.vimrc
set nobackup
set noswapfile
set nowritebackup

Unfortunately, Vim’s built-in encryption support is not entirely suitable for sharing encrypted files with others, because its only strong encryption support is the Blowfish cipher. Blowifsh is great, but it is a symmetric key cipher, not a public key cipher. It is great for single-person file encryption tasks, but less so for sharing files with others. This is where external tools must be used with Vim to manage file encryption.

I would like to side-step all pretenses about how and why software is flawed. And, instead, focus on what we can do to protect ourselves from the vulnerabilities caused by the flaws. Have you heard: “Make sure your software programs are up to date?” It’s becoming a tired mantra, but alludes to one of the best ways to stay safe online.

Best online Microsoft MCTS Certification, Microsoft MCITP Certification at Actualkey.com

Not so simple

Keeping updated seems simple enough, but becomes complicated when put into practice. Questions occur. For example:

* How do I know if a program is up to date?
* How often do I need to check for updates?

Some software companies cover the questions by having an automated client application and scheduled updates. Microsoft, for instance, uses Windows Update to roll out patches the second Tuesday of every month. If there is a serious problem, Microsoft will issue an out-of-sequence patch.

Google is another example. The Chrome web browser automatically updates in the background without any user interface.

Unfortunately, Microsoft and Google are the exception. Other software developers tend to update at their convenience or if a major issue surfaces. Which begs the question: How are we supposed to know when that is?
Secunia

One company makes it their business to know. That company is Secunia. They have developed scanners for the corporate world and a freeware version for consumers called Personal Software Inspector (PSI). It is reassuring to fire up PSI and check if programs are up to date. If not, PSI will offer suggestions on what to do. It works well, if you remember to update.

Having to manually update is the chink in PSI’s armor. By not automating, the process tends to be hit or miss.
Auto Update

That has changed with version 2.0 of PSI. Jakob Balle, VP of Product Development for Secunia refers to the new update feature:

“Secunia aims to solve this problem with Secunia PSI 2.0, featuring updates that are truly automatic. In the sense that, if the user prefers, Secunia PSI 2.0 can install most security updates without requiring the user to download, run, or otherwise perform manual actions to patch their PC.”

Secunia received a vote of confidence on PSI 2.0 from the Online Trust Alliance:

“The Online Trust Alliance applauds the launch of the Secunia PSI 2.0. OTA has been working with Secunia for over two years to develop best practices and solutions.”
Installation

Downloading (less than 2 MB) and installing PSI is painless. Also, the install is one of two places where you configure the auto-update feature:

The next configuration PSI asks about is whether you want to have the tray icon show all the details:

If you are a current PSI user, you will notice the user interface screen has changed dramatically. I asked several system admins what they thought about the new interface. All commented it was an improvement:

Alternative settings

Advanced users may not like having programs update automatically. Having thought of that possibility, Secunia offers the choice of only allowing updates to install with user approval:

Final thoughts

I asked the same system admins what they thought about Secunia overall. To a one, they said it was one of few applications that has never disappointed them. I tend to agree