Unfixed Outlook & IE hole allows XP&Vista user promotion to Admin

I’d already decided not to post about this, but then learned more.  There is no fix.  No workaround. I’m vulnerable and at this point, I can’t do anything about it.  Even on Vista, just previewing an HTML email in Outlook 2002+ means you are vulnerable.   And that’s not just OE but the REAL Outlook used in offices everywhere.  You can’t turn off JavaScript, or ActiveX or anything.  You don’t even crash.  Your system is just pwned…

What does MS have to say?

Microsoft is investigating new public reports of attacks exploiting a vulnerability in the way Microsoft Windows handles animated cursor (.ani) files. In order for this attack to be carried out, a user must either visit a Web site that contains a Web page that is used to exploit the vulnerability or view a specially crafted e-mail message or email attachment sent to them by an attacker. […] Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This will include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.  Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary. – http://blogs.pcworld.com/staffblog/archives/003973.html

For Outlook, the only fix Microsoft has is “read all e-mail in plain text rather than HTML”.  I know Outlook REALLY well, but I don’t remember a setting that does that.  There’s no solution for Internet Explorer.  Basically any application, even ones that you might have written in Delphi that happen to have a TBrowser component in them that is allowed access to the outside world, is vulnerable.  So if you have any custom email programs you’ve written, watch out!

The basic avenue of attack is to display a customized animated cursor.  Once you open that email or browse through that site, they gain access to your computer.  There is no crash, it just instantly happens.  The code can then promote the Limited Access account you are using (because we all only use admin accounts when we need to… Yeah, right!) to an Administrator account, and then do whatever they please, from rootkits to personal webservers.  Oh! And of course don’t forget that an “animated” cursor can appear to be static. It can look exactly like your normal cursor.

In the article “Windows Zero-Day Flaw ‘Very Dangerous,’ Experts Say: Bug affecting IE and Windows is potentially very damaging, and there’s no quick fix in sight,” by Gregg Keizer of Computerworld, there are a couple of good quotes.

“This is a good exploit,” Roger Thompson, CTO of Exploit Prevention Labs

“According to Adrian Stone, an MSRC program manager, Outlook 2007 is invulnerable, as is Vista’s Windows Mail–as long as users don’t reply or forward the attacker’s messages. The SANS Institute’s testing, however, contradicted Microsoft; by SANS’ account, Outlook Express in Windows XP, Windows Mail in Vista, and Outlook 2003 in any version of Windows puts users at risk when they simply preview a malicious message. They don’t have to actually open the message to be in danger of an infection.”

“Worse, we know there are vulnerabilities that can be exploited in Vista to escalate privileges,” said Brown. “All you need is access to the system, which this [animated cursor] provides.” Once inside, said Brown, the attacker could up rights from even a safer local user to administrator privileges. “Then, all bets are off.”

UPDATE:

It seems that eEye Digital Security is taking advantage of the situation and has released a patch if you have their 1 year free personal edition intrusion software:

Patch Location: Download Now!
Patch Version: 1.0
Patch Source Code: View

The patch prevents the loading of any non local ani files.  Well, my intrusion software is somewhat out of date anyway.  I’ll give it a try.  I’ll let you know if this is another “Scare you till you upgrade” program that is hard to remove.

UPDATE #2: eEye Digital Security is incredible.  At first glance, it seems to be professional and high-level.  I think it is actually meant to protect your system and not scare your Aunt Martha into buying more and more additions to it.  I’m impressed.  I’m also sad to say that for the second time since 1985ish when I first got a PC clone (a Compaq Portable Plus with Compaq Dos 2.12 and 10mb HD, if you must know), I actually had a virus detected on any disk or computer in my home.  It was one just reported in the wild for the first time at the end of Feb.  So my current antivirus software, somewhat out of date, hadn’t picked up on it.  Still I guess 2 virus detections out of all of the stuff I’ve done and all the disks I’ve used and stuff I’ve downloaded, is a pretty good safety record for 2.2 decades.

USB Cell Phone Drivers – Use your phone to connect to the internet

AKA: How to use your phone to connect to the world wide web, general internet, email and etc.?

The long and short is this:

(THESE INSTRUCTIONS ARE FOR VERIZON WIRELESS CELL PHONES TO ACCESS THE INTERNET.  Your network might work differently.)

1. Buy the right cable to connect your phone to the PC from ebay

2. Come here and download the right driver for your phone

 3. Create the Dial Up connection.  For Windows do the following.

  1. My Computer
  2. Select My network places (look on the left for the link)
  3. Select View network connections (also on the left)
  4. Click Create new connection
  5. Choose Connect to the network at my workplace (this is the one that says VPN in the description).  That’s what you want.  Select it and click NEXT.  DO NOT SELECT “CONNECT TO THE INTERNET”. IT WON’T WORK.
  6. Then choose Dial Up Connection.
  7. Type in a name you will remember.  Call it “Cell Phone” or “Verizon” or whatever and click next.
  8. Enter the correct phone number – for Verizon this is #777

4. Go to “Network connections” and double click on the dial up link you just created.

5. Enter VZW for both the username and password

6. Save it and dial. 

You should be in.  Your connection will be lost if you don’t use it frequently and you’ll need to dial out again.

This driver list was snagged directly from http://hk.smscaster.com/download_driver_usb_data_cable.htm

That way it won’t be lost when I need it later… So, now I can use my laptop and get online through my cellphone from anywhere – at no extra charge (beyond the use of my free minutes). It’s not FAST broadband but it is fast enough to support a remote desktop session to my home PC. Dropping down to 256 colors makes it work even better.

On Verizon, set up a dial-in to a VPN, make the phone number #777, and the password & username should be VZW. TBH I don’t think the username and PW matter.

If you use a USB data cable as the link between the PC and mobile phone, you need to install the Windows driver for the USB data cable. Most mobile phones come with a CD which contains a bunch of software, including the driver that you want and a software suite that you may not be interested in. But the truth is that it’s all or nothing: There’s no way to install just the driver only. Sometimes, the software is outdated, causing you trouble in getting your USB data cable and mobile phone recognized by the computer. In this case, you need an updated driver for the USB data cable. Here’s an updated list of USB data cable drivers for free download. The drivers are from various mobile phone manufacturers.
 
Nokia
Nokia provides a universal installation software for their USB data cables: Nokia connectivity cable driver. Though it comes with the Nokia PC Suite, we recommend installing this driver separately. It supports Nokia DKE-2, DKU-2, CA-42, CA-53, CA-70.
Current Version 6.82.4
Download: Nokia connectivity cable driver v6.82.4
Older Version 6.81.1
Download: Nokia connectivity cable driver v6.81.1.2

Link for info: http://europe.nokia.com/A4144937

 
Motorola
Motorola phones use the built-in Windows USB modem driver. If you have issues recognizing your Motorola phone and do not want to install the official Motorola Phone Tools, we highly recommend running this Driver Tool by Motorola. See the Motorola support FAQ for detail.
Download: Driver Tool by Motorola
Link for info: Motorola Support FAQ
 
Sony Ericsson
Here’s the driver for the USB to serial cable manufactured by Prolific. It’s used by Sony Ericsson mobile phones as a USB-to-Serial com port. Supported Sony Ericsson phone models: K600i, Z800i, K300i, T290i, P910i, S700i, K500i, K700i, T630, Z1010, P900, Z600, T610, T310, P800, T300, T200, T68i
Current version: v2.0.2.1 for Win2K/XP/2003 (XP Logo Certified)
Download: Driver for Prolific PL-2303 USB to Serial Bridge v2.0.2.1
Older version: v2.0.0.26 (some cables require this older driver version)
Download: Driver for Prolific PL-2303 USB to Serial Bridge v2.0.0.26
Link for info: Prolific Support Page
 
Samsung
Samsung provides an integrated drivers setup called Samsung PC Studio 3 USB Driver Installer. It is a package of drivers, which is comprised of:

– Samsung CDMA Modem Driver Set
– Samsung Mobile USB Modem 1.0 Software
– Samsung Mobile USB Modem Software

Download: Samsung PC Studio 3 USB Driver Installer
Link for info: Samsung Fun Club

 
LG
LG also provides a drivers setup called LG USB Modem Driver Setup. Phones supported by this driver include:

– KG320 LG Chocolate Bar
– KG810 LG Chocolate Folder
– KG800 LG Chocolate Slide

Version: v4.6
Download: LG USB Modem Driver
Link for info: LG Mobile

 
BenQ-Siemens
There’s no universal driver setup provided by BenQ-Siemens. Each phone model and cable requires a different driver. You’ll need to manually select the driver files when you’re prompted for them. Here’s just one driver for BenQ-Siemens CL71:
Version: v1.0.7.6
Download: BenQ-Siemens CL71 driver for Win2kXp
Link for info: BenQ-Siemens Support
 

Is Delphi for PHP better than Delphi 1.0?

Eric Wilms of WilmSoft.com left a comment on an earlier post.  My reply was way too long for a comment, so I’ve turned it into a post.  Then I can get other people’s feedback.  I’ve found people rarely ever read the comments here since most of my posts show in full on the front page…

Let’s catch you up on the story so far…

Eric wrote:

I’ve got the first release of Delphi 4 PHP… I have to say I’m VERY disappointed… I’m a Delphi coder since Delphi 1 and PHP programmer since 1998 and the thought of a Delphi for PHP was a dream come true. However, I cannot get it to run any “app” on my Hosted server. The code runs fine on my local machine but, that’s not where my web sites are hosted. I HAD to upgrade to PHP 5.X.X.X in order to even get anywhere on a simple Hello World. I have no issue with that except it’s not really mentioned anywhere in the specs… Also, I was completely dumbfounded to find that there was NO FTP built in to Delphi 4 PHP… Come on guys! You have to “deploy” your project (which puts all the files you’ll need together in one spot) then open up your favorite FTP program and copy them to where you want it…. So, that means a simple change is not a click of a button away to update… you have to click deploy and about four “next” buttons to have it “deploy” THEN open your FTP and copy the files to the server…. That is a Joke.

Just calling it Delphi and hoping it will change the way things are done (Like Delphi ONE did) will not change the way things are done. I’m back to hand coding in my Favorite PHP editor. At least when I hit save, it saves it via FTP back to the server it came from….

I wish I could get my money back… :(

To which I said: 

Well, I do understand where you are coming from.

But I can’t say that either of those two things were not issues for me. I usually use PHP 4, but PHP 5 was always there for me to enable with a simple .htaccess change. You’re past that anyway.

As for the FTP setup, I agree that would be nice too, but I don’t need it either as I use the old Novell add on util NetDrive ( abandonware publicly distributed for free to students) to make my debian webserver’s root drive X: on all of my machines, even my laptop. There are a bazillion instruction pages at colleges and elsewhere explaining how to use it, but I really don’t think you need it. Here’s one set http://www.loyola.edu/5555/netdrive/installingnetdrive/

I know lots of people use similar solutions so that their FTP account is just a drive letter on their Windows server.   Maybe it will help the transition for you… The public goal for Delphi for PHP v1.0 was always a Delphi 1 level of ability. It’s surpassed Delphi 1 in MANY, MANY ways, but I can’t deny there are some rough spots that require attention.

And Eric wrote back (OK this is the last quote):

I’m curious (and a die hard Borland….er ahem… Code Gear fan) what do you see as: “It’s surpassed Delphi 1 in MANY, MANY ways, ”

Because for me and Delphi one (coming from VB) was I Dropped down a button, a label and pressed F9. Bam! done… And every thing from “hello world” to middle-ware client server app doing OLE (or what ever) was just as hard (or simple).

I Dropped down a Calendar in D4PHP, do the deploy, copy the files to my server and I get: “Warning: require_once(vcl/jscalendar/calendar.php) [function.require-once]: failed to open stream: No such file or directory in /home/wilmsoft/public_html/delphi/vcl/vcl.inc.php on line 127″

Is that a rough spot? Do I really have to dig in to the source code to figure out what’s missing the vcl.inc.php file?

I hear what you’re saying about the FTP and figured that would be the general response. But, I’m a contract programmer. I never am “on the server”. I almost always am on someone’s remote server where I don’t have access to a simple .ini file. I can’t use this tool and make money as it is today. I made money DAY ONE with Delphi One. No telling the customer oh, I’m glad you hired me to fix such and such but, I need you to now use change your infrastructure so my tools work.

I thought (or hoped) that the code gear spin off would start to focus (again) on the little guy writing code not the corporations… and I do see that trend and felt like I need to preorder D4PHP. But, Code Gear bought Delphi 4 php and I think it’s going to take a few releases to get it where they want it. Version one is not there yet. I wish I would have waited for the demo before I put down my money….

And this may not be the place for this conversation but, I couldn’t find any place on Code Gear’s site to vent. I am interested in other people’s view on this potentially awesome product.

So there we are.  This is my reply… 

Well, first off, “How does Delphi for PHP surpass the Delphi 1.0 feature set?”  I’m not going to be able to give you an exhaustive list without giving it more serious thought, but I can rattle off a quick ten ways Delphi for PHP is improved over Delphi 1.0:

  1. Code completion springs instantly to mind.  Delphi for PHP’s use of code completion is hindered compared to current Delphi versions because PHP is not a strongly typed language.  But, there was nothing to compare to it in Delphi 1 AFAIR.
  2. Datamodules are another addition.  They were introduced in d3, I believe, and take the clutter off of your design forms and allow you to share the database structure across various forms.
  3. If you deployed BDE apps in D1, you should remember that the end user had , until the setup programs caught up. That’s handled for you, though here too there are technical difficulties on the D4PHP side.  So perhaps this one is  a wash…
  4. The Code explorer didn’t exist in Delphi 1.  You couldn’t easily go between unit and unit.  As far as that goes I don’t think Ctrl-Enter worked to open the unit from the uses list either.
  5. Project Groups have been added allowing you to have several projects on a single website.
  6. There are numerous more advanced controls in the tool palette AND a way for the community to have input and an effect on the behavior of these controls.
  7. The applications you produce are themed, that certainly wasn’t the case in Delphi 1.  Delphi 1 apps didn’t even minimize in quite the same fashion as other Windows Apps.  Because of TApplication IIRC, your main form wasn’t REALLY your main form and you had this double minimize thing going on.
  8. The Data Explorer and all of its numerous features certainly didn’t exist.
  9. Internationalization (I18N) was in its infancy in Delphi 1 days.
  10. Pinning, expansion and restoring of the debug & development “windows” in the IDE allow you to have a much more dynamic IDE than was ever possible in D1.

I’m sure there are plenty of other things to add and the list can be debated, but if you install Delphi 1 again, you might be surprised at the feel of it compared to what we have in today’s delphi.  I was when I did just that last year.

Now I do agree that saying that Delphi for PHP had “Rough Spots” might be a bit rosy.  I also agree that Delphi for PHP could have baked for another month in the oven, if it would leave a better taste in everyone’s mouth after the first bite.  But if you have more than a day to look at this stuff, you find that there really is some worth here, but it is a paradigm shift that takes some getting used to.   Some things work really well and some things… not so much.  D1 was not much different if you got in early enough.  The whole concept of design time libraries and run time libraries and deploying artificially thin EXEs had everyone pulling their hair out for a while.

With Delphi for PHP, there’s another hurdle to overcome.  You are switching from a Native API design environment, into a designer that IS a web browser and JavaScript interpreter.  In order to have live components, the designer now has to execute all of that web code.  So there is a significant speed cost to that.  The equivalent would be writing a Delphi app that would use a TWebBrowser component to load rich web pages again and again and again.

I’m not sure I understand the logic of the one day trial idea in this situation.  Nothing makes people crankier than a ticking clock, working with something never seen before, things not working right, and a significant money decision on the line.  I’m not sure combining all of those issues into one program was the key to success when taking API developers and putting them in a web environment for the first time.  But…that’s the situation.

There are definitely things that you can do to make your situation better.  First, I totally agree with you about the calendar thing. I logged an issue for it here:
Report No: 43501            Status: Reported
js Calendar does not deploy with the deployment wizard
http://qc.codegear.com/wc/qcmain.aspx?d=43501
ALL of the javascripts should deploy with the rest of the application.

Now that said, there is no reason that you can’t have the full VCL directory already deployed on your site and in that directory. 

I’ve actually taken that one step further.  I have ONE copy of the VCL for PHP for all of my websites.  I hung it off of my web root.  I allow my Delphi for PHP apps to access it by creating symbolic links in the directory containing the Delphi for PHP files.  Just put the VCL up there in your root (or wherever) and then telnet/ssh into your account, change to a different directory and then run these two lines:

ln -s ~/vcl
ln -s ~/vcl vcl-bin

The vcl-bin path is required for images used in the components.  There are other ways you could do this too.  You could just link the vcl-bin for example and then have a custom PHP.INI file in your directory that adds the vcl to your include path.  This solution, though, I think is the most generic.

When you have this done, you should never need to deploy your app again, and can just create a batch file that multi sends only your stuff to the website.  I’ve not experimented much with this solution, but it seems to work fine with all I’ve done with it so far!
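The two `ln -s` lines above as a re-runnable script, plus a check that the file named in the calendar.php warning resolves through the link. This is an added example, not part of the original post or CodeGear's tooling; the script name `link_vcl.sh` and both function names are made up for it.

```shell
#!/bin/sh
# link_vcl.sh (hypothetical name): share one VCL for PHP copy between sites.
# Usage: sh link_vcl.sh ~/vcl ~/public_html/delphi

# Create the "vcl" and "vcl-bin" links inside an application directory.
# Returns 0 on success, 1 on a missing directory, 2 if a real file or
# directory already occupies one of the link names.
link_shared_vcl() {
    # Resolve to an absolute path so the links work from any directory.
    vcl_src=$(cd "$1" 2>/dev/null && pwd) || {
        echo "no VCL directory at $1" >&2
        return 1
    }
    app_dir=$2
    [ -d "$app_dir" ] || {
        echo "no application directory at $app_dir" >&2
        return 1
    }

    for name in vcl vcl-bin; do
        link=$app_dir/$name
        if [ -L "$link" ]; then
            # Re-running a plain "ln -s ~/vcl vcl-bin" over an existing link
            # would drop a new link INSIDE the shared copy (~/vcl/vcl),
            # so remove the old link first.
            rm -f "$link"
        elif [ -e "$link" ]; then
            # A deployed copy is already here; do not delete someone's files.
            echo "$link exists and is not a symlink; not touching it" >&2
            return 2
        fi
        ln -s "$vcl_src" "$link" || return 1
    done
}

# Verify that files the application pulls in with require_once() are
# readable through the links. Paths are relative to the application
# directory. Returns 0 if all are present, 1 otherwise.
check_vcl_files() {
    app_dir=$1
    shift
    status=0
    for rel in "$@"; do
        if [ ! -r "$app_dir/$rel" ]; then
            echo "missing: $app_dir/$rel" >&2
            status=1
        fi
    done
    return "$status"
}

# The two paths checked here are the ones from the warning quoted earlier.
if [ "$#" -ge 2 ]; then
    link_shared_vcl "$1" "$2" &&
        check_vcl_files "$2" vcl/vcl.inc.php vcl/jscalendar/calendar.php
fi
```

PHP reads the `vcl` link itself, but the images under `vcl-bin` are served by the web server, so the server must be allowed to follow symlinks in that directory (on Apache, `Options FollowSymLinks` or `SymLinksIfOwnerMatch`).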

Well that did not take long: Delphi for PHP Warez and torrent files

That didn’t take long at all!

Look at this… A simple Google search and there are all these copies available to download at one site…

The AMAZING thing is that some of these were well within the beta period before the final product was available. And the size of them? Greater than a single CD? If you download and install this stuff what the heck will you be putting onto your system??? If this doesn’t scare you away from random warez sites, I don’t know what will. So many of them exist SOLELY for the spreading of worms and the like. Well, of course your favorite site for downloading illegal software is an exception. They’re totally honest – as are those people hosting the torrent seeds. You could trust them with anything!

delphi for php *DEVIANCE* | 360kb/s | 158.42 MB | 2007-03-27
delphi for php [FULL-CD] | 242kb/s | 4209 MB | 2007-03-27
delphi for php WinXP | 122kb/s | 3738 MB | 2007-03-27
delphi for php *PAL* | 359kb/s | 227.10 MB | 2007-03-27
delphi for php *PAL* | 288kb/s | 958.03 MB | 2007-03-24
delphi for php WinXP | 374kb/s | 101.46 MB | 2007-03-24
delphi for php (06-07) | 99kb/s | 57.02 MB | 2007-03-23
delphi for php *PAL* | 53kb/s | 264.41 MB | 2007-03-21
delphi for php [FULL-CD] | 156kb/s | 264.41 MB | 2007-03-21
delphi for php ISO | 159kb/s | 89.91 MB | 2007-03-21
delphi for php Latest version | 209kb/s | 68.96 MB | 2007-03-21
delphi for php [KEYGEN] | 110kb/s | 637.89 MB | 2007-03-19
delphi for php *PROPER* | 75kb/s | 259.27 MB | 2007-03-19
delphi for php *DEVIANCE* | 243kb/s | 700.01 MB | 2007-03-17
delphi for php [KEYGEN] | 306kb/s | 75.02 MB | 2007-03-12
delphi for php WinXP | 14kb/s | 75.02 MB | 2007-03-12
delphi for php CRACK | 108kb/s | 44.40 MB | 2007-03-04

Hey – I am in the official Delphi for PHP Announcement!

I was reading the news articles right on the CodeGear home page, and in the first one, “CodeGear Announced General Availability of Delphi for PHP (March 27, 2007)”,  I happened to see a name that looked somewhat familiar! 😉

Sometime after what turned out to be the mid-way point in the field test period, we were given an opportunity to submit testimonials about our experience with the Delphi for PHP field test so far. I figured it would go in the scrolling banner on the CodeGear home page or in an email to CodeGear customers, but what do you know, there it is in plain sight on the home page! Nifty!

CodeGear™ Announces General Availability of Delphi® for PHP

Developers Say Delphi’s Rapid Application Development Environment Makes It Easier and Faster to Build PHP Web Applications

SCOTTS VALLEY, Calif. – March 27, 2007 – CodeGear, a leader in developer tools, today announced that Delphi® for PHP – an integrated visual Rapid Application Development (RAD) environment for the popular PHP Web development language – is now shipping worldwide.
Delphi for PHP brings the RAD productivity benefits that Delphi users have enjoyed for years to PHP Web developers. PHP, designed to allow Web developers to write dynamically generated pages quickly, is the most prominent dynamic Web language today and has become one of the top 10 programming languages overall.
The new product from CodeGear can allow developers to be more productive as they write rich, database-driven Web applications in PHP.
In addition to a RAD environment for PHP, key features of Delphi for PHP include: VCL for PHP, an open-source PHP 5 visual component library with more than 50 reusable components and seamless AJAX integration; out-of-the-box integration with InterBase®, MySQL, Oracle®, Microsoft SQL Server, and other popular databases; an integrated PHP debugger; drag-and-drop database application development using the Data Explorer for InterBase and MySQL; and a code editor with Code Insight, Code Explorer, and Code Templates.  Deployment options include Windows, Linux, Solaris and other platforms.
Developers who have used a pre-release version of the new product said they experienced significant productivity improvements.

“Because Delphi for PHP can debug existing PHP projects as easily as it creates new ones, it instantly starts paying for itself. With contract work costing between $80-$100 per hour, if Delphi for PHP saves you just 3 hours, it’s already paid for itself.  It can do that with your first project. I’ll never use “Echo” or “Print” as a debugging tool again,” said Brian Layman, an Akron, Ohio-based software engineer.

“As a web designer, you’re judged on the quality of your work and how soon it’s completed.  When Delphi for PHP allows you to offer better products on a time scale your competition can’t touch, your services will be in great demand,” said Layman.

Delphi for PHP is part of a family of products from CodeGear that includes Delphi 2007 for Win32, Delphi for .NET, Turbo™ Delphi, C#Builder®, C++ Builder®, JBuilder® and InterBase.
U.S. Pricing
The product is available for an introductory price of $249; special academic pricing is also available. For more information on system requirements, languages and pricing, visit www.codegear.com/products/delphiforphp.
About CodeGear
CodeGear from Borland Software Corporation (NASDAQ: BORL) delivers innovative, high-productivity development tools for a wide spectrum of software developers ranging from individuals to enterprise teams. CodeGear products enable developers to freely develop on their platform of choice while focusing on simplifying complex technologies and tasks so they can concentrate on application design, not infrastructure, to enable on-time project delivery. To learn more about CodeGear and its products, visit www.codegear.com. CodeGear. Where Developers Matter.
CodeGear, Delphi, Turbo Delphi, C#Builder, C++Builder, JBuilder, InterBase, and all other CodeGear brand and product names are service marks, trademarks or registered trademarks of Borland Software Corporation or its subsidiaries in the United States and other countries. All other marks are the property of their respective owners. Microsoft, and Windows Vista, and all other Microsoft brand and product names are service marks, trademarks or registered trademarks of Microsoft Corporation or its subsidiaries in the United States and other countries.
Safe Harbor Statement:
This release contains “forward-looking statements” as defined under the U.S. Federal Securities Laws, including the Private Securities Litigation Reform Act of 1995 and is subject to the safe harbors created by such laws. Forward-looking statements may relate to, but are not limited to, the features available in, and the potential benefits to be derived from, CodeGear products and solutions, and the release dates, plans and market acceptance of such products and solutions, including the CodeGear Delphi product line. Such forward-looking statements are based on current expectations that involve a number of uncertainties and risks that may cause actual events or results to differ materially. Factors that could cause actual events or results to differ materially include, among others, the following: rapid technological change that can adversely affect the demand for CodeGear products, shifts in customer demand, shifts in strategic relationships, delays in CodeGear’s ability to deliver its products and services, software errors or announcements by competitors. These and other risks may be detailed from time to time in Borland Software Corporation periodic reports filed with the Securities and Exchange Commission, including, but not limited to, its latest Annual Report on Form 10-K and its latest Quarterly Report on Form 10-Q, copies of which may be obtained from www.sec.gov. Borland is under no obligation to (and expressly disclaims any such obligation to) update or alter its forward-looking statements whether as a result of new information, future events or otherwise. Information contained in our website is not incorporated by reference in, or made part of this press release.