Sunday, February 24, 2008

Windows Vista SP1 Update Information

KB937287 -- "configuring updates stage 3 of 3. 0% complete"

A few people have run into a problem after installing KB937287, one of the prerequisite updates for SP1. The solution for this issue is available in KB949358. If you have any problems following those instructions, please call 1-866-PC-Safety (1-866-727-2338). This phone number is for virus and other security-related support. It is available 24 hours a day for the U.S. and Canada. Should you call that number, be sure to tell the person who answers that you are calling in reference to a Windows Update issue.

Program Loss of Functionality after Installing SP1

Although most programs will continue to work as expected after you install Windows Vista SP1, some programs have been reported to lose functionality after SP1 is installed. The programs and links to the vendors' solutions are listed in KB935796.

Windows Genuine Advantage (WGA) Changes to SP1

With SP1, "Reduced Functionality Mode" (RFM) has been removed and replaced with a notifications-based experience. For a full report and screen captures of what this entails, see Taking the next step with Windows Vista SP1.

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Saturday, February 23, 2008

Lavasoft: Can you hear me now?

On the surface, at least, it appears that there are strange goings on in LavaLand. As of this posting, there is no sign of the "Immediate Release" press release appearing anywhere at Lavasoft.com, in the News, the Blog or the Press Room. Yet, it showed up in my mailbox yesterday.

Edit Note: Although dated February 22, 2008, the Press Release was posted on the Lavasoft website today, 25Feb08.

The press release


"From: press@lavasoft.com
To: press@lists.lavasoft.com
Subject: Press Release: Lavasoft Announces Management Shift
Date: Fri, 22 Feb 2008 12:26:50 PM EST
For Immediate Release:

Lavasoft Announces Management Shift

Gothenburg, Sweden (February 22, 2008) - Anti-spyware leader Lavasoft today announced a new addition to the management team. Cliff Everingham joined the company as Chief Technology Officer, while outgoing CTO, Joe Wells, shifts concentration as the new Key Scientist for Future Technologies at Lavasoft.

With over 20 years in the IT/Telecom industry, Cliff offers extensive management experience, having worked with companies including Ericsson, 3GIS, Vodafone, and Cisco Systems.

“I am very excited about joining a world-recognized organization like Lavasoft. We have a very ambitious year planned for 2008, and I will be focused on delivering new anti-spyware technology that meets the demands of today’s malware industry,” said Everingham. Lavasoft’s CEO, Jason King adds, “Computer users will definitely stand up and take notice when we roll out our new versions of Ad-Aware, as well as several other software tools this year.”

About Cliff Everingham

Everingham has an Engineering degree from the University of Technology in Sydney, Australia, and his Master degree in Business from Latrobe University in Melbourne, Australia. He was a key member of the 3G Strategies Group with Ericsson Sweden where he authored multiple white papers on product development.

About Lavasoft

Founded in 1999, Lavasoft is "the original anti-spyware company", with over a quarter of a billion downloads worldwide for the flagship Ad-Aware product. A private company headquartered in Gothenburg, Sweden, Lavasoft provides security solutions for individual consumers and enterprise clients alike, including anti-spyware, registry optimization, firewall, digital shredding, and encryption. Lavasoft has 4,000 partners in 120 countries.

For further information, please contact Michael Helander, Vice President of Marketing at Lavasoft, telephone +46 733 18 45 63 or press@lavasoft.com."
Did you ask why the announcement appears strange? Of course I will tell you.

It was as recent as August, 2007, that Lavasoft announced that the respected Joe Wells was joining Lavasoft as Chief Technical Officer (CTO). Six months later, a telecommunications specialist is assuming the position of CTO at a company that specializes in malware removal and other computer security products. How strange does that sound?

About Joe Wells:

The following was included in the September, 2007, Lavasoft News:
"Lavasoft is pleased to announce that a leading innovator in the security industry, Joseph Wells, has joined the company’s management team as chief technology officer. Wells is well-known for his extensive career in anti-Trojan and anti-virus solutions as well as his more recent work within anti-spyware and emerging security threats. Along with his widely recognized work in the security software field, Wells has authored over 60 technical articles and scientific papers. He is renowned as the founder of WildList Organization International, a global cooperative identifying and reporting the latest virus threats."
A bit more background on Joe appeared in the announcement of his appointment as Chief Scientist, Security Research, for Sunbelt:

"Previously the chief antivirus architect at Fortinet, Wells is widely known for his work in research and development of security software. He developed his first product, a virus/Trojan detector, in 1988. Since then, he has made numerous technical contributions to the industry while working for Certus International, Symantec's Peter Norton Group, IBM's Thomas J. Watson Research Center and Cybersoft. Joe was also CEO of WarLab, a subsidiary of Trend Micro. A prolific writer, Wells has authored over 60 technical articles and scientific papers in the field of security research and has been the chief editor of two online technical journals. He is best known as the Founder of the WildList Organization International."
About Cliff Everingham

The only information that appears available in a Google search is his LinkedIn Profile, which essentially repeats the information posted in the press release:

Cliff Everingham
Operations Manager - 3GIS AB Sweden
Göteborg Area, Sweden

Operations Manager
3GIS AB

(Privately Held; 51-200 employees; Telecommunications industry)
February 2001 — Present (7 years 1 month)

Perhaps the next CTO will be a cartoonist.




Thursday, February 21, 2008

Announcement: Microsoft Increases Product Openness

Microsoft made a major announcement today on the availability of its technology. I have encapsulated the highlights below. Complete information is available in the references at the end.

Headline:
Microsoft Makes Strategic Changes in Technology and Business Practices to Expand Interoperability
What does it mean?
Microsoft is changing its policies on how information on its high-volume products and technologies is shared. The changes will hopefully help increase opportunities for developers, partners, customers and competitors.
Highlights of How Microsoft Plans to Accomplish This:
  • Publish on the MSDN Web site more than 30,000 pages of documentation for Windows client and server protocols, previously available only under a trade secret license.
  • Publish protocol documentation for additional products, such as Office 2007, in upcoming months.
  • Provide access to the protocols for free for development and non-commercial distribution to open source developers.
  • License related patents on reasonable and non-discriminatory terms, at low royalty rates for commercial distribution.
  • Document how Microsoft supports industry standards.
  • Document any extensions affecting interoperability that are implemented in Microsoft products, available on Microsoft Web site without a license, royalty or other fee required for access. (Any related Microsoft patents that cover these extensions will be available on reasonable and non-discriminatory terms.)
  • Develop new APIs for Microsoft Word, Excel and PowerPoint applications that will enable developers to plug in additional document formats and allow users to select those formats as their default for saving documents.

Wednesday, February 20, 2008

Windows XP SP3, RC2 Available

Windows XP users note that Service Pack 3 is not far away. Microsoft made Release Candidate 2 available today via Windows Update.

Release Notes for Windows XP SP3
Windows XP Service Pack 3 Release Candidate 2 via Windows Update

Note: This is a Release Candidate, not necessarily the final product, and thus still beta. Never run beta software on a production machine.





Wednesday, February 13, 2008

Windows Vista SP1 Prerequisites Delivered

If you have been following the information being provided on the release of Windows Vista SP1, you should have noticed that there are prerequisites that Microsoft indicated would be made available via Windows Update.

Included in the February 2008 Security Bulletin "High priority non-security updates" and detailed in KB Article 894199 were the following Windows Vista SP1 prerequisites:
  • KB 937287 updates the Windows Vista installation software. The installation software is the component that handles the installation and removal of software updates, language packs, optional Windows features, and service packs. This update is necessary to successfully install and uninstall Windows Vista SP1 on all editions of Windows Vista. After installation, it cannot be removed.
  • KB 938371 updates Windows Vista in order to install or to remove Service Pack 1 more reliably. This update must be applied separately before you install Windows Vista SP1 to make sure that Windows Vista SP1 can be installed or removed from the computer. This update is necessary to install and to uninstall Windows Vista SP1 on all editions of Windows Vista. After you install this item, you cannot remove it.
Windows Vista Enterprise and Windows Vista Ultimate have an additional prerequisite update that must be installed prior to KB 937287 and KB 938371. This is KB 935509, which was released to Windows Update in January. Neither KB 937287 nor KB 938371 will be offered to users of Enterprise or Ultimate until KB 935509 has been installed.
  • KB 935509 contains an update that you must have to correctly service Windows BitLocker Drive Encryption-capable computers and is only for Windows Vista Enterprise and Windows Vista Ultimate.
To check that you have the prerequisites, go to Start\Control Panel\Security\Windows Update\View update history. I'm ready. How about you?




Lavasoft Addresses Conflict with Windows Live OneCare (Not!)

It appears that a 31Jan08 update to Windows Live OneCare (WLOC) has resulted in the Ad-Aware 2007 service being seen as a conflict.


Conflicts do occur between security software programs, and someone with an all-in-one suite such as Windows Live OneCare needs to consider this when adding other security software, particularly when that software includes a service. (Note for example that Spybot Search & Destroy does not include a service.)

According to responses posted in the help topic at the Lavasoft Support forums, Lavasoft has been working to resolve the problem. That is understandable: when a new issue arises, it is necessary to determine the source of the conflict, working with the other vendor if needed.

I am rather confused about Lavasoft's method of "working" on the problem. Rather, there seems to be more rudeness and sarcasm involved than helpful information for their customers. Today LS Tobias referred Lavasoft customers to the latest blog post by Lavasoft's VP of Marketing, Michael Helander, copied in part:
Microsoft Bullies

For those of you who are old enough to remember Roseanne Roseannadanna on Saturday Night Live, “My father always used to say, it’s always something. If it’s not one thing, it’s another”

Microsoft is pushing their weight around. We’ve got Ad-Aware customers contacting us left and right because Microsoft is telling them to uninstall their Ad-Aware software in order to run Windows Live OneCare “security software” (the quotation marks are mine).

Some article title: "Microsoft Bullies"! LS Tobias tells Lavasoft customers that they are working with Microsoft and the VP of Marketing refers to them as bullies. Now that is class (not).

I suppose Marketing VP's get away with being snippy, as in the "(the quotation marks are mine)" in reference to Windows Live OneCare security software.

Also from the Lavasoft blog post:

I guess it always takes two MS people to get your issues resolved?

Smart remarks do not solve issues. But this takes the cake:
Thank you for that wonderful explanation, but isn’t Windows the reason that companies like ours are in business in the first place?
No, Michael, "Windows" is not the reason why Lavasoft is in business. Nicolas Stark is the reason Lavasoft is in business when he took over the original "opt-out" program from Steve Gibson. The malware purveyors keep companies like Lavasoft in business.

It is not uncommon for a security software vendor to point out conflicts between their software and that of another. Trend Micro even includes their own products as well as Ad-Aware as necessary to be uninstalled. See EN-1035951.

The conflict is explained at the WLOC forums as follows:

"As mentioned earlier, Ad-Aware 2007 has changed from previous versions in that it now operates as a service that runs at boot time of the PC. This is discussed on the Lavasoft Support forums at the following link.

http://www.lavasoftsupport.com/index.php?showtopic=9893

Though the free version of Ad-Aware 2007 doesn't include the associated Ad-Watch real-time active mode protection, this service is still loaded at boot time to provide the application with elevated rights to cope with malware, even when the logged in user has limited rights themselves.

Though this choice makes sense for the more effective removal of malware, it creates a new problem. The issue is that when Ad-Aware detects malware the service will attempt to 'take control' and remove the infection, which makes sense by itself. However, if another anti-malware application also exists on the PC, it may also detect the same malware with its real-time protection at the same moment. Now you have an issue where two programs are competing to remove the same piece of malware at the same moment, i.e. a conflict."






Tuesday, February 12, 2008

Microsoft Security Bulletin - February 2008

Microsoft has released the February 2008 Security Bulletin Details. Additional information is available at the linked Bulletin. Many of the updates will require a computer restart. The Microsoft Baseline Security Analyzer can detect which updates your computer system requires.

As reported in the MSRC posting, one update anticipated to be released has been withheld for further testing.

Important

Microsoft Security Bulletin MS08-003 -- Vulnerability in Active Directory Could Allow Denial of Service (946538)

Microsoft Security Bulletin MS08-004 -- Vulnerability in Windows TCP/IP Could Allow Denial of Service (946456)

Microsoft Security Bulletin MS08-005 -- Vulnerability in Internet Information Services Could Allow Elevation of Privilege (942831)

Microsoft Security Bulletin MS08-006 -- Vulnerability in Internet Information Services Could Allow Remote Code Execution (942830)

Microsoft Security Bulletin MS08-011 -- Vulnerabilities in Microsoft Works File Converter Could Allow Remote Code Execution (947081)

Critical

Microsoft Security Bulletin MS08-007 -- Vulnerability in WebDAV Mini-Redirector Could Allow Remote Code Execution (946026)

Microsoft Security Bulletin MS08-008 -- Vulnerability in OLE Automation Could Allow Remote Code Execution (947890)

Microsoft Security Bulletin MS08-009 -- Vulnerability in Microsoft Word Could Allow Remote Code Execution (947077)

Microsoft Security Bulletin MS08-010 -- Cumulative Security Update for Internet Explorer (944533)


Microsoft Security Bulletin MS08-012 -- Vulnerabilities in Microsoft Office Publisher Could Allow Remote Code Execution (947085)


Microsoft Security Bulletin MS08-013 -- Vulnerability in Microsoft Office Could Allow Remote Code Execution (947108)

Microsoft Windows Malicious Software Removal Tool:

Microsoft is releasing an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Server Update Services (WSUS), Windows Update (WU) and the Download Center. Note that this tool will NOT be distributed using Software Update Services (SUS). Information on the Microsoft Windows Malicious Software Removal Tool can be located here: http://go.microsoft.com/fwlink/?LinkId=40573

High-Priority Non-Security Updates

High priority non-security updates Microsoft releases to be available on Microsoft Update (MU), Windows Update (WU) or Windows Server Update Services (WSUS) will be detailed in the following KB Article: http://support.microsoft.com/?id=894199

References:

MSRC Blog: February 2008 Monthly Release

TechNet: Microsoft Security Bulletin Summary for February 2008







Monday, February 11, 2008

Adobe Reader Security Update

Bits From Bill:
"A number of malicious PDF files have been seen in the wild and we’ve had reports of infection attempts using a vulnerability in Adobe Reader. You can update your system by downloading the new Adobe Reader at http://www.adobe.com/products/acrobat/readstep2.html"
Watch out for the pre-checked install of Photoshop Album Starter Edition! Although it isn't as bad as a toolbar, you don't likely want a starter package foisted on your computer (probably with limited features).

Firefox readers note: http://www.adobe.com/products/reader/dlm/firefox_steps.html



ComScore Says 'Researchware' Isn't 'Spyware'

Hat Tip: Lost

Freedomlist member, Lost, certainly got it right when he referred to the old Douglas Adams quotation: "If it looks like a duck, and quacks like a duck, we have at least to consider the possibility that we have a small aquatic bird of the family anatidae on our hands." in reference to a recent Information Week article on ComScore.

ComScore chairman and co-founder Gian Fulgoni was quoted as saying:
"Market research tracking software (we have dubbed it 'researchware') needs to be differentiated from 'adware,' 'spyware,' and 'malware' and should not be treated in the same way as these intrusive and potentially harmful applications," Fulgoni said in a blog post Wednesday. "We must not let the purveyors of spyware -- the rotten apples -- give market researchers a bad name."
I can accept that ComScore software is not malware. Perhaps it isn't adware either. However, a look at the Wikipedia definition of spyware in combination with Privacy-invasive software appears to be in order:

"Spyware is computer software that is installed surreptitiously on a personal computer to intercept or take partial control over the user's interaction with the computer, without the user's informed consent.

. . . Spyware programs can collect various types of personal information . . . "

"Privacy-invasive software is a category of computer software that ignores users’ privacy and that is distributed with a specific intent, often of a commercial nature. Three typical examples of privacy-invasive software are adware, spyware and content hijacking programs."
ComScore apparently is of the belief that the trade off of the accelerators, games, and screen savers that come with the company's tracking software makes everything acceptable.

I don't care what it is called. Call it duckware, spyware, trackware or researchware. If software installs without notice or my permission and then "reports home", I consider it BADware.


References:
Ben Edelman: ComScore Doesn't Always Get Consent

InformationWeek: ComScore Says 'Researchware' Isn't 'Spyware'

SunbeltBlog:






Sunday, February 10, 2008

Websense Reports Streamlined anti-CAPTCHA operations

Many websites and forums use "Captcha" features to keep spammers at bay. In an interesting report, Websense Security Labs illustrates how spammers have created bots capable of getting past the Captcha feature and signing up for Windows Live Mail accounts.

As reported:
"Websense believes that these accounts could be used by the spammers at any time for a variety of social-engineering attacks in future. A wide range of attacks would be possible using the same account credentials in other significant and extended Live services offered by Microsoft Corporation, such as Live Messenger (instant messaging), Live Spaces (online storage), etc."
See the illustrated report at Streamlined anti-CAPTCHA operations by spammers on Microsoft Windows Live Mail.





Kaspersky Fixes *.blogspot.com Phishing False/Positive

A recent update to the Kaspersky signature files resulted in Kaspersky Internet Security issuing "Phishing Attack" warning messages on all Blogger blogs when visited. Although Kaspersky's database updates were running 3-4 hours behind for end users, it appears that the updates have finally caught up.

Should you encounter what you believe may be a false/positive with the Kaspersky signature files, send an e-mail addressed to notspam(AT)kaspersky.com.

Kaspersky Forum Topic




GRISOFT Is Now AVG Technologies

Hat Tip: Stealthzone
In an effort to enhance brand awareness, GRISOFT has changed its name and that of its subsidiaries to AVG Technologies:
The parent company is now AVG Technologies N.V.
The Czech Republic-based company is now AVG Technologies CZ, s.r.o.
The US-based company is now AVG Technologies USA, Inc.
The Cyprus-based company is now AVG Technologies CY, Ltd
The UK-based company, already operating under the AVG name, will now be known as AVG Technologies UK Ltd.
Members of the security community frequently have users employ AVG Anti-Spyware in clean-up efforts. Along with subscription packages, AVG provides Windows Vista compatible anti-virus software free for personal use.





Back Up, Back Up, Back Up!

A couple of weeks ago, I thanked some of the special people in my on-line world who have served as mentors. I "met" this group of special individuals via a link created in a software update notice which led to a recording by one of those mentors. That recording led me down the garden path where I find myself today.

That mentor is Aaron Hulett, a friend who continues to take the time to explain the "techie" details in easy-to-comprehend non-techie terms. The most recent example came about when a member of The LandzDown Forum (affectionately referred to as LzD) asked how serious it is when a computer suddenly loses power.

See for yourself one reason why I admire Aaron in his response in the "sudden power loss question".








Vista SP1 FAQ

Ed Bott published a handy set of answers to questions he has received on Windows Vista SP1. One of the questions relates to the file names and MD5 hashes of the standalone updaters. Whether it is Windows Vista SP1 or another program or update, if you are downloading it from a source other than the official one, you need to be sure that you are getting what you expect and not a "virus-infested fake." As Ed wrote:

"One way to increase your chances of getting a legitimate download is to compare the MD5 checksum of the file you download against an MD5 checksum for the file, published by a known and trusted source.

An MD5 checksum is a mathematical hash of a file that reduces it to a series of numbers and letters. If even a single bit is changed, the hash won’t match and you should be suspicious."

It is important to note that you should also check the digital signature of any executable file to make sure it is from the claimed source. Right-click an executable file that has been digitally signed to see the Digital Signatures tab. If it matches, you will know that the file has not been tampered with since it was signed, not that it is safe.
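The checksum comparison Ed describes, as an added example that is not from his FAQ or from this blog: it hashes a file in chunks, accepts the published value in the spaced or colon-separated forms web pages use, and shows a single flipped bit producing a mismatch. The file contents and function names are constructed for illustration; SHA-1 and SHA-256 values are also accepted, and because MD5 collisions can be manufactured, a SHA-256 value is the better one to compare when the publisher offers it.

```python
import hashlib
import hmac
import os
import tempfile

# Hex-digest length -> algorithm, so a pasted value selects its own hash.
ALGORITHM_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}


def normalize_published(value):
    """Strip the separators and case differences seen in published checksums."""
    cleaned = "".join(ch for ch in value if ch not in " :-\t\r\n").lower()
    if not cleaned or any(ch not in "0123456789abcdef" for ch in cleaned):
        raise ValueError("published checksum is not a hex string")
    if len(cleaned) not in ALGORITHM_BY_LENGTH:
        raise ValueError("unrecognised checksum length: %d" % len(cleaned))
    return cleaned


def file_digest(path, algorithm, chunk_size=1024 * 1024):
    """Hash the file in chunks so large installers never sit fully in memory."""
    hasher = hashlib.new(algorithm)
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            hasher.update(chunk)
    return hasher.hexdigest()


def verify_download(path, published):
    """Return (matches, algorithm, actual_digest) for a downloaded file."""
    expected = normalize_published(published)
    algorithm = ALGORITHM_BY_LENGTH[len(expected)]
    actual = file_digest(path, algorithm)
    return hmac.compare_digest(actual, expected), algorithm, actual


def demo():
    """Constructed data: a stand-in download and a copy with one bit flipped."""
    original = b"constructed stand-in for a standalone updater\n" * 4096
    tampered = bytearray(original)
    tampered[len(tampered) // 2] ^= 0x01  # flip a single bit mid-file

    # The value a trusted page would publish, as spaced upper-case pairs.
    digest = hashlib.md5(original).hexdigest().upper()
    published = " ".join(digest[i:i + 2] for i in range(0, len(digest), 2))

    with tempfile.TemporaryDirectory() as tmp:
        good_path = os.path.join(tmp, "download-good.bin")
        bad_path = os.path.join(tmp, "download-tampered.bin")
        with open(good_path, "wb") as handle:
            handle.write(original)
        with open(bad_path, "wb") as handle:
            handle.write(bytes(tampered))
        return (verify_download(good_path, published),
                verify_download(bad_path, published))


if __name__ == "__main__":
    for label, (matches, algorithm, actual) in zip(("good", "tampered"), demo()):
        verdict = "MATCH" if matches else "MISMATCH"
        print("%-8s %s %s -> %s" % (label, algorithm, actual, verdict))
```

A match says only that the file equals the one the publisher hashed, so the published value has to come from a source you trust.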

Of course the best practice is to download software programs and updates only from the originating vendor. When it comes to Microsoft software/updates, this is even more critical. Too many people are fooled by the phony e-mails claiming to be from Microsoft. As I have written before,
Microsoft Does NOT Send Updates Via Email.

See Ed's A Vista SP1 FAQ. If you have a question that Ed hasn't answered already, ask in the Talkback section.

Information and instructions on MD5 checksums are available in
A useful file integrity checker.


Friday, February 08, 2008

The What, Where, How of ActiveX and Kill-Bits

Before I provide any links or further information on this topic, the adventuresome folks out there (yes, you!) are going to be presented with an upfront advisory:

Warning - After reading the articles linked below, some folks may get curious about the registry and decide to do some independent investigation. If you (or a registry cleaner/program) modify the registry incorrectly, serious problems might result -- sufficiently serious to require the operating system to be reinstalled. Modify the registry at your own risk.

Now on to the topic at hand.

Every month, many others and I provide information on the latest Microsoft security updates. When a security update relates to Internet Explorer, ActiveX is frequently mentioned. “Kill-Bits” are commonly part of the security update used to disable individual ActiveX controls.

The Security Vulnerability Research & Defense bloggers really went to town, first providing background information on how to determine whether ActiveX vulnerabilities are exploitable in Internet Explorer. This was followed up with a three-part Kill-Bit FAQ.




Thursday, February 07, 2008

Mozilla Firefox 2.0.0.12 Security Update

Mozilla released Firefox 2.0.0.12 today which includes the security fixes noted below.

Fixed in Firefox 2.0.0.12

MFSA 2008-11 Web forgery overwrite with div overlay
MFSA 2008-10 URL token stealing via stylesheet redirect
MFSA 2008-09 Mishandling of locally-saved plain text files
MFSA 2008-08 File action dialog tampering
MFSA 2008-06 Web browsing history and forward navigation stealing
MFSA 2008-05 Directory traversal via chrome: URI
MFSA 2008-04 Stored password corruption
MFSA 2008-03 Privilege escalation, XSS, Remote Code Execution
MFSA 2008-02 Multiple file input focus stealing vulnerabilities
MFSA 2008-01 Crashes with evidence of memory corruption (rv:1.8.1.12)
Existing users can select Help > Check for Updates. If you need assistance, instructions for updating Firefox are available here.

Release Notes




Microsoft Security Bulletin Advance Notification for February 2008

February is looking to be a big month for updates, both security and non-security. In addition to an updated version of the Microsoft Windows Malicious Software Removal Tool, Microsoft is further planning to release

seven non-security, high-priority updates and

two non-security, high-priority updates for Windows

on Microsoft Update (MU) and Windows Server Update Services (WSUS).

Note:

The information provided in the Security Bulletin Advance Notice pertains only to non-security, high-priority updates on Microsoft Update, Windows Update, and Windows Server Update Services released on the same day as the security bulletin summary. Information is not provided about non-security updates released on other days.

Below is a summary of the February 2008 Microsoft Security bulletins (in order of severity). Microsoft Baseline Security Analyzer can detect whether your computer system requires these updates. Some of the updates will require a restart.

Critical

Microsoft Security Bulletin 5

Impact of Vulnerability: Remote Code Execution
Affected Software: Windows.

Microsoft Security Bulletin 6

Impact of Vulnerability: Remote Code Execution
Affected Software: Windows, Office, Visual Basic.

Microsoft Security Bulletin 7

Impact of Vulnerability: Remote Code Execution
Affected Software: Windows, VBScript, JScript.

Microsoft Security Bulletin 8

Impact of Vulnerability: Remote Code Execution

Affected Software: Windows, Internet Explorer.

Microsoft Security Bulletin 10

Impact of Vulnerability: Remote Code Execution

Affected Software: Office.

Microsoft Security Bulletin 11

Impact of Vulnerability: Remote Code Execution

Affected Software: Office.

Microsoft Security Bulletin 12

Impact of Vulnerability: Remote Code Execution
Affected Software: Office.

Important

Microsoft Security Bulletin 1

Impact of Vulnerability: Denial of Service

Affected Software: Windows, Active Directory, ADAM.

Microsoft Security Bulletin 2

Impact of Vulnerability: Denial of Service

Affected Software: Windows.

Microsoft Security Bulletin 3

Impact of Vulnerability: Elevation of Privilege

Affected Software: Windows, IIS.

Microsoft Security Bulletin 4

Impact of Vulnerability: Remote Code Execution

Affected Software: Windows, IIS.

Microsoft Security Bulletin 9

Impact of Vulnerability: Remote Code Execution

Affected Software: Office, Works, Works Suite.



Wednesday, February 06, 2008

EULA/TOS Confusion

First a definition of terms. EULA stands for "End User License Agreement" and TOS for "Terms of Service". Although it isn't necessary to remember what the acronyms stand for, it is important to read the EULA or TOS when subscribing to or downloading software.

Unfortunately, we do not generally see a EULA like the Best EULA Ever originally posted on the SunbeltBLOG. Instead, the font is generally small and the language is filled with what appears to be more double-talk than something that makes a lot of sense.

More than that, we are faced with that "I accept" or "I do not accept" right at the moment of installing the software we just downloaded. How many people actually stop and read the agreement?

When reading agreements, the language really does sound more like what John Dvorak suggested in "The Terms of Service Bugaboo":

"Generally speaking, a software license and various terms-of-service and terms-of-use agreements say the following:

  • Whatever you think we said, or whatever we said, about the product may have nothing to do with reality, and you agree not to expect that it does.

  • No matter what happens, including damage to your equipment or even someone's death, you agree not to blame us even if it is our fault.

  • If we are a Web site and you use it, no matter what bad things happen, it is not our fault.

  • If you contribute anything at all to a site or system, we own it.

  • You will never sue us for anything, ever."

Since we are not presented with blank EULAs like the one Alex found and do not have John Dvorak to translate for us, I suggest giving Javacool Software's EULAlyzer a try:
"EULAlyzer can analyze license agreements in seconds, and provide a detailed listing of potentially interesting words and phrases. Discover if the software you're about to install displays pop-up ads, transmits personally identifiable information, uses unique identifiers to track you, or much much more."
You won't get legal advice with EULAlyzer. However, you will have a much better idea of what you are agreeing to before installing the software.




Monday, February 04, 2008

Windows Vista SP1 RTM Announcement

Not everyone is attuned to acronyms so let's clear that up first:
SP1 = Service Pack 1
RTM = Release to Manufacture
Mike Nash has a long blog post on the Windows Vista Team Blog about the Windows Vista SP1 RTM. I'll stick with the highlights here and you can read the full post at the link provided.

Processes Starting with RTM:
  • OEM partners will get SP1 so new Windows Vista PCs will have SP1 pre-installed.
  • Microsoft will start the manufacturing process for the retail product of Windows Vista with SP1.
  • Microsoft will start the process to manufacture DVDs for enterprise customers who get software via the Volume Licensing program.
Availability of SP1:
  • In mid-March, Windows Vista SP1 (in English, French, Spanish, German and Japanese) will be released to Windows Update and to the Download Center on microsoft.com.
  • In mid-April, Windows Vista SP1 will be released to Windows Vista customers who have chosen to have updates downloaded automatically.
  • In April, the remaining languages go to RTM.

Important Note:
Beta testing of SP1 identified an issue with a small set of device drivers which do not follow Microsoft guidelines for driver installation. Although reinstalling the drivers solved the problem, SP1 will not be offered via Windows Update until the affected drivers have been updated by the vendor(s).

As updates for the affected drivers become available, they will be installed automatically by Windows Update, which will unblock these systems from getting SP1.
