Wednesday, 25 December 2013

VeriSign Inc. and Adobe Systems Inc. Collaboration

Being immersed in the goings-on at CES this past week, of course I was reading Robert Scoble's blog posts today. His entry, "Netfix is dead", caught my attention, particularly when he described his experience in the VeriSign booth:
". . . demoing: a peer-to-peer system for selling and distributing high-def videos. It really rocks."
Since one of the things I "do" is help users clean malware from their computers, I cringe when I see references to peer-to-peer (P2P). So often the files passed around via P2P are infected. But, that wasn't the part that set off alarms. The ringing started when I read
". . . on Monday Verisign announced a deal with Adobe who’ll distribute their P2P infrastructure along with the next version of the Flash player. That’ll get it into tons of homes nearly overnight."
Great, just great. I already have to politely decline the Yahoo! toolbar when updating Adobe and now I am going to get stuck with VeriSign's P2P software on my computer if I want to use Adobe. This does not make me a happy person.

Windows Vista -- CES "Best of Show"

Congratulations to the folks behind Windows Vista, named the winner of CNET's Best of CES 2007 award in the computers and hardware category!
Was there any doubt that the award would go to Microsoft? I really don't think so. The entire Microsoft team was shining at the 2007 Consumer Electronics Show (CES) in Las Vegas. It began with Bill Gates giving the keynote address, followed by an incredible show at the Bellagio. (By the way, you can't win unless you play. Find the challenge at Vanishing Point.)

Even though I wasn't there, I felt the excitement from the reports of those who were.

Congratulations!

Microsoft IE & Vista Teams Need WinPatrol!

The IEBlog Team reported that on January 8, 2007, they logged the 100 millionth IE7 installation. From their browser usage statistician the IE Team learned:
". . . as of this week, over 25% of all visitors to websites in the US were using IE7, making IE7 the second most used browser after IE6."
In addition to the Windows Vista Team needing to learn about the World's Best Vista Craplet Cleaner, perhaps the IE Team also needs to keep track of Bill Pytlovany, who reported even higher statistics for Internet Explorer 7 a full five days ahead of Microsoft's statistician:
"Today the percentage of IE7 users reading Bits from Bill hit 31.67% exceeding other browsers including all previous versions of Microsoft’s Internet Explorer."

Excel 2000 -- Microsoft Security Bulletin MS07-002 Revision

On 18 January 2007 Microsoft updated Security Bulletin MS07-002: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (927198).

========================================
Summary:
========================================

On Thursday, January 18th, 2007 Microsoft issued a targeted re-release of the MS07-002 update for Excel 2000.

This bulletin has been re-released to re-offer the security update to customers with Microsoft Excel 2000. The security update previously did not correctly process the phonetic information that is embedded in files that are created by using Excel in the Korean, Chinese, or Japanese executable mode. For additional information see Microsoft Knowledge Base Article 931183.

This re-release only affects Excel 2000. Later versions of Excel (2002, 2003, Excel for Mac) are not affected.

========================================
Recommendations:
========================================

• Customers running Excel 2000 are encouraged to download the re-released update through Office Update or the Download Center. Because the update affects only Excel 2000, the targeted re-release will not be automatically delivered through Automatic Update or Microsoft Update.

• Customers who are not running Excel 2000 need take no action regarding this targeted re-release.

========================================
Additional Resources:
========================================
  • Microsoft Security Bulletin MS07-002: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (927198): http://www.microsoft.com/technet/security/bulletin/MS07-002.mspx
  • Microsoft Knowledgebase Article 931183 - Excel 2000 does not open some files after you install security update 925524 that is documented in security bulletin MS07-002: http://support.microsoft.com/kb/931183
  • Microsoft Knowledgebase Article 927198 - MS07-002: Vulnerabilities in Microsoft Excel could allow remote code execution: http://support.microsoft.com/kb/927198
  • MSRC Blog: http://blogs.technet.com/msrc/

Sun Microsystems Vulnerability Update Advisory

Sun Microsystems updated Sun Alert 102760 today, providing another "after fix" update posting. The vulnerability released by this alert is in processing GIF images in the Java Runtime Environment (JRE), which may allow an untrusted applet to elevate privileges.
It is strongly advised that Sun Java be updated to version 1.5.0_10 or the new Java SE 6 build, both of which were released in December 2006.

Sensationalism, Irresponsible Journalism or Microsoft Bashing?

Both Ed Bott of Ed Bott's Windows Expertise and Robert McLaws of Windows Now have had their turn this week being upset with what, in my book, can be construed as sensationalism, irresponsible journalism, Microsoft bashing, or a combination of all three. (See Ed's remarks here and here and Robert's here and here.)
Now it is my turn.
In the hope of educating as many people as possible, I have been following and reporting on the latest "Storm" worm as it has evolved from the first reports by F-Secure. While checking headlines in my RSS feeds, I spotted "Storm" Trojan Hits 1.6 Million PCs; Vista May Be Vulnerable and followed the link to Information Week to read the article.
I hoped that I would cool off by not commenting on the article after reading it yesterday or have a different perspective today. If anything, it is just the opposite.

First, a couple of quotations from the InformationWeek article:

"The Trojan horse that began spreading Friday has attacked at least 1.6 million PCs, a security company said Tuesday.
In addition, it appears that Windows Vista, the new operating system Microsoft will launch next week, is vulnerable to the attack."
and
"Microsoft's soon-to-release-to-consumers Vista, however, does appear at risk, added Symantec Tuesday. 'It appears most if not all variants could execute on Vista,' the spokesman said. 'The only way the Trojan would be unsuccessful is if somehow Vista is able to detect/prohibit the e-mail. This seems unlikely.'"
Now my comments:

Let's start with the story headline, which includes "Vista may be Vulnerable". This story is about a nasty trojan, but it appears the only way to get attention from journalists these days is to include the name "Microsoft" or "Vista" in the title.

The next mention of Windows Vista is at the beginning of the article, which includes the statement that "it appears Windows Vista . . . is vulnerable. . ." Yet neither there nor anyplace else in the article does the author provide any indication whatsoever of how or why Windows Vista may be vulnerable to this trojan, which is distributed as an attachment to emails.
Now we move to the end of the article, where the next mention of Microsoft and Vista appears, this time as a quotation attributed to a Symantec spokesman in which the spokesman made a ridiculous statement referring to the operating system deleting or prohibiting the email.

That is right, the Symantec spokesman is suggesting that the operating system, not the anti-virus software, should be deleting/prohibiting trojans. (Didn't I read somewhere that Symantec was one of the companies complaining that Windows Vista has too many restrictions?)

Other than the ridiculousness of the Symantec representative's statement, why do I find that quotation and the earlier innuendos irresponsible? It is this simple: The "Storm" worm is propagated as an attachment to spam emails. Assuming the email gets past the user's email filters, it requires user intervention to open the email and to then click open the attachment.
By the author's own admission:
"Anti-virus companies have updated their signature databases with fingerprints that identify and then delete (or quarantine) the Trojan as it arrives. Other defensive advice includes filtering traffic on UDP ports 4000 and 7871, update anti-spam products, and configure mail gateways to strip out all executable attachments."
So, for the trojan to reach the user, there must be a situation where the user and the ISP have no email filter and the user allows executables in their email program (or clicks on the .exe attachment in webmail). Since A/V companies have updated their databases, we then must presume that the user either does not have an anti-virus software installed or it is not up to date.
Remember, the article author and the Symantec spokesman indicate that Windows Vista may be vulnerable. Thus, they must also have forgotten that the Vista user must have "administrator-like" UAC (User Account Control) authority in order to allow the executable to run after the trojan has bypassed email filters and anti-virus software. We would further have to assume that the user does not have any real-time protection (i.e., Windows Defender, AVG Guard, Ad-Watch, WinPatrol, and the like). Thus, a Windows Vista computer can be infected. However, that does not make Vista vulnerable. It means that the computer owner/operator is responsible.
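As an added illustration of the gateway control the quoted advice mentions (stripping executable attachments), not code from the article or from any vendor named in it: a small Python filter run over a constructed message. It checks the file name and also the file's leading bytes, since an executable renamed to look like an image slips past an extension-only rule.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions a mail gateway would typically refuse to deliver (constructed,
# illustrative denylist; a production gateway would use a far longer one).
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs")
# Every DOS/Windows executable (PE file) begins with the two bytes "MZ".
PE_MAGIC = b"MZ"


def executable_reason(part):
    """Return why an attachment should be stripped, or None if it may pass.

    The file name is checked first, then the content itself, so that an
    executable renamed to look like an image or document is still caught.
    """
    filename = (part.get_filename() or "").lower()
    for ext in EXECUTABLE_EXTENSIONS:
        if filename.endswith(ext):
            return "executable extension " + ext
    payload = part.get_payload(decode=True) or b""
    if payload[:2] == PE_MAGIC:
        return "PE (MZ) header inside a file named " + repr(filename)
    return None


def strip_executables(raw):
    """Parse a raw RFC 5322 message and drop executable attachments.

    Returns (sanitized_message, removed), where removed lists
    (filename, reason) for every part that was dropped.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    removed = []
    if not msg.is_multipart():
        return msg, removed
    kept = []
    for part in msg.get_payload():
        reason = None
        if part.get_content_disposition() == "attachment":
            reason = executable_reason(part)
        if reason:
            removed.append((part.get_filename(), reason))
        else:
            kept.append(part)
    msg.set_payload(kept)
    return msg, removed


def remaining_attachments(msg):
    """File names of the attachments still present after sanitizing."""
    return [p.get_filename() for p in msg.iter_attachments()]


def build_sample_message():
    """Constructed test message: one harmless attachment and two executables,
    one of which has been renamed to pass a naive extension check."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Greeting card"
    msg.set_content("Your greeting card is attached.")
    msg.add_attachment("Nothing to see here.", filename="readme.txt")
    # Constructed stand-in for a PE file: only the magic bytes, not a real binary.
    fake_pe = PE_MAGIC + b"\x90\x00" + b"\x00" * 60
    msg.add_attachment(fake_pe, maintype="application",
                       subtype="octet-stream", filename="postcard.exe")
    msg.add_attachment(fake_pe, maintype="image",
                       subtype="jpeg", filename="postcard.jpg")
    return msg.as_bytes()


if __name__ == "__main__":
    sanitized, dropped = strip_executables(build_sample_message())
    for name, why in dropped:
        print("stripped", name, "->", why)
    print("delivered attachments:", remaining_attachments(sanitized))
```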

I would strongly suggest that both Gregg Keizer and his Symantec spokesman head over to the Windows Vista Blog and read Jim Allchin's excellent presentation of "Security Features vs. Convenience", noting in particular the bold text in the following quotation:
". . . we created a mode of UAC called admin approval mode. In this mode (which is on by default for all members of the local administrators group), every user with administrator privileges runs normally as a standard user; but when an application or the system needs to do something that requires administrator permissions, the user is prompted to approve the task explicitly. Unlike the "super user on" function from UNIX that leaves the process elevated until the user explicitly turns it off, admin approval mode enables administrator privileges for just the task that was approved, automatically returning the user to standard user when the task is completed."
I hope everyone takes the time to read the above article by Jim Allchin and realizes that articles like the one in InformationWeek and those that Ed Bott and Robert McLaws referred to have a purpose -- sensationalism and as Ed states, "fact-free journalism".

Microsoft Extends Support for XP Home and Media Center

Excellent news for Microsoft customers not yet ready to upgrade to Windows Vista: Microsoft announced extended support for Windows XP Home Edition and Windows XP Media Center Edition:
"With the addition of Extended Support, the support life cycle for Windows XP Home Edition and Windows XP Media Center Edition will include a total of five years of Mainstream Support (until April 2009) and five years of Extended Support, matching the support policy provided for Windows XP Professional."
With Windows Vista reaching the shelves next week, users with unsupported versions of Windows operating systems will likely be able to obtain discounted prices for Windows XP, knowing that security updates will be available until 2009, or with extended support to 2014.

Microsoft Security Advisory

Today Microsoft released Security Advisory 932114, describing a vulnerability in Microsoft Word 2000 that could allow remote code execution. For the attack to succeed, the user must first open a malicious Word file attached to an e-mail or otherwise provided by an attacker. Obviously, the common-sense approach applies yet again: do not open unexpected or unusually named attachments.

Reminder: As stated in the MSRC Blog on this advisory, Microsoft is aware of very limited, targeted attacks attempting to use the vulnerability.

Customers in the U.S. and Canada who believe they are affected can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.

International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.

Celebrate Windows Vista and Office 2007 Release With Bill Gates

Bill Gates Celebrates Worldwide General Availability of Windows Vista and the 2007 Microsoft Office System
"January 29, 2007
1:45 p.m. PST / 4:45 p.m. EST
From Times Square in New York City, join Microsoft Chairman Bill Gates for a live webcast celebrating the worldwide launch of Windows Vista and the 2007 Microsoft Office System. The celebration pays tribute to the millions of Microsoft customers, partners and product testers around the world who provided input and feedback on these products -- helping Microsoft transform the way people communicate, create and share content, and access information and entertainment in the new digital age."

New Microsoft Vista and Office 2007 Resources

As the hours count down to zero, Microsoft has readied resources for Microsoft Vista and Office 2007 customers.

Groundbreaking Anti-Malware Settlement Involving DirectRevenue

I certainly am glad that I subscribe to Brian Krebs' "Security Fix" blog on the Washington Post. I just read his posting from about an hour ago announcing that Cingular Wireless LLC, Priceline.com and Travelocity.com have agreed to settle their part in an ongoing investigation. In 2006, the New York State Attorney General's office sued DirectRevenue for deceptively and fraudulently installing its pop-up ad-serving and Web-tracking software on millions of PCs without the approval or consent of consumers.
Since one of the things I "do" is help in online security forums, I certainly completely agree with Mr. Krebs' statement about one of the reasons this settlement is important:
"Online help forums are awash in desperate messages from consumers whose machines were besieged by pop-up ads after visiting a Web site that used slimy drive-by tactics to install DirectRevenue's software, which is notoriously difficult to remove from a host machine."
It is certainly well past time for this type of action. I hope other states follow the example of New York State's Attorney General, Andrew Cuomo. Mr. Cuomo's statement serves as a warning to other advertisers turning a blind eye to adware purveyors:
“Advertisers will now be held responsible when their ads end up on consumers’ computers without full notice and consent,” Cuomo said. “Advertisers can no longer insulate themselves from liability by turning a blind eye to how their advertisements are delivered, or by placing ads through intermediaries, such as media buyers. New Yorkers have suffered enough with unwanted adware programs and this agreement goes a long way toward clamping down on this odious practice.”

Issue regarding Windows Vista Speech Recognition

Following is the first part of my post at the Windows Connected forum from last night on the Windows Vista Speech Recognition "issue":
As reported on the MSRC Blog,
"An issue has been identified publicly where an attacker could use the speech recognition capability of Windows Vista to cause the system to take undesired actions. While it is technically possible, there are some things that should be considered when trying to determine what the threat of exposure is to your Windows Vista system."
This is another of those situations where it is "technically possible", however there are a lot of variables that would need to be met in order for an attack to be successful. There are those who will look for absolutely any angle they can find to question the security of Windows Vista.

There have been numerous repeats across the Internet today about this "issue". What I find most disturbing is the manner in which various services are headlining it; i.e., "Talking security vulnerability in Vista", "Hackers can whisper sweet nothings into Vista's ear", "Vista has speech recognition hole", and more of a similar nature.
Let's break the MSRC post down a bit and read more carefully what it would take for such an attack to be successful:
  • the targeted system would need to have the speech recognition feature previously activated and configured
  • the system would need to have speakers and a microphone installed and turned on
  • the exploit scenario would involve the speech recognition feature picking up commands through the microphone such as “copy”, “delete”, ”shutdown”, etc. and acting on them
  • the commands would be coming from an audio file that is being played through the speakers
Even if all of the above were likely and the user was not there to turn off the microphone or speakers or shut down the computer, note the sentences below, particularly the two in bold:
  • It is not possible through the use of voice commands to get the system to perform privileged functions such as creating a user without being prompted by UAC for Administrator credentials.
  • The UAC prompt cannot be manipulated by voice commands by default.
  • There are also additional barriers that would make an attack difficult including speaker and microphone placement, microphone feedback, and the clarity of the dictation.
Know what I think? More sensationalism by the press and much ado about nothing.

Monday, 23 December 2013

Windows Live Hotmail and Firefox 3 Issue

It isn't only Firefox 3 cookie management with WinPatrol that is a problem. When attempting to access Windows Live (my.live.com), the page opened, but when I clicked on the sign-in link to check my mail:
"You can see your Windows Live Hotmail inbox here if you sign in."
the following message was displayed after signing in:
"The Windows Live Hotmail service is currently unavailable. Please try again."
Opening the page with an IE Tab allows me to continue with just one browser open. I really am dependent upon the Firefox add-ons when helping on the forums.

Microsoft Security Advisory 954462 Released

Microsoft has released Security Advisory 954462 – Rise in SQL Injection Attacks Exploiting Unverified User Data Input. This Advisory is a result of a recent escalation in a class of attacks targeting Web sites that use Microsoft ASP and ASP.NET technologies but do not follow best practices for secure Web application development. These SQL injection attacks do not exploit a specific software vulnerability, but instead target Web sites that do not follow secure coding practices for accessing and manipulating data stored in a relational database. When a SQL injection attack succeeds, an attacker can compromise data stored in these databases and possibly execute remote code. Clients browsing to a compromised server could be forwarded unknowingly to malicious sites that may install malware on the client machine.

The purpose of Security Advisory 954462 is to help Web site administrators identify Web application code that may be susceptible to SQL injection attacks and to provide a stopgap solution that mitigates SQL injection attacks against the server while the applications are being fixed.

Web site owners and administrators are encouraged to review Microsoft Security Advisory 954462 for an overview of the issue, details on affected components, mitigating factors, suggested actions, frequently asked questions (FAQ) and links to additional resources.

"Windows Vista Inside Out, Deluxe Edition"

I have been a fan of Ed Bott's two blogs, his Microsoft Report at ZDNet and Ed Bott's Windows Expertise. So, when Ed provided the opportunity to win a free copy of Windows Vista Inside Out, Deluxe Edition by providing a link to one of his ZDNet posts, including a reason for the recommendation and a feature or capability in Windows Vista that has improved your productivity, I jumped at the chance.

For the first part of the submission, I found it difficult to pick just one post but since I link to the Hands On Vista series in Windows Vista Bookmarks, I started there. The Hands On Vista collection of tips was very timely for early adopters of Windows Vista and continues to be very helpful. In looking at that collection, I selected my favorite within that category -- 10 tips and tweaks for Vista experts.

It was a lot easier to recommend a feature in Windows Vista that has improved my productivity. It was from 10 tips and tweaks for Vista experts that I learned about the Snipping Tool, a handy tool for making quick screen or partial screen captures. One use is when paying a bill online where the vendor e-mails a receipt of payment. I make a screen capture with the Snipping Tool as a record of payment. It is much easier than writing a long reference number by hand.

My submission was selected as one of the winners and my autographed copy of Windows Vista Inside Out, Deluxe Edition arrived yesterday. All I can say is, WOW! Even though I have been using Windows Vista for a little over a year, there are still many areas I have only touched on. The book is 36 chapters on 1202 illustrated pages, 7 appendixes, plus a companion CD that contains tools and resources, including downloadable gadgets and other tools, Microsoft resources and other resources, and so much more.

It is very helpful that many of the explanations include differences in Windows Vista from Windows XP. I have already tweaked some of the settings based on my readings thus far. If you need a handy reference, Windows Vista Inside Out, Deluxe Edition is one that I can personally recommend.

Microsoft Source Code Analyzer for SQL Injection

This is in direct response to the Microsoft Security Advisory 954462 posted today (see Microsoft Security Advisory 954462 Released for additional references and information).

In response to the recent mass SQL injection attacks, Microsoft has developed a new static code analysis tool for finding SQL injection vulnerabilities in ASP code. Web developers can run the tool on their ASP source code to identify the root causes of the attacks and address them to reduce their exposure to future attacks. The tool scans ASP source code and generates warnings for first-order and second-order SQL injection vulnerabilities. The tool also provides annotation support that can be used to improve the analysis of the code.
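To show what a first-order check of the kind described above looks like, here is an added, deliberately simple Python scanner for classic ASP (VBScript) pages. It is not Microsoft's tool and does not attempt second-order analysis: it tracks variables assigned from Request.* and flags any line that hands a SQL string built from such a variable to an ADO Execute/Open/CommandText sink. The sample ASP it scans is constructed for the example, and its last four lines show the parameterized form the scanner accepts.

```python
import re

# Where untrusted input enters a classic-ASP page.
REQUEST_SOURCE = re.compile(
    r"\bRequest(?:\.(?:QueryString|Form|Cookies|ServerVariables))?\s*\(", re.I)
# "x = ..." or "Set x = ..."; the left side must be a plain variable.
ASSIGNMENT = re.compile(r"^\s*(?:Set\s+)?([A-Za-z_]\w*)\s*=\s*(.+)$", re.I)
# A string literal that begins a SQL statement.
SQL_LITERAL = re.compile(r'"\s*(?:SELECT|INSERT|UPDATE|DELETE|EXEC(?:UTE)?)\b', re.I)
# Calls that hand a statement to the database (ADO Connection/Command/Recordset).
SQL_SINK = re.compile(r"\.(?:Execute|Open)\b|\.CommandText\s*=", re.I)
STRING_LITERAL = re.compile(r'"[^"]*"')
IDENTIFIER = re.compile(r"\b[A-Za-z_]\w*\b")

# Constructed sample page: two injectable statements, then a parameterized one.
SAMPLE_ASP = """\
<%
Dim conn, rs, sql, id, name
id = Request.QueryString("id")
name = Request.Form("name")
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open connStr
sql = "SELECT * FROM Products WHERE ProductID = " & id
Set rs = conn.Execute(sql)
conn.Execute("UPDATE Users SET Name = '" & name & "' WHERE Id = 7")
Set cmd = Server.CreateObject("ADODB.Command")
cmd.CommandText = "SELECT * FROM Products WHERE ProductID = ?"
cmd.Parameters.Append cmd.CreateParameter("p", 3, 1, , id)
Set rs = cmd.Execute
%>
"""


def identifiers(code):
    """Lower-cased identifiers outside string literals (VBScript is case-insensitive)."""
    return {name.lower() for name in IDENTIFIER.findall(STRING_LITERAL.sub('""', code))}


def scan_asp(source):
    """Flag first-order SQL injection: a query string that embeds Request input
    and reaches an ADO sink. Returns [(line_number, code), ...]."""
    tainted = set()      # variables holding raw request input
    tainted_sql = set()  # variables holding a SQL string that embeds such input
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        code = line.strip()
        if not code or code[0] == "'" or code.startswith(("<%", "%>", "Rem ")):
            continue
        names = identifiers(code)
        reads_input = bool(REQUEST_SOURCE.search(code)) or bool(names & tainted)
        builds_sql = bool(SQL_LITERAL.search(code))
        match = ASSIGNMENT.match(code)
        if match:
            lhs = match.group(1).lower()
            rhs = match.group(2)
            rhs_names = identifiers(rhs)
            rhs_reads_input = bool(REQUEST_SOURCE.search(rhs)) or bool(rhs_names & tainted)
            tainted.discard(lhs)      # plain reassignment clears earlier taint
            tainted_sql.discard(lhs)
            if rhs_reads_input and (builds_sql or rhs_names & tainted_sql):
                tainted_sql.add(lhs)  # query text concatenated with user input
            elif rhs_reads_input:
                tainted.add(lhs)
        if SQL_SINK.search(code):
            inline = builds_sql and reads_input          # built and executed on one line
            via_variable = bool(names & tainted_sql)     # built earlier, executed here
            if inline or via_variable:
                findings.append((lineno, code))
    return findings


if __name__ == "__main__":
    for lineno, code in scan_asp(SAMPLE_ASP):
        print("line %d: untrusted input reaches a SQL sink: %s" % (lineno, code))
```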

Beware: Rogues and MediaTubeCodec at Free Hosting Site

Hot off the press:

See Donna's security alert at Calendar of Updates (CoU) regarding web pages hosted for free at hostinggratisargentina.com that are spreading malware. As Donna explains, the pages use script to redirect the user to URLs hosting rogue/fake scanners and fake codecs. See Donna's report at Free hosting spread rogue products and MediaTubeCodec.

Microsoft Security Advisory 954960 Released

Microsoft released Microsoft Security Advisory 954960, "Microsoft Windows Server Update Services (WSUS) Blocked from Deploying Security Updates."

Although a security advisory, it is a non-security issue that prevents the distribution of updates deployed via WSUS (Windows Server Update Services) to systems that have Microsoft Office 2003 installed in their environment. Microsoft is aware of reports from customers who are experiencing this issue.

According to the advisory, upon completing the investigation, Microsoft will take appropriate action to resolve the issue within Microsoft Windows Server Update Services 3.0 or Microsoft Windows Server Update Services 3.0 Service Pack 1.

Note:
  • The issue affecting System Center Configuration Manager 2007 first described in Microsoft Security Advisory 954474, where System Center Configuration Manager 2007 systems were blocked from deploying security updates, is separate from the issue described in this advisory.

Windows XP SP3 Hotfix

Early this month, I reported that Symantec had addressed the issues customers using Norton 2008 experienced when installing Windows XP Service Pack 3 or Windows Vista Service Pack 1.

Based on a post by dickw at LandzDown Forum, I learned that Microsoft has provided a hotfix for users who installed Windows XP Service Pack 3 with an antivirus application still running during the installation, which could result in Device Manager not showing any devices and/or Network Connections not showing any network connections.

The hotfix is available at Update for Windows XP (KB953979).

Before installing SP3, I recommend reviewing the following:
  • Recommendations before you install Windows XP Service Pack 3
  • Windows XP SP3 - Read all prerequisites for a successful installation

July 2008 Microsoft Security Bulletin Advance Notification

On 08 July 2008 Microsoft is planning to release four new security bulletins. All four are rated Important; the impact of the vulnerability being fixed is elevation of privilege for three of the bulletins and spoofing for Windows Bulletin 2.

As usual, the Microsoft Baseline Security Analyzer can detect whether your computer system requires this update.

SQL Bulletin Affected Software:
  • Microsoft Windows, Microsoft SQL Server. For more information, see the Affected Software section on the Advance Notification web page referenced below.

Windows Bulletin 1 Affected Software:
  • Windows Vista, Windows Server 2008. For more information, see the Affected Software section on the Advance Notification web page referenced below.

Windows Bulletin 2 Affected Software:
  • Windows 2000, Windows XP, Windows Server 2003, Windows Server 2008. For more information, see the Affected Software section on the Advance Notification web page referenced below.

Exchange Server Bulletin Affected Software:
  • Exchange Server 2003 and Exchange Server 2007. For more information, see the Affected Software section on the Advance Notification web page referenced below.

Update to Windows Update Mechanism

The Microsoft Update Product Team Blog reported that beginning at the end of July and continuing over the next few months, Microsoft will be rolling out an infrastructure update to the Windows Update agent (client).

According to the report, the purpose of this update is to provide improvements in the length of time it takes Windows Update to scan for updates and how quickly signature updates will be received. In testing, the improvements have reduced the scan times on some machines almost 20 percent.

In addition to the update announcement, Windows Update Product Manager Michelle Haven provided a review of the Windows Update options and how the settings affect your computer.

For additional information on Windows Updates, see my tutorial, Understanding Microsoft Updates. Also note that malware can change your Automatic Update settings. To protect those settings refer to Detect Changes to Windows Automatic Updates with WinPatrol.

Microsoft Security Advisory 955179

Microsoft has released Security Advisory 955179, "Vulnerability in the ActiveX Control for the Snapshot Viewer for Microsoft Access Could Allow Remote Code Execution".

The vulnerability only affects the ActiveX control for the Snapshot Viewer for Microsoft Office Access 2000, Microsoft Office Access 2002, and Microsoft Office Access 2003. The ActiveX control is shipped with all supported versions of Microsoft Office Access except for Microsoft Office Access 2007. The ActiveX control is also shipped with the standalone Snapshot Viewer.

There are manual workarounds included in the Advisory which Microsoft has tested. However, those workarounds require editing the registry. A simpler solution is available for WinPatrol users.
  1. Launch WinPatrol and select the ActiveX tab.
  2. Be sure the "List non-Microsoft controls only" box is UNchecked.
  3. Click on the CLSID column twice to sort in reverse order.
  4. One-by-one, scroll to each of the CLSID entries below.
  5. Select the line and click "Disable".
  6. Accept the prompt.
{F0E42D50-368C-11D0-AD81-00A0C90DC8D9}
{F0E42D60-368C-11D0-AD81-00A0C90DC8D9}
{F2175210-368C-11D0-AD81-00A0C90DC8D9}
After Microsoft has issued an update, merely reverse the process.

For further information on this advisory, see Snapshot Viewer ActiveX Control Vulnerability and Security Advisory 955179.

Additional information about ActiveX control in WinPatrol 2008 is available in Announcing WinPatrol 2008 With ActiveX Control.

Thursday, 19 December 2013

Windows 7 Launch = Success!

Hello, Windows 7!

Windows 7 Default Desktop, designed by Chuck Anderson

Although the Windows 7 launch events were scaled down from the Windows Vista launch, there was no less enthusiasm on the part of Microsoft employees, partners and Windows fans. If you missed the launch event, it is available at Microsoft PressPass.

The full video is 54:02 in length, but worth the time. I particularly enjoyed the demonstration by Brad Brooks, corporate vice president, located around the 29-minute mark. Of course, Kylie, the little girl who won hearts around the world, made everyone smile when she introduced Steve Ballmer.

Kylie, from the Windows commercials, introduces Microsoft CEO Steve Ballmer at the launch event in New York City on Oct. 22. (Silverlight Required)

If you are in the market for a new PC, check what is available in Brandon's Guide to Awesome New Windows 7 PCs. From there, move on to the refreshed Windows 7 web site, being sure not to miss the 7 days of Windows 7 savings.

Edit Note: As pointed out in the comments, if available in your country, the URL link for the "7 days of Windows 7 savings" offers will vary. The above link is to the U.S. site.

Firefox and Opera Browser Updates

Browser updates were released yesterday for Mozilla Firefox and today for Opera. Details and download links for both browsers follow:

Firefox 3.5.4

In addition to the security fixes listed below, the update to Firefox fixed several stability issues, added the ability to re-submit crash reports and addressed the issue where after using Clear Recent History some SSL sites would not load all images and styles without pressing reload.

To get the update, click Help -> check for updates.

Security Issues:
  • MFSA 2009-64 Crashes with evidence of memory corruption (rv:1.9.1.4/ 1.9.0.15)
  • MFSA 2009-63 Upgrade media libraries to fix memory safety bugs
  • MFSA 2009-62 Download filename spoofing with RTL override
  • MFSA 2009-61 Cross-origin data theft through document.getSelection()
  • MFSA 2009-59 Heap buffer overflow in string to number conversion
  • MFSA 2009-57 Chrome privilege escalation in XPCVariant::VariantDataToJS()
  • MFSA 2009-56 Heap buffer overflow in GIF color map parser
  • MFSA 2009-55 Crash in proxy auto-configuration regexp parsing
  • MFSA 2009-54 Crash with recursive web-worker calls
  • MFSA 2009-53 Local downloaded file tampering
  • MFSA 2009-52 Form history vulnerable to stealing

Advance Notice: Security Updates for Java SE

The Sun Security Blog published the following update announcement:
"On November 3, 2009, Sun will release the following security updates:
  • JDK and JRE 6 Update 17
  • JDK and JRE 5.0 Update 22
  • SDK and JRE 1.4.2_24
  • SDK and JRE 1.3.1_27
The following Sun Alerts corresponding to these updates will be released following the availability of these updates.
  • 269868
  • 269869
  • 269870
  • 270474
  • 270475
  • 270476"

Fix it Solution for Windows 7 Upgrade Hanging at 62%

When upgrading from Windows Vista to Windows 7, a number of people have experienced the situation where the upgrade stops responding at 62% and does not resume. In addition, Windows creates a file that is named system_drive:\$WINDOWS.~BT\Sources\Panther\setupact.log.

As explained in Microsoft Knowledge Base Article 975253, Upgrade stops responding (hangs) at 62% when you upgrade to Windows 7, this is because the Iphlpsvc service stops responding during the upgrade. According to KB 975253, it could also be other services causing a problem which results in the upgrade process hanging at 62%.

Today Microsoft released a Fix it that corrects the problem automatically. Note the caveat below, which specifically indicates that this solution is only to be used if the upgrade stops at 62%.

Important
The Fix it solution is ONLY for upgrades that stop responding at 62%. Do NOT use it if the upgrade stops responding at a different percentage or if the expected log entries are not present.
From KB 975253:

Fix it for Me

To fix this problem automatically, restart the computer where the upgrade to Windows 7 fails at 62%. Your computer will roll back to Windows Vista. Either download the following fix to a flash drive or to a CD or return to this article on the machine where the upgrade fails. If you return to this article on the machine where you experience this problem, click the Fix this problem link. Click Run in the File Download dialog box, and follow the steps in the Fix it wizard.

Critical Security Update for Sun Java JRE 6

Sun Microsystems released update 17 for Java SE JDK 6 and Java SE JRE 6. The update addresses multiple vulnerabilities. These vulnerabilities include arbitrary code execution, privilege escalation, denial of service, and information disclosure.

For detailed information on the updates, see Sun Alerts 269868, 269869, 269870, 270474, 270475, and 270476.

For English-language operating systems, the download link is located at: Java SE Runtime Environment 6u17.



Note: UNcheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.

Advance Notice: November 2009 Microsoft Security Bulletin Release



On November 10, 2009, Microsoft is planning to release six bulletins (three critical and three important) addressing 15 vulnerabilities that could allow Remote Code Execution. The affected products include Windows and Microsoft Office. A restart will be needed in order to install the updates.

According to the Advance Notification, Bulletins 1-4 are planned for Windows (three Critical, one Important). The remaining two bulletins are updates for Microsoft Office and are designated Important.

Microsoft Security Bulletin: November 2009


Microsoft released six security bulletins addressing a total of 15 vulnerabilities. Four affect Windows and Windows Server and two affect Microsoft Office products (Excel and Word). In-depth technical detail on MS09-063, MS09-064 and MS09-065 is available at the Security Research & Defense team blog at this link.
Microsoft also re-released MS09-045 to add detection for users who may be running JScript 5.7 on Windows 2000 Service Pack 4. MS09-051 was re-released to update Audio Compression Manager on Microsoft Windows 2000 Service Pack 4 to fix a detection issue.
  • MS09-063 - addresses a vulnerability in Windows (KB 973565)
  • MS09-064 - addresses a vulnerability in Windows (KB 974783)
  • MS09-065 - addresses a vulnerability in Windows (KB 969947)
  • MS09-066 - addresses a vulnerability in Windows (KB 973309)
  • MS09-067 - addresses a vulnerability in Microsoft Office (KB 972652)
  • MS09-068 - addresses a vulnerability in Microsoft Office (KB 976307)

Microsoft Security Advisory 977544 Released




Microsoft released Security Advisory 977544, "Vulnerabilities in SMB Could Allow Denial of Service", on November 13, 2009.

From the MSRC Blog:
"Today we released Security Advisory 977544 to provide information, including customer guidance, on a publicly reported Denial-of-Service (DoS) vulnerability affecting Server Messaging Block (SMB) Protocol. This vulnerability, in SMBv1 and SMBv2, affects Windows 7 and Windows Server 2008 R2. Windows Vista, Windows Server 2008, Windows XP, Windows Server 2003 and Windows 2000 are not affected.
I want to be clear that this is a DoS vulnerability that is unrelated to Microsoft Security Bulletin MS09-050 which addressed a remote code execution vulnerability in the SMBv2 protocol. This vulnerability would not allow an attacker to take control or install malware on a user’s system, but could cause the affected system to stop responding until manually restarted."

Mitigating factors are provided in Microsoft Security Advisory 977544:
"Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed. In this case, the SMB ports should be blocked from the Internet."

For complete information, see Microsoft Security Advisory 977544 for an overview of the issue, details on affected components, mitigating factors, suggested actions, frequently asked questions (FAQs), and links to additional resources.

Passwords and User Names

Unfortunately, very little has changed in how computer users select passwords over the past several years. Compare the following list of the top 10 passwords most used in automated attacks, reported by the Microsoft Malware Protection Center in Do and don’ts for p@$w0rd$, with the PC Magazine list of the 10 most commonly used passwords online, published by Threadwatch.org in 2007:

Microsoft List - November, 2009:
  1. password
  2. 123456
  3. #!comment:
  4. changeme
  5. F**kyou (edited)
  6. abc123
  7. peter
  8. Michael
  9. andrew
  10. matthew
PC Magazine list - April, 2007:
  1. password
  2. 123456
  3. qwerty
  4. abc123
  5. letmein
  6. monkey
  7. myspace1
  8. password1
  9. blink182
  10. your first name
Similarly, the MMPC provided this list of the top 10 most common user names used in automated attacks:
  1. Administrator
  2. Administrateur
  3. admin
  4. andrew
  5. dave
  6. steve
  7. tsinternetuser
  8. tsinternetusers
  9. paul
  10. adam

From the report, Francis Allan Tan Seng and Andrei Saygo provide this advice:
"We just want to make users aware of the fact that passwords of around 8-10 characters (the average length of passwords that are normally used for Internet accounts) are used in attacks. Even a long password (10 to 15, or even 20 characters) isn’t good enough if it’s dictionary-based. As seen in the table above, there are passwords in dictionaries that are even using special characters (for example #!comment: ), not only numbers and letters.
You should take good care of what user name and password you're choosing. If your account has no limit on the number of login attempts, then knowing the user name is like having half of the job done. Especially for the user names from the top 10 (and mainly for the Administrator/Administrateur accounts), the passwords shouldn’t be picked lightly.
Usually we choose easy to type and/or easy to remember passwords, but please don’t forget that those passwords (for the moment) are the most commonly used for authentication on the Internet so they need to be strong.
The three basic things to remember when creating a strong password are the following:
1. Use a combination of letters, numbers and special characters. Also, remember that some dictionaries used in attacks have a "l33t" mode, which allows common letter/number-to-special character substitutions (like changing a-@, i-1 ,o-0 and s=$, for example, password = p@$$w0rd). Therefore, mix them in different ways so that they are not predictable.
2. Use a combination of upper and lower case letters.
3. Make it lengthy. A longer password does not necessarily mean it is strong but it can help in some cases."
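The dictionary and "l33t mode" checks described in the advice above, as an added Python example (not code from the MMPC post or from this blog): it undoes the four substitutions the advice names before comparing against a deny list built from the top-10 lists reproduced above, and applies the three rules. The 12-character minimum is an assumed policy value, and a real deployment would use a far larger dictionary than these lists.

```python
import string

# Deny list constructed from the two top-10 password lists reproduced above
# (MMPC, November 2009, and PC Magazine, April 2007). Entries are compared
# after normalization, so "p@$$w0rd" still matches "password".
COMMON_PASSWORDS = {
    "password", "123456", "#!comment:", "changeme", "abc123", "peter",
    "michael", "andrew", "matthew", "qwerty", "letmein", "monkey",
    "myspace1", "password1", "blink182",
}

# Top-10 user names seen in automated attacks (MMPC list above).
COMMON_USERNAMES = {
    "administrator", "administrateur", "admin", "andrew", "dave", "steve",
    "tsinternetuser", "tsinternetusers", "paul", "adam",
}

# The substitutions the MMPC advice names (a->@, i->1, o->0, s->$).
# Attack dictionaries apply them forward; we undo them before lookup.
# Real "l33t" dictionaries use more substitutions than these four.
UNLEET = str.maketrans({"@": "a", "1": "i", "0": "o", "$": "s"})

# Assumed policy minimum; the advice itself only says length "can help".
MIN_LENGTH = 12


def normalize(password):
    """Return the dictionary keys a password must be checked under:
    the lower-cased form and its de-l33ted form (both are needed, since
    undoing "1"->"i" would otherwise turn "123456" into "i23456")."""
    lowered = password.lower()
    return {lowered, lowered.translate(UNLEET)}


def assess(username, password):
    """Return a list of findings for a user name / password pair.
    An empty list means the pair passes every check."""
    findings = []
    if username.lower() in COMMON_USERNAMES:
        findings.append(
            f"user name '{username}' is among the most-attacked user names")

    variants = normalize(password)
    if variants & COMMON_PASSWORDS:
        findings.append("password matches an attack dictionary entry "
                        "(after undoing l33t substitutions)")
    if username.lower() in variants:
        findings.append("password is the user name")

    # Rule 3: length.
    if len(password) < MIN_LENGTH:
        findings.append(f"password is shorter than {MIN_LENGTH} characters")

    # Rule 1: letters, numbers and special characters together.
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(c in string.punctuation for c in password)
    if not (has_alpha and has_digit and has_special):
        findings.append(
            "password does not mix letters, numbers and special characters")

    # Rule 2: upper and lower case together.
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    if not (has_upper and has_lower):
        findings.append("password does not mix upper and lower case")

    return findings


if __name__ == "__main__":
    # "p@$$w0rd" satisfies rule 1 yet is still a dictionary word.
    for user, pw in [("Administrator", "p@$$w0rd"),
                     ("jsmith", "Tr0ub4dor&Correct-Horse")]:
        print(user, pw, assess(user, pw) or "OK")
```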

Security Advisory for Adobe Flash Player


Adobe released Security Advisory APSB09-19 affecting Adobe Flash Player 10.0.32.18 and earlier versions and Adobe AIR 1.5.2 and earlier versions. Adobe has announced a security update to resolve critical security issues in these products on Tuesday, December 8, 2009.
As defined by Adobe, a critical security issue is a vulnerability which, if exploited, would allow malicious native code to execute, potentially without the user being aware.

Thursday, 12 December 2013

Do You Need Java?



Shortly after Oracle released their quarterly update, which addressed twenty-nine security flaws in Java SE, a frustrated forum poster asked, "How can I determine if I need Java?" Along with removal instructions, my reply included the following reasons why someone may need Oracle Sun Java installed on their computer:
  • Playing on-line games generally requires Java.
  • With OpenOffice, Java is needed for the items listed here.
  • It used to be that Java was needed for websites to be properly displayed. However, that is generally not the case now with Flash having taken over.
  • There may be commercial programs that depend on Java. If Java is needed for software installed on your computer, there should be a prompt for it.
There is no question that the forum poster's question was very timely. As reported by Holly Stewart in an MMPC Blog post, there has been "an unprecedented wave of Java exploitation." The report continues:
"In fact, by the beginning of this year, the number of Java exploits (and by that I mean attacks on vulnerable Java code, not attacks using JavaScript) had well surpassed the total number of Adobe-related exploits we monitored.  See chart below for details:
[Chart: Java and PDF attacks through 2010 Q3]
The Java spike in Q3 is primarily driven by attacks on three vulnerabilities, which all, by the way, have had patches available for them for some time now.  The first two, in particular, have gone from hundreds of thousands per quarter to millions:
CVE | Attacks | Computers | Description
CVE-2008-5353 | 3,560,669 | 1,196,480 | A deserialization issue in vulnerable versions of JRE (Java Runtime Environment) allows remote code execution through Java-enabled browsers on multiple platforms, such as Microsoft Windows, Linux, and Apple Mac OS X.
CVE-2009-3867 | 2,638,311 | 1,119,191 | Another remote code execution, multi-platform issue caused by improper parsing of long file:// URL arguments.
CVE-2010-0094 | 213,502 | 173,123 | Another deserialization issue, very similar to CVE-2008-5353."

Whether you keep Java or decide to uninstall it from your computer, it is necessary to look not only for the Java(TM) 6 Update (number) but also for any installation with J2SE, Java(TM) 5, or Java(TM) SE Runtime Environment 6.  It is also advisable to remove the leftover files in your downloads folder.

In the event you keep Java installed, there should only be the current version in add/remove programs (as of this posting, Java(TM) 6 Update 22, available at Java SE Runtime Environment 6u22).


Since Java updates tend to leave leftovers, JavaRa is recommended.  Freð ðe Vries provided notice that JavaRa has been silently updated to reflect the publication of Oracle's Java JRE 1.6.0.22. Leftovers up to Oracle Sun Java 1.6.0.21 are now cleaned by JavaRa.  Simply download JavaRa and unzip it to your desktop.

  • Double-click on JavaRa.exe to start the program.  (Windows Vista and Windows 7 users right-click JavaRa.exe > Select Run as Administrator)
  • Click on Remove Older Versions to remove older versions of Java.

Mozilla Firefox 3.6.11 Security Update



Mozilla released Firefox version 3.6.11 to address a number of critical security issues as well as several stability issues.

If not prompted to update, existing Firefox users can update via Help > Check for Updates.

Fixed in Firefox 3.6.11

MFSA 2010-72 Insecure Diffie-Hellman key exchange
MFSA 2010-71 Unsafe library loading vulnerabilities
MFSA 2010-70 SSL wildcard certificate matching IP addresses
MFSA 2010-69 Cross-site information disclosure via modal calls
MFSA 2010-68 XSS in gopher parser when parsing hrefs
MFSA 2010-67 Dangling pointer vulnerability in LookupGetterOrSetter
MFSA 2010-66 Use-after-free error in nsBarProp
MFSA 2010-65 Buffer overflow and memory corruption using document.write
MFSA 2010-64 Miscellaneous memory safety hazards (rv:1.9.2.11/ 1.9.1.14)

Windows Live Essentials on Microsoft Update


With the release of Windows Live Essentials 2011, the Microsoft Product Update Team announced that it will be available through Windows Update, starting October 19, 2010.  (Note:  Windows Live Essentials 2011 is not compatible with Windows XP.)

Windows Vista and Windows 7 users will be offered the update as a "Recommended Update" if any one of the Windows Live software programs is installed.

If you do NOT have any of the Windows Live Essentials programs installed on your computer, it will still be offered but as an "Optional Update".   It is not necessary to install if you do not use any of the programs.

Live Mesh is being replaced by Windows Live Mesh.  As a result, support for Live Mesh ends March 31, 2011 and the beta will stop working.  After that date, you will not be able to access any files stored online in your Live Desktop or connect to your PCs remotely using the Live Mesh software. In addition, your files will also stop syncing between your computers and your Live Mesh online storage. 


The system requirements for Windows Live Essentials 2011 are provided in Microsoft KB Article 2434419:
Windows Live Essentials requires the following
  • Operating system: 32- and 64-bit editions of Windows Vista Service Pack 2 with the Platform Update for Windows Vista; or Windows 7; or Windows Server 2008 with Service Pack 2 and the Platform Update for Windows Server 2008; or Windows Server 2008 R2.
  • Processor: 1.6 GHz or higher
  • Memory: 1 GB of RAM or higher
  • Resolution: Minimum: 1024 × 576
  • Internet connection: Internet functionality requires dial-up or broadband Internet access (provided separately). Local or long-distance charges may apply.
  • Graphics or video card: Windows Live Movie Maker requires a video card that supports DirectX 9 or higher and Shader Model 2 or higher.
  • For Photo Gallery and Movie Maker: Some required components of DirectX 9 may be installed for you if they're not already on your computer.
  • For Windows Live Mesh: To run Windows Live Mesh on a Mac, you must have OS X 10.5 or newer installed. If you already installed an earlier version of Window Live Sync beta or Live Mesh beta, please see the detailed release notes (http://explore.live.com/windows-live-2011-release-notes) for additional requirements.

The Active Geek - Inaugural Edition



For those working behind the scenes, the long-awaited inaugural edition of The Active Geek has been published. 

"Driven by a community of tech bloggers and enthusiasts, The Active Geek is the perfect guide for all your tech needs." Sample titles of articles in the inaugural edition of The Active Geek include “Internet Explorer 9 Beta”, “Turn your PC to a home theater”, “Windows 7 Super Guide”, and “Power Up your Office Work with Office 2010”.

Not to be missed is an interview with Robert Margel, the Microsoft Online Site Manager for Windows in the U.K., by Microsoft MVP Lead and The Active Geek editor, Abhishek Baxi. Of course, I hope you also enjoy my article, “Cyber Security, Our Shared Responsibility”.

To celebrate the inaugural edition, over 50 licenses of amazing products from reputed companies are included in a giveaway.  To be eligible to participate in the Inaugural Edition Giveaway, subscribe to The Active Geek on or before 20 November 2010.  Details about the giveaway are available here. 

Microsoft Security Essentials Offered via Windows Update


One of the forums where I am active had a post asking about Microsoft Security Essentials (MSE) being offered as an optional update via Windows Update. The image posted leads to Microsoft KB Article 2267621, which explains that MSE is being offered as an optional update to Windows XP, Windows Vista, and Windows 7 users who subscribe to Microsoft Windows Update.

The KB Article continues to explain:
"If you are not currently running anti-malware software on your computer then you may be vulnerable to spyware, viruses, and other malicious software. Microsoft Security Essentials is free anti-malware software and it is strongly recommended that you download and install it. Microsoft Security Essentials is licensed for use on home PCs and by small businesses with 10 or fewer PCs."
If you do not have antivirus software installed on your computer, you may elect to install MSE. The software is free for personal use as well as small businesses with ten or fewer PCs.

What do you do if you do not want to install MSE on your computer?

Hide the update.  Right-click the update and choose Hide Update. If you later change your mind, on the main Windows Update page, click Restore Hidden Updates.  Even if you elect to install MSE on your computer, you will probably want to hide any unneeded language packs.

Mozilla Firefox 3.6.12 Critical Update to Address Zero-Day




It was just yesterday that Mozilla reported a Critical vulnerability in Firefox 3.5 and Firefox 3.6.  As of this posting, although the release notes for Firefox version 3.6.12 are live, the update is not yet available on the servers.  (Edit Note:  The update is available now.)

Firefox users are advised to follow the instructions below from the Mozilla advisory to disable JavaScript and install NoScript.
"Issue:
Mozilla is aware of a critical vulnerability affecting Firefox 3.5 and Firefox 3.6 users. We have received reports from several security research firms that exploit code leveraging this vulnerability has been detected in the wild.
Impact to users:
Users who visited an infected site could have been affected by the malware through the vulnerability. The trojan was initially reported as live on the Nobel Peace Prize site, and that specific site is now being blocked by Firefox’s built-in malware protection. However, the exploit code could still be live on other websites.

Status:
We have diagnosed the issue and are currently developing a fix, which will be pushed out to Firefox users as soon as the fix has been properly tested.

In the meantime, users can protect themselves by doing either of the following:
  • Disabling JavaScript in Firefox
  • Using the NoScript Add-on"

To manually check for the update, click Help and Check for Updates.

Windows Live Essentials 2011 Data Collection


I was rather surprised when the message below rolled up in front of my browser window today. 


Apparently, after installing Windows Live Essentials or the Bing Bar, you will be asked if you want to help Microsoft improve their products.  Strange that I just got the pop-up today.  I have had the Windows Live Essentials on this computer for some time and the Bing Bar was on, off, back on, off, again.

From the "Learn More" link, I discovered that the purpose is to improve Windows Live and the Bing Bar.  If you see this "pop-up" it is very important to note a few important points:

  • Participation is completely voluntary; you can uncheck one, two or all three options.
  • No data will be collected without your agreement to participate (leave the last box checked).
  • All collected data is confidential.

What if you decide to opt-out after you agreed to the data collection?  You can change the setting for Windows Live Essentials by changing the "Help improve Windows Live" setting in the options of any Windows Live program.

Follow the steps below to stop participating in the Bing Bar program:
  1. Launch your browser.
  2. On the right side of Bing Bar, click the Toolbar options button.
  3. Click Quality, select No, I don't want to participate, and then click OK.

Critical Zero-Day, Adobe Products Security Advisory



Yet again we are faced with another critical security advisory for Adobe products.  This time the vulnerability affects Adobe Flash Player, Adobe Reader and Adobe Acrobat.  From the Adobe Security Advisory:
"This vulnerability (CVE-2010-3654) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against Adobe Reader and Acrobat 9.x. Adobe is not currently aware of attacks targeting Adobe Flash Player."
As described at The Register, the Adobe Reader/Acrobat exploit can install a backdoor trojan known as Wisp, which steals sensitive data and installs a backdoor on compromised systems. The vulnerability in Adobe's Flash Player drops two malicious binaries onto Windows machines that open the document files.

Adobe provided mitigations for Adobe Reader/Acrobat customers on all platforms in the Security Advisory. Personally, I prefer to use an alternate PDF reader and have been satisfied with the performance of Sumatra PDF.


Mitigations for Windows users:
"Deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat 9.x mitigates the threat for those products, but users will experience a non-exploitable crash or error message when opening a PDF file that contains Flash (SWF) content.

The authplay.dll that ships with Adobe Reader and Acrobat 9.x for Windows is typically located at C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll for Adobe Reader or C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll for Acrobat."

Updates:

An update for Adobe Flash Player is expected by November 9, 2010.  Adobe Reader and Acrobat 9.4 are expected to be updated during the week of November 15, 2010.

The Office 2010 Beta Has Expired!




If you were using the Office 2010 Beta and discovered that it has suddenly stopped working, that is because the Beta officially expired yesterday, October 31, 2010.

It is necessary to uninstall the Beta software from your computer before you can use the released version of Office 2010. To do this, go to the Control Panel in Windows 7 (or Windows Vista) and click "Uninstall a Program". 

In the event you have not completed evaluating Office 2010, a fully functional 60-day trial version is available at Office.com. You can also purchase your licensed copy of Office 2010 from the same page or purchase the boxed version.

For anyone not familiar with the changes and new features in Office 2010, the "What's New" articles below will provide a helpful overview:
What's new in Access 2010
What's new in Excel 2010
What's new in Outlook 2010
What's new in OneNote 2010
What's new in Publisher 2010
What's new in Word 2010
Office 2010 migration guides

Microsoft Security Advisory 2458511 Released




Microsoft released Security Advisory 2458511 which relates to a vulnerability in Internet Explorer that could allow remote code execution.  The vulnerability does not affect IE9 Beta but the other versions of IE are affected.

As indicated in the MSRC Blog, the impact of this vulnerability is extremely limited. Microsoft is not aware of any affected customers. The report indicated that the exploit code was discovered on a single website, which is no longer hosting the malicious code.


It is important to note that all attacks Microsoft has seen are blocked by DEP, which is enabled by default on IE8 and can also be enabled for earlier versions of IE. Additional mitigations are described in DEP, EMET protect against attacks on the latest Internet Explorer vulnerability and the Security Advisory.

Wednesday, 11 December 2013

How to Use the New Microsoft Safety Scanner


The newly released Microsoft Safety Scanner is a replacement for the Windows Live OneCare Scanner.  The Windows Live OneCare Scanner was eliminated when support ended for Windows Live OneCare. 

If you think your computer has a virus that your current antivirus software missed or is unable to remove, the Microsoft Safety Scanner helps remove viruses, spyware, and other malicious software. The Microsoft Safety Scanner works alongside your existing antivirus software but is not a replacement for a resident antivirus program. There is no charge to use the Microsoft Safety Scanner.


Note

The Microsoft Safety Scanner expires ten (10) days after being downloaded. In order to scan after that time, download the Microsoft Safety Scanner again in order to get the latest anti-malware definitions.

As illustrated by the following images, the scanner is easy to use. You can download the Microsoft Safety Scanner to run on your own computer, or to removable media (e.g., a thumb drive) to transport it to another computer that is infected.

Download


Clicking the "Download" button provides a prompt to select the 32-bit or 64-bit version.

If you are downloading the scanner for use on a different computer, be sure you know the correct operating system (32- or 64-bit).



Save the file to a convenient location.  When launching, Windows 7 and Windows Vista users will be asked to approve a UAC prompt.




After launching, you are presented with an end user license agreement.  The terms must be accepted in order to run the scan.

Scanning

One more Next click gets you to the point of selecting the type of scan you want the scanner to run.







Knowing my computer is not infected, I selected a Quick scan. 

To provide "breathing space" on an infected computer, run a Quick Scan first and then follow with a Full scan.  If you have a lot of files, the scan may take up to several hours to complete.  Allow plenty of time for the scan to run to completion. 





The Quick Scan was indeed fast and only took a few minutes to complete.












After the scan has completed click Finish to close the program.



Remember, the Microsoft Safety Scanner is not a substitute for a resident antivirus software program.  It expires ten (10) days after being downloaded. In order to scan after that time, download the Microsoft Safety Scanner again in order to get the latest anti-malware definitions.