OpenOffice.org security flaws identified, some patched

Robert McMillan of InfoWorld: Top News reports OpenOffice.org security 'insufficient'. “With Microsoft Corp.'s Office suite now being targeted by hackers, researchers at the French Ministry of Defense say users of the OpenOffice.org software may be at even greater risk from computer viruses… “The general security of OpenOffice is insufficient,” the researchers wrote in a paper entitled “In-depth analysis of the viral threats with OpenOffice.org documents.” … “This suite is up to now still vulnerable to many potential malware attacks,” they wrote.”

Despite the negative tone of the beginning of this article, it's more good news for OO.o than bad. First, the one major flaw that was found has been patched – yeah, Open Source! – and you'll want to ensure you're running the latest OpenOffice.org. The second positive spin of the article is the tone: governments and companies are seriously evaluating OpenOffice.org as a replacement for their current office products. I wonder if this change in the tone has to do with the acceptance of the Office Document Format as a recognized international standard.

But don't just take my word for it…

Microsoft Watch from Mary Jo Foley reports Patch Windows Now, Homeland Security Warns. “The Department of Homeland Security has spoken. Apply the patches in the MS06-040 security bulletin for Windows, which Microsoft released on August 8, the agency is warning users.”

Microsoft's Monthly Security Patches for August 2006

I received the “Microsoft Security Bulletin Summary for August, 2006” in my inbox this morning. You'll want to sign up on the Microsoft site if you don't get this email and have responsibility for supporting and protecting Windows machines. You can find the bulletin here.

Nearly all the 12 items were rated critical and resulted in “Remote Code Execution” – in other words, someone else taking over your machine. Every still-supported version of Windows – Windows 2000 SP4 through Windows Server 2003 – is affected. Individual applications getting patched include all the Office products, VBA-enabled products, and nearly anything with HTML: Internet Explorer, HTML Help, Microsoft Management Console. Get patching!

MS06-040 – Vulnerability in Server Service Could Allow Remote Code Execution (921883)

MS06-041 – Vulnerability in DNS Resolution Could Allow Remote Code Execution (920683)

MS06-042 – Cumulative Security Update for Internet Explorer (918899)

MS06-043 – Vulnerability in Microsoft Windows Could Allow Remote Code Execution (920214)

MS06-044 – Vulnerability in Microsoft Management Console Could Allow Remote Code Execution (917008)

MS06-046 – Vulnerability in HTML Help Could Allow Remote Code Execution (922616)

MS06-047 – Vulnerability in Microsoft Visual Basic for Applications Could Allow Remote Code Execution (921645)

MS06-048 – Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (922968)

MS06-051 – Vulnerability in Windows Kernel Could Result in Remote Code Execution (917422)

MS06-045 – Vulnerability in Windows Explorer Could Allow Remote Code Execution (921398)

MS06-049 – Vulnerability in Windows Kernel Could Result in Elevation of Privilege (920958)

MS06-050 – Vulnerabilities in Microsoft Windows Hyperlink Object Library Could Allow Remote Code Execution (920670)

We're up to 51 patches on the 32nd week of the year. It's pretty apparent that whatever Trustworthy Computing brings us, it won't be a static thing.

Converting an existing Windows install into a VM

Here is a clever solution to the problem of trying to remember all of your passwords, settings, configurations and so forth when converting your current OS into a VM: back up your old installation and restore it into a clean VM. There may be problems with drivers and such, since the VM “hardware” may not work with all the drivers you have installed, but it sure looks like it could be a timesaver.

Microsoft: Our customers are dumb

OSNews points to a ZDNet article, Microsoft: ‘Open Source Is Too Complex’. “Although open-source software can be customized to meet a company’s specific needs, its inherent complexity could dent the profitability of independent software vendors, says Microsoft. “One of the beauties of the open-source model is that you get a lot of flexibility and componentization. The big downside is complexity,” Ryan Gavin, Microsoft’s director of platform strategy, said.”

An ISV has to know what they are getting into, and have sufficient support to deal with the challenges of many platforms. The same is true if you choose to support Windows XP, XP Home, XP Media Center, XP Tablet, Windows 2000, Windows Server 2003 on standalone, networked, workgroup, domain and Active Directory models. The claim that supporting Linux is more difficult because there’s more than one vendor (all of the majors adhering to the Linux Standard Base) is FUD. If you have to support home users with Windows 95 or do-it-yourselfers with a hand-built Linux kernel, the challenges are the same. It may be easy for Microsoft to tell ISVs that Windows is easier to work with, but I’d like to see Microsoft prove it. Truth Happens. Unbend the Truth.

Microsoft claims that computer technology is complex, and they are smarter about making those decisions than their customers. If they are not careful, they’ll prove that: the smart customers will leave.

Microsoft to ship a dozen on Patch Tuesday

Microsoft Watch from Mary Jo Foley is reporting Windows Fixes to Dominate Patch Day Dozen. “Expect from Microsoft a dozen new security bulletins, with plenty of Windows patches – a number of which will be deemed “critical,” on August 8.”

Pencil in some time Tuesday or Wednesday for patching and rebooting.

Asta La Vista My Computer, now it's Their Computer

In Fun with User Access Control in Vista… Argh!!!, Microsoft MVP and Developer Extraordinaire Rick Strahl bemoans:

Vista Security is tight and I can understand the need to lock down the system to some degree. But UAC is nothing short of annoying, so much so that it becomes a totally worthless feature. After using UAC for a few minutes you won't be reading any prompts and blindly prompting every link spawned. This is not security – this is making things worse by giving people a false sense of security… It's relatively straightforward to turn off UAC, but as it turns out this doesn't quite get you all the way where you might expect.

He documents a situation in which the Administrator of the machine is unable to delete a directory. Is this a feature? When a skilled and experienced operator can't find a way to work through a system to repair a problem, there's something deeply wrong. Read Rick's entire post here.

PowerPoint Zero-Day Vulnerability in the Wild

Slashdot post PowerPoint ZeroDay Vulnerability Exploited. “whitehatlurker writes to mention a WashingtonPost.com article about another unpatched flaw with Microsoft Office. The bug, part of the PowerPoint software, has already been used in the wild, and may be connected to an industrial espionage case.”

1. Never EVER open an untrusted document, whether it is Word or PowerPoint or a PDF or a video.

2. There are no trusted documents.

What #2 means is that whenever a document arrives appearing to be from a friend or a co-worker, you should always confirm that it really is from them. Most of the time, you've had a conversation in advance. Social engineering works by making you think that a document is part of a normal exchange. If Bob in accounting sends some nondescript “check this out” message with an attachment that appears to be a spreadsheet, it's worth taking a couple seconds to verify it's really from him. Malware steals other people's email address books, so the mail could appear quite legitimate.

Microsoft Monthly Patch: 7 Patches, 5 Critical, Remote Code Execution – patch now!

OSNews also notes Microsoft Patches Seven Vulnerabilities. “Microsoft alerted us this time about seven vulnerabilities of which five were rated critical and two important. There are vulnerabilities in the Server service, the DHCP Client service, Excel and Office that could allow remote code execution.”

Seven patches, 5 Critical with Remote Code Execution possibilities, 2 Important, which includes Remote Code Execution within IIS. Bulletins MS06-033 through MS06-039 issued on the 28th week of the year. It looks like this kind of velocity, more than one per week, has been steady at Microsoft for nearly three years now. I would have expected the more secure IIS6 and Windows Server 2003 to stem the flow a bit. But these products continue to be listed in the affected systems list. Hmm.

MS06-033: Vulnerability in ASP.NET Could Allow Information Disclosure (917283)

MS06-034: Vulnerability in Microsoft Internet Information Services using Active Server Pages Could Allow Remote Code Execution (917537)

MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159)

MS06-036: Vulnerability in DHCP Client Service Could Allow Remote Code Execution (914388)

MS06-037: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (917285)

MS06-038: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (917284)

MS06-039: Vulnerabilities in Microsoft Office Filters Could Allow Remote Code Execution (915384)

Security is not a feature, it's a process. Patch now to avoid more problems later.

This work by Ted Roche is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 United States.