Archive | Microsoft

Microsoft’s Tuesday the 13th Security Bulletin

********************************************************************
Title: Microsoft Security Bulletin Summary for March 2007
Issued: March 13, 2007
Version Number: 1.0
Bulletin Summary: http://go.microsoft.com/fwlink/?LinkId=85543
********************************************************************

Summary:
========

Microsoft has not released any security bulletins on March 13, 2007.

Wow. Imagine that. Division by zero.

Preserving our documentation for posterity

Recently, I received a diagram created in Microsoft Visio I wanted to examine and possibly edit. It turns out that OpenOffice.org Draw does not have an import module for the proprietary (and apparently undocumented) .vsd format, nor can I find another FOSS product that does. This is one of the reasons to keep a Windows machine around – to read the proprietary format files. Or it should be. My version of Visio is a version or two old, and it wouldn’t read it either. I asked my co-worker to send the diagram in another format I could use. We tried a number of them. SVG (Structured Vector Graphics) is a standard format and OpenOffice.org has a filter for it. However, it turns out that Microsoft uses proprietary extensions to the format for items like word wrap and the filter won’t read them (neither will Gnome image viewer nor FireFox nor Dia). EPS, EWF and WMF are more standard and were readable, but the graphics are reduced to primitives at that point with no larger structure. Drawing Exchange Format (.DXF), which might have come from AutoCAD, is equally illegible.

The .VDX format is XML, so I had some hopes for that. It looks like the Dia diagramming tool will work with .VDX files with a plugin. [Update: irony of ironies: the VDX plugin link is now dead. Good news: VDX is now a built-in import/export filter.]

What a disappointment. While we are not writing anything particularly profound that needs to be preserved for posterity, it would be nice to know we could read the files in a few months on our platforms of choice. Vendors need to get more serious about interoperable, open formats.

BBC NEWS | Technology | Microsoft fixes 20 security holes

BBC NEWS | Technology | Microsoft fixes 20 security holes: “Windows users are being urged to install Microsoft’s February security update which contains 12 patches for 20 vulnerabilities… The bumper package includes fixes for loopholes that malicious hackers are known to be already exploiting.”

An astounding list of “Remote Code Exploit” bugs includes HTML Help’s ActiveX control (who ever thought making the browser an “integral part of the operating system” was a good idea?), Word, MDAC, the Microsoft Malware Protection Engine (how’s that for irony?), and more. Security Bulletins MS07-06 through -016 detail the mess. (It’s the sixth week of 2007, for those keeping score.)

Windows users – get patching! http://www.microsoft.com/technet/security is a good place to start for more information.

Livingston: Upgrade Vista with Vista

In Brian Livingston’s “Windows Secrets” newsletter, Brian writes, “Windows Vista, in my opinion, is a big improvement over Windows XP in many ways. But the new operating system is distinctly overpriced.” and “But I’ve tested a method that allows you to clean-install the Vista upgrade version on any hard drive, with no prior XP or W2K installation — or even a CD — required.” While this is good news for all who want to upgrade their hardware while installing Vista, it points out a way to buy the cheaper Upgrade version and get the same effect as the more expensive Full version.

If you choose to dance with the devil, you need to pay the devil his due. A far better choice to send a message to Microsoft that their software is overpriced is by purchasing a Mac or installing Ubuntu or Fedora or Red Hat or SuSE or Debian or just sticking with the software you have. That’s how the market works. Using Microsoft’s software in violation of their questionable licenses just puts you in a bad position. I’m surprised to see Brian presenting it this way: it’s a handy tip for upgraders (and a best practice for getting a stable system), but it’s not the right path for people building new machines. I wonder if Microsoft will be able to patch this behavior to detect this kind of “upgrade” or whether they’ll change their installer to prevent it.

Microsoft leaves Word zero-day holes unpatched

CNET News.com is reporting Microsoft leaves Word zero-day holes unpatched. Hmmm… is it still a zero-day hole if it has been around for a while? I’m afraid the term has lost its punch. Nonetheless, Cnet goes on to say,

Microsoft on Tuesday released fixes for vulnerabilities in its Windows and Office software, but left several known Word zero-day flaws without a patch.

As part of its monthly patch cycle, Microsoft published four security bulletins with fixes for 10 vulnerabilities. Three of the bulletins are deemed “critical,” the company’s most serious rating; the fourth is tagged “important,” a notch lower. All bulletins, however, address flaws that could allow an attacker to commandeer a PC.

Nasty stuff. It’s the second week of 2007, and Microsoft patches are already up to MS07-08, although four of the patches were pulled from this release. I wonder if they’ll still be “zero-day” next month?

Hit the Microsoft site at http://www.microsoft.com/security if you need more information on these patches. Get patching!

FoxTalk Death Throes Continue…

On the FoxPro wiki, Alex Feldstein documents the most recent of many problems with New Hill Services, aka Eli Research, the latest purchasers of the FoxTalk newsletter, originally from Pinnacle Publishing. (Disclosure: FoxTalk published several articles of mine, starting in 1992 and ending in 2004.) These people are just incredibly clumsy in the way they have worked with the community that once supported the newsletters. Terminating the editor, dropping or antagonizing their top-notch contributing writers, harassing former subscribers and failing to engage the community have ruined any chances of FoxTalk’s recovery. I wish they would just terminate the paper and spare us all the embarrassment.

Just this morning, I received an email announcing “Your latest FoxTalk 2.0 is Available Online!” Curious if they were giving away free online content or offering a trial, I navigated to http://osslogin.com/login/pin, which asked for a login and displayed the Pinnacle (not Eli, not New Hill) logos and no links — no “Who we are,” “Read our other publications,” nothing. Really suspicious. Examining the HTML source, there were no signs of foul play (it does look like a phishing expedition, doesn’t it?), so I tried the “forgot your password” link and supplied my email address (I already get and squash 500 spams a day, so one more wouldn’t hurt). I promptly got an email with my password, and attempted to log in. “Account Expired” it told me, again with no other information or links. How annoying! If it was expired, why send the email notice? And wouldn’t this be a killer opportunity to ask me to re-up? Nothing. Bozos.

SANS – Internet Storm Center – Cooperative Cyber Threat Monitor And Alert System

In the SANS – Internet Storm Center Handler’s Diary on December 29th 2006 they describe the troubles that can occur when a user innocently chooses a likely search result from a popular search engine in “Pain reliever with serious side effects.” A chilling story. The moral of the story: anti-virus and anti-malware and firewalls aren’t sufficient. You must also stay up to date on all the latest patches. What if the patch isn’t out yet?

In related news, Microsoft will unprotect millions of Windows 2000 users tonight as their version of “Windows Defender” expires, with no update planned for the “unsupported” operating system. If you’ve been a depender on defender, it’s time to be a decider and a finder and find another product. Good luck, and happy new year!

Is giving influencers $3k laptops bribery, PR-as-usual, or both?

It’s a slow week in the tech world, nestled between Christmas and New Year’s, with nothing to read but insipid the-year-that-was technical review rehashes and pundits pontificating their predictions. But wait! A newsflash! Microsoft is trying to influence their unpaid champions, by slipping a couple of loaded laptops out there for “review,” no strings attached. Bribery? PR? Same old thing? In Bribing Bloggers, I think Joel nails it with:

This is the most frustrating thing about the practice of giving bloggers free stuff: it pisses in the well, reducing the credibility of all blogs. I’m upset that people trust me less because of the behavior of other bloggers.

eWeek opines, “Microsoft’s Laptop Giveaway Rubs Some the Wrong Way.” I think Microsoft’s retreat on this is about the worst thing they could do, nearly admitting some wrongdoing.


This work by Ted Roche is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 United States.