The SANS Internet Storm Center has published its Microsoft Black Tuesday overview for December 2006, and it looks pretty grim. Seven patches focused on the OS: Internet Explorer (deeply embedded in the operating system and still generating monthly flaws), Outlook Express (Microsoft's bundled email client), and Windows Media Player (another bundled application). The other flaws are in csrss, SNMP, Remote Installation Services (RIS), and one in Visual Studio 2005. All Windows users should review and patch asap.
So, for 2006, MS released 78 patches for Windows and included software, plus more, not included in that count, for Office and other tools. That doesn't stack up too well against previous years. The “Trustworthy Computing” memo is getting long in the tooth, and Microsoft has had enough time to review and audit its software and remove a lot of these flaws. Instead, we see “new” versions of their software like Server 2003 still affected by flaws in the common components they share with older releases. Hopefully, with the release of Windows Vista and Office 2007, many of the flaws will finally be plugged. But Microsoft's customers have to be growing tired of this.
Archive | Security
Security is not a feature; it’s a process. Notes on issues, patches and essays on security.
Word has new Zero-Day attack.
Microsoft warns of new Word attack. “There's now one more reason to be careful about opening Microsoft Office attachments.” By Robert_McMillan@idg.com (Robert McMillan).
Hmmm. Wonder how to avoid this?
1. Don't open an untrusted attachment.
2. There are no trusted attachments.
NIST says electronic voting isn't ready yet.
U.S. agency recommends e-voting paper trail.
(InfoWorld) – “The U.S. National Institute of Standards and Technology (NIST) has recommended that the U.S. government require touch-screen electronic voting machines to include independent audit technology, such as printouts.”
We can't just let the computer count the votes, and then recount them, with no feedback to the voters and no accountability or audit trail. The Help America Vote Act (HAVA) was well-intentioned, but throwing computers at the problem just makes the problem bigger and more efficient. Let's hope the new Congress will make some rational modifications to the voting system.
Apple releases 7th major security update of 2006.
Over at InfoWorld, Robert McMillan is reporting that Apple patches AirPort wireless bug. “Apple Computer Inc. has fixed a number of flaws in the software that ships with its personal computers, including a bug in its AirPort wireless drivers that was disclosed earlier this month… Apple's Tuesday update also fixes several issues in products that ship with OS X, including flaws in the ClamAV antivirus software, Perl, PHP (PHP Hypertext Preprocessor) and Samba… In total, 22 patches were released in this update, named 2006-007 by Apple.” Double-oh-seven, eh? Get patching!
Apple Safari 'safe' files bitten again
SANS Internet Storm Center, InfoCON: green is reporting “Mac OS X Apple UDIF Disk Image Kernel Memory Corruption, (Wed, Nov 22nd). A vulnerability has been reported in the way OS X handles corrupt DMG images…(more)”
Apple did pretty well with its proprietary apps on top of OS X, but one real bozo bit was having Safari's option to open 'safe' files after downloading enabled by default. That ASSuMEs that 'safe' files can't have a flaw that leads to… well, exactly what this exploit does: a disk image is on the 'safe' list, so Safari mounts it for you as soon as the download finishes, and a corrupt DMG is handled in the kernel. Remember, never open an untrusted attachment, whether on a web page or in an email. And there are no trustworthy attachments. Test, confirm, verify, then install or run. If you use Safari, turn off “Open 'safe' files after downloading” (Safari > Preferences > General), because they are not.
Microsoft Patch Tuesday
The SANS Internet Storm Center lists 6 patches released by Microsoft today, two of them earning the “PATCH NOW” status: one covering multiple Internet Explorer vulnerabilities and the second for an XML Core Services flaw with exploits already known to be out in public. Get patching!
Groklaw: Microsoft Patent Pledge Useless
Groklaw is reporting SFLC's Bradley M. Kuhn's Letter to the FOSS Development Community Regarding Microsoft's Patent Promise. The Software Freedom Law Center's CTO Bradley Kuhn has issued a statement regarding the Novell-Microsoft agreements and how they will impact FOSS developers. They analyzed in particular Microsoft's Patent Pledge for Non-Compensated Developers and see little value in it; in fact they say it is worse than useless, because it creates an illusion of safety and because it severely limits what a developer is allowed to do with his own work.
Electronic Voting is still not ready for prime time…
InfoWorld: Top News is reporting Florida e-voting: 18,000 'missing' votes in close race.
“Government watchdog group Common Cause has called for an investigation of electronic voting machines used in Florida's 13th congressional district because of 18,000 missing votes…. About 18,000 people who cast votes in other races in Tuesday's election failed to record a vote for either candidate for the U.S. House of Representatives. At last count, Republican candidate Vern Buchanan led Democratic candidate Christine Jennings by less than 400 votes in the race to succeed Republican Katherine Harris, who ran unsuccessfully for U.S. Senate.”
… But her spirit lives on.
“This is part of the reason we've been calling for a paper trail,” Wilcox said… Ironically, Sarasota County voters on Tuesday approved a ballot measure requiring paper trail ballots to be used as a backup to the e-voting machines.”
Whether by programmer error (certainly possible), operator error (easy enough), configuration problem, or tin-foil-hat conspiracy, electronic voting is not an improvement on paper ballots. Unless and until we can build a system that makes voting more accurate, we ought to just wait until the paper ballots get counted.
IE 7 is now an update, not an upgrade?
Slashdot notes IE7 Released As High-Priority Update. jimbojw writes, “Internet Explorer 7 was finally released this morning and is available via automatic update or download from Microsoft.”
IE7 Breaks Older QuickBooks
Over at Shedding Some Light, Rick Schummer blogs IE7 Breaks Older QuickBooks: “I use FireFox as my primary Web browser and really like it… A couple of weeks ago at Southwest Fox I learned a bunch of things about IE7 from Rick Borup. His session got me excited about some of the changes and new features. So I have been looking forward to the automatic update about to hit my machine. Then I accidentally ran across a blog from one of my technical partners about how IE7 breaks QuickBooks Pro. No email from Intuit (they hit me up with lots of offers to upgrade, but I guess this little detail was not that important, or I seriously overlooked it)… I use QuickBooks Pro to manage the accounting books here at White Light Computing. I have used this product for years to keep track of the hours I bill, invoicing, tracking accounts receivables, printing checks to my vendors and subcontractors, and reporting the financials to my wife and our accountant. I use this program all the time. It is almost as important to me on the administrative side of the business as Visual FoxPro is to the technical side of the business.”
Rick goes on to point out some work-arounds to prevent IE from “upgrading” itself and making your accounting system inoperable. Thanks for the tip, Rick!!!
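Rick's post is the place to look for the workarounds he actually used. As an added example, not taken from Rick's post, from Intuit or from anything else on this page, here is the mechanism Microsoft itself shipped for exactly this situation: the IE7 Blocker Toolkit sets a REG_DWORD value named DoNotAllowIE70 to 1 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate, and Automatic Updates checks that value before offering IE7. The function names below are this example's own; it assumes an XP/2003-era machine and an elevated prompt.

```powershell
# Added example (not from Rick Schummer's post): block the automatic delivery
# of IE7 using the registry value documented by Microsoft's IE7 Blocker Toolkit.
# Function names are this example's own. Run from an elevated prompt.

$BlockerKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'
$BlockerName = 'DoNotAllowIE70'

function Test-IE7Blocked {
    # True only if the blocker value exists and is exactly 1; anything else
    # (missing value, 0, wrong type) means Automatic Updates will offer IE7.
    $item = Get-ItemProperty -Path $BlockerKey -Name $BlockerName -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$BlockerName -eq 1)
}

function Block-IE7AutoInstall {
    # Create the key if it is missing, then write the REG_DWORD value of 1
    # and read it back rather than trusting that the write succeeded.
    if (-not (Test-Path $BlockerKey)) {
        New-Item -Path $BlockerKey -Force | Out-Null
    }
    New-ItemProperty -Path $BlockerKey -Name $BlockerName -PropertyType DWord -Value 1 -Force | Out-Null
    return (Test-IE7Blocked)
}

function Unblock-IE7AutoInstall {
    # Remove the value once the application you are protecting has been fixed,
    # so the browser upgrade starts flowing again. Blocking is a stopgap, not a plan.
    Remove-ItemProperty -Path $BlockerKey -Name $BlockerName -ErrorAction SilentlyContinue
    return (-not (Test-IE7Blocked))
}

if (Block-IE7AutoInstall) {
    Write-Host "IE7 automatic delivery is blocked ($BlockerName = 1). Unblock once the vendor fix is in."
} else {
    Write-Host "Failed to set $BlockerName under $BlockerKey; are you running elevated?"
}
```

Two caveats a practitioner would want. First, the value only stops Automatic Updates and Windows Update from offering IE7; it does nothing against a user who downloads and runs the installer by hand, so it is not a control, just a deferral. Second, staying on IE6 means forgoing the IE7 hardening while still depending on the monthly IE6 patches, so the block should come off as soon as Intuit ships a fix.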