Tag Archives | Microsoft

GreaseMonkey security exploit

Despite Microsoft’s attempt to, er, monopolize the security news…

Alex Feldstein posts Attention Greasemonkey Users. “There’s a serious security issue for Greasemonkey. Until I can study this in more detail, and as my use of GreaseMonkey is very minimal, I have chosen to disable it. (Via J-Walk)”

As best I’ve been able to ascertain, the problem occurs in versions before 0.34 and possibly also in the 0.4 alpha, but 0.35 is okay. The GreaseMonkey add-in shows a little monkey face at the bottom of the browser. Click it to toggle whether it is disabled, and only turn it on when you need it and trust the underlying page. You may also want to consider adding the NoScript add-on, which lets you specify which sites ought to be allowed to run JavaScript at all.

More on the RDP Exploit

Microsoft Watch from Mary Jo Foley reports Microsoft Suggests Workarounds to Block SP2 Flaw. “Microsoft released a security advisory and some suggested workarounds for a new potential denial-of-service flaw in Windows XP SP2.”

It’s a good idea to double-check systems that ought to have RDP disabled. As part of chasing down a different problem, I was reviewing the Services tab of a WinXP workstation’s Administration interface, and noted all the Terminal Services items running. Disable remote access on an individual box by right-clicking “My Computer” and selecting “Properties.” On the “Remote” tab, ensure the “Allow users to connect remotely to this computer” option is off.

Remote Desktop Protocol flaw can lead to DoS and crashed servers

Computerworld News notes Microsoft warns of remote access protocol flaw. “Microsoft is warning users that a flaw in the software used to remotely access computers running the Windows OS could leave them vulnerable to a denial-of-service attack.”

This is the RDP flaw I blogged last week. Affected machines include Win2K as well. It appears that scanning for the affected port is on the increase, too, according to the Internet Storm Center. I’m advising clients to turn off port 3389 at the firewall, and only enable it (via ssh, for example) when needed.
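The two RDP posts above boil down to one check an administrator should be able to run on every box: is Remote Desktop switched on, and is anything listening on TCP 3389? The script below is an added example, not something from the original posts, that performs that audit and offers the same “turn it off” step the Remote tab does. It assumes that the “Allow users to connect remotely to this computer” checkbox is reflected in the registry value fDenyTSConnections under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server (1 means connections are denied) and that netstat output lists listeners with the word LISTENING; run it from an elevated prompt.

```powershell
# Added example (not from the original posts): audit Remote Desktop exposure on
# a Windows host and optionally deny remote connections the way the Remote tab does.
# Assumption: fDenyTSConnections (1 = deny, 0 = allow) mirrors the
# "Allow users to connect remotely to this computer" checkbox.

$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-RdpStatus {
    # Read the deny flag; a missing value is reported as $null so the caller sees "unknown".
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections

    # Parse plain netstat output rather than newer cmdlets so the check also works on
    # older hosts such as XP and Windows 2000. Matches both 0.0.0.0:3389 and [::]:3389.
    $listening = netstat -an | Select-String -Pattern ':3389\s+\S+\s+LISTENING'

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        DenyFlag       = $deny
        RdpEnabled     = ($deny -eq 0)
        Port3389Listen = [bool]$listening
    }
}

function Disable-Rdp {
    # Equivalent to clearing the checkbox on the Remote tab: deny incoming RDP sessions.
    # This does not replace blocking 3389 at the perimeter firewall, which stops the
    # port from being reachable at all.
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1 -Type DWord
}

# Usage: report the current state and warn if the host looks reachable over RDP.
$status = Get-RdpStatus
$status | Format-List
if ($status.RdpEnabled -or $status.Port3389Listen) {
    Write-Warning "RDP appears enabled or listening on $($status.ComputerName); run Disable-Rdp if this box should not accept remote desktop sessions."
}
```

Two points a practitioner will want to keep in mind: the registry flag and the listener are checked separately because a box can have the checkbox cleared while the Terminal Services listener is still bound (the page notes those services running on a workstation), and the firewall advice stands on its own, since denying sessions at the OS does nothing to reduce the scanning traffic the Internet Storm Center was reporting.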

Too Many Choices! I can’t decide!

Slashdot carries a discussion that starts Time for a Linux Consolidation? An anonymous reader writes “Are there too many Linux distributions currently available?” As always with Slashdot, there’s a tradeoff between how long you want to read the answers and how much you trust their system of peer ratings. I like a threshold of 4, myself.

This is an interesting syndrome I’ve seen happen a number of times. Folks who perceive themselves to be trapped in the “One Microsoft Way” choice of operating systems, office products, PIMs and development tools long for the “freedom” of choosing other packages, ignoring the fact that they are implicitly choosing Microsoft over WordPerfect, SmartSuite, Delphi, BASIC, PostgreSQL and dozens of other choices. But when faced with the actual choice — Red Hat Enterprise or SuSE? Mandrake? Connectiva? Debian or Ubuntu? — they complain that there are “too many choices.” Utter nonsense. People chose to create yet another PIM for a reason. They may not have liked the options available, they may not have gotten along with the developers, they may have wanted one specific feature or they may just have been ignorant of what was available. It’s up to the discerning consumer to figure out their optimal choice. Me, I think there’s too much shelf space devoted to high-fructose corn syrup and colored water, but bottlers seem to keep “innovating.”

Windows RDP Exploit Discovered

OSNews notes Windows RDP Exploit Discovered. “A denial of service vulnerability reportedly affects the Windows Remote Desktop Protocol.” OSNews goes on to advise, “Either disable RDP or make sure you have a firewall enabled for port 3389 until a fix is available.” This is nonsensical advice. First, if you have “a firewall enabled for port 3389,” does that mean the process can’t go through the port? If so, what’s the point of running Remote Access?

The report does not identify the problem as something that could allow a malicious attacker to take over your machine, only inconvenience you with a denial of service issue, or possibly shutting down your machine. Obviously, you should turn off Remote Desktop access if you don’t need it.

There’s a stunning note on the Microsoft Security Advisory linked from the OSNews article: “Remote Desktop is enabled by default on Windows XP Media Center Edition.” What on earth were they thinking, enabling a remote access interface on an OS designed to be used as a standalone home media appliance? Is this Trustworthy Computing? Not even close.

Asa Dotzler: Linux not ready for the desktop

Asa Dotzler opines that Linux is not ready for the desktop. He is surely not the first to hold that opinion, but he identifies four areas where he feels improvement is necessary:

1. Migration: Asa suggests that Linux install side-by-side on a Windows machine and read all the settings and preferences and set the same on the Linux side. While this sounds like a killer feature, I’ve found most people haven’t even set much beyond the defaults, and those who have are comfortable enough with the concept to customize their software again. Switching from Windows to Linux (or Mac) is also not a one-for-one match and new capabilities in the software need to be discovered, too. A “Migration Wizard” could be a killer app for the Aunt Tillies of the world, who’d like it to just work for them, but for corporate environments where much is pre-set for the user, IT should be able to script a similar though perhaps not as thorough effect.

2. Stability: by stability, Asa is referring to what Windows users call DLL Hell: the problems with library dependency conflicts between different software installs. This is a universal problem with computers, and Linux is no further along a solution than Microsoft is. The simple answer is to stay within the lines and only install the software that your distribution’s installer has to offer. That’s a pretty frustrating answer, but the major distros do supply a vast array of software these days.

3. Complexity: Asa seems to be complaining that there are too many configuration choices. Freedom to configure the software the way you want is an advantage, but the difficulty of supporting clients who have tinkered with their settings is a counterbalance. Again, this is a universal challenge: have you taken a look at the many tabs in Tools|Options in Word lately? Too many choices! Unless they don’t have the one you want…

4. Comfort: “The final major issue is comfort. Linux must feel comfortable to Windows users.” I have to respectfully disagree. People can learn to adjust, and most do. Witness the radical and sometimes trivially silly differences in UI between Windows 3.1, 95, 98, 2000 and XP. The world didn’t end because Microsoft installed a Teletubbies background on top of a Candyland theme, and hid common options five layers down behind difficult-to-navigate cascading menus and modal dialogs. People can learn to adjust, and that needs to be factored into the transition process, along with a patient teacher and helpful support available. To duplicate the UI that Microsoft rolled out (and which version?) may aid in muscle-memory exercises, but it doesn’t open up minds to new possibilities. Apple argues you should “Think Different,” and the effect on many switchers — the It Just Works Effect — argues they have done a better job of the Computer-Human Interaction design than Microsoft did.

Patch Tuesday – everyone’s getting in on the act!

Patches are flying in from everywhere! Mozilla patches Firefox and Thunderbird, Oracle issues 50 patches, and Microsoft releases its monthly batch, including a critical one (“Remote Code Execution” – from a word processor!) that affects Word 2000 and 2002. Also, Apple releases OS X Tiger 10.4.2 with its own security updates.

InfoWorld reports Mozilla patches bugs in Firefox, Thunderbird. “The Mozilla Foundation on Tuesday fixed a number of security bugs in its Firefox Web browser, many of which will also be patched in upcoming releases of Mozilla’s Thunderbird e-mail client and Mozilla Internet software suite.”

Also in InfoWorld, Oracle releases critical security updates. “Oracle has released its latest quarterly batch of security updates, offering fixes for several dozen security flaws in its database, application server, business applications, and other products.”

Microsoft re-released MS05-033, a patch for their Services for UNIX 2.0, as well as MS05-035, the Word 2000 and 2002 vulnerability, MS05-036, another remote code exploit vulnerability affecting Windows 2000 and later (and likely the unsupported Win98 and ME as well) and MS05-037, yet another remote code exploit vulnerability in JView. Read all the details in the Microsoft Security Bulletin Summary for July, 2005.

[UPDATE] Office Watch (formerly Woody’s Office Watch) notes that the exploit affects Microsoft Works 2002, 2003, 2004 and Works Suite 2000 and 2001.

Not to feel left out, Apple joins in with an update to OS X Tiger to version 10.4.2. Here’s what the Software Update widget says:

“The 10.4.2 Update delivers overall improved reliability and compatibility for Mac OS X v10.4 and is recommended for all users. It includes fixes for:

  • file sharing using AFP and SMB/CIFS network file services
  • single sign-on authentication and reliable access to Active Directory servers
  • autologin for managed user accounts
  • AirPort and wireless access
  • Core Graphics, Core Audio, Core Image, including updated ATI and NVIDIA graphics drivers
  • Finder updates including finding on Kind and using Slideshow
  • synchronizing your iDisk with .Mac
  • installation reliability
  • managing Dashboard widgets
  • Address Book, Automator, iCal, iChat, Mail, Safari, and Stickies applications
  • compatibility with third party applications and devices

“For detailed information on this Update, please visit this website: http://www.info.apple.com/kbnum/n301722. For detailed information on Security Updates, please visit this website: http://www.info.apple.com/kbnum/n61798”

Whither .NET? by Andy Kramek

Alex Feldstein blogs “Andy Kramek, a well-known software developer writes a very insightful article on why .NET could be a big problem and a failure for Microsoft. He contends, that aside from ASP.NET (which is what ASP should have been from the beginning), there is no compelling reason for developers to jump to .NET… I tend to agree.”

Partners: Crunchy and good with ketchup

Microsoft Watch from Mary Jo Foley notes Feeding the Voracious Microsoft Beast. “Microsoft CEO Steve Ballmer may love Microsoft’s partners. But that doesn’t mean he has any trepidation about continuing to chip away at their markets.”

Microsoft has always loved their partners: they’re crunchy and taste good with ketchup.

It’s pretty well-known that announcing a “strategic partnership” with Microsoft means, if you’re lucky, the company will get swallowed whole and you might walk away with cash or, if you’re less lucky, Microsoft will suck the blood, sweat and tears out of the company and leave a cold dead husk. With maybe a shot at an intellectual property infringement suit and a billion-dollar out of court settlement. And maybe not.

Microsoft Longhorn Beta 1 to be released Summer 2005

Microsoft Watch from Mary Jo Foley reports Microsoft Reconfirms Longhorn Targets. “Beta 1 of Longhorn is still on track for this summer, Sanjay Parthasarathy reiterated that Longhorn Beta 1, which will not include the new user interface bits, is due this summer. Beta 2, which will showcase the new interface, is due out some time in the first part of 2006. The final Longhorn client release is still, as of now, due out in the latter half of 2006.”

Isn’t that curious. Microsoft has previously used “Beta” like much of the rest of the software industry: for a feature-complete product with testing required but all major features in place. In particular, Microsoft’s “Marketing Betas” to the public were primarily used by the MS Marketing teams to determine how to pitch the product and how to respond to the FAQs. This beta is more likely what most would consider an alpha, with features yet to be completed, making evaluation of the product more difficult. This comes across to me as primarily a PR effort to show that Microsoft is still in the game. With the dropping/delay of major features (WinFS), release of others separate from the Longhorn OS (Avalon and Monad) and the addition of others (RSS), Longhorn still feels like too much of a moving target and not a product with a fixed feature list. It will be interesting to read how the industry press reviews this “beta.”


This work by Ted Roche is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 United States.