eWEEK.com Messaging and Collaboration is reporting Microsoft Confirms New Word Zero-Day Attack. “Malicious attackers are exploiting a new, undocumented flaw in Word 2000 to load back-door Trojans on Windows machines.” … “Security alerts aggregator Secunia rates the flaw as “extremely critical” and urged Word users to avoid opening Word documents from untrusted sources.”
Tag Archives | Microsoft
Internet Explorer a Monster No More? I don't think so.
Thom Holward posts this article on OSNews, linking to the this ZDNet blog post where Richard MacManus interviews Microsoft's Chris Wilson. I've read the article and I can't see where Thom's conclusion comes from. Chris says…
“…IE7 is going to be an important update in the automatic updates feature. This means it'll actually show up for everyone's [Windows] computer. It won't automatically install behind the scenes or anything, because it is going to change your user experience of the Internet quite a bit.”
I really can't see that anything has changed.
Microsoft won't play High-Definition content on 32-bit CPUs – or will it?
Slashdot post: No Full HD Playback for 32-bit Vista. snafu109 writes “Pity the Vista user with a 32-bit CPU. Senior Program Manager Steve Riley announced today at Tech.Ed Australia that full HD content shall only be played at the full resolution where only signed drivers are used — only in the 64-bit version of Vista.” And you thought that there were no features left to remove!
UPDATE: Today, OSNews reports Microsoft: 32Bit Vista Will Play Protected HD Video. The web exploded yesterday with the news that Microsoft would cripple 32bit versions of Vista so they would not play protected high-definition content. However, Microsoft was quick to respond, stating: “The community is buzzing with reactions to APC Magazine's article regarding playback of protected High Definition content in 32-bit versions of Windows Vista. However, the information shared was incorrect and the reactions pervading the community are thus (understandably) ill-informed. The real deal is that no version of Windows Vista will make a determination as to whether any given piece of content should play back or not.” Well, that certainly clears things up!
Novell working to implement VBA in OpenOffice.org
OSNews reports “Novell is still working on improving the VBA support of its OpenOffice submission, and is therefore open to all sumbmissions of VBA macros which are not working on the OOo version of SLED 10. In the meantime the question is when – or even if – Sun will accept the patches for OpenOffice to get VBA support.”
Hmm. I'm surprised. VBA is one of Microsoft's Achille's Heels, the weak spot where lots of security flaws can be exploited, via Automation, AutoOpen macros and so forth. I'll be interested in learning how OOo can implement these.
Why are computers so hard to use?
David Berlind's recent blog post pointing to Tim Bray's trials and tribulations on switching from a Powerbook to a Sun Ultra 20 running Ubuntu (!) has some interesting reflections on how hard all desktop switching is. David says,
[Tim] “used two words — “wrangling” and “gyrations” — in his last post that leap off the page as having long been (in my mind) desktop Linux's key stumbling blocks.”
I've got a half-dozen machines in the office I work at regularly: Dells, HPs, ThinkPads, Macs, running Win98 through XP, OS X, CentOS, Ubuntu, Fedora, Xubuntu and probably a couple of others. I am constantly wrestling with getting a PDF file just right on this one, or wrangling an icon to do what I want on the desktop of that one. They are all hard!
I got tired of using the supplied Apple keyboard with my iMac and thought I'd try a Microsoft Natural Keyboard I had spare around the office. It worked well, just plug it in and It Worked ™. However, the key labels and assignments had me stumped. On Windows and Linux, the control key is the lower, outer left key and I spend all day issuing ^X, ^V, ^F, ^T to cut, paste, fine and create a new FireFox tab. On the Mac, it's not the outer key, it's the option key, the middle of the three keys outboard the spacebar. Except when it's not. Subconsciously, I had gotten myself into the groove of using the different keyboard layout on the (different) Apple keyboard. When I swapped out the keyboard for the one I use on another machine, I lost the ability to touch type those characters on both keyboards.
In the above-cited blog post, Tim was annoyed when Ubuntu didn't follow the hand-patterns he had memorized on the PowerBook; I feel the same way when I use the Mac.
MS06-040 exploited, a few days
Slashdot post: Botnet Herders Attack MS06-040 Worm Hole. “Laljeetji writes “eweek reports that the first wave of malicious attacks against the MS06-040 vulnerability is underway, using malware that hijacks unpatched Windows machines for use in IRC-controlled botnets. The attacks, which started late Aug. 12, use a variant of a backdoor Trojan that installs itself on a system, modifies security settings, connects to a remote IRC (Internet Relay Chat) server and starts listening for commands from a remote hacker. On the MSRC blog, Microsoft is calling it a very small, targeted attack that does not (yet?) have an auto-spreading mechanism. LURHQ has a detailed analysis of the backdoor.”
Sounds nasty. An auto-spreading mechanism will turn this one into an epidemic. Patch now, if you haven't already.
OpenOffice.org security flaws identified, some patched
Robert McMillan of InfoWorld: Top News reports OpenOffice.org security 'insufficient'. “With Microsoft Corp.'s Office suite now being targeted by hackers, researchers at the French Ministry of Defense say users of the OpenOffice.org software may be at even greater risk from computer viruses… “The general security of OpenOffice is insufficient,” the researchers wrote in a paper entitled “In-depth analysis of the viral threats with OpenOffice.org documents.” … “This suite is up to now still vulnerable to many potential malware attacks,” they wrote.”
Despite the negative tone of the beginning of this article, it's more good news for OO.o than bad. First, the one major flaw that was found has been patched – yeah, Open Source! – and you'll want to ensure you're running the latest OpenOffice.org. The second positive spin of the article is the tone: governments and companies are seriously evaluating OpenOffice.org as a replacement for their current office products. I wonder if this change in the tone has to do with the acceptance of the Office Document Format as a recognized international standard.
But don't just take my word for it…
Microsoft Watch from Mary Jo Foley reports Patch Windows Now, Homeland Security Warns. “The Department of Homeland Security has spoken. Apply the patches in the MS06-040 security bulletin for Windows, which Microsoft released on August 8, the agency is warning users.”
Microsoft's Monthly Security Patches for August 2006
I received the “Microsoft Security Bulletin Summary for August, 2006” in my inbox this morning. You'll want to sign up on the Microsoft site if you don't get this email and have responsibility for supporting and protecting Windows machines. You can find the bulletin here.
Nearly all the 12 items were rated critical and resulted in “Remote Code Execution” – in other words, someone else taking over your machine. Every version of Windows – those still supported – Windows 2000 SP4 through Windows Server 2003 – are affected. Individual applications getting patched include all the Office products, VBA-enabled products, and nearly anything with HTML: Internet Explorer, HTML Help, Microsoft Management Console. Get patching!
MS06-040 – Vulnerability in Server Service Could Allow Remote Code Execution (921883)
MS06-041 – Vulnerability in DNS Resolution Could Allow Remote Code Execution (920683)
MS06-042 – Cumulative Security Update for Internet Explorer (918899)
MS06-043 – Vulnerability in Microsoft Windows Could Allow Remote Code Execution (920214)
MS06-044 – Vulnerability in Microsoft Management Console Could Allow Remote Code Execution (917008)
MS06-046 – Vulnerability in HTML Help Could Allow Remote Code Execution (922616)
MS06-047 – Vulnerability in Microsoft Visual Basic for Applications Could Allow Remote Code Execution (921645)
MS06-048 – Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (922968)
MS06-051 – Vulnerability in Windows Kernel Could Result in Remote Code Execution (917422)
MS06-045 – Vulnerability in Windows Explorer Could Allow Remote Code Execution (921398)
MS06-049 – Vulnerability in Windows Kernel Could Result in Elevation of Privilege (920958)
MS06-050 – Vulnerabilities in Microsoft Windows Hyperlink Object Library Could Allow Remote Code Execution (920670)
We're up to 51 patches on the 32nd week of the year. It's pretty apparent that whatever Trustworthy Computing brings us, it won't be a static thing.
Microsoft: Our customers are dumb
OSNews points to a ZDNet article, Microsoft: ‘Open Source Is Too Complex’. “Although open-source software can be customized to meet a company’s specific needs, its inherent complexity could dent the profitability of independent software vendors, says Microsoft. “One of the beauties of the open-source model is that you get a lot of flexibility and componentization. The big downside is complexity,” Ryan Gavin, Microsoft’s director of platform strategy, said.”
An ISV has to know what they are getting into, and have sufficient support to deal with the challenges of many platforms. The same is true if you choose to support Windows XP, XP Home, XP Media Center, XP Tablet, Windows 2000, Windows Server 2003 on standalone, networked, workgroup, domain and Active Directory models. The claim that supporting Linux is more difficult because there’s more than one vendor (all of the majors adhering to the Linux Standards Base) is FUD. If you have to support home users with Windows 95 or do-it-yourselfers with a hand-built Linux kernel, the challenges are the same. Their claim to ISVs that Windows is easier to work with may be easy to claim, but I’d like to see Microsoft prove it. Truth Happens. Unbend the Truth.
Microsoft claims that computer technology is complex, and they are smarter about making those decisions than their customers. If they are not careful, they’ll prove that: the smart customers will leave.