Tag Archives | Microsoft

Microsoft to ship a dozen on Patch Tuesday

Microsoft Watch from Mary Jo Foley is reporting Windows Fixes to Dominate Patch Day Dozen. “Expect from Microsoft a dozen new security bulletins, with plenty of Windows patches – a number of which will be deemed “critical,” on August 8.”

Pencil in some time Tuesday or Wednesday for patching and rebooting.

Hasta La Vista My Computer, now it's Their Computer

In Fun with User Access Control in Vista… Argh!!!, Microsoft MVP and Developer Extraordinaire Rick Strahl bemoans:

Vista Security is tight and I can understand the need to lock down the system to some degree. But UAC is nothing short of annoying, so much so that it becomes a totally worthless feature. After using UAC for a few minutes you won't be reading any prompts and blindly prompting every link spawned. This is not security – this is making things worse by giving people a false sense of security… It's relatively straightforward to turn off UAC, but as it turns out this doesn't quite get you all the way where you might expect.

He documents a situation in which the Administrator of the machine is unable to delete a directory. Is this a feature? When a skilled and experienced operator can't find a way to work through a system to repair a problem, there's something deeply wrong. Read Rick's entire post here.

PowerPoint Zero-Day Vulnerability in the Wild

Slashdot post PowerPoint ZeroDay Vulnerability Exploited. “whitehatlurker writes to mention a WashingtonPost.com article about another unpatched flaw with Microsoft Office. The bug, part of the PowerPoint software, has already been used in the wild, and may be connected to an industrial espionage case.”

1. Never EVER open an untrusted document, whether it is Word or PowerPoint or a PDF or a video.

2. There are no trusted documents.

What #2 means is that, whenever a document arrives appearing to be from a friend or a co-worker, you should always confirm that it really is from them. Most of the time, you've had a conversation in advance. Social engineering works by making you think that a document is part of a normal exchange. If Bob in accounting sends a message with some nondescript “check this out” text and an attachment that appears to be a spreadsheet, it's worth taking a couple of seconds to verify it's really from him. Malware steals other people's email address books, so the mail could appear quite legitimate.

Microsoft Monthly Patch: 7 Patches, 5 Critical, Remote Code Execution – patch now!

OSNews also notes Microsoft Patches Seven Vulnerabilities. “Microsoft alerted us this time about seven vulnerabilities of which five were rated critical and two important. There are vulnerabilities in the Server service, the DHCP Client service, Excel and Office that could allow remote code execution.”

Seven patches: 5 Critical with Remote Code Execution possibilities, 2 Important, one of which covers Remote Code Execution within IIS. Bulletins MS06-033 through MS06-039 were issued in the 28th week of the year. It looks like this kind of velocity, more than one per week, has been steady at Microsoft for nearly three years now. I would have expected the more secure IIS6 and Windows Server 2003 to stem the flow a bit, but these products continue to be listed in the affected systems list. Hmm.

MS06-033: Vulnerability in ASP.NET Could Allow Information Disclosure (917283)

MS06-034: Vulnerability in Microsoft Internet Information Services using Active Server Pages Could Allow Remote Code Execution (917537)

MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159)

MS06-036: Vulnerability in DHCP Client Service Could Allow Remote Code Execution (914388)

MS06-037: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (917285)

MS06-038: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (917284)

MS06-039: Vulnerabilities in Microsoft Office Filters Could Allow Remote Code Execution (915384)

Security is not a feature, it's a process. Patch now to avoid more problems later.

Is Desktop Linux going the wrong way?

Via OSNews, Jem Matson asks “Is Desktop Linux Distros Headed in the Wrong Direction?” “The impending release of Windows Vista with its fancy Aero Glass special effects, along with the hasty addition of the similar XGL and Compiz technologies to the latest SUSE Linux release makes me think that programmers have a warped idea of what desktop computing is about. For some reason, many GNU/Linux users are concerned about competing feature-for-feature with Vista, while Apple and Microsoft struggle to add more graphical extras to their already graphics-intensive desktop OSes. It's gotten so that you need a serious 3D video card (with proprietary drivers) and a fairly fast computer just to keep up with desktop environments. Whatever happened to being productive and having fun?”

Many of us dissed Windows XP when it shipped with the Candyland theme and the Teletubbies hill as a background. A little 3D shading and a shiny thing or two is fine, but eating up half your processing power creating a glittering frame for your black-and-white text is pretty silly.

I've recently installed the Xubuntu desktop package onto a couple of older machines running Kubuntu and I'm delighted with the snappy performance I'm getting out of 5-year-old hardware. The Xfce desktop is plain, clean, simple and fast. While I'll ooh and ah as much as the next person over glassy transparent effects, they don't do a lot for my day-to-day coding (in text), email (in text) and blogging (in text). Hmmm. Maybe someone should consider better looking… text.

WinFS not a file system, not a product, scrapped or re-purposed?

Slashdot post: WinFS Gets the Axe. commander salamander writes “Over at the WinFS Team Blog, Quentin Clark states that Microsoft no longer plans to ship WinFS as a standalone software component. Instead, portions of the underlying technology will be included with the next release of SQL Server (codename Katmai) and ADO.NET. Does this spell the end for the true relational storage paradigm that Microsoft has been promising since Windows 95?”

Yet another disappointment. The best lesson to walk away with is that you can never count on commercial software that hasn't shipped yet. There is a vast array of shipping file systems you can consider. If you have a need for a relational database interface to a file system, you could look at the Gnome Virtual File System, the Be File System (written by two guys in 1996 over 10 months), or Apple's Hierarchical File System Plus (1998) — interestingly, the file system of the iPod. For a deep backgrounder, Wikipedia has an interesting and heavily annotated article on File Systems.

It also points to another advantage of Open Source and the principle of “ship early, ship often.” If an Open Source project isn't going the way you want, you can fork the code and create a new project following your own direction (with proper attention to the original licenses involved, of course). You might search SourceForge.net for “database file system” and see if there's anything of interest. Seems like plenty of neat stuff.

A corollary of the first lesson is to never depend on roadmaps. Dates slip, market demand shifts, plans change. As the Register points out in “MS poised to switch Windows file systems with Blackcomb,” the best laid plans of mice and men oft go awry.

Microsoft: Block Excel Attachments

eWEEK.com Messaging and Collaboration reports Microsoft Posts Excel 'Zero-Day' Flaw Workarounds. “Redmond's security response center is recommending that businesses block Excel spreadsheet attachments at the e-mail gateway to avoid targeted zero-day attacks.”

FoxPro developers recall that Microsoft Outlook security patches block attached Visual FoxPro programs because “they could contain malicious code” — provided the recipient downloads the code to disk, runs Visual FoxPro to compile the program file and then runs the resultant file. Outlook, however, will allow through Excel or Word documents containing malicious code with no objection.

People need to get over the binary view of “documents” versus “executables.” Web “pages” contain executable JavaScript, ActiveX controls, Java and more. PDF files can run code – they are made out of Postscript, a programming language. HTML Help files include executable features. Screensavers are programs, not pictures. Some people like to send around “slideshows” of pictures, oftentimes a PPS (PowerPoint Show) file that could run VBA scripts.

1. Don't open attachments from untrusted sources.

2. There are no trusted sources.
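As an added illustration of the gateway workaround above (this is example code, not from the original post or from Microsoft), here is a content-first attachment classifier: it judges the bytes before it trusts the file name, so a PowerPoint Show, an HTML Help file or a screensaver renamed to look like a picture is still caught. The magic-byte constants are well-known format signatures; the block list, verdicts and sample files are constructed for this example.

```python
import io
import zipfile

# Format signatures (well-known magic bytes; constants assembled for this example)
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .xls/.doc/.ppt/.pps container
ZIP_MAGIC = b"PK\x03\x04"                         # Office 2007+ documents are zip archives
PDF_MAGIC = b"%PDF-"
CHM_MAGIC = b"ITSF"                               # compiled HTML Help
PE_MAGIC = b"MZ"                                  # .exe/.scr/.dll executables

# Assumed gateway policy: the "document" types the post says can carry code
BLOCKED_EXTENSIONS = {"exe", "scr", "chm", "xls", "xla", "xlt", "doc", "ppt", "pps"}


def extension(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def classify(name, data):
    """Return (verdict, reason) for one attachment; content is judged before the name."""
    if data.startswith(PE_MAGIC):
        return "block", "PE executable (.exe/.scr) whatever the file name says"
    if data.startswith(CHM_MAGIC):
        return "block", "HTML Help file can run script"
    if data.startswith(OLE2_MAGIC):
        return "block", "legacy Office container; Microsoft's workaround is to block these"
    if data.startswith(ZIP_MAGIC):
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return "block", "malformed zip container"
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "block", "Office document with embedded VBA macros"
        if any(n.startswith("xl/") for n in names):
            return "block", "Excel workbook; Microsoft's workaround is to block these"
        return "quarantine", "zip-based container, hold for inspection"
    if data.startswith(PDF_MAGIC):
        return "quarantine", "PDF may contain JavaScript or launch actions"
    if extension(name) in BLOCKED_EXTENSIONS:
        return "block", "extension is on the block list despite unrecognised content"
    return "allow", "no active-content indicators found"


def make_zip(member):
    """Constructed sample: a minimal zip (stand-in for .xlsx/.docx) with one empty member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, "")
    return buf.getvalue()
```

Wired into a gateway, "block" would bounce or strip the attachment and "quarantine" would hold it for a human or a sandbox; the extension check is the fallback, not the primary signal.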

It is no longer safe to start your computer…

Vulnerability found in Microsoft Excel.

(InfoWorld) – “A new vulnerability has been found in Microsoft's Excel spreadsheet program, just a few days after the company fixed problems with several of its applications in its monthly patch distribution.”

“One customer reported an attack using the vulnerability, which comes from an e-mail with a malicious Excel document attached, wrote Mike Reavey, Microsoft Security Program Manager, on the company's security blog.”

1. Do not open attachments from untrusted sources.

2. There are no trusted sources.

Brian Livingston: Genuine Advantage is Microsoft spyware

Brian Livingston minces no words in his weekly Windows Secrets newsletter lead article, “Genuine Advantage is Microsoft spyware.” He goes on to say:

“No PC-using company that values security and reliability can allow a program like WGA to send data to a distant server, download additional software, morph its behavior, or remotely change the functionality of Windows (as I describe below). I don't believe individuals should put up with this, either.”

This isn't a frothing-at-the-mouth, I-hate-Bill, Anything-But-Microsoft lunatic writing these words, rather it's someone who makes his living supporting Microsoft software.

Deep fixes in Microsoft's monthly security bulletin

Microsoft shipped its monthly security updates, and these are not superficial patches, but deep fixes, likely with ramifications for everyone using these products. Anticipate serious perturbations to your systems if you are depending on the behavior of these applications as part of your customer solutions. Microsoft ships patched code it classifies as “Critical” for:

MS06-021 – Cumulative Security Update for Internet Explorer (916281): this is supposed to include patches addressing the ActiveX behaviors in the Eolas suit. This is a good time to abandon ActiveX controls and IE if you are still supporting them.

MS06-022 – Vulnerability in ART Image Rendering Could Allow Remote Code Execution (918439)

MS06-023 – Vulnerability in Microsoft JScript Could Allow Remote Code Execution (917344): JScript? Are they still making that?

MS06-024 – Vulnerability in Windows Media Player Could Allow Remote Code Execution (917734)

MS06-025 – Vulnerability in Routing and Remote Access Could Allow Remote Code Execution (911280)

MS06-026 – Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (918547)

MS06-027 – Vulnerability in Microsoft Word Could Allow Remote Code Execution (917336)

MS06-028 – Vulnerability in Microsoft PowerPoint Could Allow Remote Code Execution (916768)

“Important,” perhaps less critical patches include:

MS06-029 – Vulnerability in Microsoft Exchange Server Running Outlook Web Access Could Allow Script Injection (912442)

MS06-030 – Vulnerability in Server Message Block Could Allow Elevation of Privilege (914389)

MS06-032 – Vulnerability in TCP/IP Could Allow Remote Code Execution (917953)

One “Moderate” patch rounds out the bunch:

MS06-031 – Vulnerability in RPC Mutual Authentication Could Allow Spoofing (917736)

In addition, MS06-011 Permissive Windows Services DACLs Could Allow Elevation of Privilege (914798) has been re-released as version 2.0 with new patching information.

It's the 24th week of the year, and Microsoft is up to 31 patches.


This work by Ted Roche is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 United States.