|
|
| |
| |
Sorted by Date / Sorted by Topic
| |  From Gizmodo:
Apparently, around 2:00 AM today, the Zune models either reset, or were already off. Upon when turning on, the thing loads up and... freezes with a full loading bar (as pictured above). I thought my brother was the only one with it, but then it happened to my Zune. Then I checked out the forums and it seems everyone with a 30GB HDD model has had this happen to them
Happy new year, everybody!
UPDATE: If you own a 30 GB Zune, the problem went away. Ends up there was a slight, uh, programming problem. Years with 366 days - such as 2008 - drove the Zune's firmware nuts. The problem only lasted a day. By January 1, all was well: if you let the battery drain and re-start, your Zune started working again. Oy. | |
| |  It looks like the December crop of Black Tuesday patches are working out. MS08-070, -072 and -074 all had documentation changes, but the patches haven't caused any loud screams of pain.
For those of you who haven't installed Windows XP Service Pack 3, now is the time to do so. The biggest problem arises if you have an, uh, "ungenuine" copy of Windows XP - one that gets flagged by Microsoft's snooper as being a pirate copy. The downside: if you install XP SP3 and you have an ungenuine copy of XP, your desktop wallpaper will turn black and you'll get annoying messages down in the system tray - but that's it. There are no other ill effects. You can even change your wallpaper, but SP3 will check every hour and make it black again.
If you have problems installing XP SP3, take a look at Microsoft Knowledge Base article KB 950718 for suggestions.
I'm moving us down to MS-DEFCON 5: All's clear. Patch while it's safe. | |
| | Two days ago I reported on a new 0day vulnerability in Windows Media Player. I waffled quite a bit in that report, because SANS Internet Storm Center wasn't able to reproduce the reported flaw: they could get Windows to crash with a dodgy WAV, SND or MIDI file, but they couldn't get Windows to execute a program.
There's a reason why: the 0day isn't a 0day at all. It's just a bug that crashes Windows - a "Denial of Service" flaw, to use the politically correct terminology.
Jonathan Ness has a blog on the MS Security Vulnerability site that explains the problem. | |
| |  And I can see it right now on the alt.binaries.warez.ibm-pc.me-beta newsgroup. It's called working.one_microsoft.windows.7.beta.1.build.7000. I can't vouch for the file's authenticity - make sure the copy you get has an fsum of f9dce6ebd0a63930b44d8ae802b63825 - but it sure looks like the "gold" version of Win 7 Beta 1.
The warez sites get it before the beta testers, and Torrent traffic is undoubtedly up because of the beta. On the one hand, I bet some folks at Microsoft are furious. On the other hand, it's a very efficient and egalitarian distribution method. | |
| |  The Security Tracker site reports that there's a newly discovered security hole in Windows Media Player. Apparently it's possible to create a WAV, SND or MIDI file that, when played with Media Player, takes over your computer.
I say "apparently" because SANS Internet Storm Center says it has been able to reproduce a system crash, but hasn't yet gotten the bad WAV file to run anything.
For now, I wouldn't worry about it, but it'd be a good idea to avoid adding WAV, SND or MIDI files to your music collection for the next week or two. Since most of you are using MP3 (or [shudder] wma or aac files), that shouldn't pose too much of a burden. | |
| |  I just bumped into this fascinating blog entitled "More than 1,000,000 ways to infect your computer."
Gary Warner steps you through the infection process of (yet another) piece of Scareware, which the authors call "System Security." For the paltry payment of $51.45, you, too, can protect your computer from "38 Infections Found!".
The article includes a detailed analysis of how you might be tempted to download the little bugger, and what happens when you do. It's all quite innocuous. Amazing how well it all hangs together.
Anyway, if you have used a search engine recently to visit one of these sites:
microsoft.com, irs.gov, dbrecovery.com, togshop.com, wnbc.com, mrm.mms.gov, countrycurtains.com, portugal-info.net, cyberswim.com, nbcsandiego.com, thebostonchannel.com, thepittsburghchannel.com, hermanstreet.com, viadeo.com, nationalgeographic.com, barronscatalog.com, click2houston.com, lucy.com, wgal.com, rexart.com, kitv.com, bookmatestore.com, attarbazaar.com, titlenine.com, vermontteddybear.com, readthehook.com, theessentials.com, martlmadidebeli-gristianoba.com or "countless media outlets, magazines, universities"
you may have downloaded more than you bargained for.
Take a look - and have a safe Christmas, OK? | |
| |  And you should apply it immediately.
The big, bad IE 0day has been fixed with - get this - 300 separate patches. Don't waste a second downloading and installing MS08-078 / KB 960714.
The easiest way to get it is by clicking Start, Programs (or All Programs), Microsoft Update (or Windows Update) and following the prompts to install KB 960714.
There's an interesting history of the patch on the MS Security Response Center blog.
Note that there's still no reason to apply any of the December Black Tuesday patches. But you do need this one, even if you always use Firefox, because IE is woven so inextricably into the fabric of Windows itself. | |
| |  Microsoft has announced that it will post a patch to the Internet Explorer 0day attack I talked about last week. The patch covers essentially all versions of Internet Explorer, running on essentially all versions of Windows.
Microsoft itself admits that 2 million PCs have been bitten by this particular security bug. The Press Association reports that as of Saturday more than 10,000 Web sites contain malicious code that take advantage of the flaw. That was Saturday.
According to the SANS Internet Storm Center, one of Microsoft's recommended workarounds breaks Outlook Online Web Access. Even the BBC, for heaven's sake, has published a warning about using IE: "Users of Microsoft's Internet Explorer are being urged by experts to switch to a rival until a serious security flaw has been fixed."
My advice: for the first time in ages, I recommend that you download and install the IE patch the minute it becomes available. You'll see a notification pop up if you've set Windows Automatic Update to "notify but don't install." Otherwise, check the link at the beginning of this article every hour or two.
At the same time, obviously, surely, you're using Firefox by now, right? | |
| | Google just posted its 2008 Zeitgeist list, a fascinating compilation of all the searches done on Google over the past year.
For example, the "Fastest Rising" search terms - which is to say, the search terms with the largest percentage increase between the end of last year and the end of this year - worldwide are:
1. sarah palin
2. beijing 2008
3. facebook login
4. tuenti
5. heath ledger
6. obama
7. nasza klasa
8. wer kennt wen
9. euro 2008
10. jonas brothers
I confess, I had to look up several of those to figure out what in the world people seek.
Check it out. | |
| | Susan Bradley's column in the latest issue of Windows Secrets Newsletter talks about two new 0day attacks on Microsoft products.
First, the WordPad virus. No, I don't make this up. Microsoft discusses the problem in its Security Advisory 960906. If you're running Windows XP Service Pack 2, you may be at risk, if you open documents with WordPad. Vista and XP SP3 customers are safe.
Gad.
The other one is much more serious, for those of you who insist on using Internet Explorer. It seems that there's a hole in the way IE interprets XML files. It's so bad that you can get infected by simply going to a jiggered site. (Remember that some attacks latch on to well-known sites by rolling themselves into advertisements.) No click necessary.
Microsoft has issued an advisory on the hole:
Microsoft is investigating new public reports of attacks against a new vulnerability in Internet Explorer. Our investigation so far has shown that these attacks are against Windows Internet Explorer 7 on supported editions of Windows XP Service Pack 2, Windows XP Service Pack 3, Windows Server 2003 Service Pack 1, Windows Server 2003 Service Pack 2, Windows Vista, Windows Vista Service Pack 1, and Windows Server 2008.
SANS Internet Storm Center is keeping track of the latest. It's nasty, and most antivirus products don't catch it yet.
The solution? Use Firefox, of course. Sheesh. | |
| |  Microsoft released eight Security Bulletins , plugging a total of 28 individually identified security holes. When you multiply the 28 plugs times the number of different programs effected, there's a whole lotta patchin' goin' on.
For a complete list of patches, Knowledge Base numbers, and links, see the SANS Internet Storm Center December Patch listing.
The only killer at this point is MS08-070, which fixes at least six ActiveX controls that Microsoft made available with Visual Basic 6, and its close ally Visual Studio .NET 2002 and 2003. Unfortunately, many of those controls were distributed by companies other than Microsoft. There's a known exploit based on the security holes that's been around for the past four months.
Microsoft yanked its MS08-070 Web page a few minutes ago. At least, every attempt I've made to get at the page results in a "Service is Unavailable" error. When you read this, you might want to check and see if it's up, and if something major has changed.
As usual, my advice is to hold off patching, until we hear the screams of the pioneers, particularly for MS08-070. Make sure you're using Firefox, not Internet Explorer, to minimize your exposure to bad ActiveX programs. (Remember that Firefox doesn't run ActiveX.) Give it a couple of days. Hey, it took Microsoft four months to patch the six ActiveX holes. The world isn't going to come to an end any time soon.
We're going up to MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don't do it.
| |
| | SANS Internet Storm Center reports on a novel new Trojan that's sneaking into systems by pretending it's yet another patch for Adobe Flash.
[T]he pages hosting this malware actually do contain a real flash movie that is not malicious and plays in a Youtube-like embedded frame. After the movie has been running for a couple seconds though, a pop-up opens that indicates that a "Flash Player Update is available". It all looks credibly enough like one of those usual auto-update pop-ups, but if you click OK, you get an EXE which isn't really a Flash player update of course...
Antivirus packages are slow off the mark on this one. As of this writing, VirusTotal reports that 57% of the participating AV products don't detect this Trojan at all. | |
| | Paul Thurrott has weighed in with a surprising prediction for the release date of Windows 7:
It's pretty widely known that Microsoft will ship a beta release (and a public one at that) of Windows 7 in January. This beta will be the only beta and it will be followed by a single release candidate build, and then the final version, all in quick succession. I expect Windows 7 to be finalized by April 2009 at the latest, and to be completed simultaneously with Windows Vista/Windows Server 2008 Service Pack 2 (SP2), which is also due in April. (Windows 7 and SP2 share more code than people realize as well, by the way.) Windows 7 will be made broadly available to consumers and business customers no later than June 2009.
Many months ago, I guessed September 1 as the shrinkwrap-box-on-store-shelves date. Now I'm not so sure.
Steve Sinofsky shipped Office XP before it was fully baked, and he still thinks he did the right thing. He has a history of shipping early on all of his products: he puts them through very rigorous internal testing, but doesn't worry too much about testing outside of Redmond. The result is lots of incompatibilities, which he promptly patches - consumers turn into beta testers - and his sales don't suffer. I expect he'll do the same thing with Win7.
The move to unlink the Live Essentials was brilliant. Many of the cantankerous Windows programs can be released four or six months after Win7 ships, with new "beta" versions every month. Sharing the code base between Vista Service Pack 2 and Windows 7 means we get more glitz with the same old plumbing - but it's new plumbing.
The current pre-beta of Win7 is remarkably stable. I wouldn't be surprised if Win7 went gold in June.
| |
| |  Microsoft has nnounced that there are eight Security Bulletins in the wings, due to arrive on Black Tuesday.
This crop seems particularly worrisome: two "critical" Windows patches; yet another Internet Explorer patch; a Visual Basic patch; one each for Word, Excel and SharePoint Server; and one for Windows Media Player. Blech.
The November patches appear to be stable. I'm therefore recommending that you apply all outstanding Windows and Office patches EXCEPT if you're running Windows XP and you haven't yet upgraded to Service Pack 3, be sure you check out Susan Bradley's article in the current edition of Windows Secrets Newsletter. Yep, there's yet another problem with SP 3.
We're at MS-DEFCON 4: There are isolated problems with current patches, but they are well-known and documented here. Check this site to see if you're affected and if things look OK, go ahead and patch.
| |
|
|
|
| |
|
|
|
