Newsletter Archives

  • Whole lotta shakin’ goin’ on

    The latest Windows Secrets newsletter just hit the stands, and as usual there’s a bunch of information about the latest crop of patches.

    Besides a pack of unfixed problems with Internet Explorer documented by Chris Mosby, Susan Bradley covers multiple gaffes with several patches. This one took me by surprise: MS06-015 may cause IE 6, Windows Explorer, or other components to hang on PCs with a driver for any of various HP printers, scanners, cameras, etc. She goes on to document a fix.

    You need to subscribe to the newsletter in order to get all the details. That’s the bad news. The good news: you get to pick how much you pay for the subscription.

    Check it out.

  • Five Security Bulletins, a fix, a lie (uh, misleading description), and an update

    As expected, Microsoft has just released five Security Bulletins. There are lots of hairy issues with all of them – especially the downgrade to Internet Explorer that’s being distributed in conjunction with a massive group of security patches.

    I wasn’t expecting another bulletin and patch – a patch of the MS06-006 patch, which (as I described two months ago) caused Windows Media Player to act flakey. My advice then, as now, is to install the patch and if WMP starts to act up on you, get a better player, such as WinAmp.

    Bottom line: WAIT. Use Firefox to avoid the worst Internet Explorer holes (which have been widely exploited for almost a month now). Don’t install any of these patches, or patches of patches, until the pioneers figure out how to dig the arrows out of their backs.

    A quick rundown:

    MS06-013, a monster fix for Internet Explorer that plugs ten different security holes. This is the patch that includes the downgrade to IE, attributable to Microsoft losing the Eolas patent case.

    Knowledge Base article 917425 describes the patch that temporarily disables the downgrade, which I described last week.

    MS06-014, the MDAC fix, patches a gaping hole in an ActiveX control.

    MS06-015 plugs a “critical” hole in Windows Explorer.

    UPDATE: Looks like Microsoft was trying to slip a related, but different, patch into this mess. The unacknowledged patch fixes a hole that’s been known for two years. See “Misleading and Incomplete Information in MS06-015” on the Securiteam blog for details: “…the information as published is extremely misleading and Microsoft’s choice not to document a publicly-reported vulnerability is not one that will be for the benefit of its customers’ security.”

    MS06-016 only rates as an “important” patch to Outlook Express.

    MS06-017 fixes a hole in FrontPage Server Extensions, which you probably don’t have to worry about.

    Keep watching my Patch Reliability Ratings page for updates. Gad. What an unholy mess.

  • Patch Tuesday – hold off, for now

    We’re in for a wild ride on Tuesday, April 11. My guess is that the IE patch/downgrade is going to cause a lot of problems in completely unexpected areas.

    The Internet Explorer hole is a bad one, but you can largely circumvent it by using Firefox.

    My strong advice: don’t patch yet. Check back here, and comb Windows Secrets newsletter for important news.

  • Green Light for patches prior to April 11

    If you haven’t yet applied all outstanding Windows and Office patches, now’s a good time to do so.

    Heaven only knows what thrills await on Patch Tuesday, April 11. So get yourself patched now, while it’s easy.

  • Combined IE downgrade/patch coming

    Just when you thought it couldn’t get any more complicated…

    More than a month ago, I warned you about an Internet Explorer “Non-security Security Advisory” that was making the rounds. Microsoft used its Security Advisory channel to try to convince you to downgrade Internet Explorer. Why? Because the ‘Softies lost the Eolas patent lawsuit.

    Two weeks ago, I warned you about the Internet Explorer createTextRange() security hole, which is currently being exploited in many (hundreds?) of Web sites.

    Next Tuesday, Patch Tuesday, Microsoft plans to release five patches, including one patch for IE that – get this – plugs the createTextRange() security hole and downgrades IE, in compliance with the lost lawsuit. Can’t have one without the other.

    At least, if you’re a normal user, you can’t have one without the other. In the paid edition of Windows Secrets newsletter that appeared earlier this week, Susan Bradley explains that Microsoft will issue a hotfix for the patch on the same day that the patch is released. That hotfix will disable the downgrade – but only for 60 days.

    So… stay with me here… on April 11, you’ll get an IE patch that plugs a security hole and, at the same time, downgrades IE. But if you want to go to the hassle of installing a hotfix, you can nullify the downgrade, but only for 60 days.

    The best solution? Install the patch on Tuesday, but switch to Firefox now.

  • Spoofing URLs

    Researcher Hai Nam Luke has posted two separate “spoofing” examples on the SecurityFocus BugTraq list. Both use the Flash add-in to display one address in your browser’s address bar, when in fact you’re sitting on a different site. Thus, you may be looking at www.IStealYourPassword.com, but your address bar may say that you’re at www.PayPal.com.

    It’s a tough problem that affects both Internet Explorer and Firefox. The only solution given at this point is to disable Shockwave Flash.

    As always, you should only trust yourself – type in the address yourself, or use your own bookmark – when visiting secure sites.

    Gad.

  • eEye Free Patch for Internet Explorer createTextRange() security hole

    There have been so many Internet Explorer holes exposed in the past couple of weeks (three of them, if I count right) that I’ve refrained from posting specific information about any of them, relying on my old admonition, use Firefox.

    Unfortunately, two events have transpired that bring me back, kicking and screaming, to the topic of patching IE.

    First, I was reviewing the access logs for this site, and was shocked – shocked – to discover that a fair percentage of you folks are still running IE. Please, please, please take the advice in my books, in my Windows Secrets newsletter columns, and the advice plastered all over this site: please change to Firefox. It’s free. It works great. You can install and run it without any interference with IE. Yes, there are security holes in Firefox, but they aren’t as frequent as those in IE, and they’re fixed much more rapidly. Bottom line: No matter who you are, no matter how much or how little you use the Internet, you need Firefox, now more than ever.

    Second, exploit code for the createTextRange() security hole has been making the rounds. It’s a 0day exploit, which means Microsoft doesn’t have a patch yet (although they’re working on it and expect to have a patch on or before the April 11 “Patch Tuesday”). And it’s a mean mutha: you don’t need to do anything besides surf to an infected Web page, and boom, this one will jump up and bite you, potentially taking over your computer without your knowledge or consent.

    The good folks at eEye Digital Security have just released a patch that protects against this particular hole. If you have to use IE, you should head over to their site and install the patch. They don’t guarantee the patch, and it’s bound to create some problems. But it beats hanging your tail out in the wind.

    Oh. Microsoft advises that “Microsoft Internet Explorer 7 Beta 2 Preview – released on March 20” doesn’t have the problem. (That’s IE 7 Build 5335.5.) If you’re running Vista build 5308 or earlier, you do not have the “Preview – released on March 20”. Vista Build 5308 hit the stands before March 20. To see what version of IE 7 you’re using in Vista, start IE, push the Alt key (yes, the Alt key), then click Help | About Internet Explorer. The version of IE 7 that I’m running – which came with Vista Build 5308 – is listed as 7.0.5308.17.

    You can download the IE 7 “Preview – released on March 20” (build 5335.5), should you feel so inclined, from the IE7 Beta 2 page. Unfortunately, that “Preview” is only meant to work with Windows XP Service Pack 2. If you have the Vista beta, I assume you’re SOL.

    Geeky note: the eEye site says this hole is exploitable via email and instant messaging. That’s literally true, but it looks like you’d have to open an HTML attachment to a message in order to get clobbered. Of course, you don’t open HTML attachments to email messages, do you?

    UPDATE: In a Microsoft Security Resource Center blog posting, ‘Softie Mike Reavey recommends that you not install the eEye patch. Mike says, “we’re still not seeing increased spread of attacks, and in fact have been very active in taking down sites as they come up with law enforcement.” On March 26, security firm Websense claimed that they had found 200 sites using the security hole to install “various forms of BOT’s, Spyware, Backdoors, and other Trojan Downloader’s.”

    A more cynical soul than I would ask if the attacks aren’t spreading, why is Microsoft enlisting the aid of gendarmes in taking down sites?

  • Hotfix to patch the MS05-013 patch

    Here we go again…

    Microsoft has just posted Knowledge Base article 906216 which describes a Hotfix for (yet another) bug in (yet another) security patch.

    It’s an obscure bug that only surfaces when an ActiveX program displays a specific kind of previously-hidden part of a dialog box. Still, it took the ‘Softies more than a year to acknowledge the problem and fix it.

    Chances are very good that you aren’t affected by the patch. Er, the patch of the patch. Don’t lose any sleep over it. But remember that when you apply security patches, weird things may go bump in the night. It isn’t your imagination; it isn’t gamma rays. It’s just another buggy patch.

  • MS06-005 may clobber Windows Media Player 10

    Microsoft has just posted Knowledge Base article 912226 which says, inter alia:

    After you apply some updates to Microsoft Windows Media Player 10, you may experience the following issues when you try to seek, to fast rewind, or to fast forward:

    The position slider jumps back to the start of the media file.
    Content playback freezes, even though the status shows that the content is playing.

    The KB article lists three known causes for the problem: security patch MS06-005; Update Rollup 2 for Media Center Edition 2005; and a specific WMP patch that enables DirectX Video Acceleration.

    Oddly, the KB article lists two fixes – but they both involve patching a server running Windows Media Services 9. I have no idea if the bug is strictly limited to streaming playback from a Media Services 9 server (which would make a server patch reasonable), or if it’s a more widespread problem, and Microsoft doesn’t have a generally applicable fix.

    For now, I’ll just say, HUH?

  • Internet Explorer “Non-Security” Security Advisory

    Helen Bradley has an important short article in this week’s Windows Secrets newsletter. The article is in the “paid edition” content, so you have to sign up for the newsletter and pay (you decide how much) in order to read her column.

    The gist: Microsoft has posted Security Advisory 912945 which is entitled – get this – “Non-Security Update for Internet Explorer”.

    Why does a Microsoft Security Advisory advise you to install a non-security update? Because Microsoft lost another lawsuit. In this case, the powers-that-be in Redmond are trying to scare you into downgrading Internet Explorer by issuing a “Security Advisory” that imposes the changes mandated by the lost lawsuit. Hey, it could be worse. At least the IE team didn’t follow the Office team’s lead and try to convince you that eliminating features because of lost lawsuits is an “upgrade”. What drivel.

    Self-proclaimed Ex-Security-MVP Alun Jones hit the nail on the head in his blog: Eolas won the lawsuit against Microsoft, not against you. Microsoft has to release this update, but you don’t have to install it. Don’t.

    Trustworthy computing.

  • Visual Studio 6.0 0day Exploit

    If you have Visual Studio 6.0 installed on your machine, beware.

    (Brief history lesson: Visual Studio is Microsoft’s gigantic multiple language programming system. Visual Studio 6.0 is an old version – released in 1998, and supplanted by Visual Studio .NET in various incarnations, then Visual Studio 2005. VS 6.0 included the last real version of Visual Basic – the .NET version of VB doesn’t look anything like real VB. If you don’t program, you probably don’t have Visual Studio installed. But if you cling to classic VB, Visual Studio 6.0 may still be on your computer.)

    FrSIRT has posted working exploit code that takes advantage of (yet another) buffer overflow screw-up when Visual Studio 6.0 opens .dbp files (Visual Studio Database Project files) or .sln files (Visual Studio Solution files).

    It’s a 0day exploit, which means that Microsoft hasn’t released a patch, and there are working programs “in the wild” that take advantage of the problem. Apparently a fellow called Kozan at spyinstructors came up with the first working exploit.

    If Visual Studio 6.0 is installed on your computer, be careful opening .dbp and .sln files. Expect Microsoft to respond, sooner or later, on the Security Response Center blog.

  • Seven Patches – Including a Stinker

    Microsoft has just released seven Security Bulletins, two rated critical, five that are merely “important”. It looks like one of them, MS06-007, is causing problems.

    The official list:

    MS06-004 – 910620 – Critical – Yet another cumulative update for Internet Explorer. “A vulnerability exists in the Graphics Rendering Engine that could allow remote code execution.”

    MS06-005 – 911565 – Critical – Yet another patch for Windows Media Player. “A vulnerability exists in the way that Windows Media Player processes certain files that could allow remote code execution.”

    MS06-006 – 911564 – Important – And a patch for the WMP plug-in for other browsers, including Firefox. “A remote code execution vulnerability exists in the Windows Media Player plug-in for non-Microsoft Internet browsers that can allow remote code execution.” If you use Firefox, you need this patch.

    MS06-007 – 913446 – Important – “A vulnerability exists that could allow an attacker to send a specially crafted IGMP that could cause an affected system to stop responding.” Lots of people report problems installing this patch automatically. (If you woke up this morning and found that automatic updates died with a weird 0x80242006 error, at least you now know what’s happening.) For a solution, see my Microsoft Patch Reliability Rating page on MS06-007.

    UPDATE: As expected, Microsoft has patched the patch. You shouldn’t have any problem installing it.

    MS06-008 – 911927 – Important – “A vulnerability exists in the Windows Web Client Service that could allow an attacker to take complete control of an affected system. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.”

    MS06-009 – 901190 – Important – Although Microsoft bills this as a Korean language problem, that’s only part of the story. If you bought and installed the Microsoft Office 2003 Proofing Tools package, you need to read my Microsoft Patch Reliability Rating article.

    MS06-010 – 889167 – Important – “A vulnerability exists PowerPoint that could allow information disclosure.”

    As always, full details and the latest analysis are on my Microsoft Patch Reliability Ratings page.