Newsletter Archives
-
Eolas enters the borg
Remember the Microsoft/Eolas patent lawsuit? The one that Microsoft initially lost in August 2003 – to the tune of $521 million. The one that led to a forced downgrade in Internet Explorer, first via security bulletin MS06-013, then MS06-021?
Looks like the chickens have come home to roost.
Pete LePage just made a semi-official announcement that Microsoft finally paid for the patent, made up with Eolas, and the downgrade will be upgraded again. How?
The first chance will be with an optional preview release, called the Internet Explorer Automatic Component Activation Preview, available in December 2007 via the Microsoft Download Center. Additionally this change will be made part of the next pre-release versions of Windows Vista SP1 and Windows XP SP3. After giving people enough time to prepare for this change, we’ll roll this behavior into the IE Cumulative Update in April 2008, and all customers who install the update will get the change.
The downgrade isn’t – and wasn’t – an earth-shattering problem; at worst, IE users had to click through another dumb dialog box when they visited certain sites. But it’s nice to know that Microsoft paid a fortune for stealing a patented process. Nobody knows for sure how much the ‘Softies paid Eolas (not to mention their legal bills for an appeal all the way to the US Supreme Court), but the University of California, which was party to the suit on the Eolas side, disclosed that it received $30.4 million for its claims.
-
Two patches next Tuesday
It looks like we only have two security patches coming next week.
Rumors abound that one of the patches will fix the secdrv.sys hole I mentioned a few days ago.
If you haven’t yet patched your system(s), do so now. Then make sure automatic updating is turned off. Let’s see what next Tuesday will bring.
-
Macrovision/secdrv.sys zero-day
Would somebody please tell me why Microsoft included the file secdrv.sys in Windows XP, 2003 and Vista?
secdrv.sys, better known as the Macrovision Security Driver, is the key program behind Macrovision’s copy protection scheme, known as SafeDisc. Macrovision licenses SafeDisc primarily to game publishers.
Anyway, there’s a security hole in secdrv.sys. Gregg Keizer at Computerworld has posted an analysis. Microsoft’s Security Advisory 944653 suggests that you review and apply Macrovision’s fix.
I’m going to give it a couple more days for all the problems to shake out. But I’m still wondering why in the blue blazes Microsoft includes the Macrovision copy protection program in Windows XP, 2003 and Vista…
-
Time to get caught up on your patches
I’m giving the go-ahead, and recommending that you apply all outstanding Windows XP and Vista patches, except the Core 2 Duo microcode patch, KB 933576. You should also avoid the .NET Framework megapatch, MS07-040 / KB 931212, unless you have a program that specifically requires it.
The rest of the September and October patches for both Windows XP and Windows Vista appear to be relatively benign (several have been re-patched) and at this point should do more good than harm. In particular, the Vista “compatibility, reliability, and stability” patches have stabilized significantly.
I also recommend that you install Office 2003 Service Pack 3, plus any odd patches offered for other versions of Office. The initial problems appear to have worked themselves out. Realize that SP3 changes the way several Office features work, and clobbers others, but the zapped features really can make your life more difficult. There’s a long list of changes in the “Known Issues” section of Knowledge Base article 923618.
Finally, it’s vitally important that you patch Firefox, QuickTime and Java. All three should be offered to you automatically. Go ahead and accept the offer to patch.
Once you’ve caught up on your patching, make doubly sure that you have Automatic Updates turned off. (Note that installing Windows Live Payola OneCare turns on automatic updates.) November’s Black Tuesday isn’t far away.
We’re at MS-DEFCON 4: There are isolated problems with current patches, but they are well-known and documented here. Check this site to see if you’re affected and if things look OK, go ahead and patch.
-
Flogging the dead KB 936357 horse
Microsoft has re-released, once again, its “microcode reliability update” patch known as KB 936357. I talked about the poorly documented, apparently ill-conceived, and laughably implemented patch more than a month ago.
I strongly recommend that you NOT apply the patch if it’s offered to you. Instead, figure out how to flash your BIOS, and solve the problem the old-fashioned way.
Thanks to EP, who noticed that the Knowledge Base article 936357 has just been updated to version 4.3. For reasons I don’t understand, several sites are recommending that folks install the patch.
It’s a load of garbage. Don’t put it on your machine.
-
What’s up with the Vista Service Pack 1 Release Candidate?
In the hare today, gone tomorrow category…
Neowin reports
Microsoft has posted download links to Windows Vista SP1 RC Preview on the MSDN homepage for MSDN subscribers. “Get the latest preview of Windows Vista SP1 on MSDN Subscriber Downloads. This new release of SP1 addresses reliability and performance issues, and provides support for new hardware and several emerging standards.” Windows Vista SP1 is slated for an early 2008 release but beta testers can get their hands on early preview builds. Users have reported that the service pack not only includes many bug fixes but several performance enhancements as well.
Update: For reasons yet unknown, Microsoft has pulled the announcement at MSDN. Microsoft were unavailable for comment.
I have no idea what happened.
CNET confirms that it was a mistake.
“The MSDN notice about a Windows Vista SP1 RC Preview was posted mistakenly,” Microsoft said in a statement provided to CNET News.com. “No code was released today and the MSDN notice has since been removed from the MSDN site.”
-
Windows Update automatically changes settings? Nope
Two weeks ago, I wrote about reports that this month’s “Black Tuesday” Windows Update patches were changing XP’s “notify but don’t install” automatic update settings. At the time I said it was hogwash.
Guess what?
It’s hogwash.
Scott Dunn, in the latest issue of Windows Secrets newsletter, points to the most likely culprit: the people who say that the Black Tuesday patches changed their “notify but don’t install” settings most likely installed Windows Live OneCare on their systems.
Among its many other endearing qualities, Microsoft’s Windows Live OneCare takes it upon itself to change your automatic update settings. What I find odd about the whole affair is that Microsoft didn’t immediately point to the likely culprit in ‘Softie Nate Clinton’s discussion of the problem. The most likely scenario: Nate didn’t realize that Windows Live OneCare takes it upon itself to change automatic update settings. That strikes me as odd, because Windows Live OneCare’s proclivity to override Automatic Update settings is well-known, well documented, and has been that way for more than a year. (See, for example, this article in Smart Computing.) The fact that Microsoft doesn’t explicitly warn about this behavior on Live OneCare installation is a dumb oversight, not a Big Brother conspiracy.
Don’t get me wrong. I think Windows Live OneCare amounts to little more than a giant protection racket, and anybody who pays Microsoft to protect its own products deserves whatever he or she gets. I see this “feature” as yet another key reason for avoiding Live OneCare altogether.
-
MS07-033 bug
Microsoft has acknowledged yet another bug in the June Black Tuesday patch for Internet Explorer. Knowledge Base article 933566, which is supposed to contain details about problems with MS07-033 (and is now up to version 4.0), should contain a reference to this latest bug. At the moment, I don’t see anything.
The bug is detailed in Knowledge Base article 943120. Apparently if you use Internet Explorer 6, and you’ve applied MS07-033 (or any subsequent IE rollup), IE will crash as soon as you leave a Web page that contains a reference to a style sheet.
At least, I think that’s what the KB article says.
Of course, you aren’t using IE 6. You aren’t using IE 7, either. Right?