• Adobe Flash, Apple QuickTime security patches

    If you’re using Apple QuickTime (and if you use iTunes, or you have an iPod, you probably do), head over to Apple’s web site and download and install the latest security patches.

    If you’re using Adobe’s Flash (and if you can see the animated ad at the top of this page, you are), head over to Adobe’s web site and download and install the latest version of Flash.

    Do it now, while you’re thinking about it.

  • September Security Bulletins – and a couple of surprises

    Tell me, grasshopper. When is a security patch not a security patch?

    Microsoft just released the anticipated three Security Bulletins – but they also re-issued MS06-040 (to solve the big memory allocation problems I described earlier) and MS06-042, to handle a completely new security hole.

    When Microsoft “re-releases” a Security Bulletin (for IE, no less) that addresses a new vulnerability, how is that different from releasing yet another (for IE) Security Bulletin?

    Ah. What is the sound of one hand clapping?

I was also surprised by the fact that the Office Security Bulletin deals with FrontPage, and not with the newly discovered Word 0day hole.

    The line-up:

    MS06-052 / KB 919007 is an “important” update for WinXP that probably won’t affect you at all. (It patches a program called the MSMQ service, which isn’t normally installed on XP machines.)

    MS06-053 / KB 920685 is a “moderate” update for WinXP that replaces MS05-003. It patches a very obscure hole in the Windows Indexing Service, which would take a whole lotta effort to compromise.

    MS06-054 / KB 910729 patches Microsoft Publisher 2000, 2002 (the version in Office XP) and 2003. If you don’t use Publisher, there’s no reason to worry. Microsoft already lists a bug in the patch – if you install it, you can’t open Publisher 2.0 files. Sometimes I wonder what these guys use for test regimens.

    In addition, there’s a Security Advisory, KB 925143, telling you, once again, to update Macromedia Flash Player. And there’s another Security Advisory, KB 922582, that says all of Microsoft’s automatic update tools are broken and need to be fixed. That’s why you’ll see a download available for KB 922582.

    Finally, I’m also getting an update notification for KB 920872, “Audio playback does not play the audio file from the correct position after you pause it, and you randomly receive a Stop error message when you try to play audio files in Windows XP Service Pack 2 (SP2).” I have no idea why that’s being pushed as a high priority update.

    I’m moving us up to MS-DEFCON 2. Don’t patch yet. Wait for the other guys to get arrows in their backs. Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.

UPDATE 9/12: Several of you have written asking about the re-issued MS06-040 and MS06-042 patches. I don’t recommend that you install the latest re-issued versions, assuming you’ve already installed the original MS06-040 and MS06-042 patches. There’s no pressing need for either of the updates. On the other hand, if you didn’t install MS06-040 and MS06-042 last month, you need to install the updated versions now – and suffer the consequences, if there are any. You really need to stay on top of this stuff, eh? Microsoft re-releasing a Security Bulletin to patch a completely new vulnerability in IE doesn’t help matters any…

  • MS06-049 bug?

    Hoooo boy.

    On August 24, Andy Schmidt posted a message on the Windows 2000 newsgroup saying that he had problems with corrupt JPG files.

    Fast forward a couple of weeks and, as you can see in that newsgroup posting, it now appears that August security patch MS06-049 / KB 920958 may be at fault. It looks like the patch causes intermittent corruption in all kinds of compressed files – ZIPs, JPGs, MP3s, and the like – and it occurs on Windows 2000 Pro and Windows 2000 Server machines.

    No acknowledgment, one way or the other, from Microsoft as yet, although the problem was apparently reported to them about August 24. It may be a red herring, but it sure looks like a bug in the patch.

    As a precautionary measure, if you have a Windows 2000 machine, I urge you to go into Control Panel’s Add/Remove Programs and remove the 920958 patch, until we hear something definitive from the ‘Softies. (MS06-049 / KB 920958 only applies to Windows 2000.)

The relatively small batch of September patches is due in the next day (or two or three, depending on how overloaded MS’s servers might be with Vista RC1 downloads, I would guess), so it’s a good time to triple-check to make sure that you have Automatic Updates disabled.

    We remain at MS-DEFCON 4.

  • September’s Patch Tuesday should be relatively calm

    Microsoft has just posted its usual advance warning for this month’s Security Bulletins, due on September 12.

    Looks like there are eight patches coming (plus the usual update to the Malicious Software Removal tool), but only two security patches for Windows and one for Office. Maybe they nabbed the Word 2000 0day?

    Included in the list are two non-security high-priority updates for Windows, plus three other non-security high priority updates – but Microsoft doesn’t say what they’re for.

    We’re currently at MS-DEFCON 4: There are isolated problems with current patches, but they are well-known and documented here. Check this site to see if you’re affected and if things look OK, go ahead and patch. If you haven’t yet updated your system, now would be a good time to do so. And make sure that you have Automatic Updates turned off, eh?

  • Window Snyder joins the good guys

    Security mahaguru Window Snyder – the Microsoftie who was responsible for the security part of Windows XP Service Pack 2 and Windows Server 2003 – is jumping ship.

She’s going to work for Firefox. More accurately, she’s going to work for the Mozilla Corporation, the for-profit arm of the Mozilla Foundation, which produces Firefox.

That’s good news for everybody, methinks. eWeek has details.

  • Windows Vista Release Candidate 1 now available for download

    That scorching smell in the air is the cumulative effect of millions of servers melting down.

    Microsoft just posted Vista RC1, and you can get it from their download site.

    If you need a key (you probably do), drop by the Customer Preview Program site and follow the instructions to sign up and get your key.

  • Brian Valentine going to Amazon

    It’s the end of an era.

    Brian Valentine, one of the most… human… Microsoft managers, and a guy I admire greatly for his ability to motivate developers (developers, developers, developers), is leaving Microsoft and headed to Amazon, where he’ll be a senior VP.

    As anticipated, Jon deVaan (the creative genius behind much of what’s great about Office) will be taking over development for Windows and Windows Live.

  • New Word 2000 0day exploit

Juha-Matti reports on his SecuriTeam blog that there’s a new 0day exploit making the rounds.

    Fortunately, it looks like very few people have been infected. Unfortunately, it’s a tricky beast: you open an infected Word document, and a backdoor gets installed on your PC.

    McAfee calls it W32/MoFei.worm.dr; Symantec calls it Trojan.Mdropper.Q; TrendMicro calls it TROJ_MDROPPER.BR; Kaspersky calls it Trojan-Dropper.MSWord.1Table.bv. All of those companies have updated their signature files to detect and remove the threat.

    UPDATE: Microsoft has finally acknowledged the problem.

    The SANS Internet Storm Center posted a good riposte to Microsoft’s Billy-come-lately suggestions: They offer two pieces of advice. 1) Don’t open Word files from people you don’t know. (This goes back to not eating candy until your parents look at it at Halloween, and not opening the door for strangers.) 2) Use Word ‘viewer’.

Of course Microsoft publishes great “Suggested Actions”: “Protect your PC by enabling a firewall” (which, btw, does not keep Word files out). In fact, one of Microsoft’s suggested actions is “Keep Windows Updated”… we’d love to, if there were a fix for the problem! Let’s hope they get it patched as soon as possible.

  • Windows Vista Beta 3, er, Release Candidate 1 is out

Microsoft has just delivered Windows Vista build 5600. Although the company calls it “Release Candidate 1”, you and I can think of it as the “first relatively stable, feature complete beta” without loss of generality.

    It isn’t on the newsgroups yet. TechBeta participants get the build first. Then, next week, MS plans to release it for MSDN and TechNet subscribers. After that – say, the middle of the month – the beta should be posted for downloading by the unwashed masses.

    How do you spell “server meltdown”? I just hope they don’t try to charge for the download, like MS is doing for the Office 2007 beta. Charging people to test your buggy software. Somewhere, a marketing team is laughing its butts off.

    I’ve been using the “Pre-RC1” build 5536 for a week now, and it’s impressive. I hit the odd bug now and then, but by and large Vista no longer sucks.

    Much more to come in the days and weeks and months ahead.

  • Office 2007 appears on Amazon – but when will it ship?

    You can now belly up to the bar and order Office 2007. Just drop by Amazon and search for Office 2007.

    When Amazon originally posted the Office 2007 products, about 12 hours ago, they listed the availability date as January 30, 2007. But if you go to the Amazon order page, you can see that it now says “This item has not yet been released. You may order it now and we will ship it to you when it arrives.” and “Estimated to be available early in 2007”.

    At least, that’s what the site says at this moment.

    Microsoft appears to be willing to price itself out of the market. Office 2007 Ultimate goes for a paltry $679 (the upgrade’s only $539). Professional is $499 ($329 upgrade). The “regular” version sells for $399 ($239 upgrade). Home and Student runs $149 (you can’t upgrade the old Student and Teacher Edition). A new Word-only Home and Student will set you back $119.

    It’ll be interesting to see how much Google offers – for free – by the time the Office 2007 dinosaur lumbers out of Redmond.

  • Firefox 2 Beta 2 now available

    I’ve had a chance to play with the latest beta test version of Firefox, called Firefox 2 Beta 2. There are a few minor changes and improvements from Beta 1.

    I urge everyone to download and use this new beta version. It’s good. And it ain’t Microsoft.

    For those of you who are already using Firefox 1.5 (or 2.0 beta 1), I suggest you uninstall 1.5 (Start | Control Panel | Add or Remove Programs) before you install 2.0 beta 2. While it’s entirely possible to run both 1.5 and 2.0 beta 2 at the same time, ping-ponging between the two can be a pain in the neck. In my experience, 2.0 beta 2 is good enough to use all the time. (Thanks to GW for pointing that out.) Also, when you uninstall Firefox 1.5, it keeps your favorites hanging around. Firefox 2 picks them up. Not to worry, your Favorites come through intact. (Thanks for asking, Claudia!)

For what it’s worth… there’s another publicly available exploit for Internet Explorer making the rounds. Looks like it’ll be able to take over your PC. Don’t use IE. Switch to Firefox – whatever version – please!

    Many of you are afraid to try Firefox. Not to worry. It installs alongside IE – you don’t have to turn off IE, or modify it in any way. Firefox will import all of your IE Favorites, with just a click. If you don’t like Firefox, you don’t need to do anything – just go back to using IE. At worst, it’ll take up a little bit of space on your hard drive. At best, it’ll keep you from getting clobbered.

  • Amazon reveals Vista prices and confirms January 30 availability

    Hot on the heels of my last post…

    Amazon has just listed prices for the most common retail versions of Vista. (For example, the Vista Ultimate DVD price is listed here.)

    The short list: Home Basic (which you don’t want) costs $199 on a new machine, or $99.95 to upgrade from XP Home. Home Premium (which you probably will want) costs $239, or $159 to upgrade.

    Business (which you might want if you don’t plan on using any Media Center apps) runs $299, or $199 for an upgrade. Ultimate (which has a few niceties, but not enough to justify the price for almost all consumers) lists at $399, or $259 for an upgrade.

    Amazon says Vista will be available on January 30, 2007. I remain skeptical.