Archive for October, 2006

New Windows Vista Multimedia and Productivity Icons

What do you think of the new Multimedia and Productivity icons?

They are okay, I like more detail and realism, but the colors kind of suck.

Posted by Jimmy Daniels - October 31, 2006 at 11:53 pm

Categories: UI, Windows Vista

IE7 Window Injection Vulnerability, Again

Okay, this is the third time I have written about this vulnerability, twice today, so I can probably say for sure, this will be the last time, until next time, hehe.

It must be important to Secunia, because they opened up a blog today, just for this I assume, since it is the only post.

On Monday 30th October, Secunia published an advisory describing a vulnerability in IE7, which appears to be a legacy from IE6 – and which back in 2004 turned out to affect virtually every single browser on the market.

The vulnerability allows a malicious site to change the content of arbitrary pop up windows.

In 2004 the organizations behind Firefox, Netscape, Opera, Konqueror, OmniWeb, and Safari all confirmed the “Windows Injection” issue to be a vulnerability and subsequently issued fixes for this issue.

IE6 users had to change the “Navigate sub-frames across different domains” setting to protect themselves.

Today, in IE7 this setting has been disabled by default – that is a good thing – but it doesn’t work – that is a bad thing!

That in itself qualifies for at least a “security bug”. Source: Secunia “Security Watchdog” Blog

Microsoft said in their blog entry this wasn’t a vulnerability then and it isn’t one now, even so, they added the address bar so you could actually see the url, in case someone did try to hijack your browser, and in 2004, users could change the “Navigate sub-frames across different domains” setting to protect themselves. This is disabled in IE7 by default, yet the browser is still vulnerable to the window injection.

We believe that Microsoft ought to take responsibility for the bugs, weaknesses, and vulnerabilities in their browser to ensure that it really protects against phishing and similar scam attacks – isn’t this what Microsoft advertises that IE7 does better than its predecessors?

Yes they should. But, this can’t be too serious of a problem for people, Secunia’s solution says,
“Do not browse untrusted sites while browsing trusted sites.”
Umm, can I be the first to say, duh huh. If you don’t trust a site, why are you there to start with?

Anyway, will be interesting to see what Microsoft says, etc, etc. Welcome to the blogosphere Secunia. ;)

Posted by Jimmy Daniels - at 3:50 pm

Categories: IE7, Security

Windows XP ICS DoS 0Day?

Saw this post on PCWorld talking about how published code could disable the firewall on Windows XP based systems. Okay, that doesn’t sound good, so, checking it out, I notice it refers to ICS, or Internet Connection Sharing, which is a program that allows one PC to share its internet connection with other computers on the LAN.

The exploit requires Internet Connection Sharing to be enabled and requires that the attacker be on the shared interface (from what I’ve seen in my playing thus far, the Windows Firewall was disabled).

Malicious Person -> Computer with ICS -> Internet.

So, you have to be on the same LAN, i.e. in the same building, to exploit this. If there is a hacker in your house or place of business, then you have got bigger problems than not having your personal firewall working.

By knocking off the Windows Firewall, a criminal could open the door to new types of attacks, but there are a number of factors that make such an attack scenario unlikely, Reguly said.

For example, the attacker would have to be within the LAN in order to make the attack work, and, of course, it would only work on systems using ICS, which is disabled by default. Furthermore, the attack would have no effect on any third-party firewall being used by the PC, Reguly said.

I guess someone needs to post this somewhere, but it seems like such a non-issue. Buy yourself a wireless router if you have to use ICS; you can turn the wireless off and still get all of the benefits of the wireless router: NAT, sharing of the internet connection, etc. Anyway, that’s the info, do with it what you will.

Posted by Jimmy Daniels - at 12:34 pm

Categories: Security, Windows XP

Microsoft Responds to Latest IE7 Vulnerability

Microsoft has responded to the latest vulnerability report from Secunia, which we covered here yesterday, in a post at the Microsoft Security Response Center Blog titled Information on New Address Bar Issue. Apparently, this is a known consequence of the way browsers are designed: a site is allowed to load pages into browser windows opened by other sites, which lets windows be reused. You’ve all seen it: you click a link and it opens in another window; you go back and click another link, or go to another page and click a link, and it opens in that same window, unless you’ve closed it.

Like we always do, we investigated that claim thoroughly in 2004. We found that in all cases, for this to represent a threat for phishing or spoofing attacks, a user would have to decide to trust the authenticity of the page without verifying the page’s address (because there was no address bar) and without verifying an SSL connection (like we recommend on our website). In other words, the scenario requires that you intentionally not use the security features specifically put in place to help protect against phishing and spoofing attacks. Because of that, we said in 2004 that this issue doesn’t represent a security vulnerability as we have defined it on our website. Source: Microsoft Security Response Center Blog

Microsoft even said in their post that they looked at how they could make this better for users: since the user would have to ignore or not see the address bar when the page changed, they would add the address bar even in popup windows, so you could always see the actual URL. A lesson to be learned would be you can’t always trust every website you are on.

Now, yesterday, when I posted it, I admit I did not read the whole posting, so I did not realize that it was an old “vulnerability”, I assumed, as many did I’m sure, that it was a new issue. So, I helped spread a little bit of this nonsense, but Secunia should bear most of the responsibility. In their quest to report vulnerabilities, they made it look like it was a new one, at least in my eyes. I will be more observant in the future when looking at their reports. Thanks to Spyware Sucks for letting me know I did not report the whole story.

Posted by Jimmy Daniels - at 11:53 am

Categories: IE7, Security

Get Microsoft Office Accounting 2007 Beta

Microsoft is giving the Office Accounting 2007 B2TR copy of its software away for free, or free until June 2007, that is. Haven’t tried this myself, but saw some good reviews on it, and it’s free for eight months, long enough to try it out yourself. Includes integration with Paypal and eBay, create quotes, invoices, purchase orders, manage payroll, inventory and more.

Start up easily. Microsoft Office Accounting 2007 installs easily, without the help of Information Technology professionals. Using the Company Setup, you will be managing your business with Office Accounting 2007 in less than an hour. Source: Microsoft

Download it from here.

Posted by Jimmy Daniels - at 3:21 am

Categories: Office News, Software

Google: We Do Know Evil

Mark Cuban’s latest posting today contains lots of info concerning Google’s buyout of YouTube.com; while it is not fact checked, and contains some speculation from the writer himself, Cuban says he trusts the source. Everyone remember when Google’s motto was “Do No Evil”? I don’t think that is necessarily the case anymore, and not just because they removed it from their site.

While this seemed good on paper Google attorneys were still uncomfortable with the enormous possible legal claims and speculated that maybe even 500 million may not be enough – remember we’re talking about hundreds of thousands of possible copyright infringements. Youtube attorneys emphasized the DMCA safe harbor provisions and pointed to the 3 full timers dedicated to dealing with takedown notices, but couldn’t get G comfortable. Google wasn’t worried about the small guys, but the big guys were a significant impediment to a sale. They could swing settlement numbers widely in one direction or another. So the decision was made to negotiate settlements with some of the largest music and film companies. If they could get to a good place with these companies they could get confidence from attorneys and the ever important “fairness opinion” from the bankers involved that this was a sane purchase.

The second request was to pile some lawsuits on competitors to slow them down and lock in Youtube’s position. As Google looked at it they bought a 6 month exclusive on widespread video copyright infringement. Universal obliged and sued two capable Youtube clones Bolt and Grouper. This has several effects. First, it puts enormous pressure on all the other video sites to clamp down on the laissez-faire content posting that is prevalent. If Google is agreeing to remove unauthorized content they want the rest of the industry doing the same thing. Secondly it shuts off the flow of venture capital investments into video firms. Without capital these firms can’t build the data centers and pay for the bandwidth required for these upside down businesses.

So, before Google signed the YouTube deal, YouTube signed content deals with major media companies, record labels, effectively giving them a piece of the pie Google was about to serve up, I saw somewhere it was about $50 million per large company. Part of the deal was the media companies couldn’t sue Google for six months, because, as they already knew from Google Video, you can’t flourish like YouTube was and protect copyright laws at the same time. They also requested, if this story is true, that the media companies pile the lawsuits on YouTube competitors, so they can’t flourish since they will have to protect copyright laws, and Universal did just that by suing two capable Youtube clones Bolt and Grouper.

Another paragraph in the post mentioned the media companies only had one problem, figuring out how not to have to share any of the money with any of the artists who ACTUALLY CREATED THE CONTENT. If the money was received as part of a licensing deal, they would have to share it, usually 50/50, so what could they do? They decided that they would receive an equity position as an investor that Google would then buy from them. That way they could classify it as gains from an investment position.

Whew, no wonder they removed the Do No Evil, they would’ve had to have changed it to “We Do Know Evil”.

Infringement lawsuits will be served on Youtube and the new proud parent Google in the coming months. Google will respond with two paths: an expensive legal fight or a quick and easy settlement with most choosing the latter. Are there any larger copyright holders such as music publishers, movie studios, or unlicensed record label EMI that put up a fight rather than accepting the check?

Google’s motto would be more correct to be, “Your Internet Are Belong To Us.”

Posted by Jimmy Daniels - at 2:54 am

Categories: Google, YouTube

Windows Media Player 11 for Windows XP

Microsoft just released Windows Media Player 11 for Windows XP.

Windows Media Player 11 offers great new ways to store and enjoy all of your digital media. It’s easier than ever to access all of your music, video, pictures, and recorded TV on your computer. Play it, view it, organize it, and sync it to a portable device for enjoying on the go, or share with devices around your home – all from one place. Windows Media Player 11 is designed to work with all versions of Windows XP with Service Pack 2, including Windows XP Home Edition N and Windows XP Professional N.

Supported Operating Systems: Windows XP Home Edition N; Windows XP Media Center Edition; Windows XP Professional N; Windows XP Service Pack 2; Windows XP Tablet PC Edition. Source: Microsoft

Posted by Jimmy Daniels - October 30, 2006 at 8:38 pm

Categories: Windows XP

Will Microsoft Release Windows XP SP3?

Just finished reading an article from InfoWorld titled Windows XP SP3 suffers uncertain future, which talks about the recent delay of Service Pack 3 for Windows XP because of a delay in Windows Vista. SP3 was pushed back to the first half of 2008, a vague range to start with, with no real commitment from Microsoft.

The latest delay has some wondering whether the upgrade will ever see the light of day.

“The fear is Service Pack 3 will just get killed off,” said Jeff Centimano, an IT consultant at Levi, Ray & Shoup.

Directions on Microsoft analyst Michael Cherry agreed that Microsoft may very well decide to drop XP Service Pack 3. “It absolutely could happen. Microsoft is under no obligation to produce any service packs, ever,” he said. “They feel that because these fixes are available through the auto-update that there’s less need to create a service pack.” Source: InfoWorld

I try to stay away from some of these guessing games, maybe if I was an insider and had some kind of personal knowledge, as I have no real idea when stuff is coming out other than these types of stories and press releases. I sure hope they come out with a Service Pack 3, it would make lots of people’s lives easier, since they could download the service pack once and install it on PCs instead of installing SP2 and then all of the security updates, etc, that have been released in the years since SP2. Only Microsoft knows for sure, but hopefully they will do the right thing by IT people.

Posted by Jimmy Daniels - at 12:49 pm

Categories: Security, Windows XP

Third IE7 Vulnerability Found

Secunia has posted another vulnerability in Internet Explorer 7. This one is called Internet Explorer 7 Window Injection Vulnerability, and it is related to a previous vulnerability from IE 6.0, here.

A vulnerability has been discovered in Internet Explorer 7, which can be exploited by malicious people to spoof the content of websites.

The problem is that a website can inject content into another site’s window if the target name of the window is known. This can e.g. be exploited by a malicious website to spoof the content of a pop-up window opened on a trusted website. Source: Secunia via Faill.com

They have constructed a vulnerability test here, and this has been tested on a fully patched system running Windows XP SP2 and IE7.

Posted by Jimmy Daniels - at 12:15 pm

Categories: IE7

Hidden Windows XP Theme Discovered


Hot on the trails of the hidden program in Windows XP, there has now been discovered an unfinished theme for Windows XP called Royale Noir. Apparently, this was just now discovered, unless we find out otherwise.

During Royale’s development (the XP Media Center theme), the graphic artists also produced a black version of the skin, sans the overused “glass” effect. The result is an aesthetic black skin named “Royale Noir”, it even works with Office 2003.

Since the skin was never released (or reached final adjustments) there are a few issues with it: some of the colors don’t meet the overall “feel” (they’re too purple-ish compared to the greys of the bitmaps) and the inactive title bars are a little too dark.

You’ll find it’s been signed by Microsoft and doesn’t require a custom UxTheme.dll in case there are any doubts as to its authenticity.

If you already have Royale installed, you’ll need to remove it as both of these skins share the same name.

This skin has not been released to anyone outside Microsoft, until now. Source: istartedsomething.com

Download the theme from here, save the files to a folder called royale noir in your c:\windows\resources\themes folder. Once extracted, double click the file called luna in that folder, select the royale noir color scheme, hit apply and you are using the new theme. I kind of like it, I’m going to run it for a few days and see if anything is missing. Digg the story here.

Posted by Jimmy Daniels - at 11:44 am

Categories: Windows XP Themes