It turns out that Windows 98 is just too hard for Microsoft to support with a security patch for MS06-15 now. The official support period ends in July, but they’ve announced that this one won’t be getting a patch as the changes would be just too substantial. Some of the mitigation suggestions involve using restricted zones settings to limit ActiveX and Active Scripting. (Of course, installing something other than Windows 95/98/ME might be considered a mitigating factor as well.)
Category: Windows Software
-
Bye bye ethereal — hello wireshark
Ethereal has quite a reputation for itself, I’ve used it in analyzing traffic on the home network and experimenting with virtual images… anyway, it’s a packet sniffer and network protocol analyzer and it now has a new name and new home…. wireshark.org. Apparently the lead developer did not own the rights to the name ethereal and is transfering to a new job, the old company keeps the ethereal name. He said in the explanation that he is NOT going through a namechange like that again for the project and is in the process of trademarking and will ask for input shortly as to how the development team wants to hold the trademark.
-
Cross browser javascript vulnerability
It sounds like this vulnerability would take a great deal of user interaction, but cio-today is reporting on a browser vulnerability that affects pretty much every javascript enabled browser. According to Symantec …. “This issue is triggered by utilizing JavaScript ‘OnKeyDown’ events to capture and duplicate keystrokes from users,” and is a way that the attacker could scrape/log things that are typed in (bank information, passwords, etc.) Also, they say “In one scenario, a crafty programmer might be able to trick users into entering personal data into a seemingly secure field on an online payment form, giving the hacker access to anything typed within the field.”
-
Microsoft June Patch Cycle heads up
It’s about that time again folks…. Monthly Microsoft patch cycle – June patches will be released on the 13th (next Tuesday) and it looks like a big batch. There should be 12 patches this time and at least one of the Windows updates is Critical and at least one of the Office updates is critical. It’s widely expected that an update will be released for the Word vulnerability that’s been talked about previously here. Also, there will be a change in the ActiveX behavior in Internet Explorer. That change had been scheduled to come out a few months back, but was postponed.
-
Bad malware storms brewing
ADTMAG.com has an interesting article talking of the convergance of spyware and more sophisticated phishing attacks. They talk about the convergance of viruses and spam engines that happened in 2003 as a real shift in the dynamic of WHERE junk mail was coming from. Today botnets account for about 90% of the spam online, and of course, the botnets are the zombie armies that can be (and are being) utilized to bully web pages off the net, or extort large amounts of $$ due to denial of service attacks.
-
The “secure software” dilemma
It’s quite a dilemma when a software product is billed as more secure than another…. several days back when Mozilla Firefox released v. 1.5.0.4 which fixed a number of security issues, I saw someone comment “I thought firefox was supposed to be secure.” I think there’s a misunderstanding when it comes to software. I think the misunderstanding is that one piece of software can be secure and another not. Out of the box. Let’s take a stab at clarifying…. Security is not a product, it’s not a feature, it’s a way of doing things. Along those lines….
-
Windows Vista Beta download
Yes, this is legitimate and officially sanctioned. Microsoft is releasing the beta version of Vista Ultimate for download. This page gives details on the download. It is also possible to request a dvd. (The download is a dvd iso – a bit over 3 GB). It will expire June 1, 2007 (I assume Vista will be out by then…) It should be able to upgrade an existing XP install or do a fresh install (PLEASE DO NOT DO THIS WITH YOUR MAIN DESKTOP WITHOUT SERIOUS BACKUP FIRST.) It will be unable to roll back to the previous OS (fresh wipe and install would be required.)
-
Firefox Sync plugin
Google has released a new plugin for firefox that synchronizes various settings from one pc to another making use of a google account. Essentially, it saves certain preferences from your browser to your Google account, then when the browser is launched again it retrieves any changes from the Google Account. This sounds like a great solution for people trying to keep bookmarks synced across multiple pcs. I wonder if it could track what extensions are installed and make sure you have the same set of extensions on all pcs?
-
Microsoft Genuine Advantage phones home daily
Microsoft says they need to do a better job about disclosing this, but the Genuine Advantage tool contacts Microsoft daily. It doesn’t do this to track your browsing or downloading habits, but to check and see if it’s ok that it’s still running. According to this article, they have some concern that it might not work properly and wanted to be able to tell it to shut down if there were widescale problems with the proof of legitimate windows copy. I did glean a few more details from the article that correct an assumption that I made a week ago.
-
Big trouble – you don’t have any viruses….
You know, I’ve seen soooo many antivirus vendors that are somewhat ethically challanged claim that cookie files are a big threat, or in worse cases files that the “free” antivirus test downloaded are dangerous “you should be glad we got here in time – where’s our $30 to fix things…” kind of message, but from a mainline, well known antivirus vendor you expect better…. Over at Spyware Confidential, after an online scan at a leading AV vendor, they’ve received a couple of emails explaining the great danger their computer is in after the scan turned up 0 viruses and 0 infected files.