Windows Genuine Advantage claim fails to reach Class Action status

Emil Protalinski at Ars Technica reports that a complaint about Windows Genuine Advantage has failed to reach Class Action status.

A lawsuit that accused Microsoft of misleading consumers to download and install an update for Windows Genuine Advantage (WGA) under the guise that it was critical security update will go forward, but not as a class action. A federal judge has refused to certify the lawsuit as a class action, which would have meant anyone who owned a Windows XP PC in mid-2006 could join the case without having to hire an attorney. As Windows XP was easily the most popular operating system at the time, the move means Redmond has managed to avoid hundreds of millions in potential damages.

The lawsuit hinges around WGA’s disturbing propensity – severely curtailed in recent times – to “phone home” on a regular basis.

Thanks for the heads-up, yangs!

Still at MS-DEFCON 2: MS10-002 is out, but you don’t need it

Microsoft has released MS10-002 / KB 978207 as expected. You don’t need it right away unless you’re running IE 6. And if you’re running IE 6, what you really need is Firefox, not this patch.

None of the current patches are worth worrying about. We remain at MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.

Firefox 3.6 final released, and NO Firefox is NOT “doomed” at all

Several months since Firefox 3.5 was released back at the end of June 2009, the final release of Firefox 3.6 has just been posted today. Read this Softpedia article on the details of this latest Firefox release.

Firefox 3.6 can be obtained from the official Mozilla Firefox page.

And a few days ago, I stumbled onto this Infoworld.com article speculating Firefox’s imminent demise or “doom”, which many Firefox users find hard to believe.

UPDATE: A blog was published on the Gigaom.com site about the middle of last week in rebuttal to that Infoworld.com article.

New hole in Windows discovered 17 years after it appeared

Man, this has been one helluva week for 0day exploits.

Tavis Ormandy at Google reports that there’s a hole in the way Windows NT and later handle functions that were designed to support 16-bit applications.

All 32bit x86 versions of Windows NT released since 27-Jul-1993 are believed to be affected, including but not limited to… Windows 2000, XP, Server 2003, Vista, Server 2008 and Windows 7.

Travis goes on to say:

Microsoft was informed about this vulnerability on 12-Jun-2009, and they confirmed receipt of my report on 22-Jun-2009.  Regrettably, no official patch is currently available. As an effective and easy to deploy workaround is available, I have concluded that it is in the best interest of users to go ahead with the publication of this document without an official patch. It should be noted that very few users rely on NT security, the primary audience of this advisory is expected to be domain administrators and security professionals.

Seven months without a resolution, and he’s gone public. Hard to blame him.

Yesterday, Microsoft released Security Advisory 979682, acknowledging the hole.

Protecting yourself against Aurora

Windows Secrets Newsletter just hit the stands, and the lead story by Yardena Arar has many details about the “Aurora” security hole.

There are ways to patch yourself without Microsoft’s big IE cumulative patch MS010-02, which is due any minute, but before you get your knots in a knicker, make sure you understand the scope of the problem:

Security analysts and Microsoft agree that the attacks have a high social-engineering component: the targeted victims have to trigger the attacks by clicking a link or infected attachment (commonly an Adobe PDF or Flash file) delivered in e-mail, instant messages, or other electronic communication appearing to come from a trusted source.

Stay calm. The sky isn’t falling. If this is what it takes to get Google out of the censorship business, kowtowing to a big paycheck, hey, I’m not complaining.

UPDATE: Brian Krebs just posted a very interesting article that explains why “Aurora” probably did originate in China. Actually, the evidence cited in the article tends to support the idea that the people who wrote part of Aurora are able to read Simplified Chinese, but the circumstantial evidence is compelling.

Aurora patch update

Looks like Microsoft is going to release an out-of-band patch for the “Aurora” security hole made (in)famous by unknown Chinese assailants, Google, and various dissidents.

Ed Bott has a full report, with anticipation that a release date for the out-of-band patch (which is to say, a security patch that doesn’t wait for the Black Tuesday cycle) today.

The Web site Darkreading has had a string of articles on the topic. Good reading if you’re concerned.

UPDATE: Microsoft has released advanced notification which says the patch – a cumulative IE rollup – should be available in the next few hours. If it’s like most cumulative IE rollups, it’ll be full of bugs, some of which may affect Windows itself. We remain at MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.

Now (almost) everybody is advising you to stop using Internet Explorer

I’ve been saying it for years. I’ll say it again.

Upgrade Internet Explorer to the latest version. Keep it patched. But don’t use it. Use Firefox or Chrome or Opera or any other Web browser you fancy.

Sorry if I sound like a broken record. I’ve been advising on this blog since November, 2006, that you should dump IE and use Firefox.

Ed Bott has come down hard on IE 6. “Any IT professional who is still allowing IE6 to be used in a corporate setting is guilty of malpractice.” I wouldn’t go quite that far with IE 7 and IE 8, but with rare exceptions there’s absolutely no reason to continue using any version of IE. The German government and French government have both recommended abandoning IE, and I’m with them.

If your company absolutely insists on sticking with IE for compatibility reasons, they should be focusing most of their development resources on bringing their internal systems up to snuff. There are no good excuses left. Switch.

Firefox 3.6 RC2 and Google Chrome 4.0 Beta (4.0.249.64) now available

The next generation of Firefox and Google Chrome web browsers are almost ready to be finalized and released to the public.

Firefox 3.6 Release Candidate 2 can be downloaded here while the latest Google Chrome 4.0 Beta build (version 4.0.249.64) can be downloaded here.

Update: The Firefox RC web page now mentions Firefox 3.6 RC2 instead of RC1.