Last week I suggested that you get caught up on all outstanding patches except two - Windows XP Service Pack 3, and an odd "reliability and performance update" for Vista SP1 known as KB 952709.
Now it seems that KB 952709 has been implicated in messed-up synching with a Palm device.
I'll keep you posted. Thanks to EP for the heads-up.

Microsoft has just released its Security Bulletin summary for July.
We're being treated to four "important" security bulletins, two of which only apply to servers.
Of the two bulletins that may interest you, one is a DNS Spoofing hole that should elicit loud yawns. The other, MS08-038, closes a number of security holes in Vista's version of Windows Explorer. At least one of the problems is well-known, and there's exploit code available. US-CERT describes it this way:
Windows Vista fails to properly handle the NoDriveTypeAutoRun registry value. According to Microsoft's documentation, setting NoDriveTypeAutoRun to 0xFF should disable AutoPlay for all types of drives. However, when this registry value is present, Vista enables some AutoPlay features that may not have been enabled prior to setting that registry value. For example, if NoDriveTypeAutoRun is set to 0xFF, Vista may execute a program specified in the Autorun.inf file when the device icon is clicked. Other values for NoDriveTypeAutoRun may also enable certain AutoPlay features in Vista.
SANS Internet Storm Center rates MS08-038 as "critical." I haven't heard much hue or cry about it, and thus recommend (as usual) that you hold off on applying this - and the other - updates.
UPDATE: I'm seeing reports of Windows XP systems getting kicked off the Internet after installing MS08-037 / KB 951748. ZoneAlarm may be involved. DON'T INSTALL MS08-037 / KB 951748.

With four (very) boring patches expected on Black Tuesday, now is the time to make sure all of your computers have Automatic Update turned off.
I'm cranking us up to MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don't do it.

Microsoft has just posted Knowledge Base article 955179, which details a 0day hole in an ActiveX control that allows you to view an Access report snapshot without running the Access runtime.
Microsoft is investigating active, targeted attacks leveraging a potential vulnerability in the ActiveX control for the Snapshot Viewer for Microsoft Access. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.
The obvious solution? Don't use Internet Explorer. If you're running Firefox, you can't get bitten by security holes in ActiveX controls.

Several of you have written and asked about Equipt, the new Microsoft software-as-a-service package due to debut next week. Mary Jo Foley has a good synopsis on her blog.
I haven't bothered to comment. Why? Because chances are good you won't be tempted to try it. Not even a little bit.
Equipt is a $70-per-year subscription for Office Home & Student 2007, Windows Live OneCare (which Microsoft should be providing for free anyway, IMHO), and a bunch of lesser products that don't ring my chimes. You can install the bundle on up to three PCs, just like Office Home & Student 2007.
At least initially, Microsoft will only offer the bundle at Circuit City, which appears to be on its last legs. Tell me the truth. When was the last time you went into a Circuit City for anything other than a clearance sale?
Microsoft has tried to sell Office via subscription for many years, in various countries around the world. None of the attempts worked. Why pay $70 per year for Office when you can buy it for $110 to $120? Do the math.
Microsoft apologists like to emphasize the point that with Equipt you're getting so much more than just Office. I say, yeah, sure, show me something I really want. They say you'll qualify for an immediate upgrade to the next version of Office - whereas Office Home & Student 2007 won't have upgrade pricing. I say, man, if you really want to move onto the next version of Office as soon as it's available, yer a better man than I, Gunga Din.
Now that free alternatives to Office are finally coming of age, I don't expect to see too many consumers busting down the doors to get locked into an annual renewal fee. Do you?

Looks like we have a real snoozer of a Patch Tuesday coming up.
There are four patches anticipated, all of them "important" (which means, of course, that they aren't). One's for Exchange, another for SQL Server. You can safely ignore them for several weeks.
Get patched up (see the next post), then make sure Automatic Updates are turned off. Go read a good book.

Looks like Microsoft has fixed the last big-time problems with June's "Black Tuesday" patches. The re-release of MS08-030 - which, golly, didn't even patch Windows XP SP2 or SP3 machines - seems to have brought the big bad patch back into line. Other Black Tuesday patches seem to be OK.
I'm recommending that you install all outstanding Microsoft patches, with two exceptions:
If you run XP, don't install Windows XP Service Pack 3. I tried to run the SP3 upgrade on a laptop over the weekend and ran into all sorts of problems. Ultimately I simply wiped the disk and re-installed Windows from scratch. Not a pretty picture. SP3 doesn't have anything you need, and it can cause grief. Avoid it.
If you run Vista, don't install KB 952709, the "reliability and performance update" for Vista SP1. I haven't seen enough results on that patch to make me feel the least bit warm or fuzzy.
With those two exceptions, get yourself updated. I'm moving us down to MS-DEFCON 4: There are isolated problems with current patches, but they are well-known and documented here. Check this site to see if you're affected and if things look OK, go ahead and patch.

I started choking when I read the op-ed piece in yesterday's New York Times called "Windows Could Use a Rush of Fresh Air."
The article is so.... not right. I can't even begin to list all the errors. The idea that Microsoft Research - the home of several of my current and former friends - is "where scientists and their heretical thoughts are safely isolated" beggars even my imagination.
I could start ranting here, but Ed Bott has done a thorough job.
Word to the wise: if you have heart problems, or are easily swayed by self-appointed experts, skip the NY Times piece and go straight to Bott's analysis.

The entire WOPR website is about to take the plunge, from its old server to the one that also hosts AskWoody.com and KhunWoody.com.
Starting tomorrow at 7:00 pm Eastern Standard Time (that's Eastern US, for those of you who live in far-flung realms), WOPR and the Lounge will be frozen - turned read-only while we wait for the Domain Name Servers to catch up.
Then on Monday or Tuesday, when everything's in synch, we'll bring the Lounge back online.
Keep your fingers crossed - and burn a candle for Mike and Claude. Oh. Wait a sec. Not for Claude. He already has all the fires he can handle...

Microsoft has just released a patch for Vista Home Premium and Ultimate, fixing several problems with Media Center in Vista.
They've also released an extender that allows Vista Media Center to work with newer set-top boxes.
I haven't heard of any problems yet, but you might want to wait a while before installing these guys - particularly if you aren't experiencing the problems they deal with.

I just noticed that Adobe has issued yet another critical patch for Acrobat and Adobe Reader. (You use Foxit to read PDF files, right? If so, the Adobe patch shouldn't concern you.)
Instead of trying to follow individual program patches (of which there are many every month), I strongly urge you to download and run a simple, free program from Secunia called Personal Software Inspector.
It'll scan your computer and warn you about obsolete, hole-ridden versions of many, many different applications. More than that, PSI points you to the latest fixes, and gives you hints on how to bring all of your potentially insecure apps up to speed.
Great program. Absolutely free.

Yes, you read that right. Microsoft has just released a patch for Vista Service Pack 1.
The plugged problems? According to Microsoft, this patch tackles:
Crashes when you run Windows Mail or Mozilla Thunderbird (mail program) and you have both ZoneAlarm and Spybot running.
Hangs when you delete user accounts.
Excel 2007 reporting "EXCEL.EXE is not a valid Win32 application". (I particularly like that one.)
"Reducing the number of crashes that may be caused by the Apple QuickTime thumbnail preview in Windows Live Photo Gallery." Microsoft must've eaten a lot of crow on that one.
Reducing the amount of "stuttering [which] may occur when the audio or video component is streaming high definition content from a Windows Vista SP1-based computer that has a NVIDIA network adapter nForce driver version 67.5.4.0 that is installed to a Windows Media Center Extender device."
If you have SP1, and you've fallen victim to any of those problems, mosey over to Microsoft's site and install the fix. But realize that (based on historical precedent) there's at least a 50-50 chance Microsoft will patch this patch, too.

Thanks to the wizardry of Mike Wolfman and Claude Almer, and an able assist from Seth Bareiss, AskWoody is back, better than before. Better? Yes, the Lounge is now on the AskWoody server. We've cranked it all up a bit to make your Lounging experience a little, uh, less leisurely. Your old links should work, and everything appears to be going gangbusters.
It'll still take a little while for Khunwoody.com to come back on stream, and I'm having a Real Fun Time (TM) getting email going again, but by and large it went pretty well.
Stay tuned. I'll get back to posting shortly.

Ever wondered why I suggest that you wait to install Black Tuesday patches?
Here's yet another example.
Microsoft just re-released MS08-030 (that's the Bluetooth patch). It took 'em nine days to figure out that the patch wasn't working at all for Windows XP, and to get an updated patch posted. Patch spokesman Christopher Budd has the details on the MS Security Response Center blog:
After we released MS08-030 we learned that the security updates for Windows XP SP2 and SP3 might not have been fully protecting against the issues discussed in that bulletin. As soon as we learned of that possibility, we mobilized our Software Security Incident Response Process (SSIRP) to investigate the issue.
Our investigation found that while the other security updates were providing protections for the issues discussed in the bulletin, the Windows XP SP2 and SP3 updates were not.
We remain at MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don't do it.
As long as you're using Firefox, and not Internet Explorer, you have nothing to fear.

Mozilla Foundation's John Lilly just announced that:
There were more than 8.3 million downloads of Firefox 3 in the first 24 hours.
At one day old, Firefox 3 commanded a 4% market share among all browsers.
People from 200 different countries downloaded Firefox 3.
Their peak mirror throughput was 20 gigabits per second.
Stunning. And it only melted down a few times, at the beginning. Congratulations and thanks to all of you who participated.