  • 11 Security Bulletins coming – batten down the patches hatches

    Microsoft has announced, rather tersely, that we will receive eleven Security Bulletins on October 10.

    While we usually get some sort of indication about the relative severity of most of the Security Bulletins, all MS has said for sure is that there will be six Windows bulletins, at least one of which is rated Critical; five Office bulletins (quite a crop by recent standards), at least one of which is Critical; and one Moderate patch for the .NET Framework.

    Time to make sure all of your systems have automatic updates turned off, and are set to “notify”. I’m moving us up to MS-DEFCON 2.

  • Vista Release Candidate 2 (Build 5743?) coming this week?

    Paul Thurrott reports that Windows Vista “Release Candidate 2” is due out on Friday. It’s supposed to go to MSDN and TechNet subscribers, and a random number of additional Consumer Program Preview members.

    “Release Candidate 2”? you ask. Yes, that’s what Paul says they’ll call it. While Office 2007 is in its “Beta 2 Technical Refresh” phase, Vista – which is in similar straits – appears as “RC2”. Apparently RC2 isn’t much different from RC1. That’s a good sign.

  • 0day exploit in Firefox – NOT!

    Just when you thought it was safe to get back in the surf….

    Yesterday, at the ToorCon 2006 conference in San Diego, Mischa Spiegelmock and Andrew Wbeelsoi demonstrated a live 0day exploit in Firefox 1.5.0.7.

    Ain’t much you can do about it. Details here.

    UPDATE October 3: Is it a mistake? A hoax? Ryan Naraine, writing in eWeek, quotes Spiegelmock as saying, “I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven’t used it to take over anyone else’s computer and execute arbitrary code.”

    Given the source, it looks like the Firefox 0day was a bit, uh, overblown.

  • Diagnosing bad hard drives

    OK, this one’s out in left field. I almost never run hardware news stories. But I just bumped into a site that’s so amazingly useful, I just had to post it.

    Do you have a noisy hard drive? I hit them all the time – you know, click-click, hum, click. That kind of thing? Usually a noisy drive is about to head south, but I’ve had some hard drives that keep on, uh, humming for years. I’ve never been able to figure out exactly which sounds indicate that the end is near.

    WServerNews newsletter just published a link to a Hitachi Global Storage web page that offers six downloadable files with “bad disk” sounds.

    Amazing. Each of the sounds is very distinct, and signifies something different. While the site doesn’t try to predict how long a hard drive with a particular click pattern will last, knowing that your drive has, say, a slow spindle motor can let you prepare for the worst in a timely way.

    Bookmark the Hitachi Global Storage site.

  • Another IE 0day hole – WebViewFolderIcon

    Way back on July 18, Microsoft nemesis HD Moore posted an Internet Explorer hack that crashed IE 6 and even the new IE 7 Beta 2.

    Recently, it’s been determined that the crash is actually exploitable – bad guys can use this hole to break into your computer. Bleeding Edge Snort has just posted full exploit code.

    The solution? Naw, you really don’t want to hear me say it again, do you?

    UPDATE September 29: Microsoft has just posted Security Advisory 926043, warning about this gaping hole in Internet Explorer.

    The SANS Internet Storm Center has raised a yellow alert.

    You can go through a complicated procedure to set killbits that will disable the offending program – see the SANS ISC entry above – but (as long as you haven’t diddled with Outlook’s security zone settings) it’s much smarter, much easier to switch to Firefox.

  • New/old bug in Vista build 5728/MS06-045?

    I’ve been battering away on Vista build 5728 – the post-Release-Candidate build that’s been floating around for a week or so.

    When I drag and drop a file from a Windows XP computer onto a Vista 5728 computer, I keep getting this weird message: “This page has an unspecified potential security risk. Would you like to continue?”. It’s innocuous: click Yes, and nothing else happens. But the message sure sounded familiar. Then it struck me.

    This is nearly the same error message people hit with the (buggy, unfixed) MS06-045 / KB 921398 security patch.

    The message goes away in Windows XP. It isn’t going away in Vista 5728. I wonder if the two are related?

  • Microsoft vs Viodentia

    It’s Goliath vs Samson – and Samson is winning.

    If you’ve read any of my recent books, you know how to avoid Microsoft’s “Plays For Sure” copy restrictions. The only music that “Plays for Sure” is plain, old, everyday MP3 files, which you can rip from your own music CDs, or buy or download from various not-quite-legal locations.

    If you go to a “Plays For Sure” web site like Rhapsody or Napster and you pay for music that “Plays For Sure”, the only thing you can be absolutely sure of is that the music you buy won’t play for sure on an iPod, on Microsoft’s new Zune music players, on your other computers (give or take a waffle or two), on your CD player, or just about anywhere else. “Plays For Sure” is a marketing ploy, designed to separate you from your money, and lock you into obsolete Microsoft-only technology – Microsoft at its most cynical.

    A very bright guy who goes by the name “Viodentia” hacked Microsoft’s Plays For Sure technology, basically unlocking music that you bought or rented, removing Microsoft’s restrictions. Viodentia’s first cracking program, which he called FairUse4WM, drew a lot of attention in Redmond. Microsoft posted a forced-download fix about a week after FairUse4WM appeared – record time for the prince of patchers.

    Viodentia responded with a second crack, FairUse4WM 1.2, which bypassed the patch. Engadget posted a great, short interview with Viodentia that explains his (her?) point of view.

    Microsoft responded by trying to sue Viodentia, on September 22, a fairly complex process that starts by forcing Google and Yahoo to divulge information about email accounts that may or may not be ones Viodentia used. Microsoft released another update to its software on September 23.

    Viodentia’s response? Let ’em eat cake. On September 27, he released FairUse4WM 1.3, an all-new and improved version that cracks “Plays for Sure” again.

    It’s important to note that FairUse4WM only unlocks keys on music that you’ve already bought or rented. It doesn’t work on music files that someone else has downloaded. It doesn’t crack any other locked file format. But if you got suckered into “Plays For Sure” you might want to look for the program. It isn’t easy to find – apparently Microsoft is being very vigilant in tracking down web sites where it’s available – but you can get it if you’re persistent. Oh, and if it’s legal to download and run such a program where you live. Wouldn’t want you to violate any anti-freedom-of-speech legislation.

    Engadget posted a news item about the gutsy webmaster at BG4G.net who has FairUse4WM version 1.2 available in his download area. I haven’t seen version 1.3 there yet. Patience, grasshopper.

  • What’s going on with Windows Genuine Advantage?

    Ed Bott has a series of blog entries about the stupidities of Microsoft’s Windows Genuine Advantage program – the program I prefer to call “Windows Genuine Spyware”. Seems that WGA is getting the wrong results with increasing frequency, embarrassing and bedeviling Microsoft customers.

    Now I’m hearing that Microsoft has quietly re-released WGA, as part of the mid-month patch that just went out. So in addition to receiving MS06-055 to patch the 0day Internet Explorer exploit around VML, it seems that Microsoft is also pushing a re-re-re-released MS06-049 patch and some sort of patch to Windows Genuine Advantage.

    No details yet….

  • Another PowerPoint 0day hole?

    FrSIRT has just posted a report on a new 0day hole in PowerPoint.

    Details are sketchy at the moment, but it looks like you can have your computer taken over if you open a bad PPT or PPS file in PowerPoint 2000, 2002 (the version in Office XP) or 2003.

    FrSIRT recommends that you use the PowerPoint viewer to open any PowerPoint file of unknown pedigree.

    Will keep you posted – but don’t open any PowerPoint files you get in email, OK?

  • Firefox 2 Release Candidate 1

    RC1 of Firefox 2 just hit. If you haven’t already received notification, head over to the official download page and get your copy.

    The RC1 installer offers to re-start Firefox and install itself. No need to manually uninstall whatever version you have running – just go ahead and follow the instructions.

  • Time to Patch, especially the new MS06-055 / KB 925486 VML fix

    A few hours ago, Microsoft started pushing a fix for the VML hole in Internet Explorer that I describe in the following news article.

    I’ve been watching the September Patch Tuesday patches, and haven’t seen any significant problems. Thus, I’m dropping us down to MS-DEFCON 4, urging you to check out the Patch Reliability Ratings page to see if there are any known problems that’ll affect you, and go ahead and install all outstanding patches.

    If you took my advice and ran the Registry fix, spend a moment now and undo the fix before you apply the MS06-055 / KB 925486 patch. It’s very easy to undo the fix, and nothing bad will happen if you run this “undo” on a machine that wasn’t fixed in the first place. Here’s what you should do:

    Click Start | Run.

    Type:

    regsvr32 "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"

    and push Enter.

    You can copy that line straight from your browser into the Windows Run box.

    Apparently Microsoft is re-re-releasing the ultra-botched MS06-049 / KB 920958 Windows 2000-only Kernel buffer overflow patch. If I count correctly, that counts as the third significant re-re-release.

    Get patched up now, while the gettin’s good. We’ll have another crop of patches in a couple of weeks.

    Thanks to JT for pointing out my typo in an earlier version of this article. The new VML patch is MS06-055.

  • Time to manually patch the VML hole

    Microsoft insists that the Internet Explorer Vector Markup Language hole isn’t a big deal: “Attacks remain limited. There’s been some confusion about that, that somehow attacks are dramatic and widespread. We’re just not seeing that from our data, and our Microsoft Security Response Alliance partners aren’t seeing that at all either.”

    The SANS Internet Storm Center sees things differently, advising “The VML exploit is now becoming more widespread.”

    I haven’t seen many reports about in-the-wild exploits. It looks like Outlook is vulnerable (remember that Outlook uses Internet Explorer behind the scenes), but my guess is that you’d have to manually change Outlook’s “security zone” before any damage can occur. Since you use Firefox, you don’t need to patch IE for IE’s sake. But there’s a tiny chance that somebody’s changed your security settings in Outlook, so you need to patch IE. Kind of guilt by association, I guess.

    At any rate, the solution is so simple, I recommend that you go ahead and run the patch that I discussed on Thursday:

    Click Start | Run.

    Type:

    regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"

    and push Enter.

    You can even copy the line above into the “Run” box.

    You’ll disable Internet Explorer’s Vector Markup Language, which should break, oh, maybe ten sites on the Web. At least, ten sites that you’re likely to see in the next decade.

    Microsoft should post a patch for the VML vulnerability soon – it sounds like they aren’t going to wait around for October’s Patch Tuesday.

    I’m keeping us at MS-DEFCON 2. I see no reason at all to install the September patches.
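
    The two regsvr32 steps above (unregister vgx.dll as the workaround, re-register it before installing MS06-055) as a PowerShell script that also checks the resulting state in the registry. This is an added example, not part of the original article; the function names are hypothetical, and it assumes a registered vgx.dll appears as an InprocServer32 entry under HKLM\SOFTWARE\Classes\CLSID and that the DLL lives at the path given in the article.

```powershell
# Added example, not from the original article. Function names are hypothetical.
# DLL path taken from the article's regsvr32 command line.
$VgxDll = Join-Path $env:ProgramFiles 'Common Files\Microsoft Shared\VGX\vgx.dll'

function Get-VgxRegistration {
    # Assumption: a registered vgx.dll shows up as the InprocServer32 default
    # value of one or more COM classes under HKLM\SOFTWARE\Classes\CLSID.
    $roots = 'HKLM:\SOFTWARE\Classes\CLSID',
             'HKLM:\SOFTWARE\Wow6432Node\Classes\CLSID'   # 32-bit view on x64
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($clsid in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            $key = "$($clsid.PSPath)\InprocServer32"
            $val = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'(default)'
            if ($val -match '\\vgx\.dll"?\s*$') {
                [pscustomobject]@{ Clsid = $clsid.PSChildName; Server = $val }
            }
        }
    }
}

function Set-VgxRegistration {
    param([Parameter(Mandatory)][bool]$Registered)
    if (-not (Test-Path -LiteralPath $VgxDll)) { throw "Not found: $VgxDll" }
    # /s = no dialog box, /u = unregister (the article's "-u").
    $regArgs = @('/s')
    if (-not $Registered) { $regArgs += '/u' }
    $regArgs += "`"$VgxDll`""
    $p = Start-Process -FilePath regsvr32.exe -ArgumentList $regArgs -Wait -PassThru
    if ($p.ExitCode -ne 0) { throw "regsvr32 failed with exit code $($p.ExitCode)" }
    # Verify against the registry rather than trusting the exit code alone.
    $found = @(Get-VgxRegistration).Count -gt 0
    if ($found -ne $Registered) { throw "vgx.dll state is not what was requested" }
    $found
}

# Report only; changes nothing. Run elevated to change state:
#   Set-VgxRegistration -Registered $false   # workaround on
#   Set-VgxRegistration -Registered $true    # undo before installing MS06-055
$hits = @(Get-VgxRegistration)
if ($hits.Count) { $hits | Format-Table -AutoSize }
else { 'vgx.dll is not registered (workaround in place, or DLL absent)' }
```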