Vista Build 5728 is up

The last expected beta version of Windows Vista, build 5728, was just posted for Microsoft Connect members.

Yes, I said “beta.” You can call it “Release Candidate 1 Refresh,” if you want to. Far as I’m concerned, it’s still a beta – and I expect we’ll see lots and lots of changes before the retail version hits store shelves. Heck, Microsoft still hasn’t shown us anything about the Alohabob transplant for the Files & Settings Transfer wizard, and nobody has a clue what’ll be included in Vista Ultimate. Not to mention all the bugs in build 5600/RC1.

I haven’t seen 5728 on the newsgroups yet, but it’ll be up soon.

UPDATE: It’s on the newsgroups…

Mary Jo Foley’s new adventure

Bookmark this site.

Ace reporter and Microsoft insider extraordinaire Mary Jo Foley no longer runs “Microsoft Watch”. She’s moved over to the ZDNet blogs, joining Ed Bott, George Ou and other tremendous writers.

MS06-049 finally fixed

Microsoft just posted the fix for their botched and re-botched MS06-049 patch. It only applies to folks running Windows 2000. You can get the updated version via Knowledge Base article 925308.

The history, in case you’re keeping track:

August 8: Microsoft released MS06-049.

August 24: Reports about problems with clobbered compressed files first appeared on Andy Schmidt’s file_system newsgroup.

September 11: I posted a warning here.

September 13: Microsoft finally acknowledged the bug, in KB article 920958, and by updating the Security Bulletin. A hotfix was available, if you were willing to call Microsoft and ask for it, but (per James Akroyd) “It took two e-mails as well as 23 minutes on the phone to get it.”

September 16: Microsoft released yet another Knowledge Base article, KB 925308 that describes the bug and the hotfix.

September 20: Microsoft finally posted the patch. (Yeah, I know the KB article says September 19, but I didn’t see anything about it until September 20.) One little problem. Although the patch is only appropriate for Windows 2000 machines, some folks needed to download the patch with Windows XP or 2003 Server machines. If you tried to download it with WinXP or 2003, you were required to pass the “Windows Genuine Advantage” hurdle.

September 21: Microsoft removed the WGA requirement.

I think/hope that Susan Bradley will have more details in her “Patch Watch” column in Windows Secrets newsletter next week.

It took Microsoft five weeks to acknowledge a data-clobbering bug in a security patch, and another week to post the patch for download. Not exactly stellar, eh?

Thanks to James Akroyd for the timeline update….

“Porn Sites Exploit New IE Flaw” and fixing the Vector Markup Language hole

I just love yellow journalism.

CNET / ZDNet are running a story with the headline “Porn Sites Exploit New IE Flaw”. While the story itself sticks to the facts, man, whoever’s writing the headlines there would’ve felt at home working for William Randolph Hearst a century ago.

Here’s the facts. There are two widely known 0day holes in Internet Explorer 5 and 6. One in particular, the Vector Markup Language security hole, seems to have caught the media’s attention. The best solution to the VML problem, of course, is to use Firefox. The second best solution is to use Internet Explorer 7 beta 2.

But if you’re stuck with Internet Explorer 6 for whatever obtuse reason, you can make your machine immune by taking the simple steps outlined in Microsoft’s
Security Bulletin 925568:

Click Start | Run.

Type:

regsvr32 -u “%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll”

and push Enter.

You can even copy the line above into the “Run” box.

But save yourself a lot of headaches, and just get Firef… oh, nevermind…

Still at MS-DEFCON 2

I see absolutely no reason to install the September patches.

If you didn’t install the August version of MS06-040 / KB 921883, you should go ahead and patch.

If you didn’t install the August version of MS06-042 / KB 918899 and you absolutely must use Internet Explorer, go ahead and install that patch. While you’re at it, tell the person who’s requiring you to use IE 6 that there are two new 0day exploits for IE running around.

Personal – the coup in Thailand

Many of you know that I live in Phuket, Thailand. Moved here five and a half years ago. I love it.

Several of you have written about the coup in Bangkok. Just wanted to report that there’s no noticeable effect here in Phuket, except today has been declared a holiday, so the banks are closed, and the kids are out of school. Those of you who were concerned about the government being overthrown should realize that (a) the military kicked out the Primer Minister, not the King; and (b) there is no militant Islamic faction in the military in Thailand.

Thai TV was off for a few hours, but it’s back on now. CNN, BBC and MSNBC were taken off the air, and as of this moment they aren’t back. In a wonderfully Thai moment, I was watching a local news report a few minutes ago and the Thai TV station was broadcasting clips from CNN, with a voice-over in Thai, while CNN itself was still being blocked.

I’m very happy to report that Caretaker Prime Minister Thaksin Shinawatra appears to be out, and the democratic process should be back to normal as soon as elections are held. The King is still the country’s most stabilizing influence- a truly remarkable monarch.

Second active Internet Explorer 0day exploit

We now have two active 0day Internet Explorer exploits: one that uses the the daxctle.ocx control, the other involving Vector Markup Language.

SANS Internet Storm Center reports that, as of this moment, only “Microsoft” detects it, reporting the bad code as HTML:Levem.C. Microsoft has posted Security Advisory / KB article 925568, which says that the free Windows Live OneCare Safety Center scan and the decidedly-not-free Windows Live OneCare detect the beast (MS calls HTML:Levem.C). The other antivirus software vendors are, no doubt, scrambling. Expect updates in the next few hours.

Of course, you’re using Firefox, and you need not be concerned…..

It’s official: MS06-049 re-patch coming

On September 11, I warned you about a bug in Security Bulletin MS06-049 / KB 920958 that clobbered data in compressed files. If you installed MS06-049 on a Windows 2000 machine (it only applies to Windows 2000), suddenly certain compressed files got completely, irretrievably screwed up.

On September 13, I posted a note here that said Microsoft had acknowledged the bug in KB article 920958.

Now, on September 16, Microsoft has released yet another Knowledge Base article, KB 925308 that describes the bug and a hotfix. It also says, “if you are not severely affected by this problem, we recommend that you wait for the next version of security update 920958.”

In other words, there’s a re-patch of MS 06-049 / KB 920958 in the works. No idea why it hasn’t been released already – why Microsoft released a hotifx and didn’t simply re-issue the patch. I’ll let you know when it’s out.

Microsoft Works online?

I’m still trying to read the tea leaves, but apparently Microsoft is going to transfer the Works Suite over to the “Live” Web site. At least, that’s what Jay Green at Business Week says.

Reports like this one leave me wondering what in the %$#@! is really going to happen.

For example, Microsoft has claimed for years that Hotmail, er, MSN Hotmail, uh, Windows Live Mail is getting to be “just like Outlook”. Of course, aside from a vaguely – very vaguely – similar interface, Hotmail doesn’t look anything at all like Outlook. Doesn’t act like Outlook, either.

OWA (Outlook Web Access) looks a bit like Outlook, sorta, if you squint and tilt your head, but it doesn’t work like Outlook. In the end online applications can’t work the same way as “local” applications. Even if you could get them to work the same way, you wouldn’t want to: the delays while you’re online are completely different from the delays you hit on a local machine. A great design on a PC isn’t a great design on the Web, and vice-versa.

So what is Microsoft really doing? I have a guess.

My guess is that they’re building a Web-based suite, from the ground up. My guess is that they’ll call it “Microsoft Live Works” or something equally inane, to try to make money from the “Works” name. My guess is that it’ll have a few parts – certainly the main screens – that look a little bit like Works. And my guess is that, internally, it won’t work anything at all like Works. Not even close.

In other words, “Microsoft Live Works” will transform a product that doesn’t make any money (Works, which hasn’t really been updated in five years) into an ad-based online product which may or may not make money. It’s the same approach Microsoft has taken with Outlook Express/Windows Mail/Windows Live Mail. Ozzie gets the ball. We’ll see if he can run with it.

We’ll find out more in the months and years to come. But my money’s on Google.

Firefox gets a minor patch

If you use Firefox 1.5, you undoubtedly have already installed version 1.5.0.7, which includes a bunch of security patches and a couple of “stability improvements.”

Personally, I’ve been using Firefox 2 Beta 2 for the past three weeks. I’ve had it redline a couple of times (that is, Firefox takes over the computer and doesn’t let anything else run), and that’s a pain in the neck. But in general I don’t have any big complaints at all.

If you’re feeling adventurous, give the Firefox 2 beta a try.

Office 2007 RC-1 – er, 2007 Microsoft Office System Beta 2 Technical Refresh – is up

Microsoft just posted the final public beta of Office 2007.

You have to have Office 2007 Beta 2 installed on your machine already before you can apply this patch.

It’s a whopper. Just under 500 MB.

Should be up on the newsgroups soon, too.

Another 0day exploit in Internet Explorer

Somebody who goes by the name “nop” has posted what appears to be fully functional program code that will take over Internet Explorer.

Nop has been banging away on the Internet Explorer DirectAnimation.PathControl COM object, also known as daxctle.ocx, for a couple of months. Looks like he found a live 0day exploit that uses (yet another) heap overflow.

No idea how long it’ll take Microsoft to confirm the hole, acknowledge which versions of IE are affected – or post a fix, for that matter.

The moral? Use Firefox!

UPDATE September 15: Microsoft has issued Security Advisory 925444 with details. Apparently IE 5 and 6 running on Windows 2000 and WinXP are vulnerable. Outlook could be, if you changed the “Zone” for HTML (formatted) email messages, or if you click a link to an infected site.

The SANS Internet Storm Center lists the chronology thusly:

* Aug 28th: 1st exploit released publicly
* Aug 29th: CVE-2006-4446 assigned
* Sept 13th: 2nd exploit released publicly
* Sept 13th: CVE-2006-4777 assigned
* Sept 14th: Microsoft Security Advisory (925444) released

It remains to be seen how long we’ll have to wait for a fix. If you subscribe to Windows Secrets newsletter, you’ve already read my analysis of Microsoft’s response times: three to four months to patch a “responsibly” disclosed security hole, on average; six weeks for a 0day hole like this one; and about a week for holes that costs Microsoft real money.