• Where’s Martin? (and Ted?)

    Rumors are flying about the sudden departure of Microsoft Live head honcho Martin Taylor. Was he pushed out by Ray Ozzie, so Oz could bring in some of his own people? Did he get fed up? Martin’s only been in the job since March.

    I also haven’t heard anything more about Ted Hase, one of the brains behind Media Center and the Xbox. He left quickly, too, last week.

    If you know anything, drop me a line, OK? woody (at) ask woody (dot) com….

  • The facts behind “Bush Hid the Facts”

    If you haven’t seen it yet:

    1. Start Notepad (Start | All Programs | Accessories | Notepad).

    2. Type this line (no carriage return):

    Bush hid the facts

    3. File | Exit out of Notepad, save the file in some convenient location.

    4. Open the file again. Bet you’ll be surprised. Most Windows XP users will see a bunch of boxes; some see a string of Chinese characters. If you do the same thing in Vista Beta 2, you’ll see a string of Chinese characters.

    Here’s what’s happening behind the scenes. It all has to do with ASCII text – the normal, everyday text that you work with all the time – and Unicode text – the fancy, extended alphabet that includes many, many non-Latin characters. There’s a bug in the Windows function IsTextUnicode(). When you tell Notepad to Save a new file (or Save As), Notepad uses the IsTextUnicode() function to find out if the text you’ve typed is plain old ASCII, or Unicode.

    When IsTextUnicode() sees text that consists of words of this form:

    ee ooo ooo ooo

    Where:

    ee contains an even number of letters
    ooo contains an odd number of letters, and the length of ooo is three or more

    the IsTextUnicode() function erroneously reports that the text is in Unicode format. Notepad, none the wiser, stores the text as Unicode. When Notepad opens the file again, the characters are all in Unicode, and they don’t show up correctly on screen: the old ASCII text characters get swapped with fancy, new – and totally incorrect – Unicode characters.

    I’m not sure precisely how Notepad chooses the text to feed to IsTextUnicode(). But what you’re seeing is a bug in a Windows function, not a political statement by a disgruntled programmer, or a conspiracy by a Redmond cabal.

    It looks like this bug has been around since the days of Windows NT, at least, and it certainly does appear in Vista Build 5384.4. You can create your own ee ooo ooo ooo text and see it morph into something illegible, no political overtones required. Try it….
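
What the reopened file looks like can be reproduced by pairing up the ASCII bytes as 16-bit Unicode units. This is an added example, not Notepad's or Windows' code, and it does not reimplement IsTextUnicode(); it assumes the little-endian 16-bit encoding Windows uses, and the second and third sample strings are constructed.

```python
# Added example: reinterpret ASCII bytes as UTF-16LE code units.
# It only shows the byte arithmetic; it is not the IsTextUnicode() heuristic.

CJK_START, CJK_END = 0x4E00, 0x9FFF  # CJK Unified Ideographs block


def as_utf16le_units(text):
    """Pair up the ASCII bytes of `text` as little-endian 16-bit units."""
    raw = text.encode("ascii")
    if len(raw) % 2:
        raise ValueError("odd byte count: cannot be split into 16-bit units")
    return [raw[i] | (raw[i + 1] << 8) for i in range(0, len(raw), 2)]


def space_offsets(text):
    """Byte offsets of the spaces in `text`."""
    return [i for i, ch in enumerate(text) if ch == " "]


def analyse(text):
    units = as_utf16le_units(text)
    return {
        "rendered": "".join(chr(u) for u in units),
        # True when every unit lands in the CJK ideograph block.
        "all_cjk": all(CJK_START <= u <= CJK_END for u in units),
        # With the "ee ooo ooo ooo" word pattern every space sits at an even
        # offset, so it becomes the LOW byte of a unit and a lowercase letter
        # (0x61-0x7A) becomes the high byte: 0x61xx-0x7Axx is all CJK.
        "spaces_in_low_byte": all(o % 2 == 0 for o in space_offsets(text)),
    }


SAMPLES = [
    "Bush hid the facts",   # the string from the post (4-3-3-5 letters)
    "this app can break",   # constructed: same ee ooo ooo ooo pattern
    "The facts hid Bush",   # constructed: spaces at odd offsets
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = analyse(sample)
        print(f"{sample!r}: {result['rendered']!r} "
              f"all_cjk={result['all_cjk']} "
              f"spaces_in_low_byte={result['spaces_in_low_byte']}")
```

In the third sample the spaces fall in the high byte of a unit, giving values such as 0x2065 that lie outside the ideograph block, so the text no longer reads as a clean run of Chinese characters.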

  • Moving down to MS-DEFCON 4

    It’s been a week since Microsoft released that passel of 21 patches, and in most cases it looks safe to go ahead and install them. Accordingly, I’m lowering us to MS-DEFCON 4 “There are isolated problems with current patches, but they are well-known and documented here. Check this site to see if you’re affected and if things look OK, go ahead and patch.” Details, as always, are on my MS Patch Reliability Ratings page.

    Of course, you should NOT install the Windows Genuine Spyware patch, identified as KB 904574.

    If you have a dial-up Internet connection, you should avoid MS06-025 / KB 911280, unless you know for an absolute fact that your dial-up connection doesn’t require a script. Some day Microsoft will get around to fixing MS06-025. But don’t hold your breath. Dial-up script users aren’t on the priority list, eh?

    I also recommend that you avoid Windows Media Player 9 and 10. Move up to the Windows Media Player 11 beta or, better, use WinAMP (or even iTunes, if you must).

    Note that none of these patches will help against the original Excel 0day hole, the second 0day Excel hole (which appears to be more general than just Excel), or the rumored Shockwave Flash hole, which may or may not be associated with Excel.

    Sheesh. You need a scorecard to keep up, eh?

    OH. In case you’re keeping track… if you had applied all of the Patch Tuesday patches on the day they were offered, you probably would’ve been OK, unless you had a dial-up Internet connection. On the other hand, if you waited until today to apply them, you wouldn’t have had any patch-related problems at all. In spite of what you may have read elsewhere, there have been no reported exploits for the June patches identified in the wild.

    Turn off Automatic Updates.

  • Another 0day hole – in hlink.dll – and a Shockwave Flash hole?

    The Web is abuzz about a second 0day security hole in Excel. (I talk about the June 12 0day hole here. This second hole didn’t appear until June 18 or so.)

    Don’t get your toes in a wringer. As far as I can tell, this new problem isn’t confined to Excel. It appears to be a Windows-wide hole. And it only rears its head if you click on a link inside a spreadsheet. There’s a very simple proof of concept program posted on Bugtraq.

    Moments ago, Christopher Budd at the Microsoft Security Response Center posted some information about the hole. Quoth Christopher:

    …our investigation so far has shown that while the posting claims this is a vulnerability in Excel, it actually is a vulnerability in hlink.dll which is a Windows component that handles operations involving hyperlinks.

    Juha-Matti has updated his blog posting to incorporate both the original June 12 0day exploit, and this new one.

    On a related note, apparently somebody has figured out a way to trigger a malicious Shockwave Flash program when you open a “bad” spreadsheet. No details yet. If true, this one has the potential to be far more destructive than either the June 12 or the June 18 “Excel” 0day exploits. Why? Because it’s pretty easy to put together – and you get stung if you just open the spreadsheet.

    On the other hand, the Flash exploit may just be a, uh, Flash in the Pan. (You knew I’d say that, didn’t you?)

    At this point, Microsoft, Symantec, and most of the sentient antivirus software programs claim to protect against the June 12 0day. I don’t know of any company that claims to have a solution to the June 18 0day. And I bet a couple of antivirus researchers are going to read about the Flash exploit here first, scratch their heads, and say, “Wuh?”

  • Windows Live Messenger goes live

    Microsoft has just posted the new, improved Windows Live Messenger, and you can download it now.

    It’s a decent enough program, with many interesting features: PC-to-PC calling (much like Skype); PC-to-telephone calling (much like Skype – do you see a pattern here?); SMS text messaging (much like Skype); live video calls with 640 x 480 screen resolution, if your connection can handle it (twice as big as… oh, you know).

    Unlike Skype, the new Live Messenger also includes Windows Live Alerts which look a whole lot like simple text RSS feeds, to my untrained eye.

    The one feature you won’t get? The long-promised ability to use Windows Live Messenger with Yahoo! Instant Messenger. Of course, Trillian has been interoperating forever – in spite of Microsoft’s, Yahoo’s and AOL’s, uh, co-operation.

    If you and your friends are all committed to MSN Messenger, Windows Live Messenger represents the next step forward. If you aren’t so easily swayed by cutesy icons and rumbling desktops, try Trillian. And if you want to make a call, for heaven’s sake, get Skype. You’ll even get free calls from the US/Canada to any phone in the US/Canada.

  • Microsoft patent infringement upheld on appeal

    A little over a year ago, I posted a news article that said:

    Seems that, in 1990, a Stanford grad student came up with a way to link Excel spreadsheets to Access data. Carlos Amado says he filed an application for a patent covering the technology, then showed it to Microsoft, and the ‘Softies stole his idea. Is that what really happened? I guess we get to rely on a jury to figure it out. But I’ll tell ya this. The Office dev team has stolen so many ideas from so many people (present company most definitely included) that somebody, somewhere is going to assemble a credible case in court. My mistake is that I didn’t try to patent anything.

    Last June, Carlos won the lawsuit – more accurately, the jury found that Microsoft had stolen one of the patented methods Carlos created. (He didn’t convince the jury on the other nine counts.) In late January, Microsoft started requiring corporate customers to install Office 2003 Service Pack 2 and Office XP Service Pack 3, specifically because they contain downgrades that take away the offending Excel/Access data sharing feature.

    Last Friday, Microsoft lost its appeal, with the US Court of Appeals for the Federal Circuit in Washington affirming the jury’s verdict. Although the original judgment was for $6,100,000, Amado’s lawyers are trying to convince the Court of Appeals to hand over the $65,000,000 currently held in an escrow account, to cover Microsoft’s ongoing intransigence.

  • The latest on that Excel 0day security hole

    Let me emphasize, first and foremost, that there’s no indication that last week’s 0day Excel exploit has made it out into the real world. That said, it’s prudent to be cautious about spreadsheets that you receive from other people.

    In particular, you should:

    * Keep your antivirus software updated. Right now, it isn’t too fanatical to manually update your antivirus software signature file once during the day – and let it update itself at night.

    * Don’t open any Excel spreadsheets you receive unless you’re absolutely sure that the person who sent you the spreadsheet did so intentionally. It’s worth a call or confirming email. Remember that the bad guys now routinely “spoof” the return address of infected messages.

    * Save and scan any Excel spreadsheets before you open them, whether you get them by email, off a Web site, or via your sainted great aunt’s award-winning carrier pigeons.

    There’s no patch to Excel that plugs the security hole, and I don’t expect to see one until next month. Microsoft claims that its Windows Live OneCare antivirus program will catch infected files; Symantec also makes that claim; and most other antivirus vendors either have updated their signature files, or will do so momentarily. I strongly suggest that you consider the consequences of your actions if you’re thinking of subscribing to Live OneCare and paying Microsoft $50 to fix a program that you bought from them already.

    Juha-Matti, blogging for the SANS Internet Storm Center, has up-to-the-second news about the hole. You don’t need to take his advice for blocking the 0day hole – it’s a bit over-the-top, in my opinion, for a threat that hasn’t yet materialized. But it won’t hurt to come up to speed on the nuances of the problem.

    UPDATE: Microsoft has posted Security Advisory 921365, which sheds some light. In particular, it says that Excel 2003, Excel Viewer 2003, Excel 2002 (the version in Office XP), and Excel 2000 are all vulnerable. That means almost all editions of Microsoft Works will be vulnerable, too.

    There’s also some exploit code floating around that may or may not take advantage of this particular hole. My recommendations stand, though: check your spreadsheets and don’t do anything dumb, like refusing to open all .XLS files.

  • Still at MS-DEFCON 1

    Just a reminder that we’re still at MS-DEFCON 1.

    Current Microsoft patches are causing havoc. Don’t patch.

    There are no massive attacks that take advantage of the security holes that Microsoft patched last Tuesday. Heck, there aren’t even any tiny attacks.

    Contrariwise, there’s every reason in the world to prevent your machine(s) from Automatic Updates: both Microsoft’s infamous Windows Genuine Spyware and the script-destroying MS06-025 patch await the unwary.

    Give it a few more days. Let’s see if any other problems shake out.

  • Show me the Beef

    I keep seeing reports about all of these horrible exploits for Microsoft’s most recent crop of security patches. “Attack code comes on heels of Microsoft patches” reads one headline. “Just one day after Microsoft shipped its monthly security patches this week, hackers had already released code to exploit some of the flaws,” says another. Sorry folks, but it’s all waaaaaay overblown.

    The day after Microsoft pushed the patches out to millions of machines, SANS Handler’s Diary published this list of known exploits. It’s an accurate list. And it’s the source of all the Chicken Little reports I’ve been reading. I don’t know of any other exploits that have made it into the wild.

    If you look closely at the SANS list, you’ll find:

    There were two “Exploit(s) released by penetration testing vendor to customers.” Those exploits aren’t in the wild; they are demos, created by the companies that submitted the original hole reports, and they haven’t bitten anybody.

    Exploit code for the 0day Word hole was “available before release of patch.” We’ve all known that for a long time: that’s what made it a 0day hole. Antivirus software makers have been protecting against that problem for weeks. More than that, I haven’t seen any reports of attacks other than the original, extremely limited attack. Have you?

    The MS06-030 patch had “Two exploits released to the public.” But in order to run the exploits, the bad guy has to be able to log on to your system and run a program – and if a cretin can do that, your system’s toast anyway.

    The MS06-032 patch has “DoS exploits released privately (trivial exploit)”.

    That’s it. No zapped PCs. No exploits running amok. No reason to duck and cover. Chicken Little may swear the sky’s falling, but I just see a bunch of unfounded fearmongering. Bottom line: nobody’s been bitten (YET!) by any of the holes covered by last Tuesday’s patches. Nobody.

    But plenty of people have been hit by the MS06-025 dial-up scripting bug. If you installed that patch, and you need a script to get onto the Internet, you’re SOL, until you figure out that you have to uninstall the patch in order to get back online.

    Yes, you should patch eventually. Yes, you should switch to Windows Media Player 11 beta and you should run Firefox, for the reasons given in my summary of the current crop of patches. No, there’s no pressing need for plain ol’ Windows customers to install last Tuesday’s crop right now.

    So when you see a statement like, “Microsoft’s track record with security patches is pretty darn good. Let’s stop being silly and just protect our systems and our data. Turn on Automatic Updates,” you have my permission to guffaw. If you had Automatic Updates turned on, you’d be running Windows Genuine Spyware right now – and if you needed a script to get online, you wouldn’t be running at all!

  • Outlaw Chris Pirillo

    Those of you who don’t know Chris Pirillo and his Lockergnome “Windows Fanatics” newsletter are missing a real treat. Chris has been a cornerstone of the irreverent PC community for more than a decade.

    In a flash of brilliance, Chris noted that Microsoft’s servers weren’t keeping up with the task, so he posted a fully functional, 100% genuine copy of Windows Vista Beta 2 (build 5384.4) on BitTorrent. To ensure that his posting remained pristine, he also posted a hash code on his Web site, so Torrent folks could double-check and make sure nobody had messed up their copy. Chris didn’t ask for permission, but he didn’t hide anything, either.

    Even though Chris’s approach makes a world of sense – P2P technology rocks where central servers buckle – Microsoft shut him down after a couple of days.

    A noble effort. Good on ya, Chris.

  • 0day exploit in Excel

    A few hours ago, Mike Reavey at the Microsoft Security Response Center blogged a warning about a new hole in Excel.

    In what appears to be a new pattern, now that Microsoft is charging for protection against flaws in its own products, Reavey writes:

    We’ve activated our security response process and we have added detection to the Windows Live Safety Center today for up-to-date removal of malicious software that attempts to exploit the vulnerability… We’re also actively sharing that information with our Microsoft Security Response Alliance partners so that their detection can be up to date to detect and remove attacks. We’ve got the Office team engaged of course and they are hard at work investigating the vulnerability.

    Permit me to translate that into English for you. If you pay Microsoft fifty bucks, you get protection now. Wait a day and you’ll get protection from the other antivirus vendors. Wait a month or two, and Microsoft will finally patch Excel for free.

    Something is terribly wrong here.

    UPDATE: Secunia calls this hole extremely critical, its most dire rating.

    Symantec’s Security Response center has a few details.

    Apparently there’s at least one in-the-wild exploit, which comes in the form of an Excel spreadsheet called okN.xls attached to a spoofed email. Symantec considers it to be a “very low” threat.

    It looks like all of the major antivirus firms have posted (or are in the process of posting) updates for this hole.

  • Vista’s problems, from a developer’s point of view

    Are Vista-scale software projects essentially uncontrollable by nature? Or has Microsoft been beset by one too many broken windows?

    Former Windows development team manager Philipsu has posted a fascinating blog entry looking at Vista’s delays, from in the trenches. Well worth a look.