The BugBlog uses monthly archives. All the September bugs will be on this page. Use the links on the left or below to jump back to past months. The BugBlog is free, but if you want to help support its existence, subscribe to the BugBlog Plus. A three month subscription is only $5.

Read the Special Report on bugs, fixes, and incompatibilities in Windows XP Service Pack 2

Welcome to all the PC World readers!

9/30/2004 IE Pop-up Blocker Doesn't Play Favorites
After installing Windows XP Service Pack 2, if you have the Internet Explorer 6.0 Pop-up Blocker settings set to High, the pop-up blocker will block some features of the Microsoft Office Online web site. Clicking the Help link in the upper-right hand corner of that web page normally opens up a Help window, but it is blocked by IE. You can override the pop-up blocker by pressing the CTRL key when you click that link. You can also configure the pop-up blocker to allow pop-ups from Microsoft.com.

9/29/2004 RealOne and RealPlayer Bugs are Cross-Platform
RealNetworks says that there is a bug in RealPlayer 8, 10, and 10.5 for Windows, RealOne Player 1 and 2 on Windows, the Mac RealOne Player and RealPlayer 10 Beta, and Linux RealPlayer 10 and Helix Player on Linux. Attackers can use this bug to run their code on your system when you play a local RM file. Real says to get the latest updates, which are at http://www.service.real.com/help/faq/security/040928_player/EN/.

9/28/2004 Faded Photographs and Rotted CDs
Regular photographs fade, and pretty soon we will know if photographs printed from an inkjet printer last longer or not. Hewlett-Packard has a page of tips on how to help preserve these printed photos at http://h30015.www3.hp.com/hp_dpc/create_share/prevent_photo_fading.asp?jumpid=info/hho-ng-prevent-photo-fading. Not surprisingly, some of the tips center around buying and using HP products, but there is some useful information there. If you are worried about how long photos stored on DVDs and CDs will last, you may want to read the National Institute of Standards and Technology's guide at http://www.itl.nist.gov/div895/carefordisc/CDandDVDCareandHandlingGuide.pdf.

9/27/2004 Running Out of Room for SP2
Microsoft says that if you do not have enough hard disk space to install Windows XP Service Pack 2, an express or custom installation of the Service Pack may just stop, without giving you any error message. However, there will be clues in the Svcpack.log file, if you examine it. (It should be in your \Windows folder.) If you go to the end, you may see these entries:

9/26/2004 Hotfix for SP2 Loopback Bug is Downloadable
The hotfix for Windows XP Service Pack 2 that takes care of the incompatibilities with programs that connect to IP addresses in the loopback range (127.0.0.1) is now freely available for download. (Before, you had to contact Microsoft Technical Support to get it, as the 8/18/2004 BugBlog explained.) Go to http://support.microsoft.com/?kbid=884020 for the link and explanation.

9/25/2004 Patch for ColdFusion Servers
Macromedia has released a cumulative security patch for ColdFusion MX 6.0, ColdFusion MX 6.1, and ColdFusion MX 6.1 J2EE. This patches a buffer overflow in the JRun server, plus a flaw in the Microsoft IIS connector that may allow someone to see the source code for files. You can get the patch at http://www.macromedia.com/devnet/security/security_zone/mpsb04-09.html.

9/24/2004 Holes in Symantec Firewall/VPN
Symantec says they have patched three bad bugs in their Symantec Firewall/VPN Appliance 100, 200 and 200R models. These bugs may allow a remote attacker to mount a denial of service attack or to determine the firewall's configuration and then change it. Symantec credits Rigel Kent Security & Advisory Services for finding these bugs. You can find the fixes by going to http://www.sarc.com/avcenter/security/Content/2004.09.22.html.

9/23/2004 JPEG Exploit Code is Released
An example program that shows how to attack Windows computers via the JPEG security hole is now circulating on the Internet. Patches for a long list of Microsoft products, including Internet Explorer and Office, were announced 9/14/2004 by Microsoft. Now that a "how-to" explanation is out there, you can expect attacks to commence. Go to http://www.microsoft.com/security/bulletins/200409_jpeg.mspx to see the list of vulnerable software and patches.

9/22/2004 Windows Media Player and Live Meeting
If you are running Microsoft Windows Media Player within Microsoft Office Live Meeting, make sure you stop playing any file before you close Windows Media Player. If you don't, you will risk locking up Windows Media Player, and may have to restart your computer to get everything working again. That won't be very convenient in the midst of a live meeting.

9/21/2004 Ad Program Trips up Service Pack 2
Microsoft says there are incompatibilities between the third-party advertising program Total Velocity Corporation T.V. Media and Windows XP Service Pack 2. If you install the service pack, the computer may crash with this error

9/20/2004 PowerMac Fans Never Sleep
Apple says that after you install the Mac OS X 10.3.5 update on a Power Mac G5 (Single Processor 1.8 GHz model), the computer's fans may keep running even after the computer goes into sleep mode. If you want the fans to sleep too, then get the Power Mac G5 Uniprocessor Firmware Update 5.1.5f1 from http://www.apple.com/support/downloads/powermacg5uniprocessorfirmwareupdate.html. It includes other system reliability fixes, too.

9/17/2004 Norton AntiVirus Won't Scan at Startup
If you have configured Symantec Norton AntiVirus 2003 to do a scan for viruses on startup, this will no longer work when you have upgraded to Windows XP Service Pack 2. Manual scans will still work, as well as daily, weekly, and monthly. For now, Symantec says to switch to some option other than scan at startup.

9/16/2004 Red Hat Patches an OpenOffice Bug
Red Hat has an updated openoffice.org package for Red Hat Enterprise Linux 3. This fixes a security hole in the office suite OpenOffice.org. Because of the way OpenOffice handles temporary files, a local user may be able to break in and read the contents of another user's documents. You can get this update at https://rhn.redhat.com/errata/RHSA-2004-446.html.

9/15/2004 Microsoft Vulnerable to JPEGs
Microsoft says that their component that processes JPEG images has a buffer overrun that may allow an attacker to completely take over your system (if the JPEG image was viewed by a user with Administrator privileges). This affects: Windows XP Service Pack 1; Windows Server 2003; Microsoft Office XP Service Pack 3; Microsoft Office 2003; Internet Explorer 6; Visual Studio .NET 2002 and 2003; Microsoft Picture It; Microsoft Greetings; and more. Essentially, it's a company-wide bug, although older products aren't affected. This is a critical vulnerability, and Microsoft says to patch immediately. See the full list of vulnerable products, and find links to patches for these products at http://www.microsoft.com/technet/security/bulletin/ms04-028.mspx.

9/14/2004 Back to School for Microsoft Class Server
Microsoft says that if you install Windows XP Service Pack 2, you may disrupt the Preview feature and the Find Feature in Microsoft Class Server 3.0. They say the Learning Resource and Assignment Preview feature and the Find Learning Resource feature won't work correctly, and the Teacher may stop responding. (We've all had teachers who do that.) There is a Class Server 3.0 update of 8/25/2004 that fixes this. It's available in the Microsoft Download Center.

9/13/2004 Maxtor One-Touch Drives and Windows 98/ME
If you use a Maxtor One-Touch External Hard Drive on a Windows 98SE or Windows ME computer, there may be incompatibilities with the standby or hibernate modes if you are connected via the USB interface. (And most Win 98/ME computers won't have Firewire.) In addition to your computer locking up, you may get an error message like

9/12/2004 New US-CERT Warning on Internet Explorer
The Computer Emergency Response Team (CERT) of the US Department of Homeland Security has a new alert about Microsoft Internet Explorer. Microsoft has a function called window.createPopup() that can be used to create another IE window, but it can be made to look like another application. (They refer to it as "chromeless", which means a lack of toolbars, etc.) This could be used to trick a user or spoof another program. They also say that it can be used in conjunction with other vulnerabilities to copy an attacker's files to the user's machine. CERT credits Georgi Guninski and Andrew Clover for reporting the vulnerabilities. Most of the original vulnerability reports date to 2001, although this bulletin was posted 9/10/2004. The US-CERT report at http://www.kb.cert.org/vuls/id/490708 has a number of workarounds, including the suggestion of using another browser.

9/10/2004 Windows XP SP2 and UMAX Scanners
If you upgrade to Windows XP Service Pack 2 on a computer that has a UMAX scanner driver installed, you will be prompted to restart the computer, and then the computer will go into a cycle of continuous restarts. Microsoft says you need to start the computer in safe mode, get rid of the UMAX driver, remove Windows XP Service Pack 2, and then reinstall Windows XP Service Pack 2. They say you need to check with UMAX for information on the UMAX driver.

9/10/2004 Red Hat Patches IM Holes
Red Hat has an update for their gaim package, which is an instant messenger client for Red Hat Desktop, and Red Hat Enterprise Linux 3. This update fixes a buffer overflow in the Gaim MSN protocol handler, URL decoder, local hostname resolver, and the RTF message parser. It also fixes a shell escape bug in the Gaim smiley theme file installation. You can get the update at https://rhn.redhat.com/errata/RHSA-2004-400.html.

9/9/2004 Windows XP Service Pack 2 Gets Confused with USB 2.0
When you upgrade to Windows XP Service Pack 2, Microsoft says the USB 2.0 drivers will appear with the earlier version numbers. However, Microsoft does say the files have been updated. Microsoft does have a series of steps on how to reinstall the drivers at http://support.microsoft.com/?kbid=873169. However, they also say you can just unplug any of your USB devices, and then plug them back in. This should start the Plug and Play utility, and you can pray that this will update the driver numbers correctly.

9/8/2004 Apple Security Fix for CoreFoundation
Apple's 9/7/2004 security update for Mac OS X fixes two bugs in the CoreFoundation. One bug may trick OS X into loading a user-supplied library with plug-ins. This could lead to a privilege elevation. Apple credits Kikuchi Masashi for finding this. Another bug could cause a buffer overflow, which may allow a local attacker to run their own code. This bug was discovered by aaron@vtty.com. These fixes are for Mac OS X 10.2.8, OS X 10.3.4, OS X 10.3.5, OS X Server 10.2.8, OS X Server 10.3.4, and OS X Server 10.3.5. There's more coverage of the 9/7/2004 Security Fix in the BugBlog Plus.

9/8/2004 Lexmark Printer Bug is Shocking
There's been a recall of Lexmark laser printers because of an electrical defect that may cause short circuits and a chance of electrical shock. The printers may have the Lexmark brand, or may have been sold under the Dell or IBM Laser Printer name. The models are: Lexmark E232, E232t, E330, E332n, E332tn; IBM Infoprint 1412, 1412n; Dell 1700 and 1700n. You can find out more at the Consumer Products Safety Commission at http://www.cpsc.gov/cpscpub/prerel/prhtml04/04211.html.

9/7/2004 Madden NFL 2003 and ATI RADEON Lockup
If you are trying to play EA Sports Madden NFL 2003 on a Windows XP computer with an ATI RADEON 9800 graphics card and the ATI CATALYST 4.7 or earlier software, the game might lock up if you try to set the Truform slider to Application Preference. ATI says they have fixed this in CATALYST 4.8.

9/6/2004 Dell Updates for Windows XP SP2
If you are going to upgrade your Dell computer to Windows XP Service Pack 2, make sure to read the important set of cautions from Dell at http://support.dell.com/support/topics/global.aspx/support/kb/en/document?dn=1090448. In particular, you will need to update the drivers for the ATI Mobility Radeon 9800 graphics card, which is in some Inspiron laptops, and the driver for the Dell TrueMobile 300 Bluetooth Internal card.

9/4/2004 SP2 Pop-Up Blocker May Block Windows Update
After installing Windows XP Service Pack 2, the pop-up blocker that is installed may interfere with the Microsoft Windows Update Site. Visit there and you may see this error in Internet Explorer

9/3/2004 IBM ThinkPads are Hot
Computer bugs are bad, fires can be worse. IBM is recalling 553,000 AC adapters that were sold mostly with ThinkPad i Series notebook computers and ThinkPad 390 and 240 series notebook computers. There is a danger of overheating that may melt plastic and char circuit boards. These notebook computers were sold between January 1999 and August 2000, so they have been out there for a while. If you bought a ThinkPad, or replacement AC adapter, around that time, go to http://www.adapterprogram.com for more details.

9/2/2004 WinZip Closes Some Security Gaps
There's been a maintenance release of WinZip Computing's WinZip 9. The new WinZip 9.0 SR-1 fixes some security problems, including a buffer overflow that could be triggered by what they term "specially-crafted invalid input on the WinZip command line." WinZip users can get the upgrade at http://www.winzip.com/upgrade.htm.

9/1/2004 Problems with Kerberos 5
MIT says that there are a number of bugs in their Kerberos 5 authentication tool, which is used for establishing secure identities between clients and servers. The first is a double-free bug that may allow remote attackers to run their own code on the server. The second is a bug in the ASN.1 decoder library, which may allow a denial of service attack. You can find out more directly from MIT at http://web.mit.edu/kerberos/www/. In many cases, this technology is implemented in third-party packages, so you may be getting a fix from those vendors.

8/31/2004 Windows XP SP2 Unrolls Driver Rollback
Once you install Windows XP Service Pack 2, any information saved by Device Manager about previous drivers is lost. Microsoft says no backup file is created for third-party drivers, and thus you won't be able to roll back to a previous driver. Microsoft says if you need to go back, you will have to reinstall the third-party driver. If you need a refresher course for that, see http://support.microsoft.com/?kbid=873171.