BugBlog

Here is the daily bug, incompatibility or other computer problem from the BugBlog

The BugBlog is free, but if you want to help support its existence, subscribe to the BugBlog Plus. A three month subscription is only $5. The BugBlog uses monthly archives. All the current March bugs are here. Use the links on the left or below to jump back to past months.

3/31/2006 IE Component May Cause Crash

Microsoft says that if the Discuss toolbar is enabled in Microsoft Internet Explorer, on a computer where Microsoft Office 2003 is also installed, IE may crash when you first start it up. Microsoft has two workarounds to fix this. The first is a Registry edit; the second is to unregister Owsclt.dll, a COM component that adds the Discuss toolbar. See the details for both at http://support.microsoft.com/kb/915726.

3/30/2006 Microsoft Changing IE's ActiveX Behavior

Because Microsoft lost a patent suit, it is changing the way that Microsoft Internet Explorer deals with ActiveX controls. This is important to webmasters who use online advertising and streaming media content. Microsoft says those webpages will need to be rewritten to conform to the new way that IE works. If webpages aren't rewritten, ActiveX Controls and Java Applets will need to be activated by the user before they work. This is scheduled to happen with an April 11 security update to IE, but it will be delayed for 60 days. Some of the add-in software affected by this will include: Adobe's Reader and Flash, Apple's QuickTime Player, Microsoft's Windows Media Player, RealNetworks' RealPlayer and Sun's JVM (Java Virtual Machine). Web developers need to check out http://msdn.microsoft.com/library/?url=/workshop/author/dhtml/overview/activating_activex.asp.

Today's BugBlog Plus has five more bugs and fixes for Apple, Adobe, Microsoft, and Sun Microsystems.

3/29/2006 iTunes Music Store Video Download Error

If you go to the iTunes Music store, with either a Mac OS X computer or a Windows 2000/XP computer, to download a purchased video, you may see this error message:
There was an error downloading your purchased music. An unknown error occurred (0xFFFE7958).
Apple says you will have to report this to the Music Store's customer service. Scroll to the bottom of http://www.apple.com/support/itunes/musicstore/video/ and find Ask a Video Question. Make sure you tell them the artist and title as well as the error message.

Today's BugBlog Plus has ten more bugs and fixes for Adobe, Blizzard, Microsoft, Red Hat, Sun Microsystems, and Symantec.

3/28/2006 Unofficial Patch, and Official Workaround, for IE

There are reports that Microsoft is considering another early release patch for the latest Internet Explorer bug. As many as 200 websites have been identified that try to exploit the bug in the way that IE handles HTML objects. The next regularly scheduled Patch Tuesday is April 11. In the meantime, security researchers at eEye Digital Security have released their own temporary and unofficial patch at http://www.eeye.com/html/research/alerts/AL20060324.html. Microsoft warns that they have not tested this patch, so consumers are on their own. Microsoft's own workaround is to disable Active Scripting.

Today's BugBlog Plus has five more bugs and fixes for Adobe, IBM, Microsoft and Novell.

3/27/2006 The Future of Digital Rights Management

In the future, more and more incompatibility problems are going to be caused by Digital Rights Management, or DRM. David Berlind, the Executive Editor at ZDNet, suggests a replacement name for DRM. He says to call it Content Restriction Annulment and Protection, which would go by the acronym of CRAP. He has a video explaining it -- read a transcript at http://news.zdnet.com/html/z/wb/6035707.html, or click a link to watch his original video presentation. (I had to switch to Microsoft Internet Explorer to watch the video. The ZDNet site didn't like my selection of media player plug-ins on Mozilla Firefox.)

Today's BugBlog Plus has five more bugs and fixes for Adobe, Apple, IBM and Microsoft.

3/25/2006 Did a Bug Break Up an Engagement?

What the victim has termed a "privacy flaw" in Mozilla Firefox, but which may actually just be a misconfiguration of multiple user accounts, is being blamed for the breakup of an engagement after five years of dating. (She found out he was going to online dating sites.) You can follow along the thread discussing this at https://bugzilla.mozilla.org/show_bug.cgi?id=330884. Maybe the only thing worse than having your engagement end this way is having to endure relationship advice from a bunch of computer geeks.

3/24/2006 Microsoft Says It Is a Bug

Microsoft has confirmed earlier reports of a bug in Microsoft Internet Explorer. The bug is in the way that HTML objects handle certain calls. A malicious website would be able to exploit this bug to run their code on your computer. You will need to visit such a website to be in danger. At the moment, Microsoft's suggested workaround is to avoid bad websites. Keep an eye on http://www.microsoft.com/technet/security/advisory/917077.mspx for updates.

Today's BugBlog Plus has five more bugs and fixes for Adobe, Apple, Microsoft and Sendmail.

3/23/2006 RealNetworks Finds More Security Holes

There are a number of bugs in the way that RealNetworks software handles different media files and webpages. Attackers may be able to exploit these bugs to run their code on your system. The affected software includes: RealPlayer 8, 10, and 10.5; RealOne Player 1 and 2; RealPlayer Enterprise; Rhapsody 2 and 3; and Mac RealOne Player and RealPlayer 10. Patch information is at http://service.real.com/realplayer/security/03162006_player/en/, along with links to patches for other languages. Real credits John Heasman, NGS Software; Greg MacManus, iDEFENSE Labs; and Sowhat for finding these bugs.

3/22/2006 NVIDIA Upgrades ForceWare Drivers

NVIDIA has released the ForceWare Graphics Driver 84.21. According to the release notes, there aren't any bug or compatibility fixes since version 84.20. The big difference, however, is that Version 84.21 is WHQL certified, which means it passed Microsoft's Windows Hardware Quality Labs compatibility tests, so you won't send Windows XP or Windows XP Media Center into a tizzy when you upgrade the driver. If you've ever wondered about the WHQL program, you can read about it at http://www.microsoft.com/whdc/whql/.

Today's BugBlog Plus has eight more bugs and fixes for Adobe, Apple, Cisco, and Microsoft.

3/21/2006 Another Overflow for IE

There are reports that another bug has been found in Microsoft Internet Explorer. This one can crash the browser if you view a web page that has multiple event handlers attached to HTML tags. If there are too many attached, IE gets overwhelmed and crashes. This affects the most up-to-date, fully patched version of IE running on Windows XP Service Pack 2. For now, it does not appear that attackers can use this to break into your computer. Microsoft says they are investigating. Security researcher Michal Zalewski reported this bug.

Today's BugBlog Plus has seven more bugs and fixes for Adobe, Apple, Microsoft, Novell, and Symantec.

3/20/2006 Safari Blanks Out After Update

If you happened to move Apple Safari out of the Applications folder before you installed the Security Update 2006-002 v1.0, then after the update Safari might have a blank icon and it won't start. Apple has a new Security Update 2006-002 v1.1 to fix this. Before you install it, see the instructions for deleting the damaged version at http://docs.info.apple.com/article.html?artnum=303472.

Today's BugBlog Plus has five more bugs and fixes for Apple, IBM, Microsoft and Symantec.

3/17/2006 Spreading a Virus Through RFID

You may soon be able to catch a computer virus at WalMart, or at other retailers who may use RFID tags. Dutch researchers presented a paper at an IEEE conference that showed how the memory in an RFID tag can be corrupted, and then used to corrupt databases. Read more at the Security Pipeline at http://www.securitypipeline.com/181504096.

Today's BugBlog Plus has five more bugs and fixes for Adobe, Apple, and Microsoft.

3/16/2006 Critical Update for Flash Player

Adobe has patched some critical bugs in the Macromedia Flash Player. A remote attacker could design a Flash file that, when played on the victim's computer, could take complete control of the system. Everybody using [Edit] Flash Player 8.0.22.0 and earlier should update to Flash Player 8.0.24.0. [End Edit - thanks to Roseman for catching an error] Get the update at http://www.macromedia.com/devnet/security/security_zone/apsb06-03.html. Note that Flash Player is distributed with Microsoft Internet Explorer, so that most people using IE will be vulnerable to this. If you are still using Flash Player 7, see http://www.macromedia.com/cfusion/knowledgebase/index.cfm?id=d9c2fe33.

3/15/2006 Windows XP Bug Allows Privilege Elevation

There is a bug in the discretionary access control list (DACL) for Windows XP Service Pack 1. If permissions are set by default, then users with low privileges may be able to change some of the properties of the affected service. Users with valid logon credentials may thus be able to take complete control of a Windows XP SP1 computer. If you are in a multi-user environment, and haven't upgraded to Windows XP Service Pack 2, then go to http://www.microsoft.com/technet/security/bulletin/ms06-011.mspx for a patch. Microsoft considers this an Important update. They credit Andres Tarasco of SIA Group for finding this bug.

Today's BugBlog Plus has ten more bugs and fixes for Adobe, Apple, ATI, McAfee, Microsoft and Novell.

3/14/2006 Bugs Crawling Out of Microsoft Office

Microsoft has released a Critical security update for most versions of Microsoft Office. This includes Office 2000, Office XP, Office 2003, and Microsoft Works. There are serious vulnerabilities (plural!) in Microsoft Excel, in addition to problems with Word and PowerPoint. These vulnerabilities could allow remote attackers to take complete control of your system. Office users should go to http://www.microsoft.com/technet/security/Bulletin/MS06-012.mspx and download the appropriate patches. Microsoft has a long list of people to thank for finding the bugs in Office.

3/12/2006 McAfee calls Excel a Virus

If you use McAfee antivirus products, there is a chance that you experienced some goofiness with Microsoft Excel on 3/10/06. That's because McAfee updated their virus definition files in a way that suddenly started flagging Microsoft Excel as the W95/CTX virus. In most cases, the Excel executable files were quarantined, meaning they were renamed and moved. It didn't take long for McAfee to find out (screaming customers can have that effect) and they reverted to their older definitions in the afternoon. If you are still using virus definition file 4715 from McAfee, make sure you update.

Updates to the BugBlog may be a little sporadic until late on Tuesday, March 14.

3/11/2006 The Outlook for Indiana

Any BugBlog readers from Indiana -- you probably already know that the state is finally moving to daylight savings time. If you live in Indiana and use Microsoft Outlook, you may want to check out http://support.microsoft.com/kb/915577 to see how the time zone changes are going to affect the program.

Today's BugBlog Plus has five more bugs and fixes for Adobe, Apple, ATI, and Red Hat.

3/10/2006 Windows Media Player Fix Causes Problems

Microsoft's security patches for Windows Media Player, released in February, 2006, may cause problems when you rewind or fast-forward video files. Instead of doing what you want, Windows Media Player may take you to the beginning of the clip, or it may just lock up. Microsoft has some workaround information, that for now only applies to Windows Server 2003, at http://support.microsoft.com/kb/912226. However, they will probably also be updating that page with more info if they have other fix information.

Today's BugBlog Plus has ten more bugs and fixes for Adobe, Apple, ATI, Intuit, Microsoft, and Red Hat.

3/9/2006 Virus Works Against MS InfoPath Files

It's not a serious threat yet (mostly because not too many people use it), but the first virus that goes after Microsoft Office InfoPath files has been detected. InfoPath is the new XML-based (eXtensible Markup Language) file format for sharing information in forms. AV vendors mark the threat as low, saying it is mostly a proof-of-concept that shows this type of attack can work. Read more at http://www.computerworld.com/securitytopics/security/story/0,10801,109322,00.html.

3/8/2006 TurboTax Fixes Forms

According to Intuit, the TurboTax 2005 Version 5.00 H, released on 3/3/2006, fixes a bad reference on the Partnership K-1 form; fixes the cash donation input list display; and now correctly asks for the taxpayer's name instead of the spouse name when filling in the amount of a taxpayer's IRA account. If you can't get the automatic updating in TurboTax to work, see https://support1.turbotax.com/cgi-bin/turbotax.cfg/php/enduser/std_adp.php?p_faqid=35.

Today's BugBlog Plus has ten more bugs and fixes for Adobe, Apple, Intuit, Microsoft, Novell and OpenOffice.

3/7/2006 Mozilla Thunderbird Discloses Information

There is a bug in the way that Mozilla Thunderbird 1.5 handles external resources (images and CSS) in inline HTML attachments. According to a posting at SecurityFocus, also picked up by US-CERT, a remote attacker may be able to find out things about your system, including whether an email has been read. As of yet, there is no fix nor confirmation from Mozilla. Read all the info, from crashfr, at http://www.securityfocus.com/archive/1/426347.

Today's BugBlog Plus has five more bugs and fixes for Adobe, Apple, Microsoft and Red Hat.

 

3/6/2006 Rights Management Stops Excel Shutdown

When you use Information Rights Management (IRM) on a Microsoft Office Excel file, make sure you save and close the file before you exit Microsoft Excel. The IRM protection may interfere with the shutdown process, and you may get an error message saying that Excel cannot access the file path. See http://support.microsoft.com/kb/913770 for more.

Today's BugBlog Plus has five more bugs and fixes for Adobe, Apple, Microsoft and Sun Microsystems.

3/5/2006 And the Winner Is ......... Microsoft

The twin flaws in the Windows Media Player win Microsoft the March Bug of the Month Award.

3/5/2006 ZoneAlarm Updates Their Firewall

Zone Labs has released the latest free version of their ZoneAlarm firewall. Version 6.1.744.000 has a number of unspecified bug fixes, does a better job communicating with the centralized server, and fixes a cosmetic problem where text overlapped in the support and update information. Get the free update at http://download.zonelabs.com/bin/free/information/znalm/zaReleaseHistory.html

Today's BugBlog Plus has five more bugs and fixes for Apple, Dantz and Microsoft.

3/3/2006 Symantec Has an IRC Bug

A report in the Washington Post said that Norton Internet Security and Norton Personal Firewall have a bug that allows others to kick their users off Internet Relay Chat (IRC) networks. It seems that if someone types in either "startkeylogger" or "stopkeylogger" on an IRC channel, then anyone else on the channel using those products gets kicked off immediately. Symantec says this only affects a small number of their customers, because IRC isn't all that popular. In any case, they will be fixing this via their automatic updates. Read the whole thing at http://blog.washingtonpost.com/securityfix/2006/03/keylogger_utterance_spooks_nor.html.

3/2/2006 Apple Fixes Mail Attachment Bug

There is a bug in the way that the Mail client in Mac OS X 10.4 processes email attachments. Attackers may be able to take advantage of this and disguise their malware so that it bypasses Download Validation and enters the system. Apple says the Security Update 2006-001 fixes this by making sure the entire file is examined.

3/1/2006 Non-Security Update for Internet Explorer

Microsoft has issued Security Advisory 912945 to advise us that they have issued a non-security update for Internet Explorer on Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1. You can read this security advisory that talks about the non-security update at http://www.microsoft.com/technet/security/advisory/912945.mspx. A number of the issues discussed there mirror the ones in a BugBlog Plus item of 2/15, which talks about an ActiveX update for Internet Explorer.

Today's BugBlog Plus has ten more bugs and fixes for Adobe, Apple, Microsoft, Novell, Oracle and Red Hat.

2/28/2006 Attacks Against PayPal Mounting

A security company, BlackSpider Technologies, estimates that several million copies of a Trojan horse program targeted at PayPal users were mailed last week. The subject line will say "Notification: Your Account Temporally Limited" and if you follow the link and log in, they will steal your username and password. An estimate of several million may be low, since the BugBlog has been getting about 10 of those a day, as well as another version that says that some other email address has been added to your account. The workaround is simple: never follow a link from your email to PayPal. Always log in from a fresh browser window. Read the whole thing at http://www.securitypipeline.com/181400633.

Today's BugBlog Plus has seven more bugs and fixes for Adobe, Apple, Microsoft, Mozilla, and Sun Microsystems.

2/27/2006 Mail-Merged Hyperlinks in MS Word are Lost

If you do a mail merge to email using Microsoft Word 2002 or Word 2003, and your data source fields contain hyperlinks, they might be converted into plain text in the email messages, and won't be clickable. Microsoft says they have two different workarounds for this. See the details at http://support.microsoft.com/kb/912679.

Today's BugBlog Plus has eight more bugs and fixes for Apple, Microsoft, Mozilla, and Sophos.

2/24/2006 Shockwave Installer Bug

Adobe has patched a critical vulnerability in the Macromedia Shockwave Player ActiveX installer. If you were prompted to download the vulnerable version from a malicious website, the attackers could have run hostile code on your system. This vulnerability doesn't affect you if Shockwave is already installed, and the new version available for download has been patched. Be careful if you have downloaded but not yet installed an earlier, vulnerable version of Shockwave. Adobe credits the Zero Day Initiative of Tipping Point for finding this bug.

2/23/2006 Infrared Update for Windows XP Media Center

There is an Update Rollup 2 for the Microsoft Windows XP Media Center Edition eHome Infrared receiver. This update includes compatibility fixes for some new hardware, including the Microsoft Media Center infrared (IR) keyboard and some new remote controls. It will also add support to some keys that previously didn't work on existing remote controls. It is a cumulative update, so it also contains all the previous fixes for the Infrared receiver. Get the update at http://support.microsoft.com/kb/912024 or through Windows Update.

2/22/2006 Star Wars Update Fixes Bugs

LucasArts has fixed a number of bugs in various weapons in the Star Wars Empire at War 1.02 update. This includes: fixing the proton torpedoes so they don't ignore hardpoints; fixing the magnapulse cannon so it doesn't have to be double-clicked; and fixing a bug that allowed the Death Star to fire even after a battle. However, they did not get to at least one bug: according to reports, there is still a thermal exhaust, right below the main exhaust, that leads right to the Death Star's core. A remote attacker may be able to trigger a denial of service attack through this port.

Today's BugBlog Plus has six more bugs and fixes for Adobe, Apple, IBM, Microsoft, and Novell.

2/22/2006 DVD Review: Hitchhiker's Guide to the Galaxy

The movie can't match the book

2/21/2006 Apple Safari Vulnerable to Shell Exploit

There are reports of a bug in Apple Safari running on Mac OS X systems. Users who do no more than visit a malicious website may trigger a shell command, so that attackers can run code on your system. The SANS Internet Storm Center has a summary at http://isc.sans.org/diary.php?storyid=1138. The original report came from Juergen Schmidt at heise.de. They have an English version at http://www.heise.de/english/newsticker/news/69862.

Today's BugBlog Plus has five more bugs and fixes for Adobe, LucasArts and Microsoft.

 

2/20/2006 McAfee AntiVirus Problems with Adobe Photoshop

There is an incompatibility between McAfee VirusScan 8.0i and Adobe Photoshop CS2. According to Adobe, that version of McAfee may lead to missing text on menus or buttons, or problems with the registration window. One solution is to upgrade McAfee to Patch Version 10. Another is to disable the Buffer Overflow function in McAfee VirusScan. A third is to exclude Photoshop CS2 from Windows Data Execution Prevention (DEP). See the details at http://www.adobe.com/support/techdocs/326371.html.

Today's BugBlog Plus has five more bugs and fixes for Apple, Corel, and Microsoft.

2/19/2006 Windows Media Player Exploits Are Seen

If you haven't yet installed the patch for the Microsoft Windows Media Player that was released Tuesday by Microsoft, you may want to move that job higher on your To-Do list. Exploit code that shows how to take advantage of this security bug is now circulating on some of the black-hat sites on the Web. Read about this code at http://news.zdnet.com/2100-1009_22-6040746.html. Get the patch at http://www.microsoft.com/technet/security/bulletin/MS06-005.mspx

Today's BugBlog Plus has five more bugs and fixes for Apple, IBM, and Microsoft.

2/17/2006 AOL Mail May Crash Apple Safari

If you are using Apple Safari on a Mac OS X 10.4.4 or earlier computer to go to AOL webmail and then delete AOL mail messages, Safari may crash. This has been fixed in the Mac OS X 10.4.5 update.

Today's BugBlog Plus has five more bugs and fixes for Apple, Microsoft, Mozilla and Sun Microsystems.

2/16/2006 Toshiba Laptops Don't Like iPods

If you plug your Apple iPod into a Toshiba laptop computer with a USB cable, you might have problems. According to Apple, iTunes for Windows running on the laptop won't recognize the iPod, or the iPod Updater will recognize the iPod, but you will get a disk error if you try to restore the iPod. Apple has some workaround steps to try at http://docs.info.apple.com/article.html?artnum=300836. They do note that these are only for laptops, and not for desktop computers that use USB keyboards and mice.

2/15/2006 Adobe Fixes PDF Browser Crash

On a computer with Adobe Acrobat 7.0.x Standard or Professional installed, if you have a browser with the Google toolbar visible, loading a PDF file into the browser and then exiting may cause the browser to crash. Adobe says this has been fixed in the Acrobat 7.0.7 update for Acrobat Standard and Professional. Get the update at http://www.adobe.com/support/techdocs/332877.html.

Today's BugBlog Plus has eight more bugs and fixes for Adobe, Apple, ATI, Microsoft, and Red Hat.

2/14/2006 Microsoft's Patch Tuesday

The plug-in version of Microsoft Windows Media Player, which is designed to work within a web browser, appears to open up a serious security hole when it is used with non-Microsoft browsers from Mozilla and Netscape. If you are using one of those browsers, and come upon a maliciously designed webpage that has content set up to play in Windows Media Player, and that content has a very long embed src tag, the attacker may be able to overwrite memory and run their code on your computer. Get the update from Microsoft at http://www.microsoft.com/technet/security/bulletin/MS06-006.mspx. As a workaround, you can make sure that Windows Media Player is not the default plug-in for media files that you may run across. Microsoft credits iDefense for finding this bug. Note that the plug-in doesn't cause problems for the Opera browser, nor for Microsoft Internet Explorer. (Does this mean if Microsoft can't beat you in the market, they will destroy you from within? Nah, couldn't be.)

Today's BugBlog Plus has seven more bugs and fixes for Microsoft's Patch Tuesday bugs.

2/13/2006 Microsoft Anti-Spyware Zaps Norton AntiVirus

According to a story in the Washington Post (not one of my usual sources) the latest version of Microsoft Anti-Spyware labels Symantec Antivirus as spyware, and instructs users to delete some of the Norton files. If the users do so, it will disable the anti-virus protection. Restoring Norton afterwards is a complicated process. There are quite a few threads on Microsoft's discussion forums talking about this. Read the full report at the Post at http://blog.washingtonpost.com/securityfix/2006/02/microsoft_antispyware_deleting_1.html, which also links to some of the discussions. It would appear that Microsoft is changing the signature definitions for Anti-Spyware, to prevent this from happening anymore.

Today's BugBlog Plus has five more bugs and fixes for Apple, IBM, Microsoft and Red Hat.

2/11/2006 ActiveX Update for Internet Explorer

Microsoft has an ActiveX update for Microsoft Internet Explorer 6 for Microsoft Windows XP Service Pack 2 and for Microsoft Windows Server 2003 Service Pack 1. This should help to improve security for ActiveX controls, which is good news. However, there may be some bad news. After applying this update, you may have compatibility problems at some websites, where you won't be able to use the ActiveX feature until you manually click the control. The web developers at these sites may need to make some changes too. See http://msdn.microsoft.com/ieupdate for details on those.

Today's BugBlog Plus has six more bugs and fixes for Adobe, Apple, Google and Microsoft.

2/10/2006 Multiple Bugs in Lotus Notes

Secunia Research details at least six bugs in IBM Lotus Notes 6.5.4 and 7.0. These bugs may allow remote attackers to run their code on your system, with the attacks coming from malicious content in emails, in HTML, in TAR archives, in ZIP files, and in UUE files. These bugs have been fixed in Notes 6.5.5 and in 7.0.1. Read the details at http://secunia.com/advisories/16280/. Their article also points to an IBM tech note, which at the moment appears to be missing.

2/9/2006 Exploits Aimed at Firefox Bugs

Code that can be used to take advantage of bugs in Mozilla Firefox has been released and is circulating on the Internet. It would exploit bugs that have been patched in the Firefox 1.5.0.1 update. According to a story on ZDNet, this code would work against Linux and Mac OS X systems running Firefox 1.5, but not earlier versions. Read the whole thing at http://news.zdnet.com/2100-1009_22-6036771.html.

2/8/2006 Lots of Bugs in Java

There are seven different bugs in various versions of the Sun Microsystems Java Runtime Environment (JRE) and Java Software Development Kit (SDK). These bugs affect the Windows, Solaris, and Linux platforms and may allow an untrusted applet to give itself elevated privileges, and then cause damage to your system. Sun shows which of the bugs affect the different versions of Java at http://sunsolve.sun.com/search/document.do?assetkey=1-26-102171-1. That page also shows how to determine which version of Java you have, and has links to updates. Sun credits Adam Gowdiak for finding five of the seven bugs.

Today's BugBlog Plus has eight more bugs and fixes for Adobe, Apple, IBM, Microsoft, and Mozilla.

2/8/2006 Apple Wins the Bug of the Month

It's a little bit belated, but the Apple QuickTime 7.0.4 Update to fix security holes in graphics files wins the February Bug of the Month.

2/7/2006 Missing Driver Messes Up iPod Connection

When you plug an iPod nano or Fifth Generation iPod into a Mac OS X computer, you may get this error message when you open the iPod updater:
You must connect using FireWire to restore this iPod.
The Updater may also be displaying the wrong iPod model. According to Apple, this happens because the iPodDriver.kext file didn't load correctly. See http://www.info.apple.com/kbnum/n61937 for instructions on how to fix this.

Today's BugBlog Plus has seven more bugs and fixes for Adobe, AOL, Apple, IBM, Microsoft, and Mozilla.

2/6/2006 Security Problem in Microsoft Help Workshop

There is a security bug in the Microsoft HTML Help Workshop, according to a report on the Secunia website. If there is an overlong string in the Contents field of an .hhp file, an attacker can create a buffer overflow and run their own code on a system, if they can get the victim to open the poisoned .hhp file. There are exploits available that show how to do this. Secunia credits bratax for finding this bug. Read their whole report at http://secunia.com/advisories/18740/. The only workaround at the moment is to avoid .hhp files of uncertain origin.

2/5/2006 Adobe Files Can Be Switched

There is a bug in the file and folder permissions for Adobe Photoshop CS2, Illustrator CS2 and the Adobe Help Center. According to Adobe, this may let unprivileged users change some important Adobe system files. This is not going to affect a standalone user, but in a multi-user environment it may allow a local user to replace the Adobe files with malicious files that could damage other parts of the computer system. Get fixes from http://www.adobe.com/support/techdocs/332644.html. Adobe credits Sudhakar Govindavajhala and Andrew Appel of Princeton University for finding this bug.

Today's BugBlog Plus has five more bugs and fixes for Apple, ATI and Mozilla.

2/3/2006 Firefox 1.5.0.1 Fixes Security Problems

Mozilla has released Firefox 1.5.0.1, which is a bug-fix and stability release, with no added features. The most critical bug fixed is a hole in the way XULDocument.persist() validates. Remote attackers may be able to inject XML that could trigger JavaScript commands that would run at the same permission level as the browser.

Today's BugBlog Plus has six more bugs and fixes for Apple, Microsoft and Mozilla.

2/2/2006 Camera Prevents Windows XP Shutdown

If you have a camera connected to a Windows XP computer's USB root hub or USB port, and you have configured the option to Allow the computer to turn off this device to save power, the camera might prevent the computer from either going into hibernation or shutting down. Instead, the computer will hang during the shut-down. Microsoft has a hotfix for this, which will be in a future Windows XP service pack. If you are affected by this, and don't want to unplug the camera before shutting down, see http://support.microsoft.com/kb/909667 for information on getting the hotfix from Microsoft.

2/1/2006 Don't Take MyWife, Please

A mass-mailing email worm, given different names by various security researchers, may be able to do a significant amount of damage on 2/3/2006, and then on the third day of subsequent months. It's called MyWife by McAfee and Microsoft, Nyxem by Kaspersky and Sophos, and Blackmal.E by Symantec. It will come as an email attachment, and probably shouldn't detonate if you don't open the attachment. It is set to delete files and alter your Registry, and will send emails to addresses it finds in your address book. Symantec's write-up is at http://securityresponse.symantec.com/avcenter/venc/data/w32.blackmal.e@mm.html, and McAfee's is at http://vil.nai.com/vil/content/v_138027.htm. Make sure your anti-virus signatures are up to date.

Today's BugBlog Plus has ten more bugs and fixes for Adobe, Apple, Microsoft, Mozilla, and Sun Microsystems.

1/31/2006 Get the Bugs Out of Your iPod

Apple has a new iPod Updater available. The new versions are new iPod Software 1.1 for iPod nano, new iPod Software 1.2.1 for iPod with color display, new iPod Software 1.4.1 for iPod mini, and new iPod Software 3.1.1 for iPod with Click Wheel. This upgrade has a number of unspecified (by Apple) bug fixes, and it also supports the iPod Radio Remote for iPod with video and iPod nano. Get it at http://www.apple.com/support/downloads/ipodupdater20060110.html.

Today's BugBlog Plus has five more bugs and fixes for Adobe, Apple, Microsoft and Nullsoft.

 

1/30/2006 Black and White Turns Gray in Office 2003

Printing out a black and white image from a Microsoft Office 2003 Service Pack 2 application may not work correctly. According to Microsoft, some printers may print the white color as a light gray. They don't list which printers are affected, but presumably you will know if you see it. Microsoft has a hotfix for this, which will be in a future service pack. If you are affected, see http://support.microsoft.com/kb/913164 for information on how to get it sooner.

Today's BugBlog Plus has five more bugs and fixes for Adobe, Apple, and Microsoft.


© 2005 BJK Research LLC