BugBlog October 2006

Did the BugBlog help you? Donate via PayPal to say thanks.

Even better, subscribe to the BugBlog Plus for even more coverage of bugs and their fixes.

Amazon Honor System

Jump to the BugBlog archives

Dec 06
Nov 06
Oct 06
Sept 06
Aug 06
July 06
June 06
May 06
Apr 06
Mar 06
Feb 06
Jan 06
Dec 05
Nov 05
Oct 05
Sept 05
Aug 05
July 05
Jun 05
May 05
Apr 05
Mar 05
Feb 05
XP SP2
Jan 05
Dec 04
Nov 04
Oct 04
Sep 04
Aug 04
Jul 04
June 04
May 04
Apr 04
Mar 04
Feb 04
Jan 04
Dec 03
Nov 03
Oct 03
Sept 03
Aug 03
July 03
June 03
May 03
April 03
Mar 03
Feb 03
Jan 03
Dec 02
Nov 02

View vintage BugNet coverage here

Cleveland-area blogs*:

Backup BugBlog

Economic Development Futures

*there are more blogs in Cleveland, these are just from people I've met or know. Some of the above are actually farther away, but are bloggers I've met here.

BugBlog

Here is the daily bug, incompatibility or other computer problem from the BugBlog

The BugBlog is free- but if you want to help support its existence, subscribe to the BugBlog Plus. A three month subscription is only $5. The BugBlog uses monthly archives. All the current October bugs are here. Use the links on the left or below to jump back to past months, or use the search form.

10/31/2006 Xbox 360 May Not Like Windows Media Player 11

If you first install Microsoft Windows Media Player 11 on a Windows XP computer, and then you try to authorize your Microsoft Xbox 360 to use it with Windows Media Connect, you may get an error message and the authorization won't take place. Microsoft has a workaround for this listed at
http://www.microsoft.com/windows/windowsmedia/player/11/readme.aspx#ErrorwhensettingupXbox360softwareafter
WindowsMedi

Today's BugBlog Plus has eight more bugs and fixes for Apple, IBM, Microsoft, Mozilla and Sophos.

10/30/2006 Resetting an Unresponsive iPod Shuffle

If you have a First Generation 512MB or 1GB iPod shuffle, when you turn it on you may see amber and green LEDs flashing for a few seconds, but you won't be able to get the iPod to play music. You also won't be able to get it to play music. To fix this on a Windows computer, get the iPod shuffle Reset Utility 1.0 for Windows at http://www.apple.com/support/downloads/ipodshuffleresetutility10forwindows.html. If you've got a Mac, get your download at http://www.apple.com/support/downloads/ipodshuffleresetutility10formac.html. Note that the utility will erase all the music on the iPod and reinstall the iPod 1.1.4 software.

Today's BugBlog Plus has five more bugs and fixes for Apple, Microsoft, Mozilla and Red Hat.

10/27/2006 Anti-Phishing Features in the New Browsers

Adam Smith's "invisible hand" of competition has brought real benefits to the world of browsing. The new Mozilla Firefox 2 and the new Microsoft Internet Explorer 7 both have anti-phishing filters built in. They should help in keeping you from being tricked into giving information to fraudulent sites. The explanation of how Mozilla does this is at http://www.mozilla.com/en-US/firefox/phishing-protection/. The Microsoft explanation is at http://blogs.msdn.com/ie/archive/2005/09/09/463204.aspx.

Today's BugBlog Plus has five more bugs and fixes for Adobe, Apple, Microsoft, and Mozilla.

10/26/2006 Address Bar Spoofing in IE 7

Secunia has a report of a bug in Microsoft Internet Explorer 7. It may be possible for attackers to create a pop-up window that will have a spoofed and misleading address bar, with only part of the address displayed. This could be used as part of a phishing scheme to trick users into disclosing information to a malicious website. You can see the details at http://secunia.com/advisories/22542/, including a proof of concept.

10/25/2006 Firefox 2 Can Restore Your Session (Even If You Don't Want To)

The newly-released Mozilla Firefox 2 includes a Session Restore feature. This means that connections to some sites that log you in via cookies, like Gmail, will automatically be restored after a browser crash. You may not want that to happen if you share a computer. If so, you will need to turn off this feature via the browser.sessionstore.resume_from_crash setting. If you are not familiar with changing your Mozilla settings, see http://kb.mozillazine.org/About:config.

Today's BugBlog Plus has eleven more bugs and fixes for AOL, Apple, Microsoft, Mozilla and Novell.

10/24/2006 False Positive from Symantec AntiVirus Causes a Problem

Anti-virus signatures for Symantec AntiVirus were shipped that apparently triggered a false positive alert that the sfc.dll file in Windows XP and 2000 (which powers Windows File Protection) was the Infostealer.Banpaes virus. Symantec then disabled sfc.dll, and prompts you to reboot the computer. When you try to reboot, a Windows XP computer may reboot continuously, and Windows 2000 may blue screen. Symantec has posted a Knowledge Base article at http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2006102011570548 to help anyone whose computer they wrecked. The Internet Storm Center also has information at http://isc.sans.org/diary.php?storyid=1799.

10/23/2006 Microsoft Re-Releases XML Security Bulletin

Microsoft has re-released their MS06-061 Security Bulletin, which fixed a bug in Microsoft XML Core Services. The first version of their patch did not correctly kill off the flawed version of the Microsoft XML Parser 2.6 if you are running Windows 2000 Service Pack 4. This is a critical security update that helps prevent remote attackers from running their code on your computer. If you haven't gotten the fix yet, or are affected by the re-release, get it at http://www.microsoft.com/technet/security/bulletin/ms06-061.mspx.

Today's BugBlog Plus has five more bugs and fixes for Apple, Microsoft Internet Explorer 7, and Symantec.

10/20/2006 First IE 7 Bug is a Leftover

The first bug in Microsoft Internet Explorer 7 is being discussed. It is a problem in redirection handling with the "mhtml:" URI handler. However, according to the Internet Storm Center, this bug is actually something left over from IE 6. It appears that for compatibility reasons, Microsoft included an older MSXML ActiveX component that had this bug, which they say was announced at http://secunia.com/advisories/19738. You can read the full analysis at http://isc.sans.org/diary.php?storyid=1797.

Today's BugBlog Plus has ten more bugs and fixes for Microsoft Internet Explorer 7.

10/19/2006 IE 7 Cracks Down on ActiveX Controls

Microsoft Internet Explorer 7 can no longer be considered beta software - so it's time for the BugBlog to start taking a look. The good news is that IE 7 imposes a lot more security on ActiveX controls. That's good -- although it was Microsoft who foisted ActiveX on us in the first place. This review of IE 7 at eWeek talks about the increased security, which is a definite bug fix. Read the whole thing at http://www.eweek.com/article2/0,1895,2033704,00.asp.

10/18/2006 Flawed Opera Causes some Dissonance

Opera 9 has a heap overflow bug that may cause the browser to crash when it tries to handle a very large link. Opera says they have fixed this in Opera 9.02, and that the impact of the bug is a denial of service attack. They also credit iDefense for finding this bug. According to iDefense, the size of the link only has to top 256 characters, and it can be hidden in an iframe. They also say that attackers can use the bug to run their own code on your computer. See their explanation at http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=424.

Today's BugBlog Plus has ten more bugs and fixes for Apple, IBM, McAfee, Microsoft, NVIDIA, Oracle, and Sun Microsystems.

10/17/2006 Netflix Fixes a Cross-Site Hijacking Bug

Netflix has fixed a bug on their site that may allow an attack called Cross Site Request Forgery. This type of attack may allow an outsider to change your address, add movies to your queue, and otherwise manipulate your account. An attack like this works if you normally stay logged in to a site, and you visit another hostile website that includes code to take advantage of the weakness. Other Web 2.0 sites may also be at risk for this attack, according to the story on ZD Net at http://news.zdnet.com/2100-1009_22-6126438.html.

Today's BugBlog Plus has five more bugs and fixes for Adobe, Apple, and Microsoft.

10/16/2006 Excel 2003 May Yield the Wrong YIELD

One of the Microsoft Excel 2003 financial functions will give you the wrong answer under a particular set of inputs. If you are using the YIELD function, and the security settlement date is the 30th or 31st of the month, the maturity date is the 30th or the 31st of the same month, and the Basis parameter is 4. Microsoft has a hotfix at http://support.microsoft.com/kb/925797, which must be applied on top of some previously released hotfix packages, described on that page.

Today's BugBlog Plus has five more bugs and fixes for Apple, Clam, Google, and Microsoft.

10/13/2006 Lower Your Defenses When You Install IE 7

With the official release of Microsoft Internet Explorer 7 soon upon us, you may want to know that Microsoft's IEBlog is reminding everyone that they recommend that you temporarily turn off all you anti-virus and and anti-spyware applications before you install IE7. They say that the installation makes so many Registry changes that it may look suspicious to your AV software, which may interfere with the installation. (If you are paranoid, you could probably come up with some other reasons for this.) If you want to be an early adopter, read the blog post and comments at http://blogs.msdn.com/ie/archive/2006/10/11/IE7-Installation-and-Anti_2D00_Malware-Applications.aspx.

Today's BugBlog Plus has six more bugs and fixes for Adobe, Microsoft and Symantec.

10/12/2006 Bug in AOL Control

When you install America Online 9.0 Security Edition, it installs an ActiveX control, AOL.PicDownloadCtrl.1t, that is marked as being safe for scripting. Security researchers at iDefense discovered a buffer overflow in this control, which means it is not safe for scripting. A malicious website could take advantage of this to run code on your computer. If you use AOL 9.0 or AOL 9.0 Security Edition, log in to the AOL service and you will be automatically updated. See the details at http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=420.

10/11/2006 Bugs in Microsoft Server Services

There are two bugs in Microsoft Windows Server Services, that affect Windows 2000, Windows XP, and Windows Server 2003. According to Microsoft, these bugs may allow a remote attacker to trigger a denial of service attack via a network message. According to eEye Digital Security, there is also a risk of the attacker running their code on your computer. By default, most firewalls are configured to block the ports through which these attacks are launched, thus Microsoft considers this only an Important security patch. Get the update at http://www.microsoft.com/technet/security/bulletin/ms06-063.mspx. Microsoft credits Gerardo Richarte of Core Security Technologies, NS Focus, Fortinent, and Matthew Amdur of VMWare for finding these bugs.

Today's BugBlog Plus has eight more bugs and fixes for Adobe, Apple, Microsoft and Novell.

10/10/2006 Another Critical ActiveX Bug for Microsoft

Another bug in an ActiveX control puts users of Windows 2000, Windows XP, and Windows Server 2003 in jeopardy. The bug is in the WebViewFolderIcon ActiveX control, and if you visit a malicious website (using Microsoft Internet Explorer) that tries to exploit this bug, the bad guys may take complete control of your system. This is rated a Critical bug for Windows 2000 and Windows XP by Microsoft, and a moderate bug for Windows Server 2003. Get your patch at http://www.microsoft.com/technet/security/bulletin/ms06-057.mspx, (although there may be some problems with patch availability on 10/10).

Today's BugBlog Plus has seven more bugs and fixes for Microsoft.

10/10/2006 Waiting for Microsoft

The BugBlog will be updated later this afternoon, after the Patch Tuesday Security Bulletins have been released.

10/9/2006 Mac OS X 10.4.8 RAID Update May Cause a Panic

If you are updating to Mac OS X 10.4.8 or OS X 10.4.8 Server on a Mac Pro with a software RAID boot volume, Apple says you need to take special precautions. Don't update if the machine has been booted from the RAID volume. If you do, you may end up with a kernel panic. Boot the Mac Pro from some other volume, and then do the update. See http://docs.info.apple.com/article.html?artnum=304511 for the details.

Today's BugBlog Plus has five more bugs and fixes from Apple, EA Sports, Linksys and Symantec

10/7/2006 A Big Patch Tuesday

October 10 is Patch Tuesday, and it will be an extra special one. Microsoft has announced that there will be six security bulletins for Windows, and at least one of them is rated Critical. There will be four security bulletins for Microsoft Office, and at least one will be Critical. There will also be one security bulletin for the Microsoft .NET Framework. That one is only rated Moderate. Look for full coverage in the BugBlog Plus on Tuesday.

Today's BugBlog Plus has five more bugs and fixes from Apple, EA Sports, Microsoft, Red Hat and Symantec.

10/6/2006 Buffer Overflow Bugs in CA BrightStor

Security researchers at Tipping Point found a number of buffer overflow bugs in CA BrightStor ARCserve Backup R11.5, BrightStor Enterprise Backup 10.5, BrightStor ARCserve Backup v9.01, and CA Server Protection Suite r2. The bugs may let remote attackers run code against the various CA products. Fix information is at http://supportconnectw.ca.com/public/storage/infodocs/basbr-secnotice.asp

10/5/2006 Microsoft VML Bug Earns the Bug of the Month Award

If it's worth an early patch, it's worth the Bug of the Month

10/5/2006 ATI TV Guide May Lose Its Listings

When using the ATI Multimedia Center 9.15 software with an ATI multimedia card, you may sometimes get a corrupted database for the TV listings. This may prevent the TV Guide software from starting. Fix this by going to the Windows XP Control Panel Add/Remove Programs applet. Select the Gemstar GUIDE Plus+ program, and then select Repair. After repairing, when you run the GUIDE again you will need to enter your name, ZIP Code, and email address again.

10/4/2006 Mozilla Bug Report Was a Hoax

The 10/2 Mozilla JavaScript bug report was a hoax. While there is a bug that may be used to crash your browser, attackers can't use it to run hostile code on your computer. Any other claims by the two researchers, who probably won't be invited back to make any more presentations, should also be considered fraudulent. While the BugBlog often reports on what independent researchers say (and these reports also included quotes from Mozilla's security spokesman that lent some credence to their claims) rest assured that these two will no longer be considered valid sources.

Today's BugBlog Plus has fifteen more bugs and fixes from Adobe, Apple, Cisco, IBM, McAfee, Microsoft, Skype, Sony and Sun Microsystems.

10/3/2006 McAfee Protection Had a Hole

There is a bug in McAfee ProtectionPilot 1.1.0 and McAfee ePolicy Orchestrator 3.5.0 that may allow remote attackers to run their own code on the "protected" computer. This happens via a boundary error when dealing with long source errors. You can find links to the patches at http://secunia.com/advisories/22222/. According to at least one news story, McAfee was alerted to the bug in July, but the patch was very complex, so that it took till October to fix. Read more at http://www.crn.com/showArticle.jhtml?articleID=193101216.

10/2/2006 JavaScript Bug in Mozilla- Not?

10/3 There appears to be a major retraction in the claims about this JavaScript bug in Mozilla. It appears that all the bug will do is crash the browser -- so far, no one has gotten it to run malicious code. See http://developer.mozilla.org/devnews/index.php/2006/10/02/update-possible-vulnerability-reported-at-toorcon/. Mozilla will continue to investigate.
Yesterday's bug --There is a bug in Mozilla Firefox's implementation of JavaScript, The bug was found by Mischa Spiegelmock, of SixApart, and Andrew Wbeelsoi. A spokesperson for Mozilla said that the issue looks genuine.

Today's BugBlog Plus has five more bugs and fixes from Adobe, Apple, Microsoft, and Sony.

10/1/2006 JPEG Image Bug in Mac OS X

There is a bug in the way that Mac OS X 10.4.x computers view JPEG2000 images. An attacker may be able to construct one of these images that can either crash the application viewing it, or run hostile code on your machine. Apple has fixed this in the Security Update 2006-006 and have also patched it in Mac OS X 10.4.8. They credit Tom Saxton of Idle Loop Software Design for finding this bug.

Today's BugBlog Plus has five more bugs and fixes from Apple's OS X update.

9/29/2006 Dreamweaver Says Your Parameter Is Incorrect

Adobe says that you may get an error message in Macromedia Dreamweaver that says:
Parameter is incorrect.
(That happens to be an error message that I run into a lot in Dreamweaver.) Adobe says this may happen when you try to save a file to an offline mapped networked drive, when you do a File>New>Templates tab command, or when you Put, Get or Synchronize files to or from a remote server. (Alas, none of those situations cover my experience.) The first two can be fixed by installing the Dreamweaver 8.0.2 update. The third comes about by a corrupt time stamp. Adobe has some workaround information at http://www.adobe.com/go/fbfd45c3.