The BugBlog is a daily look at computer bugs, incompatibilities, and other things that can go wrong with your computer.
The BugBlog is free- but if you want to help support its existence, subscribe to the BugBlog Plus. A three month subscription is only $5. The BugBlog uses monthly archives. All of the current month's bugs are here. Use the links on the left to jump back to past months, or use the search form.
A bug in the WebCore for Apple Mac OS X 10.3.9 and 10.4.9 may allow a website to launch a cross-site scripting attack, tricking you into revealing personal data to the wrong website. Apple has fixed this in the 2007-006 Security Update. Read more about it at http://docs.info.apple.com/article.html?artnum=305759. Apple credits Richard Moore of Westpoint Ltd.for finding this bug.
Information Week tells us a sure-fire way to crash Windows Vista -- hold down the Windows key and the E key together for ten seconds. Read about it at http://www.informationweek.com/blog/main/archives/2007/06/how_to_crash_wi.html. Not having a Vista machine, I can't test it. There's also a link to an article on crash recovery techniques.
If you've been wondering where the BugBlog has been -- a combination of some hardware problems that caused a bunch of platform and software shuffling, some unexpected personal travel, and an influx of high-paying work have all intervened in a perfect storm. That storm is slowly abating (although the high-paying work is still around.)
According to Microsoft, because of the way the the Trusted Installer has changed in Windows Vista, third-party System Restore tools probably won't work correctly in Windows Vista. You won't end up with a completely restored system. Microsoft has a hotfix for this, which will be in a future service pack. Need the fix right away? See http://support.microsoft.com/kb/935606/.
Apple has included a number of USB fixes in their OS X 10.4.10 update. The IR remote controller should now work better after waking the computer from sleep; external USB drives should be more stable when mounted; and the bug that kept the TomTom GO 910 from being recognized is fixed
If you play games at RealNetworks GameHouse website, you use an ActiveX control called dldisplay. There are multiple bugs in this control that may allow a remote user, by constructing a booby-trapped website, to run hostile code on your computer. There is no fix yet, other than disabling the ActiveX control. The bug was found by Will Dormann of US CERT. They show how to disable the control at http://www.kb.cert.org/vuls/id/179105.
The three things in the title -- vertical fonts, Postscript, and Windows Vista -- don't go together. If you mix a regular font and a vertical font (typically an Asian font whose name starts with the @ sign) and try to print to a Postscript printer from Vista, and the printing won't be correct. If you do this often, you may want to get the hotfix that Microsoft discusses at http://support.microsoft.com/kb/937018
Today's BugBlog Plus has five more bugs and fixes for Apple, Cerulean, Google, and Microsoft.
Just to point out the obvious -- the recently-released Apple Safari for Windows is still a beta product. Beta products are supposed to have bugs. In this case, Symantec (and others) point out that Safari for Windows is vulnerable to a number of well-known browser exploits, including denial of service and remote code exploits. Read more at http://www.symantec.com/enterprise/security_response/weblog/2007/06/vulnerabilities_for_safari_on.html.
Today's BugBlog Plus has five more bugs and fixes for Apple, IBM, Microsoft and Sun Microsystems.
Connect a USB telephony device to a Windows Vista computer, and Vista may decide to make it the default audio device. That should play havoc with audio/visual applications. Microsoft says this is because Vista sees that the device has audio capabilities, but doesn't determine the correct kind. There is a hotfix for this, which will be in a future service pack. If you need it right away, see http://support.microsoft.com/kb/936004.
Today's BugBlog Plus has five more bugs and fixes for Adobe, Apple, and Microsoft.
Red Hat has patched the kernel for Red Hat Enterprise Linux 5. This fixes a number of bugs that may have allowed: denial of service attacks from local users via mount handling; denial of service attacks from remote users via PPP over Ethernet; information leaks to local users via Bluetooth. See all the bugs that are fixed, and get the patch, at https://rhn.redhat.com/errata/RHSA-2007-0376.html.
Today's BugBlog Plus has five more bugs and fixes for Adobe and Microsoft.
There is a bug in the way that OpenOffice handles RTF (Rich Text Format) documents. An attacker can design an RTF document, that when launched in OpenOffice 2.2 or earlier, runs hostile code on the computer. This has been fixed in OpenOffice 2.2.1, which you can get at http://www.openoffice.org/. John Heasman of NGSSoftware found this bug.
According to the Adobe Dreamweaver CS3 for Windows Read Me, if you create a CSS (Cascading Style Sheet) file in Dreamweaver that is exactly 8192 bytes, or some multiple of 8192, in size, then Dreamweaver will crash. It also won't restart until you change the size of that stylesheet. Luckily, you don't have to use Dreamweaver -- any text editor, including Windows Notepad, will do. Open the file there, and add or subtract a few characters or comments.
Today's BugBlog Plus has ten more bugs and fixes for Adobe, Apple, IBM, Microsoft, and Sun Microsystems.
There is a bug in the Windows Mail application within Windows Vista that an attacker can use to take complete control of the system. The bug is in the way Windows Mail deals with UNC navigation requests. Because of the scope of the damage, which can be triggered by reading an email, Microsoft considers this a critical update. Microsoft has patch information at http://www.microsoft.com/technet/security/bulletin/ms07-034.mspx. In the meantime, reading mail as plain text can serve as a workaround.
Today's BugBlog Plus has five more bugs and fixes for Microsoft's Patch Tuesday.
Today's BugBlog Plus has ten more bugs and fixes for Apple, Linux, Microsoft, Red Hat, TI, and Symantec.
Try to activate Windows Vista, and you may see this error message:
Activation Error: Code 0x8007232b DNS Name does not exist
Microsoft says this error would tend to occur if volume-licensed media was used to install Windows Vista, and not an ordinary retail purchase and upgrade. There are three workarounds: set up a Key Management Service server; use a Multiple Activation Key (MAK); or use a license key. See the details at http://support.microsoft.com/kb/938107.
There are two bugs in the Yahoo! Messenger that may allow attackers to take complete control of your system. The bugs are in ActiveX controls -- one in the Yahoo! Webcam Upload (ywcupl.dll) ActiveX control, and the other in the Yahoo! Webcam Viewer. See more at http://secunia.com/advisories/25547/. Credit for finding these bugs goes to Danny.
Switching from the secure desktop in Windows Vista to the unsecured desktop may trigger this Stop error message:
Stop 0x00000001 (0x00000000, 0x7ffdc000, 0x0000ffff, 0x00000000)
where the first, second, and fourth numbers in parentheses may have different values. This will happen if you are using the Windows Aero color scheme, and you entered your logon credential to unlock the secure desktop. Microsoft says that an event hook must also be running to trigger the bug, which is in Win32k.sys. They have a hotfix, which will be in a future service pack. If you can't wait for the fix, see http://support.microsoft.com/kb/935936 for information on getting it right away.
Today's BugBlog Plus has five more bugs and fixes for Adobe, Apple, CA and Microsoft.
If you start a Windows Vista computer in diagnostic startup mode, you may be prompted to activate your copy of Windows Vista. This will happen even if you've done this before. If you don't comply, Microsoft considers you a pirate (arghh!) and will switch Vista in reduced functionality mode. Given that you are probably using diagnostic mode because of a problem, this is about the last thing you want to deal with. It happens because Windows Licensing depends on Plug and Play, which is disabled when you use diagnostic startup mode. It appears that Microsoft realizes how brainless this is, because they have a hotfix for it. Either wait for a future service pack, or go to http://support.microsoft.com/kb/937426 for the fix.
Today's BugBlog Plus has five more bugs and fixes for Apple, Ebooks, Lotus, Microsoft, and Mozilla.
Mozilla says there is a bug in the way that Thunderbird handles APOP authentication. Because of this, attackers may be able to interpose a malicious mail server between you and your real server, and use it steal your password. Depending on how your authentication system is set up, it may take some programming skill to steal the password. This has been fixed in Thunderbird 188.8.131.52 and 184.108.40.206. Mozilla credits Gaëtan Leurent for finding this bug.
Today's BugBlog Plus has seven more bugs and fixes for Apple, Microsoft, and Symantec.
Mozilla released the Firefox 220.127.116.11 and Firefox 18.104.22.168 updates, to fix a number of bugs in the layout engine. Some of these bugs could crash Firefox and corrupt memory, which means they could be exploited as a means of installing malware. Mozilla credits Boris Zbarsky, Eli Friedman, Georgi Guninski, Jesse Ruderman, Martijn Wargers and Olli Pettay for finding these bugs. You can get the update via the Mozilla update function (Help, Check for Updates) if you haven't gotten notified automatically.
Adobe Flash Player 22.214.171.124 for Windows may have compatibility problems with some sound cards. According to Adobe, the drivers for some Realtek and SoundMax cards may not support WaveOut, which will lead to audio problems. There is no workaround from Adobe -- you'll probably have to wait for a driver update.
Copyright 2003-2007 BJK Research LLC