The BugBlog Plus -December 2005

BugBlog Plus Archives
Current month
Nov 06 by company
Nov 06 by date
Oct 06 by company
Oct 06 by date
Sep 06 by company
Sep 06 by date
Aug 06 by company
Aug 06 by date
July 06 by date
June 06 by date
May 06 by date
Apr 06 by date
Mar 06 by date
Feb 06 by date
Jan 06 by date
Jan 06 by company
Dec 05 by date
Dec 05 by company
Nov 05 by date
Oct 05 by date
Sept 05 by date
Aug 05 by date
July 05 by date
June 05 by date
June 05 by company
May 05 by date
May 05 by company
Apr 05 by date
Apr 05 by company
Mar 05 by date
Mar 05 by company
Feb 05 by date
Feb 05 by company
Jan 05 by date
Jan 05 by company
Dec 04
Dec 04 by company
Nov 04
Oct 04
Sept 04 by date
XP SP 2
Aug 04 by company
Aug 04 by date
Jul 04 by company
Jul 04 by date
June 04 by company
June 04 by date
May 04 by company
May 04 by date
Apr 04 by company
Apr 04 by date
Mar 04 by company
Mar 04 by date
Feb 04 by company
Feb 04 by date
Jan 04 by company
Jan 04 by date
Dec 03 by company
Dec 03 by date
Nov 03 by date
Nov 03 by company

Jump to the BugBlog archives (October 03 and earlier are public archives)

Dec 06
Nov 06
Oct 06
Sept 06
Aug 06
July 06
June 06
May 06
Apr 06
Mar 06
Feb 06
Jan 06
Dec 05
Nov 05
Oct 05
Sept 05
Aug 05
July 05
Jun 05
May 05
Apr 05
Mar 05
Feb 05
XP SP2
Jan 05
Dec 04
Nov 04
Oct 04
Sep 04
Aug 04
Jul 04
June 04
May 04
Apr 04
Mar 04
Feb 04
Jan 04
Dec 03
Nov 03
Oct 03
Sept 03
Aug 03
July 03
June 03
May 03
April 03
Mar 03
Feb 03
Jan 03
Dec 02
Nov 02

Cleveland-area blogs*:

Backup BugBlog

Economic Development Futures

*there are more blogs in Cleveland, these are just from people I've met or know. Some of the above are actually farther away, but are bloggers I've met here.

BugBlog

Subscription portion of the BugBlog. The first bug of the day listed is always the free bug available to non-subscribers, followed by the subscription-only bugs.

12/31/2005 New Microsoft Graphics Vulnerability

Microsoft interrupts everyone's vacation with news of another vulnerability that could load hostile content onto your computer via a Windows Metafile graphic. The graphic would be hosted on a website, but Microsoft says a user would have to visit the website by clicking on a link -- they could not be forced onto the site. There are reports that code to exploit this are already circulating on the Internet. Microsoft has a bulletin at http://www.microsoft.com/technet/security/advisory/912840.mspx, which will get updated later.

12/23/2005 More Spyware Charges Against Sony

Some of the Sony BMG music CDs loaded copy protection software onto user's computers even if users said No to the licensing agreement. This is according to the Texas Attorney General, who filed one of the first lawsuits against Sony back in November, over the spyware that was secretly loaded onto user's computers, including rootkits that kept themselves hidden from the operating system. You can read about the new charges at http://news.com.com/2100-1030_3-6005042.html.

12/22/2005 Microsoft Software Update Service Gets Confused

Running the Microsoft Software Update Services 1.0 with Service Pack 1 on a Microsoft server after 12/12/2005 may cause a problem. According to Microsoft, previously approved updates may revert to unapproved, but their status may changed to Updated. This won't happen to all servers, but it is more likely to happen to newer ones, mobile systems, or systems that had been turned off. See http://support.microsoft.com/kb/912307/ for details and for some possible workarounds. There is also an Approval Analyzer Tool that can be downloaded from that page that may help sort things out.

12/21/2005 It's Not Santa in the Instant Message, It's a Worm

A new worm disguised as a Santa Claus graphic is travelling through the America Online, Microsoft MSN, and Yahoo instant messaging networks. If you see a message from someone you now that's supposed to contain a picture of Santa, don't click. While you will see Santa, what you won't see is a rootkit being installed behind the scenes. That rootkit will then try to send the Santa message to people on your contact list. See more at http://news.com.com/2100-7349_3-6002790.html.

When installing iTunes for Windows, you may see one of these error messages Disk is locked or iTunes folder cannot be found. Apple says the most likely cause for this is because you've changed your default music folder. The default location is \Documents and Settings\username\My Documents\My Music. If you've moved it, you may need to see http://docs.info.apple.com/article.html?artnum=302398 to get things straightened out.

We've just hit the two year anniversary of the CAN-SPAM Act, and the US Federal Trade Commission is celebrating by suing three spam operators. In addition to the FTC, the Attorneys General in Florida, North Carolina and Texas and the Competition Bureau of Canada are all getting in on the fun. Read the details at http://www.eweek.com/article2/0,1895,1903893,00.asp. Note to spammers -- I'm not planning on buying any watches in the near future.

Try to start Microsoft Outlook 2003 and you may see this error message
Cannot start Microsoft Outlook. Unable to open the Outlook window. The set folders could not be opened. The server is not available. Contact your administrator if this condition persists.
According to Microsoft, this may happen if Outlook 2003 was deployed with a Microsoft Office 2003 Custom Installation Wizard. If you specified a file name rather than a file path for the default location of the PST folders, you will run into this problem. See Microsoft's fix at http://support.microsoft.com/kb/822503.

When using a use the Custom Installation Wizard (CIW) to install Microsoft Office 2003, don't use the wizard to edit and then save over an existing MST file. If you do, the Product Key information may be lost, and the installation program may think you are trying to install a pirated version of Office 2003. Microsoft has a number of workarounds for this. See the details at http://support.microsoft.com/kb/831178.

Microsoft says that if you have configured a printer to use Internet Printing Protocol, then some of the options that you would normally see when you click Printing Preferences may not be there. Microsoft says these printer connections are more limited than a normal connection. They do have some workarounds that may restore some of the options at http://support.microsoft.com/kb/819763.

While most people find that the Mozilla Firefox browser is better behaved than Microsoft Internet Explorer, every once in a while it can start acting goofy. There are some troubleshooting steps you can try at http://kb.mozillazine.org/Standard_diagnostic_%28Firefox%29 if you start to run into problems.

The Red Hat Hardware Test Suite (rhr2) is a set of diagnostic test that let you know whether your hardware is compatible with Red Hat Enterprise Linux. A test suite loses some value, however, when it has bugs. Red Hat has an updated rhr2 package that fixes a number of bugs in the NETWORK, STORAGE, CORE, and MEMORY tests. Get it at https://rhn.redhat.com/errata/RHBA-2005-871.html

Red Hat released an xpdf package update on December 6 to fix a number of security bugs in the PDF viewer for X Windows systems. However, they say that this initial fix was incomplete. On December 20, they re-released this fix, and this time they think they got it right. Get the latest version at https://rhn.redhat.com/errata/RHSA-2005-840.html.

There are a number of bugs in kpdf, a PDF viewer for the K Desktop Environment. At the least, an attacker could use these bugs to cause a denial of service attack. It may also be possible to exploit these bugs so that the attacker could run their own code on a system. Red Hat has an updated package for Red Hat Enterprise Linux 4 that fixes these. Get the fix at https://rhn.redhat.com/errata/RHSA-2005-868.html.

Security researcher Alex Wheeler has found a bug in Symantec Norton AntiVirus, which may be exploited by attackers so that they can smuggle hostile content onto a computer system. The problem is in the way that the antivirus software checks RAR archives. The bug is in a particular DLL, Dec2Rar.dll 3.2.14, which is shared in many of the Symantec AV products. There is no fix information yet. See a complete list of what products may be vulnerable at http://secunia.com/advisories/18131/.

12/20/2005 It's Not Just E-Commerce That Leads to Credit Card Fraud

Computerworld says that too many merchants aren't following the correct security procedures when it comes to storing credit card data. This might have been the problem in a number of well-known incidents lately. If you were worried about using your credit card for an online purchase, maybe you should be worried about using it at traditional merchants, too. Read the whole thing at http://www.computerworld.com/securitytopics/security/story/0,10801,107183,00.html.

12/19/2005 Dasher is a Worm, Not a Reindeer

A computer worm called Dasher.B is starting to make itself known on the Internet. It explits a bug in Windows Distributed Transaction Coordinator that Microsoft patched in October. However, there were also some problems with that patch, especially on Windows 2000 computers. The worm itself will install a backdoor on your computer, and then install a keystroke tracker. You can read Symantec's writeup at http://www.symantec.com/avcenter/venc/data/w32.dasher.c.html.

Adobe/Macromedia has a cumulative security update for the JRun 4.0 Server. This includes all previous patches for the server, and also new ones to fix bugs that may allow remote attackers to obtain web application source code, or to trigger a denial of service attack. Get the update at http://www.macromedia.com/devnet/security/security_zone/mpsb05-13.html.

If a PDF file has been created in Adobe InDesign CS2, and you are trying to edit it with the TouchUp Text tool in Adobe Acrobat 7.0, you may see the error message saying The font could not be embedded because the font stored on the page and the system fonts are encoded differently and the encodings could not be resolved. Adobe says to update to Acrobat 7.0.5 to fix this.

In Apple Mac OS X Server 10.4, if you are a group member, you may not be able to save to a CIFS (Common Internet File System) share on the network, if that is on a volume without ACL (access control lists) turned on. Apple says that you are either going to have to enable the ACL, or disable the ACL in /etc/smb.conf. See how to do this at http://docs.info.apple.com/article.html?artnum=302957.

Security researchers at iDefense say that Citrix Presentation Server Client 9.0 has a bug that may allow remote attackers to run their own code on the server via a heap overflow. They also think earlier versions of this software are vulnerable. Citrix has fixed this in versions 9.150. See http://support.citrix.com/kb/entry.jspa?externalID=CTX108354 for details.

If one DXL import operation was running in IBM Lotus Notes/Domino 6.5.4 and earlier while a second DXL import operation was terminating, a race condition could develop that would cause the first operation to fail. IBM says they have fixed this in Notes/Domino 6.5.5.

12/18/2005 Flash Media Server Administrator Bug

The Adobe/Macromedia Flash Media Server 1.5 and 2.0 has a remote administrator interface with a security bug. A remote attacker may be able to send bad data to this interface, which listens on TCP port 1111, and crash the administrator service. Adobe does note that the Flash Media Server will still be able to stream content. While there is no fix yet, Adobe has some workaround information at http://www.macromedia.com/devnet/security/security_zone/mpsb05-11.html.

If you are working in Adobe Designer 7, and you are trying to create a new form field, you may find that the field isn't created, or that it doesn't flow into the correct area. Adobe has two possible workarounds: either save the file as a Dynamic PDF form or an Adobe XML Form file, or set all ancestor subforms to Flow Content.

According to Apple, if you try to use Finder's File, Duplicate command on a CD or DVD in Mac OS X 10.4, you may see this error message error -8058 You may not be able to get the Eject key to eject the disk either. If you need to get the disk out, restart the computer and hold down the mouse button until the disk ejects. It goes without saying, of course, that you don't want to be using this command to duplicate a copyrighted disk. BugBlog readers surely aren't pirates.

If some of your favorite blogs (but not the BugBlog) were not reachable on December 15-16, they may have been hosted at TypePad, which had a fairly large server crash that took its customers' blogs offline. The growing popularity of blogs is starting to cause some strains at the hosting companies, and not just Typepad. (If you are wondering, the BugBlog doesn't use any blogging software - it is "made by hand").

Microsoft Outlook 2003 may end up with duplicate birthday reminders if you change a birday date using a Microsoft CRM application. The duplication will show up after the date is changed and you synchronize your data. For now, there is no fix -- so I guess you'll need to send two birthday cards.

If you attach a Microsoft Word document that is stored in the Temporary folder to an email message, and the filename has more than one period in it, the document may lose the .doc extension, and will no longer have a file association with Microsoft Word. Microsoft has a hotfix for this particular freak occurance. It will be in a future service pack, but if you need the fix right away contact Microsoft Technical Support and ask for the hotfix described at http://support.microsoft.com/kb/910727. Note that you may get charged for this call.

12/17/2005 Dell Recalls Batteries

Dell is recalling laptop computer batteries that were sold with these models: Latitude D410, D505, D510, D600, D610, D800, D810; Inspiron 510M, 600M, 6000, 8600, 9200, 9300, XPS Gen 2; Precision M20, M70. Some of the batteries in question were also given as replacements in service calls. The batteries were manufactured between 10/5/200 and 10/13/2005. See the complete details at https://www.dellbatteryprogram.com/.

12/16/2005 Microsoft OneCare Is Too Careful

There is an incompatibility between Microsoft Windows OneCare Live and Absolute Software's Computrace LoJack. The Microsoft product is a new antivirus security program that has been available as a beta version since November 29. LoJack is a program that acts as a tracer program if a laptop is stolen. It is designed to contact Absolute Software over the Internet, and can be used by law enforcement officials to track down a missing computer. Unfortunately, the Microsoft program identifies it as malware, and quarantines it from the Internet, thus preventing it from being located. A Microsoft spokesperson says that this problem has been fixed, and updates are available for it. Read more at http://news.com.com/2100-1002_3-5995763.html.

Adobe/Macromedia has a cumulative security update for Macromedia ColdFusion MX 7. It fixes a number of bugs, including in the Jrun Clustered Sandbox Security, a security bug in the CFMAIL function, and a password problem with the ColdFusion Administrator. Get the update at http://www.macromedia.com/devnet/security/security_zone/mpsb05-14.html.

Adobe/Macromedia has a cumulative security update for Macromedia ColdFusion MX 6.x. It fixes a number of bugs, including in the JRun Clustered Sandbox Security, and a security bug in the CFMAIL function. Get the update at http://www.macromedia.com/devnet/security/security_zone/mpsb05-12.html.

If you find you can't adjust the brightness or resolution on an Apple PowerBook running Mac OS X 10.4 through 10.4.2, Apple says you need to get the Mac OS X 10.4.3 update. They also say that neither manual adjustments, nor adjustments via an application, may work without the update.

A report at US-CERT says that the Avaya Wireless Access Points (AP) AP-3 through AP-6 2.5 to 2.5.4, and AP-7/AP-8 2.5 and other versions before 3.1, all ship with a static WEP key of 12345. This may make it rather easy for remote attackers to break in to your network. Check at http://support.avaya.com/elmodocs2/security/ASA-2005-233.pdf for fix details.

An unconfirmed report at SANS Internet Storn Center says that users might have problems installing the Microsoft MS05-054 Cumulative Update for Internet Explorer if you've manually changed the drive letter of your system drive. This will make a Registry entry point to a place that the Microsoft installer won't like. Read the details at http://isc.sans.org/diary.php?storyid=936.

12/15/2005 Don't Give the Gift of a Root-Kit

The last thing you want to give someone for Christmas is a music CD that installs a root-kit on their computer. While Sony-BMG is recalling millions of CDs, there's still the chance that you could find one. Rather than memorizing a long list, the Electronic Freedom Foundation has a handy Spotters' Guide that shows what kinds of labels you need to watch out for on the CD jewel box. The guide at http://www.eff.org/IP/DRM/Sony-BMG/guide.php covers both DRM schemes from Sony that can cause problems, the XCP as well as the SunnComm MediaMax method.

12/14/2005 Chopped Off Charts in Excel

If you create a chart in Microsoft Excel 2003, and then resize the chart to make it larger, it may not display correctly if you save the Excel spreadsheet as a web page. Microsoft says the chart may appear cut off on the right or the bottom. This has been fixed in the 11/10/2005 hotfix from Microsoft. You'll need to contact Microsoft to get the hotfix, and then you will also need to do a Registry edit. See the details at http://support.microsoft.com/kb/905875.

Try to install or update Adobe Acrobat 6.0 or later, or the Adobe Reader 6.0 or later, and you may see the error message
The feature you are trying to use is on a network resource that is unavailable. Click OK to try again, or enter an alternate path to a folder containing the installation package 'Adobe [product] .msi' in the box below.
You may also see the simpler error message
Error 1714. The older version of Adobe [product] cannot be removed. Contact your technical support group.
In general, this error happens when some different versions of Acrobat get mixed up, or if some existing files get deleted. Adobe has some workarounds at http://www.adobe.com/support/techdocs/320310.html.

According to a report at US-CERT, there is a bug in the Administration Service (FMSAdmin.exe) in the Adobe Macromedia Flash Media Server 2.0 r1145. It may allow a remote attacker to crash the Media Server with a denial of service attack by sending a single character bad request to port 1111. There is no fix yet. US-CERT credits a security researcher known only as dr_insane.

A bug in Safari for the Apple Mac OS X 10.3.9 and Mac OS X 10.4.3 may allow for an attack through JavaScript. According to Apple, the vulnerability in the way that the JavaScript engine handles regular expressions may allow an attacker to run their code on your computer. This has been patched in the Apple Security Update 2005-009.

According to a report in ComputerWorld, customers who purchased gasoline at a Sam's Club warehouse store between September 21 and October 2, 2005 may have had their credit card numbers stolen. Details are sketchy, but it appears that it may affect both Visa and MasterCard. Read more at http://www.computerworld.com/securitytopics/security/story/0,10801,107014,00.html. (Glad I shop at Costco.)

If a system administrator makes certain configuration changes in a Windows XP Registry, ordinary users will not be able to change security levels in a Microsoft Office 2003 program. The option actually won't be grayed out, as an unavailable option should be. Instead, they will be allowed to make the change, but when they quit the program the security level will revert back to what it was before. Microsoft has more details at http://support.microsoft.com/kb/910817, including how to undo the configuration.

A report at SecurityFocus.com says that there is a bug in the Motorola SB5100E Cable Modem. Remote attackers may be able to trigger denial of service attacks via TCP LanD packets. At this time, there does not seem to be a fix. You can check for updates at http://nvd.nist.gov/nvd.cfm?cvename=CVE-2005-4215. Alexey Sintsov gets credit for finding this bug.

The latest BugBlog collection -- all the bugs that have appeared in both the BugBlog and in the BugBlog Plus over the Sony DRM controversy, are at http://www.bjkresearch.com/bugblog/sony.cfm.

12/13/2005 Latest Patch for Microsoft Internet Explorer

Microsoft has released the latest cumulative security update for Internet Explorer. The new update, MS05-054, fixes four bugs of which two are deemed critical. The critical ones are a bug in the COM Object Instantiation and one that Microsoft calls a Mismatched Document Object Model Objects Corruption Vulnerability. Both of these could lead to a remote attacker running their own code on your computer. Get the update at http://www.microsoft.com/technet/security/bulletin/ms05-054.mspx. Microsoft notes that this patch replaces the MS05-052 Internet Explorer Cumulative Update.

If you have an Apple iPod hooked up to a Windows computer, and the drive letter for the drive that comes immediately after your iPod is a mapped network drive, it may cause both iTunes or Windows Explorer to act goofy. Some of the symptoms may include the iPod not showing up in iTunes, the wrong amount of free space being reported for the iPod, or music getting copied to the mapped network drive instead of the iPod. Apple says that changing the drive letter of the mapped networked drive should fix this. See http://docs.info.apple.com/article.html?artnum=93499 for more.

Hewlett Packard says that both HP-UX running IPSec and the HP Jetdirect 635n IPv6/IPsec Print Server are both vulnerable to denial of service attacks due to the cross-vendor Internet Key Exchange version 1 (IKEv1) bug. See http://www.kb.cert.org/vuls/id/MIMG-6J6QS4 for details and fix information.

Microsoft says there is a bug in the kernel of Windows 2000 Service Pack 4. This bug may allow any logged-on user to gain elevated privileges that could be used to load their own programs onto the computer or change the configuration. This won't be a big issue with a home computer, but could be a problem with shared computers such as at a library or school. Get the update at http://www.microsoft.com/technet/security/bulletin/ms05-055.mspx. Microsoft credits eEye Digital Security for finding this bug.

The configuration settings on Windows XP for a wireless network include a check box for Enable IEEE 802.1x authentication. If you check this box, but there is no server on your wireless network to do the authentication, your computer may disconnect from the network after some random time, somewhere between a couple of minutes to an hour, according to Microsoft. The workaround is simple -- if you aren't on a server-based network, don't check that box.

After you install the Cumulative Update for Microsoft Internet Explorer in MS05-054, you may have some problems getting some chapters to play on a Windows Media High Definition Video (WMV HD) DVD. Click on them with a mouse, and the chapter won't play. However, if you press the Enter key when the chapter is selected, it will play. If you are using a Windows XP Media Center Edition computer with Service Pack 2, you can select the chapter with the remote control.

After you install the Cumulative Update for Microsoft Internet Explorer in MS05-054, some ActiveX controls may not load correctly. Also, if you try to open the Add/Remove Programs in the Control Panel, you may see this error message Object doesn't support this property or method See http://support.microsoft.com/kb/909889/ for a Registry edit to fix this. This problem also happens if you install the previous Cumulative Update for Internet Explorer in MS05-052.

According to some media reports, the Cumulative Update for Microsoft Internet Explorer in MS05-054 will also clean up some of the problems that may have been installed by Sony BMG's DRM software.

Exploit code that can be used to attack older versions of the Mozilla Firefox browser have been posted on the Internet. This code will take advantage of a bug in Mozilla Firefox 1.0.4. However, the bug was fixed in Firefox 1.0.5 that was released this past summer, and is also fixed in the new version of Firefox 1.5. Therefore the only people vulnerable are those who haven't taken advantage of the free updates. Read more at http://www.pcworld.com/news/article/0,aid,123910,00.asp

There is a post-Support Pack 2 patch for the Novell Client 4.9 for Windows NT/2000/XP. The patch includes a new NOVNPNT.DLL module, that fixes a number of bugs relating to passwords. It also fixes an incompatibility with IBM laptops with built-in finger print reader. Get the patch at
http://support.novell.com/cgi-bin/search/searchtid.cgi?/2972575.htm.

Sun Microsystems says that both Solaris 9 and Solaris 10 operating systems are vulnerable to denial of service attacks due to the cross-vendor Internet Key Exchange version 1 (IKEv1) bug. Sun has some preliminary patches available for this bug at
http://sunsolve.sun.com/searchproxy/document.do?assetkey=1-26-102040-1.

12/12/2005 The Carnival of Computing

One of the newer blog carnivals is the Carnival of Computing. The sixth edition is up at Scott Milener's Blog at http://browster.typepad.com/scott_milener_blog/2005/12/carnival_of_com.html. What's different about this -- it's the first to have an entry from the BugBlog.

12/12/2005 ATI Update Fixes Everquest Problem

The latest drive update from ATI, the Catalyst Software Suite 5.12, fixes an incompatibility between a Windows XP computer with the ATI Radeon X1800 series graphics card and Sony Everquest II. Without the update, there is a chance the operating system will lock up after you've played the game for about five minutes. Get the update at http://www.ati.com/support/driver.html.

12/11/2005 Netscape Affected by Firefox History Bug

Netscape 7.2 and 8.0.4 are also vulnerable to the long title bug that can cause Mozilla Firefox 1.5 to crash. (This bug was covered in the 12/9 BugBlog.) Mozilla.org says that their testing indicates that this bug can only be used in a denial of service, and can't be used by a hostile website to run code on your computer. There are detailed instructions on how to clear your history data, in case you are affected, at http://www.mozilla.org/security/history-title.html.

If you are running adobe Bridge 1.0 on a Mac OS X computer, Bridge may crash if you try to create a Version Cue project on a remote server. This happens if that server isn't on the same subnetwork as your Version Cue Workspace. Adobe says this incompatibility has been fixed in Adobe Bridge 1.0.3. Get it at http://www.adobe.com/support/downloads/.

If you try to connect your fifth-generation iPod or iPod nano to audio accessories using the dock connector port, you may not be able to hear any of the audio. Apple says that in most cases, all you need to do is reset the iPod. See how to do that at http://docs.info.apple.com/article.html?artnum=61705.

The Security Pipeline has a worrisome story -- attacks on newly created vulnerabilities are now happening so fast that anti-virus companies are having trouble keeping up. That may make it easier for new malware to spread. Read the whole thing at http://www.securitypipeline.com/174910419.

It appears that those of us living in the US have a new cyberspace defender. According to the new mission statement of the US Air Force, their goal is to deliver sovereign options for the defense of the United States of America and its global interests--to fly and fight in Air, Space, and Cyberspace." Read more at http://www.af.mil/news/story.asp?id=123013440.

Try to connect a Windows XP or Windows Server 2003 computer to the Microsoft Update webpage, and you may see this error message: Error number: 0x800A01AE Microsoft has a fairly long fix for this. See the details at http://support.microsoft.com/kb/910359.

Security researchers at iDefense say that Ethereal, an open source network tool, has a bug that may allow remote attackers to launch a denial of service attack. They also say that it may be possible for the attackers to also run their code on the vulnerable system. The version of Ethereal in Red Hat Fedora Core 3 is vulnerable, and it may be used in other versions of Linux. iDefense has workaround information at http://www.idefense.com/application/poi/display?id=349.

12/9/2005 Firefox Has a History Bug

There is a bug in the newly released Mozilla Firefox 1.5 that may cause it to crash if you visit a malicious website. That site would need to exploit a bug in Firefox's history.dat file, which keeps track of the pages you visited. If you visit a site that has a page with a long topic, you will crash Firefox. To get it working again, you will need to erase its histry.dat file, which will be in a users Documents and Settings folder, in Application\Mozilla\Firefox\Profiles\{active profile}. As a workaround, you could go to Tools, Options, Privacy, History, and set the days history saved to 0.

A number of Cisco devices are vulnerable to the IPSec Internet Key bug discussed in the BugBlog on 12/6. These include those devices running Cisco IOS 12.2SXD, 12.3T, 12.4 and 12.4T, the PIX Firewall earlier than 6.3(5), the Cisco firewall Services Module, and the Cisco VPN 3000 Concentrator. The bug makes these devices vulnerable to a denial of service attack. See the full list of vulnerable products, and links to fix information, at http://www.cisco.com/warp/public/707/cisco-sa-20051114-ipsec.shtml.

Finnish anti-virus vendor F-Secure says that one of the leading sources of rootkit installations (other than Sony BMG music CDs, I assume) is the adware/spyware company ContextPlus. The rootkit features are used to keep the spyware hidden from users and spyware scanners. Read more in eWeek at http://www.eweek.com/article2/0,1895,1897728,00.asp.

Google says they have made a fix to the Google Desktop to fix a bad interaction between it and Microsoft Internet Explorer that may lead to an attacker to be able to steal information from the browser. According to Google, users don't have to install any fixes -- it was all done on the Google servers. This bug was discussed in the 12/3 BugBlog, and was discovered by Israeli hacker Matan Gillon.

An anonymous security researcher tried to sell information about an unpatched flaw in Microsoft Excel via an eBay auction. Microsoft confirmed that it was an actual bug, and evidently got eBay to remove the auction. Before that, bidding was up to $53, according to eWeek. Read the whole thing at http://www.eweek.com/article2/0,1895,1899697,00.asp.

A Windows XP computer may have compatibility problems with the MicroQuill SmartHeap heap management software. According to Microsoft, you may see this error message
MEM_BAD_POINTER.
However, Microsoft says you will only see it if you have selected the Install files for East Asian languages in the Control Panel's Regional and Language Options applet. They have a hotfix for this, which will be in a future Windows XP service pack. If you use East Asian languauges as well as the heap management software, you may want to get the fix right away. Contact Microsoft Tech Support and ask for the fix described at http://support.microsoft.com/kb/910466. Note that you may get charged for this call.

Microsoft will be releasing two patches on December's Patch Tuesday this December 13. At least one is critical, and most people are guessing it will be a fix for some well-publicized Internet Explorer bugs.

12/8/2005 Sony Says "Oops, We Did It Again"

Sony BMG now says they used another digital rights management (DRM) scheme on other music CDs. This software, SunnCom MediaMax 5, also has a bug that may allow for privilege elevation. Sony and SunnCom have provided a patch, but independent security researchers say the patch itself has problems and you shouldn't use it. The list of bad CDs is at http://www.sunncomm.com/support/faq/releases.asp, (there are some Britney Spears CDs on the list, so the title is appropriate) although it may be more effective to just avoid Sony altogether. The Electronic Frontier Foundation has a FAQ page with many details at http://www.eff.org/IP/DRM/Sony-BMG/mediamaxfaq.php#2.

12/7/2005 PC World Reader Survey on Reliable Tech Brands

Sometimes it is not a bug, it is a breakdown. You want to avoid both, of course. One way of dodging the latter is to buy a reliable brand. Every year, PC World does an extensive survey to determine the winners and losers in categories such as desktops, notebooks, printers, cameras, and MP3 players. This year's survey is online, starting at http://www.pcworld.com/reviews/article/0,aid,123409,00.asp. A preview -- they don't pick a winner in the desktop category.

If you are using Adobe PageMaker 7.0.2 on a Mac OS X computer, trying to create a PDF file may trigger this error message
Could not send PostScript to Normalizer.
Adobe's workaround is to print to a PostScript file, and then use Adobe Distiller to create the PDF file.

Adobe says that if you try to install Acrobat 7.0 on a Windows XP 64-bit system, you won't be able to install the Adobe PDF printer. That will stop you from creating PDFs in Microsoft Office. Adobe says to go to http://www.adobe.com/support/techdocs/331732.html for support information.

There is a new worm on AIM, AOL's Instant Messenger, that actually conducts a "conversation" with the intended target. It works by sending an IM that says "lol that’s cool" and has a URL to a file called clarissa17.pif. If you respond by inquiring about the attachment, the worm may reply "lol no its not it’s a virus." Of course if you click on the attachment, the worm will install a backdoor on your system and then contact everyone on your buddy list.

If you can hear the audio playback on an iPod with video capabilities, and you see a progress bar for the playback but you don't see the video, Apple says you may have inadvertantly turned the TV Out video setting to On, which will prevent playback on the iPod screen. Fix this by giving the iPod a Videos, Video Settings command, and then set TV out to Off.

Set the alarm clock on an Apple iPod nano or Fifth Generation iPod, and it may seem the alarm is going off at the wrong time. Apple points out that these iPods support multiple alarm clocks, and you may be setting the alarm on a clock that is set to a different time zone. Apple says to make sure to use the correct clock.

Security researchers at iDefense say they have found a bug in the Dell TrueMobile 2300 wireless router. This bug may allow an attacker to reset the authentication credentials, which could lock out the rightful owners. According to iDefense, they contacted Dell but got the reply "The vendor is no longer selling this product and has replaced it with newer models that do not exhibit the defect. Therefore, a patch will not be released to address this issue." That's not a very helpful answer if you already own it.

Microsoft says a bug in Internet Explorer 6 may cause the browser to lock up if you try to get it to load a child window from a parent. This will happen on bothe Windows XP with Service Pack 1, as well as Windows Server 2003. Microsoft has a hotfix for this, which will be in a future service pack. If you need the fix right away, contact Microsoft Tech Support and ask for the hotfix described at http://support.microsoft.com/kb/905297. Note that you may get charged for this call.

eEye Digital Security has put out an abbreviated report saying that there are two bugs in RealNetworks media player that may allow your system to be attacked if you open a specially-designed media file. However, they won't release details until a fix is ready, and they also say they don't think the bugs are being exploited now.

Red Hat has an updated xpdf package for Red Hat Enterprise Linux 2.x, 3, and 4, as well as the Red Hat Desktop. The update fixes a number of security bugs in the PDF viewer for X Window systems. You can get the update, labeled Important, at https://rhn.redhat.com/errata/RHSA-2005-840.html. Red Hat credits Derek B. Noonburg for finding the bugs.

12/6/2005 Key Problem Bugs Multiple Vendors

A bug in the protocol called Internet Key Exchange version 1 will cause vulnerabilities in products from a number of vendors. The key exchange is a method that Internet Security Association and Key Management Protocol (ISAKMP) may use to get computers to authenticate each other over a network. With the bug, a remote attacker may be able to gain access to a computer system. According to US CERT, these vendors may have vulnerable products: Check Point, Cisco, QNX, Stonesoft, and Sun Microsystems. More companies may be added to the list. See http://www.kb.cert.org/vuls/id/226364 for updates.

Adobe says that when you install InDesign CS2 on a Microsoft Windows XP 64bit system, the custom icons that represent .indd, .indb, .indt or .indl files won't show up. However, if you click on one of these files to launch it, it will launch the proper application.

If you are playing a video on a Fifth Generation Apple iPod, stop the video and then start playing an audiobook, the audio may be garbled, or you may actually hear audio from the video that you just stopped. Apple suggests as a workaround not to move directly from an video to an audiobook, but to briefly play a music file for a few seconds. Must be the iPod equivalent of cleansing your palette.

The SANS Internet Storm Center says there is a new worm trying to spread on AIM, the AOL Instant Messaging System. If you get a link that says
"This AIM user has sent you a Greetings Card, to open it visit: http://greetings.aol.com/index.pd?source=christmastheme?my_christmas_card.COM"
you don't want to open it. It actually sends you to another site, where you will actually download a worm, not a card. The worm is another variation of the SDBot worm.

IBM says that if you save an attachment from Apple iCal in Lotus Notes 6.5.4, it may get saved with the wrong compression. This has been fixed in Notes 6.5.5.

A group program manager for Microsoft's Anti-Malware Technology Team says that twenty percent of the malware removed by their anti-malware utility are rootkits, software that hides itself from the operating system while running on your computer. Not too surprising, when even a "respected" company like Sony spreads them. Read the whole thing at http://www.eweek.com/article2/0,1895,1896605,00.asp.

If you have a damaged worksheet in Microsoft Excel 2003, using the Open and Repair option will remove all Dynamic Data Exchange (DDE) links from the worksheet. Microsoft has fixed this in the 11.7/2005 hotfix for Excel. This will be available in the next service pack for Excel 2003. If you want the fix earlier, call Microsoft Technical Support and ask for the hotfix described at http://support.microsoft.com/kb/903240/. Note that you may get charged for this call.

Sun Microsystems says that a bug in Sun Java System Communications Services 6 Delegated Administrator 2005Q1 may let a remote attacker gain access as a Top-Level Administrator, where they would be free to do all kinds of bad things. This bug affects SPARC, x86 and Linux versions of the software. See http://sunsolve.sun.com/searchproxy/document.do?assetkey=1-26-102068-1 for information on the updates.

12/5/2005 Excel Function Makes Mistake

If you use the LINEST function in Microsoft Excel 2003, be wary of the results. Microsoft says that this function may give the wrong answer if there are more than nine significant digits in the source range values. There is a hotfix for this bug, which will be included in a future Office 2003 service pack. If you need the fix right away, contact Microsoft Technical Support and ask for the Excell 2003 post-Service Pack 2 Hotfix of 11/7/2005. See http://support.microsoft.com/kb/887964/ for more, including a Registry edit that you will need to make.

If you try to install Adobe Creative Suite 2.0 on a Windows XP x64 (64-bit) computer, you may see this error message Your user name, organization, or serial number is missing or invalid. The application cannot continue and must now exit. According to Adobe, you can't use the default installation path for CS 2. See http://www.adobe.com/support/techdocs/332523.html for details on how to install it on a different path.

On a housekeeping note, the Adobe acquisition of Macromedia is complete and official, so any bugs in Macromedia Dreamweaver, ColdFusion, Flash, etc, will now show up in the Adobe section, rather than Macromedia. However, I won't do an Orwell and go back and change all the old bugs to reflect the new corporate parentage. (As a longtime Macromedia user, I've got a bad feeling about this whole merger.)

In a phishing attack, the bad guys might send out hundreds of thousands of emails, hoping to land a few targets. Now there is a new kind of attack, which is called "spear-fishing." In this case, a particular victim or company is targeted, rather than a broad-based scheme. C Net reprints a story from the New York Times from an example in Israel. Read the whole thing at
http://news.com.com/2100-1029_3-5981917.html

IBM says that when you use Lotus Notes to open an archived mailfile database on a server, you may see this error message RRV bucket is corrupted. Many of the commands that you may normally use to recover a corrupted database may not work in this situation. See
http://www-1.ibm.com/support/docview.wss?uid=swg21195113 for some help from IBM.

Australia is making some changes in when they switch into and out of Daylight Savings Time in 2006 -- they are doing it because Melbourne is hosting the Commonwealth Games in March, 2006. A number of Microsoft products that automatically compensate for DST won't catch this change. This includes Microsoft Exchange 2000 Server and 2003 Server; Microsoft Outlook 2000, 2002, 2003; Microsoft Outlook Web Access for Exchange Server; and all versions of Microsoft Windows.

Programs in Microsoft Office 2003 may have some problems with compressed TIFF images. These images may show up only as a blank box, or they may appear corrupted or with missing text. Microsoft has fixed this in the November 7, 2005 hotfix for Microsoft Office. It will be included in the next service pack, but if you need it right away, you will have to call Microsoft Technical Support to ask for the hotfix. See http://support.microsoft.com/kb/900612 for details.

12/3/2005 Internet Explorer Combines Badly with Google Desktop

An Israeli hacker has published an example of how Internet Explorer users who also have the Google Desktop running are vulnerable to a phishing attack. If you visit a malicious website, they may be able to steal things like passwords or credit card numbers that users have stored on their harddrive. It does not affect users of other browsers, such as Mozilla Firefox or Opera, who use the Google Desktop. Turning off Javascript (Active Scripting) in IE should stop the possibility of attack. PC World has more at http://www.pcworld.com/news/article/0,aid,123826,00.asp.

If you create a PDF file from a JPEG file using Adobe Acrobat 7.0, you may get an application error. Adobe says this has been fixed in Adobe Acrobat 7.0.5.

A local attacker may be able to forge system log entries on a Mac OS X 10.4.3 client or server. The problem is that the system log server doesn't handle some control characters correctly. The extent of this attack may be to plant messages that confuse the system administrators because of the fake messages. Apple has fixed this in the Security Update 2005-009. They credit HELIOS Software GmbH for finding this bug.

According to Apple, CoreFoundation in Mac OS X 10.4.3 client and server doesn't do a good enough job validation URLs. That means an attacker may be able to craft a URL that could trigger a heap buffer overflow, which will either crash the Mac, or possibly get it to run malicious code. This has been fixed in the Security Update 2005-009.

When you install Macromedia Dreamweaver 8, you have the option of making it the default editor for XML files. If you do, then you won't be able to open an XML file in Microsoft Internet Explorer. If you do, Dreamweaver may open instead of the XML file appearing in the browser. Worse, Dreamweaver may hang when trying to run Preview in a browser. Or else Dreamweaver will keep on displaying a File Download prompt but the file doesn't appear. For now, this appears to only happen on Windows 2000, Windows XP and Windows XP SP1. As of now, there is no fix from Macromedia, but they have some workaround suggestions at http://www.macromedia.com/go/a2000450.

If Comcast was your ISP (Internet Service Provider) and you had trouble getting to your Hotmail account or MSN the first few days of December, the Sober worm was the problem. It appears that Hotmail and MSN servers were getting snowed under by messages generated by Sober.

12/2/2005 Sound Problems in Windows XP

In Windows XP, if an application makes adjustments to Microsoft DirectSound or SetSpeakerConfig, it may cause the Sounds and Audion Devices applet in the Control Panel to show the wrong Speaker Setup information. Normally, users won't know when a program does the former, but they will be able to see the latter if they visit that applet. Microsoft has a hotfix for this, which will be in a future Windows XP service pack. If you can't wait, contact Microsoft Technical Support and ask for the hotfix described at http://support.microsoft.com/kb/909441. Note that you may get charged for this call.

12/1/2005 Sony Wins the Bug of the Month

Sony wins the Bug of the Month for the rootkit they hid on their music CDs.

12/1/2005 Phishers Use Fake IRS Email

Bad programming on a government web site is allowing a phishing scheme to look more legitimate than it really is. If you receive an email that says it is from the IRS, and click on a link, you will be passed through the govbenefits.gov website and then sent to the fraudulent site, where they try to get your Social Security and tax return data. Be wary about any email that says it is sending you to govbenefits.gov, which is an amalgamation of different government agencies trying to ease access to e-government.