BugBlog Plus Archives
Subscription portion of the BugBlog. The first bug of the day listed is always the free bug available to non-subscribers, followed by the subscription-only bugs.

9/29/2006 Dreamweaver Says Your Parameter Is Incorrect
Adobe says that you may get an error message in Macromedia Dreamweaver that says:

9/28/2006 Another ActiveX Problem for Microsoft
At the risk of turning the BugBlog into "All Microsoft, All of the Time" -- US-CERT reports on another bug in an ActiveX control, which will cause a security problem for Microsoft Internet Explorer. This time it is the Microsoft Windows WebViewFolderIcon ActiveX control, and because of an integer overflow a remote attacker may be able to run their code on your computer. There is no fix from Microsoft yet, but US-CERT says you can disable this ActiveX control by setting its kill bit. See more at http://www.kb.cert.org/vuls/id/753044.

9/27/2006 Microsoft Issues Early Patch for VML Bug
Microsoft has issued an out-of-cycle security bulletin (meaning they didn't wait for Patch Tuesday) for the VML Buffer Overrun bug in Microsoft Internet Explorer. This bug was being actively exploited by hostile web sites, and could completely take over your computer, as shown in the 9/26 and 9/20 BugBlogs. Get the patch at http://www.microsoft.com/technet/security/bulletin/ms06-055.mspx.

Apple has already issued an update for iTunes 7. The new iTunes 7.0.1 fixes some bugs in Cover Flow, CD importing, syncing with an iPod, and other bugs. Get the update at http://www.apple.com/support/downloads/itunes701.html.

According to a report at ZD Net, some banks do a better job than others at guarding against identity theft for their depositors. Bank of America, JP Morgan Chase and Washington Mutual get the top grades, followed by KeyBank and Marshall & Ilsley Bank. Read the whole thing at http://news.zdnet.com/2100-1009_22-6119424.html.

Every month I give my dog a heartworm pill.
Now it looks like users of Microsoft Windows Live Messenger may have to do the same to their IM client. A worm called W32.heartworm.a may be the actual payload if you get a message with a link to a website that says you have a virtual greeting card. The card, which has a picture of a heart, and a poem in Portuguese, will then deliver a payload that will try to steal personal and financial information. See more at http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9003623.

If you have an HD DVD-Video disc drive in a Windows XP computer, your Autoplay window may not pop up when you put an HD DVD-Video disc into the drive. Microsoft has a hotfix, as well as a Registry edit, to fix this. The fix will be in a future service pack, but if you can't wait for that, see http://support.microsoft.com/?kbid=918649.

If you have a USB hub connected to a Windows XP computer, and a USB device plugged into the hub, your computer may no longer recognize the device if you unplug it from the hub, and then plug it back in. The device may not work, and if you look in Device Manager, it will be listed as an unknown device. Microsoft has a hotfix for this. The fix will be in a future service pack, but if you can't wait for that, see http://support.microsoft.com/?kbid=920875.

Microsoft has re-released Security Bulletin MS06-049. This fixes a bug on Windows 2000 computers that, when mixed with NTFS file compression, may corrupt your data files. Get the update at http://support.microsoft.com/kb/920958

US-CERT has a report of a new, unspecified bug in Microsoft PowerPoint which may affect Office 2000, Office XP, and Office 2003. A malicious PPT file may be designed to run malware such as Win32/Controlppt.W, Exploit:Win32/Controlppt.X, and Exploit-PPT.d/Trojan.PPDropper.F. There's no word from Microsoft yet, but you can check out what the Feds have to say at http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4694.
While Microsoft has said that attacks via the VML bug (patched on 9/27 in a special security bulletin) were "limited", security researchers at iDefense calculate that at least 2000 domains were hijacked and/or modified so that visitors were sent to domains that exploited the VML bug. At least one ISP says their servers were compromised via an unrelated bug which then planted the VML exploit. Read more at http://www.eweek.com/article2/0,1895,2020889,00.asp.

Red Hat has an updated squirrelmail package for Red Hat Enterprise Linux 3 and 4. This fixes a number of bugs in SquirrelMail that may let one user read another user's mail or attachments. Get the fix at http://rhn.redhat.com/errata/RHSA-2006-0668.html.

Sun Microsystems says that there is a bug in the Solaris 10 kernel SSL (Secure Socket Layer), if a Kernel SSL Proxy service instance is turned on, that may allow a remote user to trigger a panic and cause a denial of service. Sun has details and links to a patch at http://sunsolve.sun.com/search/document.do?assetkey=1-26-102563-1.

9/26/2006 Internet Explorer VML Attacks Increasing
The Internet Storm Center reports that there is much more hostile activity targeting the VML security bug in Microsoft Internet Explorer. They say "The exploit is widely known, easy to recreate, and used in more and more mainstream websites." Actions you can take include using some browser other than IE, or deregistering the problem DLL file, Vgx.dll. They show how to do that at http://isc.sans.org/diary.php?storyid=1727, and have a further series of reports.

Apple says that if you are using iChat AV for video or audio conferencing, and you are using a router with Network Address Translation (NAT) and/or firewalls, you may need to open a few more ports. However, Apple does say that in some cases iChat AV works with the router's default settings. See http://docs.info.apple.com/article.html?artnum=93208 for details on how to set up your router, and to see a list of compatible routers.
iDefense notes a bug in the way that FreeBSD 5.4 deals with signed integers. Local users could exploit this bug to cause a denial of service attack. iDefense quotes the FreeBSD team (it's an open source project) "The policy of the FreeBSD Security Team is to not issue security advisories for local denial of service attacks; since we have not been able to demonstrate that this bug can result in anything more severe than a denial of service, we will not be issuing a security advisory relating to this problem."

Microsoft has issued an out-of-cycle security bulletin (meaning they didn't wait for Patch Tuesday) for the VML Buffer Overrun bug in Microsoft Internet Explorer. This bug was being actively exploited by hostile web sites, and could completely take over your computer. Get the patch at http://www.microsoft.com/technet/security/bulletin/ms06-055.mspx. (This will be Wednesday's free Bug of the Day -- subscribers get it early.)

An investigation by ZD Net of problems with the Microsoft Windows Genuine Advantage program shows that over the period studied by ZD Net, 42 percent of the people who had problems with WGA actually had valid copies of Windows XP. It appears that at least some people at Microsoft are admitting they have a problem (that's the first step, right?). Read the whole thing at http://blogs.zdnet.com/Bott/?p=142 to find out more.

Some more information from Symantec's study of Internet security. PC World cites the study to say that while Mozilla had more overall bugs, they were fixed much faster, on average within one day of public disclosure. Microsoft took nine days, on average, to patch theirs, while Opera took two days, and Safari five. See the details at http://www.pcworld.com/article/id,127245-pg,1-RSS,RSS/article.html.

9/25/2006 The Big Picture: Symantec's Internet Security Report
Symantec has released the latest version of their semi-annual Internet Security Threat Report.
Targeted attacks, especially phishing attacks, are becoming more popular than broad-based attacks such as the Blaster worm. Microsoft Internet Explorer is the most targeted browser, although they say Mozilla has more bugs. Get the report at http://www.symantec.com/enterprise/threatreport/index.jsp/ (although Symantec's web servers are very busy this morning.)

9/23/2006 Red Hat Has PHP Patch
Red Hat has an updated PHP package for Red Hat Enterprise Linux 3 and 4. This fixes a number of bugs in PHP that may allow cross-site scripting attacks, or may allow remote attackers to run their own code on the server by taking advantage of buffer or integer overflows. Get the updated package at https://rhn.redhat.com/errata/RHSA-2006-0669.html.

Adobe has a patch for older versions of Macromedia ColdFusion (5.x and earlier as well as 6.x) to fix a bug that may allow cross-site scripting attacks via the ColdFusionMX Site-Wide Error Handler page. This is classified as an Important update, and you can get it at http://www.adobe.com/devnet/security/security_zone/mpsb03-06.html.

Cisco says that a hard-coded DOCSIS Read-Write Community String has been included in some Cisco IOS software release trains running on the Cisco IAD2400 series, 1900 Series Mobile Wireless Edge Routers and Cisco VG224 Analog Phone Gateways. Since knowledge of this string may be floating around the Internet, it is possible for some attackers to be able to gain access to the device. See http://www.cisco.com/warp/public/707/cisco-sa-20060920-docsis.shtml for patch information, and to see if your device is vulnerable.

There is a series of articles at the Symantec Security Response blog talking about security issues that must be considered in any municipally-run Wi-Fi networks. The last part of the series is http://www.symantec.com/enterprise/security_response/weblog/2006/09/muni_wifi_security_part_iv.html, and it includes links back to the earlier articles.
(Of course, this may be FUD on the part of cable and telco companies worried about competition.)

Microsoft says that a Windows XP Media Center Edition computer that goes into hibernation, wakes up to record a show via the DVR, and then goes back into hibernation may miss its opportunity to synchronize with an Internet time server. This means that future scheduled activity may not happen when it's supposed to. There will also be no error message telling you that the time hasn't been synchronized. Microsoft has a hotfix for this. See http://support.microsoft.com/kb/909279 for details on how to get it.

Microsoft has an entry on their Security Blog talking about the VML bug in Internet Explorer. They say the bug isn't being exploited as much as other people say, and they are also worried about third-party patches. Of course, one of the reasons people turn to third-party patches is because they don't want to wait for October's Patch Tuesday. The blog post, at http://blogs.technet.com/msrc/archive/2006/09/22/458266.aspx, at least hints that a patch may be released sooner.

9/22/2006 Buggy AirPorts on Power-PC Based Macs
Apple has found a couple of buffer overflow bugs in their AirPort wireless drivers. Attackers on a wireless network may be able to exploit the bugs to run their own code on your computer. According to Apple, affected products include Power Mac, PowerBook, iBook, iMac, Mac Pro, Xserve, and PowerPC-based Mac mini computers equipped with wireless, but not the Intel-based Mac mini, MacBook or MacBook Pro. This has been fixed in the AirPort Update 2006-001 and Security Update 2006-005.

Apple says that the AirPort API for third-party wireless software has bugs that may allow attackers within wireless range to run hostile code on Intel-based Mac mini, MacBook, and MacBook Pro computers. Note that this confirms a controversial report in the Washington Post this summer that Apple laptop computers were susceptible to this sort of attack.
(A report disbelieved by many.) This has also been fixed in the AirPort Update 2006-001 and Security Update 2006-005.

There are bugs in the CA eTrust Security Command Center 1.x. Attackers may be able to exploit these bugs to either disclose information, delete arbitrary files, or trigger false-positive alerts. See http://supportconnectw.ca.com/public/etrust/etrust_scc/downloads/etrustscc_updates.asp for patch information.

Cisco says that a bug in their Cisco Guard Appliance 3.x and 5 or Blade 4.x may allow a cross-site scripting attack to be mounted, even if the Guard is supposed to be performing anti-spoofing service. Go to http://www.cisco.com/warp/public/707/cisco-sa-20060920-guardxss.shtml to find information on available fixes.

A bug in the Cisco Intrusion Prevention System (IPS) 4.1(x), 5.0(x), and 5.1(x) may allow attackers to trigger a denial of service attack via SSL (Secure Socket Layer) packets. The denial of service attack will turn off these functions: Reporting alerts to remote monitoring systems; Automated modification of access control lists (ACLs) on remote firewall systems (PIX and IOS); Sending SNMP traps. This may open the door to other attacks. See http://www.cisco.com/warp/public/707/cisco-sa-20060920-ips.shtml for patch information.

Insert a new footnote between existing footnotes in either Microsoft Word 2002 or 2003, and the footnote's number may have a 1 inserted in front of it. Also, the footnote formatting may not conform to your other footnotes. Microsoft offers up some macro code that is supposed to fix this. Get it at http://support.microsoft.com/kb/924943.
9/21/2006 iTunes Update Breaks QuickTime
Once you upgrade to iTunes 7 or later on your Mac OS X computer, problems with QuickTime may occur. Try to play a movie, and you may get this error message: "You need to authorize this movie to play it on this machine" Apple says that upgrading to the latest version of QuickTime should fix this. You can use Apple's Software Update for this, or go to the Apple QuickTime page at http://www.apple.com/quicktime/. This error won't affect iTunes for Windows, because that version automatically updates QuickTime.

9/20/2006 Buffer Overflow Being Exploited in Microsoft Internet Explorer
There is another buffer overflow in Microsoft Internet Explorer 6. This one occurs in the way that IE handles Vector Markup Language (VML), and will let attackers run their own code on your computer. Fully-patched versions of IE are affected, and it is reported that this bug is being used on Russian porn sites, and will probably spread. If Microsoft Outlook or Outlook Express are configured to automatically open HTML messages, they are also vulnerable. It looks like Microsoft is aiming for October's Patch Tuesday for issuing a fix. In the meantime, you can either switch to an alternative browser like Mozilla Firefox (which isn't affected), turn off JavaScript, or unregister vgx.dll. Computerworld shows how to do this at http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9003468

There is a new bot program that can attack via the AOL IM network. This worm is called the AIM Pipeline worm, and connects together a number of modular executable files that will infect the machine once they are connected. See http://www.securityfocus.com/brief/305 for more.

Apple says that Intel-based Macs may not be "morning people". If you put one to sleep, and then wake it up just before a scheduled backup, the backup may not run on time. Instead, it will be delayed by the amount of time that your Mac was asleep.
Apple says that if you don't want to wait, do a manual backup.

If you update to Apple iTunes 7 for the Mac, you may find that you won't be able to connect to remote speakers via your Airport Express base station. According to Apple, you will need to turn on the IPv6 protocol on your network interface. See how at http://docs.info.apple.com/article.html?artnum=304371.

After installing Apple iTunes 7 for Windows, you may get this error message when you try to start iTunes: "The iTunes application could not be opened. An unknown error occurred (0x666D743F)." Apple has two different fixes you can try for this error. See the details at http://docs.info.apple.com/article.html?artnum=304318.

Microsoft says that ICQ Express may interfere with Microsoft Office Outlook 2003. If you try to send a message, but it stays in your Outbox without being sent, try removing ICQ Express from the COM Add-ins in Outlook. Microsoft shows you how to do this at http://support.microsoft.com/kb/924788.

The SANS Internet Storm Center doesn't want to wait for Microsoft to fix the Microsoft Multimedia Controls ActiveX control bug, detailed in the 9/15 BugBlog Plus. A patch probably won't be coming till the second Tuesday in October. Therefore, they have developed a small patch to block hostile content from exploiting this bug. See the details at http://isc.sans.org/diary.php?storyid=1706.

Red Hat has an updated gzip package for Red Hat Enterprise Linux 2.1, 3, and 4. It fixes two bugs that could cause a denial of service attack when gzip opens archived files. Red Hat credits Tavis Ormandy of the Google Security Team for finding these bugs. Get the fix at https://rhn.redhat.com/errata/RHSA-2006-0667.html.

The Electronic Frontier Foundation passes along word that investigators in the Texas Attorney General's office have found other ways that the Sony BMG digital rights management (DRM) rootkit may foul up your computer.
If it is installed on a computer that is either using the AOL Safety and Security Center or the CA PestPatrol, these two will try to eliminate the Sony DRM as spyware (which it is), which will incapacitate your CD-ROM drive. See more at http://www.eff.org/deeplinks/archives/004917.php.

Symantec has discovered a bug that affects most of the consumer and enterprise security products, including Norton Internet Security, Norton AntiVirus, and Norton SystemWorks, as well as Symantec AntiVirus Corporate Edition. Local authenticated users may be able to exploit this bug to trigger a denial of service attack. An affected system would need to be rebooted to recover. Symantec says they are rolling out fixes via LiveUpdate. See the details at http://securityresponse.symantec.com/avcenter/security/Content/2006.09.20a.html.

Toshiba is recalling 340,000 laptop batteries for their Dynabook and Dynabook Satellite models. The manufacturer of the batteries is, you guessed it, Sony. Toshiba says there is not a fire risk, but a risk of the batteries dying. See if your battery is affected at

9/19/2006 Microsoft Patch May Destroy Data
Microsoft says that their MS06-049 security patch for Windows 2000 may possibly corrupt some of your data in certain circumstances. The dangerous situation is when you install MS06-049 on an NTFS formatted drive and you have NTFS compression being used on some folders. If the compressed files are bigger than 4 K, they may become corrupted and unreadable. While Microsoft is working on a re-release of the patch, Windows 2000 users should turn off data compression if they install the patch, which was originally released in August, and fixes a kernel bug. See more at http://blogs.technet.com/msrc/archive/2006/09/15/456646.aspx.
9/18/2006 Internet Explorer GETs Busy
If you have the Microsoft Internet Explorer 6 Content Advisor turned on, and you visit a website with scripts, IE may send a stream of GET requests to the Web site, which will tend to bog things down. Microsoft says this happens if the scripts on the website aren't associated with any Content Advisor rules. Microsoft's only workaround is to turn off the Content Advisor. See how to do this at http://support.microsoft.com/kb/924456.

Apple says that after you update to Xsan 1.4, you should run the cvfsck command on each of your volumes. If you don't do that after the MDCs have been updated, you may end up with an inconsistent volume state.

IBM says that if you use the iSeries Save/Restore scripts with the IBM Workplace Collaboration Services 2.6, and you also have the IBM Workplace Web Content Management installed, the scripts won't act on the Workplace Web Content Management data. IBM has updated scripts that will include that. Get them at http://www-1.ibm.com/support/docview.wss?uid=swg24013481.

There is a bug in the Ipswitch WS_FTP Server 5.x that may allow a buffer overflow if you send the server a very long command argument. The buffer overflow may then allow the attacker to run their own hostile code on the server. Ipswitch has a patch for this at http://ipswitch.com/support/ws_ftp-server/releases/wr505hf1.asp.

You may have problems linking a Microsoft Excel 2003 chart object in a PowerPoint presentation back to the original spreadsheet. This means that automatic updates may be lost. This happens if the QFE_ONTARIO registry DWORD value is enabled, and you open the chart to update it by right-clicking and then selecting Chart Object. You can avoid the problem by double-clicking the chart object instead of right-clicking.

Mozilla says that there is a possibility of frame-spoofing in both Firefox and SeaMonkey.
This spoofing can happen if a malicious website is able to open a new window or tab, which could then be made to look like the target site. Any sensitive information entered into the spoofed frame could then be stolen. Mozilla thinks the security threat from this is low, and they have fixed it in Firefox 1.5.0.7 and SeaMonkey 1.0.5.

The Opera 9.01 web browser is also susceptible to the RSA bug that has surfaced in a lot of other applications that also rely on RSA for security certificates. In this case, if a signing certificate uses an RSA public exponent of 3, it could be spoofed. For now, the only workaround is to avoid using CA certificates with an RSA public exponent of 3.

9/15/2006 JavaScript Bug in Mozilla
There is a heap buffer overflow in the JavaScript Engine in Mozilla Firefox, Thunderbird, and SeaMonkey. A malicious website may be able to create a regular expression in JavaScript that could read beyond the end of the buffer, which could cause a crash or corrupt memory. This has been fixed in Firefox and Thunderbird 1.5.0.7, and in SeaMonkey 1.0.5. Mozilla credits CanadianGuy, Girts Folkmanis and Catalin Patulea for finding this Critical bug.

Researchers at Princeton University say there are bugs in the Diebold Election Systems touchscreen voting systems. This may make it easier to engage in ballot fraud compared to all the tried and true ways that have been done in the past. Read the whole story at http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9003310.

There is a new bug discovered in Microsoft Internet Explorer. A hostile website may be able to construct a page that uses the Microsoft Multimedia Controls ActiveX control (daxctle.ocx). The bug will then enable them to run their code on your computer. Microsoft is "investigating" the bug at http://www.microsoft.com/technet/security/advisory/925444.mspx. For now, make sure only trusted sites are allowed to run ActiveX controls, or turn off ActiveX altogether.
Mozilla points out that the auto-update feature in Firefox and Thunderbird uses SSL (Secure Socket Layers) to prevent DNS (Domain Name System) spoofing. This means that you shouldn't be tricked into downloading an imposter version of Firefox or Thunderbird. However, if during your browser session you accepted an unverifiable SSL certificate from another site, it may be possible for that other site to hijack the Mozilla update process. As a safeguard, always start a new browser session after accepting such a certificate, especially if you are then going to auto-update.

A third-party bug, discovered by Daniel Bleichenbacher, that affects RSA signature verification is present in Mozilla's Network Security Services (NSS), and affects Firefox, Thunderbird and SeaMonkey. Because of this bug, man-in-the-middle attacks that may be able to steal data during a secure transaction are possible. This Critical bug has been fixed in Firefox and Thunderbird 1.5.0.7 and in SeaMonkey 1.0.5. Mozilla credits Philip Mackenzie and Marius Schilder of Google for finding that the bug affects Mozilla.

There is a bug in Symantec AntiVirus Corporate Edition 8.1, 9.x, and 10 that may allow local users to gain privileges and run code that they otherwise would be prevented from running. This bug cannot be exploited by remote attackers. Symantec has fixed this bug. Details are at http://securityresponse.symantec.com/avcenter/security/Content/2006.09.13.html.

9/14/2006 Flash Bugs Allow System Takeover
There are bugs in the Adobe Flash Player 8.0.24.0, along with earlier versions, that may allow a remote attacker to take control of a computer. They can do this via a maliciously-designed SWF file that they must lure you into playing. As a fix, get the latest Flash Player 9.0.16.0 (or later) from http://www.adobe.com/go/getflashplayer.
If you are running the Adobe ColdFusion Flash Remoting Gateway, note that someone will be able to develop a command that can send the gateway into an infinite loop, which creates a denial of service attack. Adobe says either upgrade to ColdFusion MX 7.0.2 or get the update at http://www.adobe.com/support/security/bulletins/apsb06-12.html.

A malicious user may be able to make an Apple QuickTime movie that when played in either the Mac or Windows version of QuickTime, can either crash the application showing the movie, or possibly run their own code. Apple says they have fixed this in the QuickTime 7.1.3 update. They credit Mike Price of McAfee AVERT Labs for finding this bug.

A malicious user may be able to make an H.264 format movie that when played in either the Mac or Windows version of Apple QuickTime, can either crash the application showing the movie, or possibly run their own code. Apple says they have fixed this in the QuickTime 7.1.3 update. They credit Sowhat of Nevis Labs, Mike Price of McAfee AVERT Labs, and Piotr Bania for finding this bug.

There is a bug in the Microsoft Indexing Service which, when queried through a specially designed query on Microsoft Internet Information Server, may allow the disclosure of information, or may allow a client-side script to run. This could possibly affect Windows 2000, XP, or Windows Server 2003. However, this is not installed by default in 2000/XP, and is not turned on by default in Server 2003. However, if you use it, get the update at http://www.microsoft.com/technet/security/Bulletin/MS06-053.mspx.

If you want to use conditional formatting on a string in Microsoft Excel, it will only work on characters that are in the first format you applied to the string. In other words, if first you made a selection and made it bold, and then later made a selection and changed the font, you won't be able to make the font change conditional. Microsoft says this is how they designed it, so you'll need to work around the limitation.
Red Hat has an updated package for their Flash plug-in that is included with Red Hat Enterprise Linux Extras v. 3. This plugs a security hole that may let outsiders take control of your computer via a malicious Flash movie. Get the update at https://rhn.redhat.com/errata/RHSA-2006-0674.html.

9/13/2006 Bug in Windows Pragmatic General Multicast
There is a bug in the MSMQ service in Windows 2000, Windows XP, and Windows Server 2003 that may allow a malicious user to send a multicast message that can take over a system. However, Microsoft points out that this service is not installed by default on Windows systems. If you are using this service, which also goes by the name Pragmatic General Multicast (PGM), you should get the patch at http://www.microsoft.com/technet/security/bulletin/ms06-052.mspx. Microsoft credits David Warden of NuPaper Inc. for finding this bug.

Adobe says that Macromedia ColdFusion MX 6.1, MX 7.01, and MX 7.02 are affected by a bug that may let an attacker launch a cross-site scripting attack using a ColdFusion error page. Get the patch at http://www.adobe.com/support/security/bulletins/apsb06-14.html to fix this. Adobe labels this an Important bug.

Adobe says there is a bug in the ColdFusion MX 7 and ColdFusion MX 7.0.1 sandbox security. Because of the bug, CFML templates that are outside a sandbox may call components (CFC) within a sandbox. Fix this by upgrading to ColdFusion MX 7.0.2 or getting the patch at http://www.adobe.com/support/security/bulletins/apsb06-13.html.

Apple says that QuickTime 7 has a heap buffer overflow bug. An attacker may be able to exploit this bug via a specially-designed FLC movie that can crash QuickTime and possibly run hostile code. This has been fixed in QuickTime 7.1.3. Apple credits Ruben Santamarta of reversemode.com working with the iDefense VCP Program, and Mike Price of McAfee AVERT Labs for finding this bug.

The new Apple iTunes 7 has a new enhanced backup feature that should let you back up songs to disk.
There may be some differences between the Windows and Apple versions of backup -- the Apple version is covered at http://www.tuaw.com/2006/09/12/how-to-back-up-your-music-using-itunes-7/.

Microsoft has re-released their MS06-040 security patch that was originally released on 8/8/06. After installing the earlier version of the patch, you may run into problems with programs that need lots of contiguous memory, such as some Microsoft Business Solutions applications. Get the new version at http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx.

On a Microsoft Windows XP Media Center Edition 2005 computer, if you are running Media Center in full-screen mode, or you are watching TV or a DVD, you put the computer into hibernation, wake it up, and then try to preview a 3D screen saver, you may get the error message:

Microsoft has re-issued, for the second time, their MS06-042 Security Patch, which is a cumulative security update for Microsoft Internet Explorer. That makes it the third version for this patch since its 08/08/06 release. The reason this time is that eEye Digital Security found another bug in the way that IE handles long URLs. So it's time for everyone to go back to http://www.microsoft.com/technet/security/bulletin/ms06-042.mspx once again and get the patch. Chances are, Microsoft is working on the next cumulative update, so they probably won't have to do this one a fourth time.

The Internet Storm Center reports that there are ways that PHP running on shared hosting machines can have scripts evade some script security that is set in Apache httpd.conf files. As a workaround, use security settings in the php.ini file if you can. See http://isc.sans.org/diary.php?storyid=1697 for more.

Red Hat has an updated X.org x11 package for Red Hat Enterprise Linux 4. There are two integer overflow bugs in the way the X.org server does CID font files processing. Authenticated users may be able to exploit this to crash the server and disrupt other users.
Get the update at https://rhn.redhat.com/errata/RHSA-2006-0665.html. Red Hat credits iDefense for finding these bugs.

The developers at Second Life found that their user database was hacked, and all the Second Lifers account names, passwords, and payment information may have been accessed. See their blog at http://blog.secondlife.com/2006/09/08/urgent-security-announcement/ for more information.
9/12/2006 Critical Bug in Microsoft Publisher
This month's critical vulnerability in Microsoft Office is in one of its less popular applications, Microsoft Publisher. A remote attacker may be able to construct a Publisher file with a maliciously designed string. When this file is opened, it could trigger hostile code to be run, and the attacker could possibly take over the computer. Microsoft has a fix at http://www.microsoft.com/technet/security/Bulletin/MS06-054.mspx. Even if you don't have Publisher installed, Windows Update may offer this patch, because Publisher shares some files with other Office applications. Microsoft credits Stuart Pearson of Computer Terrorism for finding this bug.

Will be on the road for a few days, so updates will be light.

9/8/2006 It Will Be a Smaller Patch Tuesday
Microsoft has announced their Patch Tuesday list for September. On September 12, they will release one Critical security bulletin for Microsoft Office. There will be two security bulletins for Windows, but they are only rated as Important. There will also be two high-priority updates released via Windows Updates, and three more on Microsoft Update, but these are not security-related.

If you use characters that can be mistaken for math operators (like - or +) in an Adobe Macromedia Flash Player SWF movie file, these characters may confuse Microsoft Internet Explorer. Adobe says to be safe, stick with the alphabet, numbers, and the underscore.

Researchers at Core Security have found two vulnerabilities in the AOL and ICQ Toolbar 1.3 for Microsoft Internet Explorer. These bugs may let remote attackers change your configurations and inject scripting code. Upgrade to ICQ 5.1 for a fix. Read more at http://www.coresecurity.com/index.php5?module=ContentMod&action=item&id=1510.

In August the BugBlog reported on a Washington Post story about how two security researchers were able to exploit flaws in third-party wireless drivers to hack into an Apple MacBook.
However, details have not been disclosed (except to Apple) and some other researchers think the flaw isn't there. You can read more about this at http://www.securityfocus.com/brief/294.

PC World has a handy explanation of how some phishers try to disguise a suspicious link to make it look legitimate. Read about it at http://www.pcworld.com/article/id,126742-page,1-c,browsersecurity/article.html.

McAfee says they are now seeing advertising messages from spammers being included in Microsoft Word attachments or HTML file attachments, instead of being in the body of the email message. This may circumvent anti-spam filters. One would hope that users avoid opening attachments from unknown senders, so this may not be the most effective way of spamming.

Microsoft says that if Microsoft Outlook is how users are connecting to Exchange Server 2003 or Exchange 2000 Server, and there are third-party search engines integrated into the Outlook desktop, then you run the risk of a big increase in Exchange database size that will cause performance to drag. Microsoft has a couple of ways to avoid this. See http://support.microsoft.com/kb/919207 for details.

If Windows XP Service Pack 2 gets installed twice onto a computer, after the second installation Remote Assistance may no longer work. Microsoft says this is because DCOM gets unregistered, and removes the Remote Assistance Helper group permissions. Microsoft has a hotfix for this, which will be in a future Windows XP Service Pack. If you need the fix right away, see http://support.microsoft.com/kb/923214.

On both 64-bit versions of Windows XP, and on Windows Server 2003, if you refresh the wireless network list you may sometimes get an access violation that crashes Windows Explorer. Microsoft has a hotfix for this, which will be in a future service pack. If you refresh the list a lot, and are getting crashes, see http://support.microsoft.com/kb/920155 for information on how to get the fix right away.
The Security Focus website reports that they are seeing lots more activity by the SDBot program, an older piece of malware that has been reconfigured so that it can exploit the flaw that has been fixed in MS06-040. So there's another reason to make sure that patch is in place. See http://www.securityfocus.com/brief/293 for more.

Novell has announced that as of October 31 they will no longer be supporting or updating SuSE Linux 9.2. That's because that version has reached its second birthday. So users may want to think of upgrading to SuSE Linux 9.3, 10.0, or 10.1.

9/7/2006 Encrypted Malware a New Type of Threat

McAfee reports that they are now seeing malware that takes advantage of the EFS (Encrypting File System) capabilities of Windows. The encrypted files ultimately do what other trojan software does -- install a backdoor onto your system, often with a newly-created administrator login account. The encryption just adds an extra layer of defense. See McAfee's report at http://www.avertlabs.com/research/blog/?p=77 for more on how it works, and what IP addresses the malware tries to contact.

9/6/2006 ZoneAlarm Update Fixes Domestic and International Bugs

Zone Labs has released ZoneAlarm 6.5.737.000. This version clears up a bug that sometimes prevented users from changing the default home page in their browser. It also fixes some bugs in international versions that were either truncating text displays or causing some random crashes. If you haven't been affected by these problems, you may want to wait a couple of days before upgrading at http://download.zonelabs.com/bin/free/information/znalm/zaReleaseHistory.html, to make sure the upgrade itself doesn't have problems.

If you are trying to uninstall your Apple iTunes software from your computer, you may see this error message:
Cannot delete iPodService.exe: It is being used by another person or program.
While we can assume you have shut down the iTunes software before trying to uninstall it, something else like the iPod Updater utility may be running in the background. See http://docs.info.apple.com/article.html?artnum=93976 for information on how to shut everything down.

If you are using the ATI Multimedia Center on a Windows XP Media Center Edition computer, ATI warns that you shouldn't change your color depth or display resolution while the ATI Multimedia Center is running. You may crash either the Multimedia Center or Windows XP. Close down the Multimedia Center, make your changes, and then start up the Multimedia Center.

On a Windows XP Media Center Computer with the ATI Multimedia Center 9.14 and an ATI graphics card, trying to do a still capture won't work. There will be no crash and no error message, but nothing will be saved, either. This has been fixed in the ATI Multimedia Center 9.15 update.

If you are running a picture in picture display within the ATI Multimedia Center 9.14 on a Windows XP Media Center Edition computer, and you toggle multiple times between the two, you may get a crash of the Multimedia Center and an error message in aticore.dll. This has been fixed in the ATI Multimedia Center 9.14 update.

If you open up a Microsoft Word 2003 document from a SharePoint document library, and that document is based on a template that is based on another template, any start-up macros will run twice. If those macros do something like set up a toolbar, it will do those twice. Microsoft has a hotfix for this, which will be in a future Office 2003 service pack. If you can't wait for the fix, see http://support.microsoft.com/kb/923825.

Microsoft has confirmed the report by Symantec from 9/5 about a new security bug in Microsoft Word 2000 that is being actively exploited. However, they did not say when they will be fixing the bug. Since the next Patch Tuesday is six days away, it won't be part of the regular September cycle.
Read more at http://www.pcworld.com/article/id,127046-pg,1-RSS,RSS/article.html.

When using Microsoft Office XP on a network, you may not be able to successfully digitally sign documents. Microsoft says this may happen if the system administrator uses an autoenrollment Group Policy object to deploy the certificate. Microsoft has a hotfix for this, which will be in a future service pack. If you can't wait for this fix, see http://support.microsoft.com/kb/924122 for details on getting it right away.

Novell says that after you apply the August PRU to the ZENworks Asset Management 3.2DE, you may get this error message when you run the network discovery scan:
Ignoring Network Discovery fingerprint file, NDREC.TKB
The scan will continue running, but not all the devices will be correctly recognized. This has been fixed in the zam32netdiscfix.exe patch from Novell. Get it at http://support.novell.com/cgi-bin/search/searchtid.cgi?/2974361.htm.

Red Hat has an update for the OpenSSL package for Red Hat Enterprise Linux 2.1, 3, and 4. This update fixes a bug that may allow attacks via PKCS #1 v1.5 signatures that may result in incorrect authentication. This bug was discovered by Daniel Bleichenbacher. Get the new Red Hat packages at https://rhn.redhat.com/errata/RHSA-2006-0661.html.

Red Hat has a new Mailman package for Red Hat Enterprise Linux 3 and 4. This update fixes a bug in the way Mailman handles MIME multipart messages. A remote attacker may be able to exploit this bug as a way of shutting down the mailing list. Red Hat credits Barry Warsaw for finding this bug. Get the update at https://rhn.redhat.com/errata/RHSA-2006-0600.html.

9/5/2006 New Problem for Microsoft Word 2000

Symantec is reporting a new vulnerability in Microsoft Office 2000. If you open an infected Word doc a Trojan Horse program will run and create another program, Backdoor.Femo, which will give access to your computer.
There is no patch from Microsoft yet, although Symantec says that their AV software will detect it. Read more at http://www.symantec.com/enterprise/security_response/weblog/.

If you created a Flash SWF file with Swish MAX, you may not be able to play that file in Adobe Macromedia Flash Player 9. According to Adobe, SWiSHZone fixed this incompatibility in a new version of Swish MAX released 6/29/06. Look for it at http://www.swishzone.com/.

When you plug an external video camera into an Apple Power Mac G3 via FireWire, your camera may not be recognized by Apple Final Cut Pro 1.0. It may be because your camera is incompatible with Final Cut Pro. Check the list at http://www.apple.com/finalcutpro/techspecs/io.htm to see. If it's not incompatible, the problem may be that the correct extensions haven't been installed for it. See http://docs.info.apple.com/article.html?artnum=31093 for information on fixing that.

IBM says that in Lotus Notes 6.5.4 and earlier, if you try searching backwards in Calendar view, Notes may crash once it can no longer find items. This has been fixed in Notes 6.5.5.

After you install the MS06-008 security patch from Microsoft, you may not be able to stop the Remote Registry service. According to Microsoft, that's because it shares a Svchost.exe process with the SSDP Discovery Service, the TCP/IP NetBIOS Helper, and the WebClient. Until you stop all those services, you won't be able to stop Remote Registry. Microsoft has a fix for this, which will be in a future service pack. See http://support.microsoft.com/kb/923416 for information on how to get the fix right away.

Here's a Panasonic battery recall -- only 6000 of them, from Panasonic Let's Note CF-W4G laptops. A spring from the battery cover may end up inside the battery, which can cause bad things to happen. See http://gizmodo.com/gadgets/laptops/panasonic-recall-laptops-because-of-battery-problems-198423.php for more.
9/4/2006 Sony Wins the Bug of the Month

Sony wins the September Bug of the Month, because they are the manufacturer for all the Dell and Apple batteries being recalled.

9/4/2006 Outlook Printing Problems

There is a new hotfix package for Microsoft Outlook 2003 that fixes two printing bugs. The first bug may prevent email messages that are printed using the TIFF format from being saved correctly. The second bug may affect someone with two printers connected to their system. Trying to print to the non-default printer may not always work. This hotfix is for Office 2003 systems with Service Pack 2 installed. This new hotfix will be in a future service pack, but if you need it right away see http://support.microsoft.com/kb/924435.

If you are using Adobe Premiere Elements 2.0 to work on a project in the PAL format, if you export a clip to a camcorder the audio may get lost. According to Adobe, this can be fixed by getting the Adobe Premiere Elements 2.0 PlayerStandard plug-in update, which you can find at http://www.adobe.com/support/downloads.

If you install Adobe Flash Player 9.0.16.0 or higher, and then install Adobe Flex Builder 2, you may get this error message when you go into debug mode:
Installed Flash Player is Not a Debugger. Flex Builder cannot locate the required debug version of the Flash Player….
Adobe says that the Flex Builder installation sometimes gets its Flash players confused, and doesn't install the Debug Flash player. See http://www.adobe.com/cfusion/knowledgebase/index.cfm?id=758bf58b for a fix.

The 1.04 update for LucasArts Star Wars Empire at War had a bug that may cause problems when you try to save a game. (Or as Yoda might say "A bug the game has"). They fixed this in the 1.05 patch, which you can get at http://support.lucasarts.com/patches/EAW1_5.htm.

SuSE has a new update that fixes a number of bugs that affect all versions of SuSE Linux. One of the bugs is in openldap.
Because of the bug, Access Control is lax and may allow users to change more things than they should be allowed to touch.

US-CERT notes a problem with VMware ESX Server. The Server Management tool that comes with VMware will store any password changes from users in an unencrypted log file that makes it easy for passwords to get borrowed. Keep an eye on http://www.kb.cert.org/vuls/id/822476 for updates.

There have been a number of news stories about TippingPoint's new Zero Day Initiative's Upcoming Advisory List. This list shows when TippingPoint alerts a vendor to a bug. The details of the bug aren't released to the public, only the company name and severity level of the bug. There's some criticism that this helps alert malware authors to potential vulnerabilities, but it's very limited help. For instance, the list says that there are four high severity bugs in Microsoft products. Is that news to anyone? (My reaction was "Only four?") On the other hand, when a company with a small number of offerings, like WinZip, makes the list, the target is narrower. See the full list at http://www.zerodayinitiative.com/upcoming_advisories.html.

Another example of cultural imperialism from Apple -- if you are using Mac OS X Text to Speech you will only be able to preview in the English language version. If you are using another language version of Mac OS X, the play button is grayed out.

CA eTrust Antivirus apparently had a bug in their latest antivirus signatures that flagged the legitimate Windows Server 2003 service LSASS.EXE as infected. What's worse, in many cases the AV software then deleted the file, which is needed in most cases for the computers to re-boot. CA has fixed the antivirus signatures, and if they managed to cripple your server, they've got fix instructions at http://supportconnect.ca.com/sc/kb/techdetail.jsp?searchID=TEC405236&docid=405236.
There is a new publication from the National Institute of Standards and Technology (NIST) called "Guidelines for Media Sanitization." It does not call for wiping down your hard drive and CD-RWs with bleach. It means seeing what's needed to make sure any sensitive data is not only deleted but written over on any media that you are throwing out. Get it at http://csrc.nist.gov/publications/nistpubs/800-88/SP800-88_Aug2006.pdf.

US-CERT says there is a bug in Microsoft Visual Studio 6.0 that may let remote attackers trigger a bug via the ActiveX controls tcprops.dll, fp30wec.dll, mdt2db.dll, mdt2qd.dll, and vi30aut.dll. It may only lead to a denial of service attack, but there's a chance that they could run hostile code as well. There is no fix yet. See http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4494 for more.

The Internet Storm Center has been seeing lots of recent activity directed at port 139. It appears to be some new malware trying to exploit the vulnerabilities that Microsoft patched in MS06-040, but for good measure also tries to exploit older bugs fixed in MS04-007, MS05-017, and MS05-039. So far, every AV vendor is calling it something different: McAfee is calling it W32/SDbot.worm!MS06-040, Sophos is calling it W32/Vanebot-A, and Symantec is calling it W32.Randex.GEL. Read more at http://isc.sans.org/diary.php?storyid=1660.

8/31/2006 Word 2003 May Take a 30 Minute Break

Try to open a Microsoft Word 2003 XML document, and Word may lock up for anywhere from 10 to 30 minutes. Microsoft says this may happen when the Word doc is linked by another Microsoft Office document, and that other document is on a network share and is opened by someone else. There aren't any configuration changes that can avoid this. Microsoft has a hotfix for this, which will be in a future Office service pack. See http://support.microsoft.com/kb/923826 if you need to get the fix right away.