Windows Secrets



Newsletter
 
 
TOP STORY — info you need to make Windows work

This is a special news update to the Windows Secrets Newsletter. This short bulletin contains only a few news items and an index of reviews. Our next regularly scheduled, full newsletter will be published on Aug. 11.

Greasemonkey fix is released

By Brian Livingston

The developers of Greasemonkey, a popular "extension" for the Firefox browser and other Mozilla Foundation software, released on July 30 a new version that corrects a serious security flaw. I warned about this risk in a brief news update on July 21, 2005.

The add-in enables users to redefine how Web sites look and behave. Unfortunately, older Greasemonkey versions, such as 0.3.4, allow hacker sites to read the names and contents of any files on users' hard disks.

According to Aaron Boodman, one of Greasemonkey's developers, the new beta version 0.5 closes the worst security holes. Other developers who've looked at the new code agree. Some glitches exist with the beta release, however. Although 0.5 makes it difficult for a rogue Web site to read the source code of a Greasemonkey script, it's not impossible, the team says.

Boodman recommends that people who don't want to watch out for these gotchas use version 0.3.5 of Greasemonkey instead. That version was released on July 19 and also eliminates the security flaws.

Because of the possibility that a Web site might be able to read the contents of a script you're running, you should never hard-code a password into such a script. In addition, some sloppily coded Greasemonkey scripts that work under Firefox 1.0.x will not work under Deer Park, the code name for Firefox 1.5, a major release that's expected later this year.

For information on the 0.5 beta, including several caveats, see Boodman's entry in the project's Greaseblog. For comments by other developers and users, see the entry at Mozillazine.
 
Wallpaper bug bites Firefox

The Greasemonkey problem was not a weakness in Firefox per se. The open-source browser supports hundreds of extensions, any of which may have bugs. In a separate issue, however, a weakness in Firefox 1.0.x itself was recently discovered. This flaw allows a hacked wallpaper file to silently install a virus if the Desktop image is loaded via the browser's Set as wallpaper context menu item.

What to do: I'm not aware of a workaround for this, so don't use Firefox to set your wallpaper until a new version fixing the problem is released. Meanwhile, you should update Firefox to version 1.0.6 to protect against other risks, using the procedure I described on July 21. Exploit code for the wallpaper flaw was posted by the French Security Incident Response Team (FrSIRT) on July 12.

Despite the existence of irritations such as the ones mentioned above, Firefox continues to rank as a much more secure browser than Microsoft's Internet Explorer 6.0. Mozilla-based browsers had security patches available for all known security issues in calendar year 2004 before a single threat made it "into the wild," according to a timeline by European security firm Scanit.be.

By contrast, IE 6 currently suffers from 20 unpatched security holes, according to a Secunia advisory. The most serious are rated "highly critical," which is the security service's second-most-severe warning level. Secunia says Microsoft has never patched the two holes that pose the worst dangers to users, in spite of being notified about the problems in April 2004 and August 2003.
Windows Secrets Newsletter
News Update — 2005.08.04


TOP STORY
Greasemonkey fix is released
Wallpaper bug bites Firefox
Time to update your Cisco routers
Windows validation easily circumvented
Re-release near for W2K update rollup

INDEX OF REVIEWS
Laptops make news with new test results
Ultimate Mobility names favorites of 2005
New notebooks make PC Mag's list
Mobile Mag awards six portable PCs
Three laptops impress PC World
Four tablets rise to Pen Computing awards




CIRCULATION: over 147,000


 
   
Time to update your Cisco routers

Headlines rocketed around the world last week when security analyst Michael Lynn quit his job at Internet Security Systems (ISS) rather than obey an order to cancel a presentation ISS and Cisco had earlier asked him to make on July 27 at Black Hat Briefings, an annual Las Vegas computer conference.

Lynn showed attendees a PowerPoint slide show suggesting that vulnerable Cisco routers could allow a rogue insider to repeatedly reboot them, run any desired program, or even permanently disable the equipment. Unlike copies of this slide show that are now available on the Web, such as a PDF file at Security.nnov.ru, Lynn's presentation responsibly blacked out some crucial code and omitted ISS's trademarked logo from the slides. Lynn on July 28 settled a lawsuit filed against him by Cisco and ISS, agreeing not to discuss or disclose the presentation again.

According to reports in Wired News and elsewhere, Cisco released in April a patch for its router software, the so-called Infrastructure Operating System (IOS), and stopped offering the older version on its site. Many owners of these routers have not updated their firmware, however.

Cisco also released on July 29 a separate security advisory about related weaknesses that affect routers configured to process Internet Protocol version 6 (IPv6) traffic. This attack, Cisco said, could be carried out only within a local network, not remotely. But Lynn noted in his slides that upcoming versions of IOS would make such attacks easier.

What to do: If you own Cisco routers, study the company's July 29 advisory and also its list of all security notices that might affect you. Then install the latest upgrades or use the workarounds that are suggested. And, if you're so inclined, ask Cisco about the "virtual processes" in future IOS versions that Lynn said would make its routers more hackable.

For more information, the best roundup I've seen is from O'Reilly Radar. This site's article is largely a critique of a previous, inaccurate article at BusinessWeek.com but also provides links to many authoritative resources.
 
Windows validation easily circumvented

Microsoft last week made validation of its operating system mandatory for all Windows XP and 2000 users. As of July 26, downloading software via Windows Update, the new Microsoft Update, or the Microsoft Download Center requires a PC to pass a real-time test for an authorized, licensed OS. (The Redmond company is making exceptions for patches it labels "critical" for security.) The validation test had been optional since late last year, when Microsoft initiated its "Windows Genuine Advantage" program to reduce piracy.

It took only one day for programmers to demonstrate that the new testing mechanism was poorly implemented. The BoingBoing.net tech blog reported on July 28 that entering a single line of JavaScript into a browser's address bar bypasses the validation routine. Using a different approach, Rafael Rivera of Extended64.com released similar methods that involve installing small user scripts.

Shortly thereafter, Ryan Foley published on his Technomyst blog an even simpler trick. Users receive a Windows Genuine Advantage ActiveX component when downloading software for the first time under the new regime. After closing and restarting Internet Explorer, users can then click Tools, Internet Options, Programs, Manage Add-Ons. Merely clearing the check box next to Windows Genuine Advantage prevents the test from taking place.

Another easy method was also published by Sinhack Research Labs. As explained in a posting to the Full Disclosure discussion list, downloading Microsoft's own GenuineCheck.exe program, and configuring it to run in "Windows 2000 compatibility mode," makes the test always succeed in Windows XP.

I don't advocate pirating software, and in fact I recommend that you take advantage of Microsoft's Genuine Windows Offer if you find that you somehow purchased a counterfeit Windows CD. The Redmond company will send you a licensed copy of Windows XP for free if you submit a piracy report and the disc. Those with a bogus OS but without a black-market CD can get XP for the discounted price of $99 USD (XP Home) or $149 (XP Pro).

Microsoft announced that the flaws would be corrected. They may even have been fixed by the time you read this.

But the weak stress testing that the software giant obviously conducted on Genuine Advantage — an initiative it knew would be high profile — is disturbing. If Microsoft allows such elementary weaknesses to ship in its most visible campaigns, how many holes still exist in Windows' less-well-known software components?
 
Re-release near for W2K update rollup

Microsoft announced this morning (Aug. 4) that its recent "update rollup" for Windows 2000 Service Pack 4 will be re-released soon to correct more than half a dozen incompatibilities. The company recommends that anyone affected by these problems not install Update Rollup 1 (UR1) until fixes for the specific issues are released or the new rollup becomes available.

The most common issue is that Microsoft Office programs cannot save files to floppy disks in some cases after UR1 is installed. Other issues involve Microsoft Exchange 5.5 and software from Citrix, Sophos, and Internet Security Systems (ISS). Windows dynamic disks are also affected, displaying two system drives instead of one and alternating drive letters after each reboot.

W2K SP4 was released on June 26, 2003, after which UR1 was released on June 28, 2005. For information on currently suggested workarounds and the availability of hotfixes, see Microsoft Knowledge Base article 891861, which has been frequently updated with known problems. To obtain W2K SP4, see article 260910.

——————
To send us more information on the above topics, or to send us a tip on any other subject, visit WindowsSecrets.com/contact. You'll receive a gift certificate for a book, CD, or DVD of your choice if you send us a comment that we print.

Brian Livingston is editor of the Windows Secrets Newsletter and the coauthor of Windows 2000 Secrets, Windows Me Secrets, and eight other books.



INDEX OF REVIEWS — our directory of product shootouts

Laptops make news with new test results
By Brian Livingston

In rapid succession, five magazines have released new lists of the editors' favorite notebook PCs. Faced with this sudden wealth of information, I'm devoting today's special Index of Reviews solely to the latest ratings of laptops and portables.

Every market segment and price range is represented in this week's compilation, which should help you choose the right machine for your needs.

 

  NOTEBOOK COMPUTERS
Ultimate Mobility names favorites of 2005
Ultimate Mobility Magazine divides its highest rated notebook PCs into eight categories. The Ultimate Choice awards go to Acer (its TravelMate 2300 is shown in photo at left), Dell, Panasonic, Toshiba, and Motion Computing.
Acer TravelMate 2300 (Budget notebooks, Ultimate Choice)
Dell Inspiron 9300 (Desktop replacement/multimedia notebooks, Ultimate Choice)
Panasonic ToughBook CF-W2 (Ultraportable notebooks, Ultimate Choice)
Dell Latitude D610 (Thin-and-light notebooks, Ultimate Choice)
Dell Inspiron 6000 (Mainstream notebooks, Ultimate Choice)
Toshiba Portégé M200 (Convertible notebooks, Ultimate Choice)
Motion Computing LE1600 (Tablet PCs, Ultimate Choice)
Dell Inspiron XPS Gen 2 (Gaming notebooks, Ultimate Choice)
Link to all ratings and full review


  NOTEBOOK COMPUTERS
New notebooks make PC Mag's list
New thin-and-light models from Lenovo/IBM, Toshiba, and Dell sweep the top spots on PC Magazine's list of top notebook PCs. Out of dozens of offerings, ten models now bear Editors' Choice honors, with special recognition given to Lenovo/IBM's new tablet PC (photo, left).
Lenovo/IBM ThinkPad X41 (Tablet PCs, Editors' Choice, Score: 4.5/5.0)
Motion Computing LE1600 (Tablet PCs, Editors' Choice, 4.0)
Lenovo/IBM ThinkPad T43 (Business notebooks, Editors' Choice, 4.5)
HP Compaq nc8200 (Business notebooks, Editors' Choice, 4.0)
Toshiba Portégé R200 (Ultraportable notebooks, Editors' Choice, 4.0)
Toshiba Qosmio G25-AV513 (Multimedia and gaming notebooks, Editors' Choice, 4.5)
Dell Inspiron XPS Gen 2 (Multimedia and gaming notebooks, Editors' Choice, 4.5)
HP Pavilion dv4000 (Multimedia and gaming notebooks, Editors' Choice, 4.5)
Dell Inspiron 6000 (Value notebooks, Editors' Choice, 4.5)
Averatec AV3270-EE1 (Value notebooks, Editors' Choice, 4.5)
Link to all ratings and full review


  NOTEBOOK COMPUTERS
Mobile Mag awards six portable PCs
Mobile Magazine chooses eight of the new portable PCs on the market as its top picks. Six of these models earn the Mobile Choice award for portability, price, and performance.
Sharp Actius MP30 (Mobile Choice, Score: 4.5/5.0)
Toshiba Portégé S100 (Mobile Choice, 4.5)
Dell Inspiron XPS Gen 2 (Mobile Choice, 4.5)
Lenovo/IBM ThinkPad T42 (Mobile Choice, 4.5)
Toshiba Qosmio G25 (Mobile Choice, 4.0)
Eurocom D900T Phantom (Mobile Choice, 4.0)
Link to all ratings and full review


  NOTEBOOK COMPUTERS
Three laptops impress PC World
PC World divides top-rated laptop computers into three categories based on size and specifications. With three new notebook models introduced into the magazine's Top 15 list, Compaq, Lenovo/IBM, and Dell (photo, left) continue to hold the top spots.
Dell Inspiron 700m (Ultraportable, Best Buy, Score: 4.0/5.0)
Lenovo/IBM ThinkPad T43 (Desktop Replacement, Best Buy, 4.0)
Compaq Presario V2000 (All-purpose notebook, Best Buy, 4.5)
Link to all ratings and full review


  TABLET PCs
Four tablets rise to Pen Computing awards
With Windows' Tablet PC platform coming of age, Pen Computing Magazine puts 24 of these new-generation models to the test. It finds the offerings from Fujitsu, Motion Computing, Panasonic, and Xplore excel in functionality, design, and quality.
Fujitsu LifeBook T4000 Series (Editor's Choice, Best tablet PC convertible)
Motion Computing LE1600 (Editor's Choice, Best tablet PC slate)
Panasonic ToughBook CF18 (Editor's Choice, Best rugged tablet PC convertible)
Xplore Technologies iX104C2 (Editor's Choice, Best rugged tablet PC slate)
Link to all ratings and full review

——————
For non-U.S. sources of information on a product reviewed above, enter the model name into a search box at one of the following links: Canada / U.K. / Elsewhere

The Index of Reviews summarizes only head-to-head comparative tests by respected industry reviewers, not individual ratings of single products.

 
 
FORWARDING INSTRUCTIONS — news gains value when it's shared 

Please share this information with your friends
You're encouraged to refer your friends and colleagues to this free news update. Because most e-mail programs don't correctly display a formatted message that's been forwarded, simply call people's attention to the permanent Web address of this issue: WindowsSecrets.com/comp/050804.


 
 
HERE'S A TIP — you'll get a better newsletter if you choose the paid version

You're reading the free version of the Windows Secrets Newsletter
Subscribers to the paid version receive additional information in each regular issue. Get the latest from Windows experts Brian Livingston, Paul Thurrott, Chris Mosby, Susan Bradley, Mark Burnett, and more.

Paid subscribers can access all old and new paid newsletter content
Make a contribution to support our research into Windows and you'll immediately be able to read and search through scores of valuable articles. In addition, paid subscribers are entitled to download valuable content that we license for you at least once every calendar quarter.

To upgrade, simply make a contribution of any amount you choose
If you do this by Aug. 10, 2005, you'll instantly be sent the paid version of the latest full newsletter.

To upgrade to the paid version of Windows Secrets, please visit WindowsSecrets.com/upgrade. Thanks in advance.


 
 
ABOUT YOUR SUBSCRIPTION — we're here to serve you

The Windows Secrets Newsletter (formerly Woody's Windows Watch and Brian's Buzz on Windows) is published twice a month, except for breaks in August and December. The newsletter is published on the Thursday after Microsoft Patch Tuesday (the 2nd Tuesday of each month) and two Thursdays after that. A short "newsletter update" is sometimes published between regular newsletters, if breaking news occurs.

Publisher: WindowsSecrets.com LLC, 300 Queen Anne Ave. N. #456, Seattle, WA 98109 USA. Vendors, please send no unsolicited packages to this address (readers' letters are fine).

Editor: Brian Livingston is the coauthor of Windows 2000 Secrets, Windows Me Secrets, and eight other books. Associate Editor: Paul Thurrott is the author of Windows XP Home Networking and Great Digital Media with Windows XP and the author or coauthor of several other books. Contributing Editors: Susan Bradley, Mark Burnett, Chris Mosby. Research Director: Vickie Stevens. Program Director: Brent Scheffler.

Trademarks: Windows is a registered trademark of Microsoft Corporation. The Windows Secrets series of books is published by Wiley Publishing Inc. The Windows Secrets Newsletter, WindowsSecrets.com, WinFind, Windows Gizmos, Index of Reviews, Briefing Session, Windows Patch Watch, Update Management, and Wacky Web Week are trademarks and service marks of WindowsSecrets.com LLC. All other marks are the trademarks or service marks of their respective owners.

How to subscribe: Anyone may subscribe to this newsletter by visiting WindowsSecrets.com/info.

Our Ironclad Privacy Guarantee: (1) We will never sell, rent, or give away your address to any outside party, ever; (2) We will never send you any unrequested e-mail, besides newsletter updates; and (3) All unsubscribe requests are always honored immediately, period. Privacy policy

HOW TO UNSUBSCRIBE: To unsubscribe from the Windows Secrets Newsletter,
Copyright © 2005 by WindowsSecrets.com LLC. All rights reserved.



