"It's yet another in a long series of diversions in an attempt to avoid responsibility." - Chris Knight
Archive for the ‘Security Patches’ Category
January 24th, 2008 by iDunzo
It’s not been a great year for Web security, so far. First we learn that Hackersafe isn’t so hacker safe, after all. Then we find out that hackers have found a way to automatically redirect most home routers to wherever they wish. And now it seems that so-called legitimate Web sites may not be so “legitimate” (or at least safe) after all.
It’s apparently so easy to infect existing Web sites that there’s decreasing need for criminals to set up shill sites. At least that’s the takeaway from a recent report published by security vendor Websense, which attempts to examine security trends for the second half of last year.
In fact, 51% of Web sites infected with malicious code are actually legitimate, but compromised, Web sites. This is actually a stark increase from the 30% or so of infected legitimate sites the company reported for the first half of 2007.
So this means that miscreants — because the Web site security and development practices of conventional businesses are negligent — don’t even have to go through the trouble of developing and hosting a Web site, or even the bother of deluging everyone with spam designed to lure folks to a Web site trap.
No, all they have to do is find a trusted site that’s already vulnerable and that, unfortunately, seems all too easy.
January 8th, 2008 by iDunzo
Geeks.com, a Web site that still displays a banner from McAfee’s ScanAlert certifying that it is “Hacker Safe,” on Friday sent a letter to customers saying that it was hacked last month.
“Genica dba Geeks.com (‘Genica’) recently discovered on December 5, 2007 that customer information, including Visa credit card information, may have been compromised,” said a letter posted on The Consumerist from Jerry L. Harken, Genica’s chief of security, to an undisclosed number Geeks.com customers.
“In particular, it is possible that an unauthorized person may be in possession of your name, address, telephone number, e-mail address, credit card number, expiration date, and card verification number. We are still investigating the details of this incident, but it appears that an unauthorized individual may have accessed this information by hacking our e-commerce Web site.”
Geeks.com has reported the incident to federal authorities and Visa, and is encouraging customers to review their credit card statements for unauthorized charges.
The company has set up two help numbers — 1-888-529-6261 or 1-212-560-5108 for non-US customers — that will be active starting this morning for those with questions about the incident.
It is also providing contact information for the major credit agencies to make it easier to report any identity theft fraud arising from the incident.
Geeks.com describes itself as a direct-to-consumer e-commerce site that specializes in computer-related excess inventory, manufacturer closeouts, and popular and esoteric products for the tech-savvy.
McAfee acquired ScanAlert in October and describes it as the world’s leading provider of e-commerce Web site security services.
The Hacker Safe certification, McAfee explains on its Web site, lets “shoppers of ScanAlert customer sites instantly know that they are a secure Web site and respond by buying more from them.”
The ScanAlert Web site explains that the Hacker Safe certification doesn’t mean 100% safe.
“Research indicates sites remotely scanned for known vulnerabilities on a daily basis, such as those earning ‘Hacker Safe’ certification, can prevent over 99% of hacker crime,” the site says.
January 4th, 2008 by iDunzo
Way back in 2004, Microsoft released a little OS upgrade they called Service Pack 2. Windows XP owes much of its current popularity to the changes made in SP2.
Although Vista is grabbing all the front page attention with its soon-to-be-released Service Pack 1, XP hangers-on are hopeful that the upcoming Service Pack 3 can solve the nagging problems of software middle age.
Early results show that SP3 might even provide a performance boost. So Vista may be hip, but XP is getting a hip replacement.
The XP SP3 Release Candidate is available now, with the final version set to ship in the second quarter of this year. Whatever the actual date, you can bet that Vista SP1 will ship before XP SP3)
XP SP3 adds four new features. Only two seem really significant, one for corporate environments and one for the small-business/consumer side.
For the corporate world, XP SP3 will support the Network Access Protection (NAP) feature that is already available in Vista and Windows Server 2008.
It allows IT managers to deny a PC access to network resources based on whether they are configured according to company policies.
For example, if a PC does not have the latest antivirus signatures installed, NAP can limit its access so that it can only contact a remediation server that contains up-to-date signatures to be downloaded.
Given the concern that many companies have about security, the NAP feature could have been one that pushed them to upgrade to Vista. Now, they can stay put with XP and still reap the benefits.
It seems so much like the right thing to do that I can hardly believe that Microsoft has done it. Perhaps the goal is to sell more Windows Server 2008 licenses?
Consumers get a Vista feature transplant in XP SP3 with the ability to install without the need to enter a license key during setup.
Within 30 days of installation, the user needs to enter a product key or XP will go in to a reduced-functionality mode similar to Vista.
The final two XP SP3 features seem relatively trivial: additional cryptographic providers, and enabling black hole router detection by default.
XP already has the ability to detect black hole routers with a single change in the registry, so the feature here just seems to be that the setting will be enabled by default in SP3.
So if these are the only new features and the rest of the changes are patches, why would SP3 be faster? It’s a bit of a puzzle.
Maybe the tests were anomalous, or perhaps there is a benefit from several non-security-related patches rolled into SP3 that haven’t been previously released.
Whatever the reason, it actually leaves me looking forward to this mid-life OS boost.
December 19th, 2007 by iDunzo
Microsoft has released to the public a near-final version of a major update to its Windows XP operating system.
As of early this morning, the ‘Release Candidate’ for Windows XP Service Pack 3 was available as a 336 MB download from Microsoft’s Web site. The software had previously been available only to participants in Microsoft’s official test programs.
Microsoft says it considers the Release Candidate for Windows XP SP3 to be trial software and warns users to download with caution and at their own risk.
This pre-release software is provided for testing purposes only. Microsoft does not recommend installing this software on primary or mission critical systems.
Microsoft recommends that you have a backup of your data prior to installing any pre-release software.
For the adventurous, however, Windows XP SP3 Release Candidate offers a number of enhancements over the current version of the OS. It includes all updates issued since Windows XP Service Pack 2 was released in 2004, and some new elements.
Among them: A feature called Network Access Protection that’s borrowed from the newer Windows Vista operating system. NAP automatically validates a computer’s “health,” ensuring that it’s free of bugs and viruses, before allowing it access to a network.
Windows XP SP3 also includes improved “black hole” router detection — a feature that automatically detects routers that are silently discarding packets. In XP SP3, the feature is turned on by default, according to Microsoft.
Windows XP SP 3 also steals a page from Vista’s product activation model, meaning that product keys for each copy of the operating system doesn’t need to be entered during setup.
The feature should prove popular with corporate IT managers, who often need to oversee hundreds, or even thousands, of operating system installations.
Microsoft is in a bit of a Catch-22 with XP. The more it strengthens the OS, the less reason users have to upgrade to the newer Windows Vista, which by many accounts has failed to catch on with computer users in both the home and office since it debuted in January.
A final version of Windows XP SP3 is expected to ship early 2008.
October 29th, 2007 by iDunzo
Well that didn’t take long. Apple has already pushed out some Leopard-related upgrades that reportedly fix issues with Keychain passwords, Wi-Fi support, Aperture and Backup.
The most significant upgrade, and the only one that applies to all Leopard users, is the Login & Keychain Update 1.0.
The update addresses a rather obscure Keychain issue that affects accounts originally created in OS X 10.1, but also includes fixes for those having trouble “connecting to some 802.11b/g wireless networks.”
A couple of commenters on our Leopard first look story and other posts I’ve seen around the web reveal that the Wi-Fi troubles have plagued a fair number of users. Hopefully this update will fix the problem.
The other Leopard-related update released today is Aperture 1.5.6 which improves reliability when recovering Aperture libraries from a Vault (Aperture’s backup files) on Leopard, as well as a few other small fixes.
The updates are available through Software Update or directly from the Apple site using the links above.
October 19th, 2007 by iDunzo
Mozilla released Firefox 220.127.116.11 late last night and it’s highly recommended that you upgrade your install right away because of a nice list of security fixes.
The following security issues were fixed:
- URIs with invalid %-encoding mishandled by Windows
- XPCNativeWrapper pollution using Script object
- Possible file stealing through sftp protocol
- XUL pages can hide the window titlebar
- File input focus stealing vulnerability
- Browser digest authentication request splitting
- onUnload Tailgating
- Crashes with evidence of memory corruption (rv:18.104.22.168)
Firefox 22.214.171.124 is also compatible with Mac OS X 10.5 (Leopard), although there are some known issues affecting some media plugins.