Digital Choke Daynotes
What's a Daynote? "Daynotes" are daily (usually) journal entries of interesting happenings and discussions. They are not 'blogs', which are often just a collection of links to other information (although we do include links occasionally). Daynotes are much more interesting (we hope). These "Digital Choke Daynotes" were inspired by the collection of daily journals of the "Daynotes Gang" (see sites at .com, .org, .net), a collection of daily technical and personal observations from the famous and others. That group started on September 29, 1999, and has grown to an interesting collection of individuals. Readers are invited and encouraged to visit those sites for other interesting daily journals. If you have comments, send us an email. A bit more about me is here. You might also enjoy our little story about the death of the 'net.
As we have said before, somewhere, Friday the 13th came on Monday this month. And, notice that the 'th' in the '13th' is not superscripted, even though this document was created on a computer. (Besides, I'm not smart enough to figger out how to superscript in html.)
Red alert! Sunday Friday, September 16th, is "International Talk Like a Pirate Day". Yes, a real, world-wide event. More details on the official "Talk Like a Pirate" web site here: http://www.talklikeapirate.com/ . Accept no substitutes. And you'll want to bookmark the Pirate Blog here: http://talklikeapirate.blogspot.com/ . Both sites, and all their links, are bound to take up a lot of your time.
Aarrrgh, matey!
A correction to the phone number to stop credit card numbers that I mentioned in the Tuesday post of last week. I left off the last numeral. The correct number is 888-567-8688 . Good only in the States, I'd bet. Thanks to Dan Seto. (By the way, you ought to visit Dan's site; good stuff. Even though we are all jealous of where he lives. You'll have to visit his site to figure out where.)
And if last week's posts seemed a bit sparse, there was really a full week's worth of posts there. It may be that the main index page had a wrong link even after I fixed it. I'm not admitting to anything, but I've got to have a serious talk with the quality control group here.
So, if you are like Nick H and missed a few days, skip over to last week and catch up. There was a post every day last week. (As opposed to this week...I'm already a day behind.)
Now, it's off to the local frozen yogurt place. Pam's in the mood for a treat. (No, not me, although that happens occasionally.)
It's the second Tuesday of the month, which means that it must be "Microsoft Patch Tuesday".
(Cue the responses from the "my Linux OS is safer than your Windows OS" and the "Get a Mac!" crowd. Although there are almost daily updates to various Linux OS and software.)
Microsoft released two patches today. One is for a buffer overrun when viewing JPEG images (common on many web pages). A "specially-crafted" JPEG will allow the attacker to control your computer (install programs, run commands, etc). The signed-on user would have to be "administrator" equivalent for the attack to succeed. Most single-user computers are set up as administrator-equivalent.
A Windows XP/SP2 system is not vulnerable to the jpeg buffer overrun. But since jpegs can be used in MS-Office applications, there are also some updates that should be applied if you have Office installed. You can go to the Windows Update site to get Office Updates. (The easiest way is via Windows Update on your Start, Programs menu, then look for "Office Updates").
There is a second patch for a similar problem with the WordPerfect 5.x conversion part of MS-Office. Not as critical as the first, but should be installed.
Since many applications can use jpeg image files, it's important to update your applications. Use Windows Update to get to the Office Update site (ok, it's here: http://office.microsoft.com/en-us/officeupdate/default.aspx), then hit the "Check for Updates" link and install whatever is recommended for your version of Office. (And it seems to me that I saw patches to fix the same problem on "open-source Office", but I can't find the link right now.)
I just tried it, and noticed a new "Office Update Engine" that needed to be installed. But the result is a list of all the updates you need to get installed.
Updates are good. Do it now. I'll wait.
In virus news, you might have read about the latest MyDoom virus variant. It has text inside where the virus authors advertise for a job in the anti-virus industry. Which made the Sunday cartoon from "User Friendly" pretty funny. (Good geeky cartoons there; it's a daily stop on my 'net travels.)
I read in the news about the Mauna Loa volcano in Hawaii. Seems that the volcano scientists think it's getting ready to erupt. Since that's in Dan Seto's neighborhood, he was kind enough to explain things for this "haolie". (Dan's place is another daily stop.)
And if you aren't reading Wil Wheaton's blog, you should. He's an excellent writer. Another daily stop.
A note about the MS Office updates (part of the patches Microsoft released yesterday). They usually require access to the Office CD in order to install the updates. But I tried it on one computer today, and even though the update process said that the Office CD might be needed, it wasn't. Not sure if that's a new policy, but it's a good thing.
I usually get around that problem by copying the Office CD to the C drive, then installing from there. Since the update process needs (apparently sometimes) access to the source of the install, this process doesn't require me to be able to find the original CD. The installation is faster, even when you count the time involved in copying the CD to the C drive. On a couple of systems, I've taken the time to uninstall a CD-based installation, then reinstall using the copy-and-install process. Makes updates much faster.
If you are using alternative browsers, you should be aware of this (full story on The Register's site):
"Mozilla released a series of security updates for its Firefox and Mozilla 1.7 browsers yesterday that resolve the first security vulnerabilities to come from the Mozilla Foundation's Security Bug Bounty Program. Its Thunderbird email client also needs patching for similar reasons.
"The total of 10 vulns discovered are described by security firm Secunia as "highly critical" - and with good reason. Attack scenarios opened up by the flaws include cross-site scripting attacks, access or modification of sensitive information and (in the worst case) the complete compromise of a user's system. Not good. Users are advised to upgrade to Mozilla 1.7.3, Firefox 1.0PR and Thunderbird 0.8 from earlier versions to protect themselves against attack."
Info about the vulnerabilities is here.
So, patch away. (Could that be related to what's happening on this Friday, matey?)
OK, let's see if I can get this straight.
"International Talk Like a Pirate Day" is on September 19, 2004. That's a Sunday. Lots of details on their website. There. That's right. I think.
Updated the web filtering software today. New version is a lot faster in how it logs access to the 'net. Need to do some minor tweaking of the rules and blocking categories. There are some new categories, including one for spyware. There do seem to be some duplicate categories, but I think that's related to keeping the old settings. I didn't have time to get too deep into it, but the blocking is working.
In posts a while back, I referenced the Spyware Warrior Rogue/Suspect Anti-Spyware Programs page. Got a nice note from them:
Hi - thanks for the mention and link to Spyware Warrior's Rogue/Suspect Anti-Spyware Programs page. It looks like there is an error in the URL in the link. The correct link is http://www.spywarewarrior.com/rogue_anti-spyware.htm . It looks like the "m" was cut off of "htm". I found your URL in my server error logs.
Somebody is paying attention there. I'll fix that link later, but wanted all my readers (yes, all three of you) to know.
I had sent an alert to Dr. Jerry Pournelle's site about vulns in Mozilla (here; scroll down a bit to get to it, although the other mail on that site is always interesting). That prompted a response from one of his readers, to which I replied:
Mr. Jim Mangles responded to my statement of "Nobody is exempt from security problems." with "It has to be said: ... except Mac and Linux users, by and large. " (Your Thursday mail this week.)
I stand by my statement, noting that:
1) Mozilla/Firefox/Thunderbird (all open-source programs "OSS") had vulnerability issues with handling of bmp images and other difficulties, which could allow the same type of 'let the hacker control your computer' problems. Updated versions of those programs were released. See the US-CERT Security alert issued today: http://www.us-cert.gov/cas/techalerts/TA04-261A.html . They recommend updating to current versions.
It is true that open-source-based software gets updated faster than Microsoft products. But I suspect that's because Microsoft does much more extensive testing of fixes than the open-source crowd. That's not to say that OSS does not test their fixes. I just think that OSS bug fixes happen faster because they don't test as much.
2) There is a lot of press (and "blogger", although I don't like that term either) coverage of how other browsers are taking away market share from IE. For instance, Walt Mossberg's Wall Street Journal column of Sept 16, 2004, where he says "I suggest dumping Microsoft's Internet Explorer, which has a history of security breaches. I recommend instead using Mozilla Firefox. It's not only more secure but also more modern and advanced, with tabbed browsing and a better pop-up ad blocker."
It may well be more advanced, although still in pre-release distribution. And the vuln list at Security Focus lists 12 issues with Firefox since 8/14/04 (one month).
3) OSS has its share of problems and bugs. A great source for looking for reported bugs is at www.securityfocus.com . Pick any product (OSS or not) and you will find problems, some more than others. Some of the vulnerability issues might be minor and obscure, but they are there. Even Xandros (based on Debian) has had buffer overflow problems with graphic images.
4) Updating OSS is not always easy; it is true that OSS is, as you state, "guru-friendly wizard full employment act". Here's a typical update instruction for OSS:
# emerge sync
# emerge -pv ">=media-libs/libpng-1.2.5-r8"
# emerge ">=media-libs/libpng-1.2.5-r8"
# revdep-rebuild
Yep, that's easy. And there are some better update processes available for OSS, but not all are as easy as Windows Update.
I am not saying that Windows products are better, or have good security. All software, OSS or not, will have security issues that must be addressed. I lock my door every time I leave the house. And I update my computers, no matter which OS is on them.
So, the mantra around here is (still) "update early, and often".
Advance warning: no post is scheduled for Saturday, but anticipate one for Sunday. (I know it will be difficult, but try to adjust to the missed day.)
By the by, you be practicing your pirate talk, matey. We'll be expecting y'ar report!
... more later ...