Sunday, September 30, 2007

Advance Notification of Security Updates for Java SE

Well, now, this is one blog post that is too important to put off. Thanks, Nellie2!

It seems that Sun Microsystems, Inc. is finally improving their update process. As announced last week:
"Sun Microsystems, Inc., is announcing two new Java SE security response features, each designed to strengthen the Java platform's position as one of the most widely used, secure software platforms available. The new features include Sun's synchronized release of Java SE security fixes, and advance customer notification of those releases. They are designed to complement Sun's existing Sun Alert notifications, as well as the built-in Java Auto Update tool for Microsoft Windows users, and build a foundation for additional Sun Connection services and a customized Java SE platform for production environments that are expected in 2008."
I have not been impressed with Sun Java and, in fact, have yet to install it on my new laptop. The "built-in Java Auto Update tool" has been a rather poor performer. Let's hope things are improving. See below for the first update schedule.

Advance Notification of Security Updates for Java SE:
"The following is our first advance notification of security updates for Java SE.

On the week of October 1, 2007, Sun will be releasing security updates with JDK and JRE 6 Update 3, JDK and JRE 5.0 Update 13, and SDK and JRE 1.4.2_16. This will be followed by the release of SDK and JRE 1.3.1_21 on the second week of October 2007.

This is Sun's first step towards the simultaneous release of security fixes across all supported Java SE release families. Sun expects to fully synchronize the release of security fixes across all supported releases, including J2SE 1.3.1 in 2008. Note that J2SE 1.3.1 has completed the Sun "End of Life" (EOL) process and is only supported for the Solaris Operating Environment and customers on Sun's Vintage Support Offering."



Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Windows Vista News

I just realized that this post has been in draft mode since last week! Yes, I have been busy with other tasks but I am determined to get this published today, just in case some of my regular readers may have missed the news.

DreamScene

The Windows Vista Teams have been busy in several arenas. In addition to the expected Tuesday update of Windows Defender definitions, I saw there was an optional Windows Update for Windows DreamScene. When I checked the Windows Ultimate Team blog, I discovered the announcement:
Windows DreamScene released! This updates the beta version of the Windows DreamScene Content released in March of this year.

Additional DreamScene desktop options are available at Dream.WinCustomize.com from Stardock, a Microsoft partner. Brandon LeBlanc provides A look at the Windows DreamScene Content Pack Favorites in the Windows Experience Blog.

Windows Vista Service Pack 1 (SP1)

The other exciting news is that Windows Vista SP1 was released to a private group of Beta testers via connect.microsoft.com. Brandon LeBlanc was busy again, this time with a review of SP1. See Experiencing Windows Vista Service Pack 1 Beta.





Friday, September 28, 2007

XP Repair and Windows Update Issues

As was reported in How Windows Update Keeps Itself Up-to-Date, Microsoft customers who use Windows Update received an update to the service. Unfortunately, this change has affected customers who repair their systems using a Windows XP CD. This method of repairing the system replaces all system files (including Windows Update) on the machine with older versions of those files and restores the registry.

The problem, as explained by Nate Clinton (Program Manager, Windows Update) is
"the latest version of Windows Update includes wups2.dll that was not originally present in Windows XP. Therefore, after the repair install of the OS, wups2.dll remains on the system but its registry entries are missing. This mismatch causes updates to fail installation."
If you are affected, contact Product Support Services. In the U.S. and Canada, help with security update issues or viruses can be obtained at no charge using the PC Safety line (1-866-PC-SAFETY). For locations outside the U.S. and Canada, go to http://support.microsoft.com/security for the number in your area.

See the blog post by the Windows Update Team and Microsoft Knowledge Base Articles:
  • KB 943144: Updates are not installed successfully from Windows Update, from Microsoft Update, or by using Automatic Updates after you repair a Windows XP installation
  • KB 916259: The Windows Update Web site and the Microsoft Update Web site do not scan for updates when you repair a failed installation of Windows XP Service Pack 2 or of Windows XP Service Pack 1





Sunday, September 23, 2007

WinPatrol News and Updates

I have been feeling very negligent because I have not provided Security Garden readers with information on the latest updates that Bill Pytlovany has made to WinPatrol. I am going to remedy that with this post.

The first change was the minor update earlier this month when version 12.0.2007.5 was released. For long-time WinPatrol users who missed the original Scotty icon in the system tray, this version includes a new option that allows you to select the original black Scotty icon.

Several days later, Bill provided an explanation of the WinPatrol feature for protecting file type associations. One of the most widely viewed pages here at Security Garden is the tutorial on recovering from the Ad-Watch setting that can kill .LNK and .EXE File Extensions. There are no such problems with WinPatrol. See Don't Change My File Type Associations and the follow-up post, Show File Types and Hidden Files.

Lastly, just announced today, is a New Win Patrol Plus Data Collection option being added to WinPatrol in order to increase the precision of the PLUS database. As Bill explains:

"To accomplish this, our new version (12.1.2007.5) will be collecting more data on requested programs. This is strictly information on the file and not the user. Typical data sent will include version, company name, install path, file date, file size and date detected. The results will be better detection of rootkits and other more devious attacks. It will also help detect outdated system files which may create unstable versions of Windows. (Something which has caused me grief recently)

This will be an “Opt-in” decision for both free and PLUS WinPatrol users. By default, this option will be off. By checking the option users give permission for their data to be used to improve our results.


Users can participate or not by downloading our newest version at http://www.winpatrol.com/download.html"

I don't suppose I need to tell you that I installed the latest version of WinPatrol, clicked the Options tab and checked the "Allow Plus Info data collection".



Thursday, September 20, 2007

How to fix Internet time sync

Although the time on my computers has always been correct, it appears many people have not been so fortunate. Ed Bott has posted instructions on How to fix Internet time sync. Like others, he has apparently not had success with the clock synchronized with time.windows.com and changes the location to one of the U.S. government servers.

With Windows Vista, it is easy to access Date and Time. Just click Start (the Vista Orb) and start typing "date and time". You will find it as the second selection after typing "da".





Tuesday, September 18, 2007

Firefox 2.0.0.7 Security Update, September 18, 2007

Mozilla released a security update for Firefox 2.0.0.7:
  • MFSA 2007-28 -- Code execution via QuickTime Media-link files
Updating manually, rather than waiting to be offered the update, is as easy as 1, 2, 3:

1. Select Help > Check for updates
2. Click Download & Install Now
3. Click Restart Firefox Now

Since it is that simple, why not do it now?



Saturday, September 15, 2007

Kodak Implodes Building 50

Earlier in the week I took my camera to work to catch a shot of Kodak Building 50 before it was imploded this morning. The picture below was taken from my office window. I annotated it to show the location of the former Building 9 that was imploded on June 30. In the distance is Kodak Office, about four miles south of this site.



Building 50 was built in 1918 and was a source for the paper that so many Kodak memories have been printed on the past 89 years. Although I did not go to the "event", my husband and I heard it from 4.5 miles away. The picture below of the dust cloud created as the 174,000 square foot Building 30 was becoming a memory was taken from the roof of the Research Laboratories. The complex was off limits this weekend to all but essential personnel and, obviously, the press.

Photograph by WILL YURMAN staff photographer,
Democrat and Chronicle.






ASAP - Alliance of Security Analysis Professionals

I have no doubt that regular readers of Security Garden have noticed the rather substantial slowdown in new posts. There are two reasons.

The first reason is the title of this post, ASAP (Alliance of Security Analysis Professionals). I have been spending a fair amount of my on-line time devoted to ASAP issues. There has been a rather substantial increase in member applications lately. In fact, two new sites were recently added to ASAP. This post provides a perfect opportunity to welcome both sites to ASAP.
Alphabetically, first comes AntiSlyware. AntiSlyware is the brain-child of fellow Microsoft MVP, Tom "Coyote" Wilson. Members of the security community know Tom and his many years of involvement. For those who don't know him, you can meet Tom here.

The other site admitted to ASAP is Smokey's Security Forums. Smokey's SF is celebrating their first anniversary. The site hosts and maintains all Jetico Inc. Official Support Forums (Jetico Personal Firewall, BestCrypt aso) and the Official Neoava Guard HIPS Support Forums. In addition, Smokey's SF provides HijackThis Log Analyzing & System Cleaning Services.
Congratulations and welcome to ASAP!

Now, what is the other reason for the sporadic posting here? Truthfully, my ISP has changed their TOS (terms of service), resulting in a substantially reduced number of hours of service provided. Granted, I could upgrade to a different level of service with the ISP. However, the price tag is almost as much as broadband. Yes, I am still on dialup. Unfortunately, there is little competition in my area for broadband services and the cost for cable access is over five times what I pay for dial-up, with DSL about triple. So, for the time being, I am conserving my on-line time or will find myself unable to connect before the month ends.

I must admit, after seven years with the same ISP, it is rather bittersweet thinking that I will need to move to a different service in order to continue providing the same level of help on the forums, here and the project on the back burner to revamp Windows Vista Bookmarks.





Thursday, September 13, 2007

Calling Students: The Ultimate Steal

That is right, "The Ultimate Steal" program is being extended by Microsoft from Australia to include students actively enrolled at eligible educational institutions in the U.S., Canada, U.K., Spain, Italy and France. Those students who can meet the requirements will be able to purchase Office Ultimate 2007 via the Web "for a steal". The package normally sells for $679 (USD) but will be available at the student price of $59.95 (USD).

Microsoft Office Ultimate includes Office Groove 2007 and Office OneNote 2007. The promotion is scheduled to run until April 30, 2008. Go to The Ultimate Steal to find out if you are eligible.


Tuesday, September 11, 2007

September 2007 Monthly Security Bulletin Release

Microsoft has released the following security bulletins:

Critical
  • MS07-051 -- Remote Code Execution Affecting Microsoft Windows 200

Important
  • MS07-052 -- Remote Code Execution Affecting Microsoft Visual Studio
  • MS07-053 -- Elevation of Privilege Affecting Windows Services for UNIX, Subsystem for UNIX-based Applications
  • MS07-054 -- Remote Code Execution affecting MSN Messenger, Windows Live Messenger

Thursday, September 06, 2007

MSRC Security Bulletin Release: Advance Notice, September 2007

On 11 September 2007, Microsoft is planning to release five new security bulletins, one critical and 4 important. Here is a summary in order of severity:

Critical:

Affected Products: Microsoft Windows
Impact: Remote Code Execution
Detection: MBSA

Important:

Affected Products: Microsoft Visual Studio
Impact: Remote Code Execution
Detection: MBSA & EST

Affected Products: Windows Services for UNIX, Subsystem for UNIX-based Applications
Impact: Elevation of Privilege
Detection: MBSA & EST

Affected Products: MSN Messenger, Windows Live Messenger
Impact: Remote Code Execution
Detection: These products provide built-in mechanisms for automatic detection and deployment of updates

Affected Products: Microsoft Windows, SharePoint Server
Impact: Elevation of Privilege
Detection: MBSA


Although Microsoft does not anticipate any changes, the number of bulletins, products affected, restart information and severities are subject to change until released.



