Wednesday, March 26, 2008

Is Apple Turning to Foistware Methods?

For the time being, I am stuck with Apple QuickTime on my laptop because the Kodak EasyShare software needs it. However, that doesn't mean I like QuickTime's persistence in adding itself to Startup. (Thank goodness for WinPatrol to control that!)

Apparently, my irritations with QuickTime are not the only issue with Apple software. The other day my friend Tashi reported highly critical new vulnerabilities in Apple Safari 3.1 for Windows, the browser that she quoted Apple as describing this way:
"Engineers designed Safari to be secure from day one"
It rather sounds as though the Apple engineers have a bit of a problem. However, there is more to this story than vulnerabilities. As Tashi reported in "What's Up Apple, I don't want Safari", Apple is using its Software Update program to push the not-so-"secure from day one" Safari browser on people. Is the Apple market share doing so poorly that they are resorting to foisting their software on their customers? Is Apple taking advantage of the years the security community has spent telling people to keep their software up-to-date, hoping unsuspecting customers will click Next > Next > Next?

Ed Bott said it best in What Microsoft can teach Apple about software updates:
"Companies that deliver network-connected software that contains potential security vulnerabilities have a responsibility to offer regular updates to repair those issues. The right way to do it involves these four principles:
  • Opt-in is the only way. The update process should be completely opt-in. The option to deliver software should never be preselected for the user.
  • Offer full disclosure. The software company has a responsibility to fully disclose what its software does, and the customer should make the opt-in decision only after being given complete details about how the update process works.
  • Offer updates only. Updates should be just that. They should apply only to software that the customer has already chosen to install.
  • Don't mix updates. Updates that are not critical should be delivered through a separate mechanism."
References:
  • Certified Bug
  • Ed Bott: What Microsoft can teach Apple about software updates

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Mozilla Firefox 2.0.0.13 Update

Firefox 2.0.0.13 has been released. The fixes noted below have been incorporated in the update. If you do not have auto-update turned on, select Help > Check for Updates. If you need assistance, additional instructions for updating Firefox are available from Mozilla.

Fixed in Firefox 2.0.0.13

MFSA 2008-19 XUL popup spoofing variant (cross-tab popups)
MFSA 2008-18 Java socket connection to any local port via LiveConnect
MFSA 2008-17 Privacy issue with SSL Client Authentication
MFSA 2008-16 HTTP Referrer spoofing with malformed URLs
MFSA 2008-15 Crashes with evidence of memory corruption (rv:1.8.1.13)
MFSA 2008-14 JavaScript privilege escalation and arbitrary code execution


Tuesday, March 25, 2008

The Best Firewall Software of 2008: Online Armor

Following a year-and-a-half-long study, Scot Finnie named Online Armor 2.1 the Best Firewall Software of 2008. Unfortunately, Windows Vista users will have to wait a while longer. As far as I can tell, Tall Emu has not yet released a Windows Vista-compatible version of the firewall.

See Scot's report at The Best Firewall Software of 2008: Online Armor. References are provided below for Online Armor help and Matousec's latest report.

References:

Matousec Personal Firewall Leak Test Results
Online Armor Help Center
Online Armor Support Forums
The Best Firewall Software of 2008: Online Armor


Friday, March 21, 2008

Microsoft Security Advisory (950627) Released

Microsoft released Security Advisory 950627 - Vulnerability in Microsoft Jet Database Engine (Jet) Could Allow Remote Code Execution - on 21 March 2008.

Microsoft is investigating new public reports of a vulnerability in Microsoft Jet Database Engine. Customers running Windows Server 2003 Service Pack 2, Windows Vista, and Windows Vista Service Pack 1 are not vulnerable to the buffer overrun being attacked, as they include a version of the Microsoft Jet Database Engine that is not vulnerable to this issue.

At this time, Microsoft is aware of very limited, targeted attacks that use this vulnerability and is investigating the public reports and customer impact.

Anyone believed to have been affected can reach support online at this location:
http://www.microsoft.com/protect/support/default.mspx

Those in the United States can contact Customer Service and Support (CSS) at no charge using the PC Safety hotline at 1-866-PCSAFETY.
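Before relying on the "not vulnerable" statement above, a practitioner will want to see which Jet engine build a given machine actually carries. The PowerShell below is an added example written for this page, not code from Microsoft or the advisory: it reports the file version of msjet40.dll (the Jet 4.0 engine binary, found in System32 and, on 64-bit Windows, SysWOW64) and flags it against a minimum version you supply. Which build counts as not vulnerable is stated by the advisory, not by this page, so that threshold is a parameter here rather than a hard-coded value.

```powershell
# Added example (not from Microsoft or the advisory). Reports the installed
# Jet 4.0 engine (msjet40.dll) version and compares it with a minimum version
# supplied by the caller. The DLL name and locations are well known; the
# "safe" version is NOT taken from this page and must come from the advisory.
function Get-JetEngineVersion {
    $candidates = @(
        (Join-Path $env:SystemRoot 'System32\msjet40.dll'),
        (Join-Path $env:SystemRoot 'SysWOW64\msjet40.dll')   # 32-bit copy on 64-bit Windows
    )
    foreach ($path in $candidates) {
        if (Test-Path -LiteralPath $path) {
            $info = (Get-Item -LiteralPath $path).VersionInfo
            # Build a comparable System.Version from the numeric parts rather than
            # parsing the FileVersion string, which may carry a trailing build tag.
            $ver = New-Object System.Version -ArgumentList $info.FileMajorPart, $info.FileMinorPart, $info.FileBuildPart, $info.FilePrivatePart
            New-Object PSObject -Property @{ Path = $path; FileVersion = $ver }
        }
    }
}

function Test-JetEngineVersion {
    param(
        # Lowest build the advisory lists as not vulnerable (assumed input; take it from the advisory).
        [Parameter(Mandatory = $true)] [Version] $MinimumSafeVersion
    )
    $found = @(Get-JetEngineVersion)
    if ($found.Count -eq 0) {
        Write-Warning 'msjet40.dll not found; the Jet 4.0 engine does not appear to be installed.'
        return
    }
    foreach ($entry in $found) {
        New-Object PSObject -Property @{
            Path        = $entry.Path
            FileVersion = $entry.FileVersion
            Vulnerable  = ($entry.FileVersion -lt $MinimumSafeVersion)
        }
    }
}

# Usage (the threshold shown is a placeholder, not a value from the advisory):
# Test-JetEngineVersion -MinimumSafeVersion '4.0.0.0' | Format-Table -AutoSize
```

Run it on the machine in question and compare the reported FileVersion with the build the advisory names; the Vulnerable column is only as good as the threshold you pass in.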


WinPatrol Plus Easter Discount!

Easter greetings to all WinPatrol users! Bill Pytlovany is offering a $10.00 discount to anyone who upgrades to WinPatrol Plus this Easter weekend.

What advantages are there to WinPatrol Plus?
  • Complete access to the WinPatrol PLUS Knowledgebase

    Within WinPatrol, click the "PLUS Info..." button and connect to the WinPatrol online database for information on the program in question. Descriptions are in "plain speak" not "geek speak" and generally include links and program tips that might be useful.
  • Real-time Infiltration Detection (R.I.D.)

    R.I.D. was developed by BillP Studios to provide immediate detection of newly installed programs. This technology allows real-time detection without impacting system performance.
  • Provide support for further development

    For a one-time subscription fee, provide support for the future of exceptional software, compatible with all versions of Microsoft Windows from Windows 95 through and including Windows Vista.
Take advantage of the special $10.00 Easter weekend discount today. Go to the BillP Studios Order Center and use the Coupon Code Pysanky when placing your order.

Note to PayPal customers: Please send an e-mail to BillP Studios at support@winpatrol.com and provide your license information to receive the $10 rebate.

Tuesday, March 18, 2008

Windows Vista SP 1 Released To The Public

It is official! Windows Vista Service Pack 1 (SP1) was released to Windows Update and to the Download Center on microsoft.com today. Note that this release only includes the English, French, Spanish, German and Japanese versions.

In mid-April, Windows Vista SP1 will be released to Windows Vista customers who have chosen to have updates downloaded automatically. That version will be a much smaller download, advisable for people with only one computer to update or on a dial-up connection.

Note that you will need to have the prerequisite updates installed before you can install SP1.


Edit: 19Mar08

Although the announcement indicated that SP1 would be released in mid-April to customers who have chosen to have updates downloaded automatically, apparently this has changed. Either that, or customers with different update settings (i.e., notify me and let me decide, as I have) started receiving the SP1 install offer via Automatic Updates last evening.

I received it today. Being on dial-up, the 69.8 MB download is taking quite a while. I will likely have to leave it running when I head off to bed and see how it does on its own.

For more information on what to expect, see Ed Bott's writeup: Want Vista SP1? Here’s what to expect. In particular, note the link to the Microsoft dedicated support page for Windows Vista SP1.


Friday, March 14, 2008

E-Filing Your Tax Return?

The income tax filing deadline in the U.S. is rapidly approaching. As more families start using their home computers to E-file their tax returns, it is vitally important to keep some security basics in mind. In the wrong hands, the information contained in your tax return could easily result in identity theft.

Microsoft has published some steps to help avoid online tax fraud. If you are planning on E-filing your tax return, please do not take any chances. In the event you suspect you are a victim of tax fraud or identity theft, get help right away.


Tuesday, March 11, 2008

Microsoft Security Bulletin Summary for March 2008

Microsoft is releasing the following four new security bulletins for newly discovered vulnerabilities:

Bulletin Number: MS08-014
Maximum Severity: Critical
Affected Products: Microsoft Office.
Impact: Remote Code Execution


Bulletin Number: MS08-015
Maximum Severity: Critical
Affected Products: Microsoft Office.
Impact: Remote Code Execution


Bulletin Number: MS08-016
Maximum Severity: Critical
Affected Products: Microsoft Office.
Impact: Remote Code Execution


Bulletin Number: MS08-017
Maximum Severity: Critical
Affected Products: Microsoft Office Web Components.
Impact: Remote Code Execution


Thursday, March 06, 2008

Sun Java SE Update 5 (And another Toolbar)

Sun has released Update 5 for Java SE. Although I do not have Java installed on my home computer, I have updated the widely used tutorial, SunFlowers and SunJava Update.

I learned from the owner of Montana Menagerie.org that caution is needed if you don't want the Google Toolbar version. The link that I provide is Sun Microsystems' download link and apparently does not include the Google Toolbar. However, the downloads from Java.com come with this extra (see Edit Notes below):

Image from Montana Menagerie.org

Is it any wonder the download is now over 15 MB?

How much money are Google, Yahoo, Ask, etc. paying vendors to include a toolbar? We know from Bill Pytlovany that the revenue is significant -- enough that he would have been able to retire comfortably by the end of the year. If you've followed Bill for any length of time, you know it would take a lot of money to reach that "comfortable stage".

See the topic at Montana Menagerie.org

Edit Note 3/8/08:
As indicated in the comments to this blog posting, an update has been posted by evilfantasy in the topic at Montana Menagerie.org. Unfortunately, Blogger comments do not accommodate long URLs very well. To see the update: --> Update <--

Edit Note 3/11/08:
A friend sent me a link to an explanatory blog post going back to 2005 which discusses Sun's agreement with Google to include the Google Toolbar with consumer Java SE downloads from java.com.

As indicated in Dave's comments, he has not been offered the toolbar, as I have heard others say as well. I have no explanation as to what the installer is finding on the machines where it is not offered, and I continue to encourage people to use only the offline installation from Java SE Downloads. Along with that recommendation is the reminder to read the installation windows rather than blindly clicking Next, Next, Next.

See:
Java SE and the Google Toolbar


Microsoft Security Bulletin Advance Notification for March 2008

With four new security bulletins scheduled for March 11, 2008, the anticipated security updates for March will be much lighter than they were in February. However, Windows Vista users should keep in mind the schedule for SP1 and check that all the prerequisites are installed.
  • In mid-March, Windows Vista SP1 (in English, French, Spanish, German and Japanese) will be released to Windows Update and to the Download Center on microsoft.com.
  • In mid-April, Windows Vista SP1 will be released to Windows Vista customers who have chosen to have updates downloaded automatically.
  • In April, the remaining languages will be released to manufacturing (RTM).
Three of the scheduled updates for March are for remote code execution vulnerabilities in Microsoft Office. The fourth is also remote code execution, but for Microsoft Office Web Components.


Saturday, March 01, 2008

Grisoft/AVG Version 8 Includes Yahoo Search Bar

Grisoft, now AVG, has released version 8.0 of its security software for licensed subscribers only. The "free for personal use" versions have not been updated yet. Included with the package of the licensed (read "pay for use") software is the Yahoo search bar.

Granted, the Yahoo search bar does not have the same questionable reputation as the Ask toolbar. However, what message is AVG sending when their newly released Version 8 product includes the search bar pre-checked and disguised as a "Security Toolbar"?



To make matters worse, the reports indicate the toolbar is installed even when the option to include the toolbar is UNchecked.


Discussion in some communities is suggesting that the Yahoo search bar is easy to uninstall. In my opinion, that is already too late. Depending on the package home subscribers purchase, the cost goes from $35 to $55 (USD). That means that AVG receives not only the price of the subscription but also the fee from Yahoo for each installation, all at the cost to the subscriber.

What happened to integrity?


(Hat Tip to Wilders thread by JonPaulOnLine)
