Uncategorized

Saw this on one of the Office (? — yeah, weird, I know) web sites. At this URL, Apple let’s you create an RSS feed to see new releases, top tunes, etc of the genres you specify.

Current issue of Woody’s Windows Watch talks about the FUBAR stuff that MS04-004 has caused a number of people. MS04-004 is the one that removes the ability to include username and password in the URL field and has apparently broken a number of applications and sites. So, MS has released an update to the patch, MSKB 831167. The symptoms are described as follows:

Programs that use Wininet functions to post data (such as a user name or a password) to a Web server retry the POST request with a blank header if the Web server closes (or resets) the initial connection request.

For example, when you submit your user name and password to an SSL-secured Web site by using a form on a HTTPS Web page, Microsoft Internet Explorer may not resend this information to the Web server if the initial connection is closed (or reset).

I like knowing what my system’s doing. Bandwidth utilization, processor and page usage, that kinda stuff. I’ve been using CoolMon from ArsWare for a really long time … like more than a year. But it’s had a couple of bugs that bother me. Not significant problems, just little nuisance ones. Well, last week I came across Serious Samurize and, I’ve gotta tell ya … WOO HOO! It has built-in access to quite a few counters but also gives you access to perfmon counters and WMI stats and plug-ins PLUS console-based programs and VB scripts. You can render things as graphs (line, pie chart, histogram, etc) and/or as text. Comes with a configuration editor that’s very intuitive. It’s donation-ware (free but they ask for a donation) and well worth whatever you wanna throw at ’em. I’m a convert.

Today the BBC published one of the most worthless articles on a Windows XP vulnerability (here). Also on the “nearly worthless” list was this one from US-CERT (although it contained quite a bit more technical information). Far and away the best one, though, is this one from Secunia, at least IMHO. Secunia tells you that Kerberos and NTLMv2 authentication can trigger the vulnerability.

Very nearly as scary, at least if you’re running a server, is this WINS vulnerability as reported by Secunia.

Update:

OK, I take it back. The US-CERT Technical Alert gives a good technical overview of the ASN.1 vulnerability, adding SSL and TLS to the list (NTLMv2 and Kerberos) that trigger it.

MS04-004 is a cumulative security update (Microsoft KB832894) which addresses 3 issues:

* A cross-site scripting issue
* a drag-and-drop DHTML vulnerability and
* an incorrect parsing of URLs.

It also makes URLs of the form http://username:password@site/something-else invalid. Note that URLs of that form are acceptable according to the W3C and is a shorthand way of specifying an unencrypted username/password pair.

This bulletin replaces MS03-048.

Imagine having a truly state-of-the-art firewall. One that’s recognized as being one of the best around. How would you feel if you found out that it was susceptible to penetration? You should feel better about things. Know why? Cause nothing’s truly secure. And knowing about the vulnerability is better than not knowing. What you should care about is how quickly your vendor responds to vulnerabilities.

OK, so, US-CERT’s reported this vulnerability in Check Point’s Firewall-1 NG with Application Intelligence which allows an attacker to penetrate by attacking in a particular way. The good news? Check Point’s already got a fix.

V7#3 of Woody’s Windows Watch offers some very good insight into Secunia’s Internet Explorer File Download Extension Spoofing advisory. None of the information in the Woody’s Watch article is really new but it explains things in ways that helps one (me, in particular) understand the exposures a little better.

(If that link to the Woody’s Watch article doesn’t work yet, try this one and if it still doesn’t work, try again in a few hours — I just got the email newsletter and there’s sometimes a lag before the newsletter makes it on to his website.)

The long and short of Woody’s article: NEVER use “Open” when you’re downloading a file, ALWAYS use “Save”, even if you think you’re an expert on these things. And if you’re reading email and there’s an attachment, even if it looks benign (“no, that’s not an executable, it’s a PDF”), it might not be — check to make sure that the sender actually sent you the email and included the attachment. And, again, don’t “Open” the attachment, “Save” it and make sure it’s what you think it is.

Take a look at this. A combination wireless spycam and AM/FM Clock Radio from TigerDirect.

Supposedly, XP SP2 will give you the ability to have one user logged in locally and one user logged in remotely, over Remote Desktop. According to this FAQ from Windows and .NET Magazine:

1. Start a registry editor (e.g., regedit.exe).
2. Navigate to the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal
Server\Licensing Core registry subkey.
3. From the Edit menu, select New, DWORD Value.
4. Enter the name EnableConcurrentSessions, then press Enter.
5. Double-click the new value, then set it to 1.

I’ll have to give it a try when I finally install a production version of SP2.

Did you know there’s a keyboard shortcut to move focus between the items in the system tray? There is. — Ctrl-Windows Logo Key-TAB will get you there and then you can use the Left and Right cursor keys to move between them, bringing up context menus or whatever you like.

Having been raised on keypunch machines, VT100s and 3270s, I’ve always fancied myself a keyboard kinda guy, priding myself on being able to just about anything with a keyboard on a contemporary Windows system. Well, I learned something from Microsoft KnowledgeBase article 126449, including that little gem I started with.