Microsoft security newsletters

Right now there are a total of 5 different security newsletters from Microsoft. Two for home users and three for geeks, uhh … I mean IT professionals.

If you’re a home user:
* The Microsoft Security Newsletter for Home Users — a bimonthly publication.
* The Microsoft Security Update — a monthly publication.

If you’re an IT type:

* The Microsoft Security Notification Service — a monthly newsletter
* The Microsoft Security Notification Service: Comprehensive Version — same as the one above but it includes modifications to previously published notices.
* The Microsoft Security Newsletter — published monthly

If you have a Microsoft Passport you can sign up for these at the Passport subscription center. If you don’t have a Microsoft Passport you can sign up for one here.

You can also sign up for the Security Notification Service without a Passport. Go here to do that.


Outlook security vulnerability

Update, March 10, 2004 — Microsoft has revised this, increasing the severity to Critical and removing references to Outlook Today. See the Microsoft Office Security Bulletin for March, 2004.

Secunia has published this advisory affecting Outlook 2002 Service Pack 2, a component of Office XP Service Pack 2. Office 2000 SP3, Office XP and Outlook 2002 SP3, Office 2003 and Outlook 2003 are not vulnerable.

In a nutshell, if Outlook Today is your default folder home page in Outlook, you’re exposed. Opening a malicious email or visiting a malicious web site is all that’s required to infect you. At that point your files are exposed. The easiest workaround is to change your default folder. The other alternative is to download and install Office 2000 Service Pack 3.


Email freedom

Mike Langberg is a columnist for the San Jose Mercury News. He has a pretty good article in today’s edition that recommends some ways for you to keep from having to send change of address messages to your friends when you change ISPs. It’s pretty simple, actually — it all comes down to separating your email address from your ISP. He recommends a couple of services. Listed from cheapest to most expensive, they are Mailblocks, OddPost and eOutlook.

I got a Mailblocks account last year when they launched and it’s pretty good. OddPost is interesting, too, but the one that really catches my attention is eOutlook. This is Outlook on the web. And on top of that familiar interface, they also back up your email.

For my part, I also like Fastmail.fm and Mailshell. My home email account, though, is with a UNIX shell access provider that I’ve been with for probably 10 years. I just can’t seem to break myself away from UNIX as my base system — it gives me a lot of flexibility that you just can’t get (yet) any other way. Having my email on the UNIX account in combination with storing important and related files there gives me access to many of the things I need regardless of whether I’m at home or on the road. And having it all on the same server means that I’m not restricted when I’m on a dial-up connection. I can log in to the shell account with a terminal client, do my email, save attachments locally to the UNIX system, edit files and forward them off to others without having to wait for them to download or upload. And when I’m on a speedy connection I can get to everything (including my files) with IMAP or, heck, even run X11 clients on the UNIX system against my laptop — the choice is mine.

Some email providers, like Fastmail, have a file storage option but if you use IMAP you’ve got the same capability (assuming your client and your provider implement the proper IMAP functions) — just create some new IMAP folders on your provider and drag your files there. What they don’t provide is the rest of the UNIX functionality. Like what? Well, sometimes I’ll come across a site that I just can’t get to from my laptop. I can traceroute or use the command-line browser Lynx to bring the site up on my shell account. May be too geeky for some of you but I find the additional capabilities worth the money I pay.

Looking for a low-cost shell provider? Check out FreeShell.


Don’t reuse

From the March 4, 2004 Windows Client Update:

If you’re tired of clicking URLs in email messages or applications only to have the resulting window take over the Microsoft Internet Explorer (IE) browser you’re currently using, try this simple registry edit. It will enable a new browser window to open and won’t affect the current browser window.

1. Launch a registry editor in Windows XP or Windows 2000.
2. Open the HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\AllowWindowReuse subkey.
3. Set the subkey’s value of type REG_DWORD to 0.
4. Exit the registry editor.
5. Log off, then log back on to activate the change.


D-Link DI-624 802.11g with WPA-PSK

A WPA story.

I got a D-Link DI-624 802.11g wireless router and a D-Link DWL-G650 card a few months ago. Good price and it runs the Atheros chipset which bonds two channels together to give a max bandwidth of 108Mbps. Supposedly WPA support was available in the router firmware but I could never get it to work. Then, last week, D-Link released firmware revision 2.36. A few people reported on their installs on the D-Link forum on Broadband Reports and, at the time I read them, things didn’t seem too bad. I installed it and it was a disaster! Reboots, disconnects and lost connections and I hadn’t even enabled WPA. So, I backed it off and things still didn’t come around until I’d done about 3 reboots of my laptop. D-Link removed the firmware from their site.

OK, I backed off and decided to wait. Just a few days ago, D-Link posted version 2.37. Good reports in the forums so, after about 24 hours, I installed it. Last night. Before I went to bed. From the wired computer. And then I went to bed.

Got up this morning and the router hadn’t rebooted all night. A good sign as it was rebooting every few minutes on 2.36. So, I connected my wireless laptop. No problems. Ran most of the morning and still no problems. OK, deep breath, take a System Restore point (that was the only thing that rescued me the last time I installed the WPA update). Run InstallWatch so I can see what’s changed on my system and install the WPA update. Things continue to run OK in WEP so I decide to enable WPA-PSK on the router and on the laptop.

Voila!


Couple of MP3 tools that might be interesting

I’ve been using J. River’s Media Center since, oh, I dunno, maybe version 7. It was called Media Jukebox then, I think. Version 10’s in beta now and I’m very pleased with it. There are a lot of free media managers and taggers out there and I’m always looking. Two that have recently come to my attention are The Godfather and Media Tagger. Doesn’t look like either of them maintains a database like the J. River products but they still look like they can be handy.

Two others that I’ve looked at and am pretty happy with are ID3-TagIT and Mp3 Book Helper.


WinXP SP2, boiled down

Got this abbreviated rundown of what’s in SP2 from a friend. He distilled this from the various documents available from this Microsoft page.

The overview White Paper seems to have the most useful info in the least amount of bytes. Major tightening on:
* Firewall (ICF beefed up quite a bit, but still no outgoing protection like ZA does.)
* RPC – but Firewall has to be on to enforce
* DCOM – better protection from non-authenticated admins
* Lot of safeguards/detection on buffer overruns, other memory protection (enabling hardware protection on Itanium & AMD K8)
* Outlook Express gets most of the Outlook security enhancements (images, HTML, application execution, etc.)
* IE adds a lot of new controls (all URL objects similar to ActiveX controls, no cached scriptable objects, block pop-ups, stop scripts from moving/resizing windows, etc.)
* DirectX and Media Player 9 locked down – details for that in a doc I have not read yet
* Alerter and Messenger services OFF by default


Mozilla cross-site scripting vulnerability

I’ve been taken to task on occasion for only reporting Windows issues. Well, the fact is, that’s what concerns me the most. But this Secunia advisory got my attention because I use Mozilla (well, Firefox) a lot. Not to the exclusion of IE but a lot.

The flaw’s supposedly caused by a race condition which will allow a script from a previous page to be executed in the current page’s context. It’s supposed to be fixed in V1.6b of the Mozilla Suite.

I notice that the Mozilla site doesn’t say anything about the flaw or its resolution and the current full Win32 download is tagged as being version 1.6 (note, no “b”). Matter of fact, 1.6b was released BEFORE the current release, back in December. The bug was reported on December 2 and a fix was submitted on the 3rd but there was a lot of discussion in the bug report about whether it should be “revealed” until all versions are fixed. Then, on Feb. 25, they finally say it’s fixed and we get the security alert. Isn’t that backward? Aren’t we supposed to know about these things earlier?

(OK, Chuck, you happy now?)
