Archive for September, 2006

Third-party patch available for setSlice() vulnerability

Saturday, September 30th, 2006

Determina has released an unofficial patch for the Microsoft Internet Explorer [tag]WebViewFolderIcon[/tag] ActiveX vulnerability (also known as the [tag]setSlice()[/tag] vulnerability).  Download from [tag]Determina[/tag].

The patch can be applied to Windows XP, Windows 2003 Server and Windows 2000.

After applying the patch you can test that it works by visiting this test page.  Unpatched versions of Internet Explorer will crash.

Another day, another Internet Explorer vulnerability

Saturday, September 30th, 2006

UPDATE: Unofficial patch available from Determina.

--------------------------------------------------------------

More stuff to worry about.  This time it's another Internet Explorer vulnerability, known as [tag]setSlice()[/tag], which stems from a flaw in webvw.dll.  So far there's little in the way of info from Microsoft, but SANS has developed a tool that will disable the vulnerable component easily (download here).

Killbit webvw.dll

Setting a killbit means making a registry change so that Internet Explorer refuses to load the vulnerable ActiveX control from this DLL, even if a web page asks for it.

For those in the know about killbits, here are the CLSIDs on which the killbit is being set:

  • {844F4806-E8A8-11d2-9652-00C04FC30871}
  • {E5DF9D10-3B52-11D1-83E8-00A0C90DC849}
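For anyone who would rather set the killbit by hand than run the SANS tool, here is an added example (not code from the original post, from SANS or from Determina) of what that tool is doing. It relies on the documented killbit mechanism: a `Compatibility Flags` DWORD of 0x400 under `HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}`. The script sets that bit for the two CLSIDs listed above, leaves any other flag bits alone, and reads each entry back to confirm the change. The function names and the `$KILLBIT` variable are my own; run it from an elevated prompt.

```powershell
# Added example: set and verify the IE killbit for the two WebViewFolderIcon
# CLSIDs from the post. Registry path and the 0x400 value are the standard
# killbit mechanism; everything else here is illustrative.
$clsids = @(
    '{844F4806-E8A8-11d2-9652-00C04FC30871}',
    '{E5DF9D10-3B52-11D1-83E8-00A0C90DC849}'
)
$base    = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KILLBIT = 0x400   # bit that tells IE never to instantiate the control

function Set-KillBit {
    param([string]$Clsid)
    $key = Join-Path $base $Clsid
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    # Preserve flags that may already be present; only OR in the killbit.
    $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                 -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = [int]$existing -bor $KILLBIT
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
}

function Test-KillBit {
    param([string]$Clsid)
    $key = Join-Path $base $Clsid
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    return (([int]$flags -band $KILLBIT) -eq $KILLBIT)
}

foreach ($c in $clsids) {
    Set-KillBit $c
    if (Test-KillBit $c) {
        Write-Output "killbit set: $c"
    } else {
        Write-Warning "killbit NOT set: $c"
    }
}
```

Two things worth knowing before you run it: the killbit disables every use of the control, legitimate or not, so anything that depended on WebViewFolderIcon stops working until you clear the bit; and because the check in Test-KillBit reads the registry rather than trusting the write, it also serves as a quick audit that a machine patched by the SANS tool really has both entries in place.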

It seems that this exploit is being used extensively by hackers:

And this is so massively exploited, it makes VML look cute. There’s a rootkit, some other malware, and haxdor! (a phishing trojan horse)

Here is all Microsoft has to say at present:

Microsoft is investigating new public reports of limited “zero-day” attacks using a vulnerability in Microsoft PowerPoint 2000, Microsoft PowerPoint 2002, Microsoft Office PowerPoint 2003, Microsoft PowerPoint 2004 for Mac, and Microsoft PowerPoint v. X for Mac.

In order for this attack to be carried out, a user must first open a malicious PowerPoint file attached to an e-mail or otherwise provided to them by an attacker.

As a best practice, users should always exercise extreme caution when opening unsolicited attachments from both known and unknown sources. Microsoft has added detection to the Windows Live OneCare safety scanner for up-to-date removal of malicious software that attempts to exploit this vulnerability.

Take care out there.

ZERT comes out with unofficial patch for older Windows systems

Saturday, September 30th, 2006

Most of you will know that people running older operating systems like Windows 98, Windows 98 SE, Windows ME, Windows 2000 and Windows 2000 SP3 no longer get any patch love from Microsoft because they are out-of-support products.

However, [tag]Zeroday Emergency Response Team[/tag] ([tag]ZERT[/tag]) is offering [tag]VML[/tag]/[tag]vgx.dll[/tag] security patches for these outdated operating systems.  If you are running one of these, consider a patch like this as a little breathing space while you consider your alternatives.  Mixing old, unsupported operating systems and the Internet is a bad idea.

These unofficial (but highly effective) patches can be downloaded from ZERT.

Sony gives in and issues global battery recall

Friday, September 29th, 2006

Sony has done what I've been expecting it to do for a few weeks now - it has issued a global recall of all [tag]lithium-ion[/tag] ([tag]Li-Ion[/tag]) [tag]batteries[/tag] used in notebooks. 

With the Dell, Toshiba, Apple and Lenovo recalls, Sony was looking at replacing around 7 million batteries.  This recall is bound to dramatically increase that number.  This means that if you have a notebook that contains a Sony battery (and that's not something that's easy to spot) then you need to be on the lookout for a recall.  I'll post all the information that I find - if you find anything, feel free to drop me a note.

This is going to mean laptop troubles for a lot of people.  Bad news all round.

Should Microsoft delay releasing IE7 until after the Holidays?

Friday, September 29th, 2006

Interesting post on TechWeb:

Microsoft's decision to push Internet Explorer 7 to users with its Auto Updates mechanism will mean "inevitable" problems for Web sites during the critical holiday selling season, the chief executive of a Web services firm said Friday.
"I applaud what [tag]Microsoft[/tag]'s done with [tag]IE 7[/tag], and the browser works very well," said Richard Litofsky of Rockville, Md.-based cyScape. "But even the best software needs time to work out things once it's in the wild."

The automatic updating of most browsers -- [tag]Internet Explorer[/tag] controls 83 percent of the world's browser market according to the most recent data from Net Applications -- will stress Web sites' help desks like nothing before, Litofsky claimed.

"Virtually overnight all these sites are going to be running a whole new platform."

I don't think that Internet Explorer 7 should be delayed because the betas have been out for long enough and web vendors have had plenty of time to get their act together.  I predict that we're going to see an unprecedented increase in the number of phishing attacks and spoof emails over the Holidays this year and IE7 is going to play a vital part in protecting users from these threats (and protecting them from themselves). 

From the perspective of the end user, [tag]IE7[/tag] looks and feels very much like IE6 and I don't see the change putting people off using online retailers.  If they can't get along with IE7 then I have to wonder how they got along with [tag]IE6[/tag].