Pavlov Scope

2006 July 3

Now this guy gets around…

Filed under: Pers — FreyGuy @ 16:44:31

He seems to be on a quest to visit every country on the planet. Found him while I was checking out a directory of other sites hosted by my ISP. This video leaves me with a very positive feeling for some reason.

_____________________________________________________________
KevFrey

kevfrey@gmail.com
. . . . . .. . . . . .

Abbreviation and acronyms – the first indications of acceptance.

2006 June 2

Firefox 1.5.0.4 updates - Extensions - 1.0 discontinued

Filed under: IT, ITSec — FreyGuy @ 14:51:30

Firefox just released another update – 1.5.0.4. You can read the technical Firefox release notes for 1.5.0.4 for more information, but the fixes listed are primarily secure-browsing type updates. You should have already been prompted to upgrade if you actively use Firefox, so this is probably old news for you.

Something that is important if you run extensions, and that isn’t completely automatic yet: an upgrade like this is a good time to check for updated extension versions. To do that, choose Tools-Extensions from the drop down menu. Then choose the "Find Updates" button at the bottom of the resulting window. This polls the extensions for new updates and displays a list if any updates are found. Always a good idea to upgrade those as you go. I’m a big fan of NoScript (currently at v1.1.4.1), AdBlock, and Fasterfox – but there are a ton of others, so just keep in mind that those need to be upgraded/updated routinely as well (like any other software) for compatibility and security reasons.

Also, please be aware that they have discontinued the v1.0 version of Firefox, so if you are one of those "holdouts" that hasn’t upgraded to 1.5.0.x yet, please do so immediately.

_____________________________________________________________
KevFrey

kevfrey@gmail.com
.     .    .   .  . .. .  .   .    .     .

"If you want to tell people the truth, make them laugh, otherwise they’ll kill you."
- Oscar Wilde

2006 May 30

If Squarepusher beatboxed…

Filed under: Music — FreyGuy @ 12:02:31

2006 May 26

Windows Quicktime and Apple Security updates

Filed under: ITSec — FreyGuy @ 15:30:31

Apple has released two sets of new security updates.

1)
Affecting both Windows (2000 and XP) and Mac OSX users, a new Quicktime flaw has been resolved in version 7.1 as an update. Windows users who have not installed Quicktime or iTunes need not apply this fix. The Apple advisory describes the details and includes a download link to the updated software. Windows users will need to manually apply this update, but if Mac OSX users have automatic Software Updates enabled in their preferences they should automatically be prompted for this installation. Doesn’t hurt to double check in your updates program, since the fix prevents local access to your computer through this vulnerability.

2)
Affecting Mac OSX users – A big list of fixes has been released in Apple’s third major patch deployment of the year. The list is available here. As above, if you have automatic updates enabled, you should have already been prompted. If not, please check your updates program to ensure that these updates are applied – they are critical fixes. The Apple Download page has the latest updates available (both sets of fixes were released 05/11/2006).

_____________________________________________________________
KevFrey

kevfrey@gmail.com
.     .    .   .  . .. .  .   .    .     .
"For a list of all the ways technology has failed to improve the quality of life, please press three."
- Alice Kahn

Microsoft Word 0-day flaw = Bad news

Filed under: ITSec — FreyGuy @ 15:00:31

Several watchdog groups have reported that a flaw has been found in Microsoft Word (XP and 2003) and it is being actively exploited "in the wild." This doesn’t appear to affect the Mac versions of Office. Microsoft’s bulletin on the flaw is here. The flaw is intended to be fixed on the upcoming June 13th release of monthly fixes, but it might be issued sooner if larger-scale (more widespread) exploits arise.

This is a nasty flaw since it is related to email attachments and people generally trust Word docs. Don’t open any Word attachments until you have applied the forthcoming fix (unless you are expecting it from a known sender)! If a bad guy decides to couple this attack with collected, related address book email addresses, one could easily receive a message from a known sender but it could contain an exploited Word doc attachment, so be careful in all cases.

The trouble with patching this flaw is that Office XP users will probably need to have their installation media available to install the patch. This isn’t such a big deal in a home environment, but in an enterprise it presents the challenge of deploying patches to users that do not have Administrative rights to their PCs. Office 2003 does not seem to have this trouble.

Microsoft has issued a workaround procedure to assist users in protecting themselves from this flaw in the interim. Good news is that they have instructions for both home users and enterprise-focused administrators. Expand the "Workarounds…" section in the above listed link (there are several levels to expand using the plus "+" signs). In there you will find the workaround directions that best suit your situation. Domain administrators have been given a method for Group Policy deployment (GPO) for implementing the "safe mode" portion of the workaround. This is nice, but disabling the Outlook feature of using Word as an email editor is still a manual workaround according to Microsoft.

However, you should be able to enforce the Microsoft Word editor option using the Office Resource Kit’s Group Policy object to modify the Mail Editor settings accordingly (based on your environment). All you Admins out there: I haven’t experimented with this option myself, but it should do the trick… if concerned, try it out on a limited OU of test machines/users and let me know if you feel altruistic. Here is where the setting should be:

Outlook GroupPolicyObject

But I digress – If you choose not to open any Word attachments, you can safely "wait it out" for the patch to be released 2nd week of June.

_____________________________________________________________
KevFrey

kevfrey@gmail.com
.     .    .   .  . .. .  .   .    .     .
"The trouble with jogging is that the ice falls out of your glass."
- Martin Mull

WinAmp flaws Fixed

Filed under: ITSec, Pers, Music — FreyGuy @ 13:02:31

Greetings all; Just a quick one…

New flaws have been fixed by Nullsoft (list of fixes here) to resolve some apparently nasty issues in WinAmp. Additionally, many other fixes that resolve some operational issues with the software have been implemented which should help the overall user experience (few crashes, odd behavior, etc.).

If you use Winamp, please update it to v5.22.

_____________________________________________________________
KevFrey

kevfrey@gmail.com
.     .    .   .  . .. .  .   .    .     .
“Strange as it seems, no amount of learning can cure stupidity, and higher education positively fortifies it.”
- Stephen Vizinczey

2006 May 3

Louis Rukeyser passes away

Filed under: Pers — FreyGuy @ 19:15:31

For years, my wife and I watched Wall $treet Week on Friday evenings. Although that sounds like a laughably dry way to spend Friday nights with a loved one, for those that don’t know he was a very entertaining fellow. We looked forward to the 30 uninterrupted minutes of his wit and subtle puns on the weekly PBS show and he always put us in a good mood. Being that we often do the bills on the weekend (as I imagine millions of other Americans do too), he would make it less of a chore and more of an opportunity through his light-hearted framing of money matters.

When PBS gave him a very bitter pill to swallow, we applauded his move to CNBC and followed him over. And, we applauded CNBC for retaining that no interruption, low key format with which fans and viewers fell in love.

We mourn the loss of a straight-shooter who was out to make sense of big economic ideas for the layman. I, for one, will miss him.

Rukeyser’s Wikipedia entry

_____________________________________________________________
KevFrey

kevfrey@gmail.com
.     .    .   .  . .. .  .   .    .     .
“Sometimes I think we’re alone. Sometimes I think we’re not. In either case, the thought is staggering.”
-R. Buckminster Fuller

2006 May 2

Firefox 1.5.0.3 is out

Filed under: ITSec — FreyGuy @ 19:40:31

Hiya; My Firefox just prompted me to download and install the 1.5.0.3 update. Last week I reported that the Mozilla team had developed a fix, so it was soon to be released. Now, that fix is out in the patch 1.5.0.3. So, please install it when prompted by Firefox – or if you are not prompted, go download it here: Firefox Download

Additionally – More bad news about IE: Just today (2006-May-02), security researchers have found YET ANOTHER new flaw.

Ugh. Microsoft is burning up my OT.

_____________________________________________________________
KevFrey

kevfrey@gmail.com
.     .    .   .  . .. .  .   .    .     .

“[It’s] time for the human race to enter the solar system.”
- Dan Quayle

2006 April 28

And it just keeps coming

Filed under: ITSec — FreyGuy @ 16:44:30

First off, the patches to fix the flaw from two weeks ago were flawed themselves in that some machines had problems either during shutdown immediately after patch installation or afterward due to a compatibility problem with certain third party software.

The former I experienced on Windows 2000-based workstations – After the patch was installed and the machine was restarted, the restart process hung during shutdown (“Shutting down Windows….”). A hard power cycle was required to get through it, but then everything seemed fine on the machines after that.

The latter I have not encountered myself, but appears to be related to certain HP-based software (for things like CD burners, certain printers/scanners, etc.) and certain Nvidia video drivers.

A “patch for the patch” was released last Tuesday (2006-Apr-25) and I have deployed it in my test environment successfully. I have not seen any reports of issues related to the new version of the software (that doesn’t mean there aren’t any, but they are not widespread if there are some). If you run Automatic Updates on your computer, you should have already been prompted to install these updated updates. I know this gets confusing, but please bear with me (it gets worse, read on).

So, after you are all patched up – know now that there are ADDITIONAL zero-day flaws released this week that affect “fully patched” versions of Windows. There are two:

  1. One flaw is a bug in the way that IE handles image links, but it is tricky for a would-be attacker to take advantage of.
  2. The second flaw is like other critical flaws in IE, which does not require user interaction and can be exploited by simply browsing to a website that has been compromised with attack code – allowing the installation of the usual suspects (spyware, adware, viruses, rootkits, etc.). This flaw is more serious, and has been confirmed by security researchers and “proof-of-concept” code has been released publicly. This means, as you have probably read in previous blog entries of mine, that not-so-well-meaning attackers now have a template they can use to quickly develop ways to take advantage of this new, unpatched flaw. Aggravating this issue is that there is no workaround that I can advise you to put into place that will protect you; earlier flaws like this one are often mitigated by disabling ActiveScripting (JavaScript) in IE, but this flaw does not appear to need scripting to be exploited. There are no reported known sites using this flaw yet, but use Firefox or Opera for now – and I recommend making one of those two your “default browser” in Windows – Here is a nice, clean freeware program which will allow you to easily set your default browser.

Firefox is not untouchable, however – So please keep that in mind (nothing beats “safe” web browsing practices). I highly recommend the use of the NoScript extension for Firefox. This allows you to execute JavaScript for only certain websites, disallowing all others by default. This can result in some odd behavior on sites where JavaScript is disabled, so enable it only for sites that you trust.

But, I digress – Firefox has had its share of knocks recently as well. You must upgrade to 1.5.0.2 if you haven’t already. However, PC Magazine has reported the following:

1.5.0.2 – current patched-up version, allows remote code execution, but only through some user cooperation. The Firefox development team is working on a patch.
The problem happens when non-image content is presented in an IMG tag. It will appear to the user as a broken image link. If the user right-clicks and chooses the View Image option, the file will be downloaded and, if the type is in the Firefox bypass list, executed.

In other words, one must interact with a “dead image link” directly by right clicking and executing it (if it is in the list of automatic programs to execute like a movie file or an acrobat file, etc.). This isn’t a terribly serious bug, but it could be what we in the security community call a “vector of attack” into your computer. The good news is that the Mozilla developers have already alleviated the bug, but it has not yet been incorporated into a public release (that will surely be soon to come).

Mac OSX continues to be a larger target, perhaps because more people are using Macs now or perhaps because the underlying operating programming code changed from older Macs to a Unix-based system. Whatever the reason, a new set of flaws has been found in OSX by a security researcher named Tom Ferris. These flaws are also unpatched, but expect to see them soon via the auto update feature of OSX if you run it. Stay vigilant.

A bit of interesting Microsoft news is that not only are they seemingly gearing up to get into the anti-malware business (after years of promises to business partners in those sectors that they would not), a new version of their “Desktop Search” program was released this week a little bit under-the-radar. Like Google Desktop (extremely popular and useful), Windows Desktop Search v2.6.5 “helps you find virtually anything on your PC or your networked drives including e-mail messages, calendar appointments, documents, and more. Searching your computer is now as fast and easy as searching the Web. After you install this item, you may have to restart your computer.” – Those are Microsoft’s words via the corporate Update tool that we use to deploy new patches (WSUS – see my recommendation for those interested). This isn’t groundbreaking stuff, but just another battle in the war between Google and Microsoft.

My upcoming travel fyi: I am headed out to SoCal on May 14 – 18. I am in D.C. for the Gartner IT Security conference, and then in Frankfurt, Deutschland consulting with a sister division later in June (Hi Mr. Bhatti!). Let me know if any of you will be “in town” on those dates/places and we can try to get together.


Update, reboot, lock down, be safe.

_____________________________________________________________
KevFrey

kevfrey@gmail.com
.     .    .   .  . .. .  .   .    .     .
 False humility is among the worst of human lies.

2006 April 11

Patch Tuesday, 2006-April - As Expected, Microsoft rolls out the IE patch

Filed under: ITSec — FreyGuy @ 17:26:30

Hi all;

Sorry I’ve been away recently – Lots of confidential security breach discoveries going on at work which have been keeping me swamped.

Along with other patches in this “Patch Tuesday” deployment, Microsoft has deployed the fix for the recently disclosed flaw that was allowing spyware and other malware authors to bypass system security, install devious software, eavesdrop on passwords/account numbers/etc. and in general cause trouble.

As usual, I will test them out in the test base and confirm here once installation is confirmed OK and operational.

ComputerWorld article here.

Also, about a week ago, Apple released additional fixes for OSX that Mac users will want to download and install (if the system didn’t already prompt you to update automatically).
More info here.

Administrative Note: As a side note, take a look at the “Subscribe” link at the top right of this page. It allows you to subscribe to this blog and receive an email every time I update this page. If interested, simply type in your email address and press the Subscribe button.

_____________________________________________________________
KevFrey

kevfrey@gmail.com
.     .    .   .  . .. .  .   .    .     .
 Abbreviation and acronyms – the first indications of acceptance.
