Is your computer ready for Vista?

Is your computer ready for Vista? Run these advisor’s to see if your pc is ready for Windows Vista.

http://www.microsoft.com/downloads/details.aspx?FamilyId=67240B76-3148-4E49-943D-4D9EA7F77730&displaylang=en

http://go.microsoft.com/fwlink/?linkid=65926&clcid=0×409

Life-Long Computer Skills

This excerpt is taken from useit.com

Jakob Nielsen’s Alertbox, February 26, 2007:

Summary:
Schools should teach deep, strategic computer insights that can’t be learned from reading a manual.

I recently saw a textbook used to teach computers in the third grade. One of the chapters (“The Big Calculator”) featured detailed instructions on how to format tables of numbers in Excel. All very good, except that the new Excel version features a complete user interface overhaul, in which the traditional command menus are replaced by a ribbon with a results-oriented UI.

Sadly, I had to tell the proud parents that their daughter’s education would be obsolete before she graduated from the third grade.

The problem, of course, is in tying education too tightly to specific software applications. Even if Microsoft hadn’t turned Excel inside out this year, they would surely have done so eventually. Updating instructional materials to teach Office 2007 isn’t the answer, because there will surely be another UI change before today’s third graders enter the workforce in 10 or 15 years — and even more before they retire in 2065.

There is some value in teaching kids skills they can apply immediately, while they’re still in school, but there’s more value in teaching them deeper concepts that will benefit them forever, regardless of changes in specific applications.

Teaching life-long computer skills in our schools offers further benefit in that it gives students insights that they’re unlikely to pick up on their own. In contrast, as software gets steadily easier to use, anyone will be able to figure out how to draw a pie chart. People will learn how to use features on their own, when they need them — and thus have the motivation to hunt for them. It’s the conceptual things that get endlessly deferred without the impetus of formal education.

Following are some general skills that I think we should teach in elementary school.

Continued at http://www.useit.com/alertbox/computer-skills.html

Mozilla Plugs 26 Security Holes in Firefox

Severity: Medium

23 February, 2007

Summary:

Late today, the Mozilla Foundation released updates fixing 26 security vulnerabilities in Firefox 1.5.0.9 and 2.0.0.1, for Windows, Linux, and Macintosh. If one of your Firefox users visits a malicious Web page, an attacker could exploit the worst of these vulnerabilities to execute code on that user’s computer, with that user’s privileges, possibly gaining complete control of the computer. If you run Firefox on any platform, you should download and deploy version 2.0.0.2 as soon as possible.

Exposure:

Yesterday, the Mozilla Foundation released Firefox 1.5.0.10 and Firefox 2.0.0.2, fixing 26 security vulnerabilities (as well as adding more Vista compatibility and new language support) in the popular Web browser. Some of these vulnerabilities could allow a remote attacker to execute arbitrary code on your users’ computers. We highlight a few of the more worrisome flaws below:

• Multiple Memory Corruption Vulnerabilities. Firefox suffers from several bugs that crash the browser and corrupt system memory. These flaws — twenty in total — involve different components of Firefox, such as its layout engine and its JavaScript engine. Mozilla presumes that a skilled attacker could exploit at least some of these memory corruption vulnerabilities to execute code on your computer. Of course, the attacker would first have to lure one of your Firefox users to a malicious Web site. If your user runs Firefox as a local administrator or root user, the attack could exploit this flaw to gain complete control of the victim’s computer. If you’d like more information on these twenty flaws, check out their individual Bug IDs in Mozilla’s alert.

Mozilla Impact rating: Critical.

• Two SSLv2 Buffer Overflow Vulnerabilities. Mozilla uses a custom set of security libraries called Network Security Services (NSS) to support various security protocols such as SSL, TLS, and PKCS. The NSS library suffers from two buffer overflow flaws involving its handling of the SSLv2 protocol. By enticing one of your users to a malicious Web site with a specially crafted public key certificate, an attacker could exploit one of these flaws to execute code on that user’s computer with that user’s privileges. However, Mozilla notes, “exploiting this overflow appears to be unreliable.” Furthermore, Firefox 2.0.x doesn’t enable SSLv2 by default. So this flaw primarily affects Firefox 1.5.x users.

Mozilla Impact rating: Critical. (less severe for 2.0.x users)

• Cookie-Stealing Vulnerability. A technically complicated flaw in Firefox could allow an attacker to tamper with cookies from other sites you visit. The flaw stems from the way Firefox handles something called the ‘location-hostname’ DOM property. In a nutshell, if an attacker can entice you into clicking a link on his malicious Web page, he can tamper with authentication cookies on your computer from any other Web site. Depending on what kind of information the third party site stores in its cookies, this could allow the attacker to seriously manipulate how that third party Web site displays and operates for you. To see this flaw in action, check out this benign Proof-of-Concept provided by the flaw’s discoverer, Michal Zalewski.

Mozilla Impact rating: High.

The twenty memory corruption vulnerabilities alone should convince any administrator to upgrade to 2.0.0.2 as soon as possible. However, if you’d like to know more about the remaining vulnerabilities, check out Firefox’s known issues page.

Solution Path:

Mozilla has updated Firefox in order to correct these security vulnerabilities. If you use Firefox in your network, we recommend that you download and deploy version 2.0.0.2 as soon as possible. Mozilla also released Firefox version 1.5.0.10 to fix these issues for users who insist on sticking with the 1.5.x branch of Firefox. However, Mozilla plans to end 1.5.x support on April 24, 2007. We recommend that 1.5.x users migrate to 2.0.0.2 now.

• Windows
• Linux
• Mac OS X

Status:

The Mozilla Foundation has released Firefox 1.5.0.10 and 2.0.0.2, fixing these security issues.

References:

• Firefox 2.0.0.2 Release Notes
• Vulnerabilities Fixed in Firefox 2.0.0.2
• Vulnerabilities Fixed in Firefox 1.5.0.10

iTunes and Windows Vista

iTunes 7.0.2 may work with Windows Vista on many typical PCs. Apple recommends, however, that customers wait to upgrade Windows until after the next release of iTunes which will be available in the next few weeks. This document will be updated as more information becomes available.If you are upgrading to Windows Vista or have purchased a new computer with Windows Vista pre-installed, here is some information you may find helpful:

Compatibility with Windows Vista

Apple is preparing to address a number of iTunes compatibility issues in the next release of the software.

Some currently known compatibility issues with iTunes 7.0.2 and earlier versions include:

• iTunes Store purchases may not play when upgrading to Windows Vista from Windows 2000 or XP.
• iPod models with the “Enable Disk Use” option turned off may be unable to update or restore iPod software, and make changes to iPod settings.
• iPod models configured to Auto Sync and have the “Enable Disk Use” option turned off may require being ejected and reconnected to resync.
• Ejecting an iPod from the Windows System Tray using the “Safely Remove Hardware” feature may corrupt your iPod. To always safely eject an iPod, choose Eject iPod from the Controls menu within iTunes.
• Cover Flow animation may be slower than expected.
• Contacts and calendars will not sync with iPod.

Upgrading to Windows Vista

If you are upgrading from Windows XP or 2000 to Windows Vista prior to the next release of iTunes, here are a few steps that will improve your experience when syncing your iPod or playing iTunes Store purchases once upgraded to Windows Vista.

1. Deauthorize all iTunes Store accounts.
2. Enable Disk Use on all iPod models.
3. Uninstall iTunes.
4. Perform a clean install of Windows Vista (Highly recommended but not required).
5. Reinstall the latest version of iTunes.
6. Open iTunes.
7. Choose Authorize Computer from the Store menu in iTunes.

Customers who have upgraded to Windows Vista and are still experiencing issues playing iTunes Store purchases should download and run the iTunes Repair Tool for Vista after re-installing iTunes 7.0.2. Click here for more information about this tool.

Apple Fixes A Few OS X Foibles

Severity: High

15 February, 2007

Summary:

Today, Apple released a security update fixing four security issues in software packages that ship as part of OS X, including Finder, iChat, and UserNotificationCenter. An attacker exploiting the worst of these security issues could execute code on your Mac, possibly gaining full control of your computer. If you manage OS X 10.3.9 or 10.4.8 machines, you should download, test, and install the appropriate Apple security update as soon as possible.

Exposure:

Apple’s latest security update corrects four vulnerabilities affecting software packages that ship with OS X 10.3.9 and 10.4.8. Two of the vulnerabilities allow attackers to execute arbitrary code on your OS X machines. The vulnerabilities include:

• Buffer Overflow Vulnerability in Finder. Finder is the application that helps you organize, display, and search for files and folders in OS X. Unfortunately, Finder suffers from a buffer overflow vulnerability involving the way it handles specially malformed disk images (.DMG). By enticing one of your users into downloading and mounting a malicious disk image, an attacker could exploit this flaw to either crash Finder, or to execute code on that user’s computer with that user’s privileges. Kevin Finisterre and his research partners disclosed this vulnerability early last month during their Month of Apple Bugs (MoAB) event. They also released public Proof-of-Concept (PoC) code that could allow an attacker to easily exploit this issue. With this exploit code available for the pillaging, we recommend you patch quickly.

• Multiple iChat vulnerabilities. iChat is OS X’s instant messaging client. It allows to you chat real-time with your friends. According to Apple’s alert, iChat suffers from two security vulnerabilities, one trivial and one very serious. iChat’s less severe vulnerability concerns a flaw in its Bonjour message handling features that could result in a Denial of Service. By sending a specially crafted message, an attacker on your local network could exploit this flaw to crash iChat. However, having local attackers crash your chat client seems more a nuisance than a serious threat.

On the other hand, the second iChat vulnerability flaw poses a much larger risk. The code iChat uses to process AOL Instant Messaging (AOL) URLs suffers from a format string vulnerability. By enticing one of your users into visiting a malicious Web page, an attacker can exploit this flaw to execute code on that user’s OS X machine, potentially gaining complete control of it. The MoAB team has released a PoC exploit for these flaws as well.

• UserNotificationCenter Elevation of Privilege Flaw. UserNotificationCenter is an OS X process that presents you with special notification dialogs during certain types of system events. Unfortunately, this process suffers from an elevation of privilege flaw. By running a specially crafted application, a local attacker can exploit this flaw to gain administrative privileges on your OS X machines. However, the attacker must already have access to your OS X machine in order to carry out his attack. That said, this vulnerability would combine well with either of the code execution flaws described above to give an attacker complete control of your OS X computers.

The MoAB team has released PoC exploits for all of these flaws. A motivated attacker could easily modify these PoC exploits and combine them in an attack that could yield the attacker full control of your OS X machines. You should definitely patch your OS X machines as soon as you can.

Solution Path:

Apple has released updates to fix these vulnerabilities for both OS X 10.3.9 and 10.4.8. Apple OS X administrators should download, test, and deploy the appropriate updates as soon as possible.

• Security Update 2007-02 for Panther
• Security Update 2007-02 for PPC
• Security Update 2007-02 Universal

Note: If you have trouble figuring out which of these patches corresponds to your version of OS X, we recommend you let OS X’s Software Update utility automatically pick the correct update for you.

For All Users:

These flaws support diverse exploitation methods. Some of the exploits are local, meaning that your perimeter firewall never encounters the attack (unless you use firewalls internally between departments). The most secure course of action is to install the updates.

Status:

Apple released updates to fix these issues.

References:

• Apple’s February OS X Advisory

Six Cracks in Windows Yield One Critical Flaw

Severity: High

13 February, 2007

Summary:

Today, Microsoft released six security bulletins describing vulnerabilities that affect Windows and components that ship with it. A remote attacker could exploit the worst of these flaws to execute code and potentially gain complete control of your Windows PCs. For a table briefly summarizing which vulnerabilities affect which versions of Windows, see Microsoft’s Security Bulletin Summary for February and expand the section, “Affected Software and Download Location.” If you manage a Windows network, you should download, test, and deploy the appropriate Windows patches throughout your network as soon as possible.

Exposure:

Microsoft’s six security bulletins detail vulnerabilities found in, or affecting, components of Windows. Each vulnerability affects different versions of Windows to a different extent. Two of the vulnerabilities also affect Microsoft Office and Visual Studio to some degree. We summarize these vulnerabilities below, listed from highest to lowest severity.

MS07-008: HTML Help ActiveX Control Vulnerability

HTML Help is the standard help system that ships with Windows. It includes various ActiveX controls that Internet Explorer uses to display HTML Help pages. Unfortunately, some of HTML Help’s ActiveX controls don’t properly validate input. By enticing one of your users to a specially crafted Web page, an attacker can exploit this flaw to execute code on your user’s computer, with that user’s privileges. If you grant your users local administrative privileges, the attacker could exploit this flaw to gain complete control of the victim’s computer.
Microsoft rating: Critical.

MS07-011, MS07-012, MS07-013: Three Vulnerabilities Involving OLE objects embedded in RTF Documents

Microsoft Security Bulletins MS07-011 through MS07-013 cover three very different Windows components, including the OLE Dialog, the MFC component, and RichEdit. However, all three of these components suffer from vulnerabilities that have the exact same scope and impact.

Specifically, none of the three affected Windows components properly handles specially crafted Rich Text Format (RTF) documents that contain Object Linking and Embedding (OLE) objects. In all three cases, if an attacker can trick one of your users into downloading, opening, and interacting with an RTF document embedded with a maliciously crafted OLE object, he can exploit these flaws to execute code on that user’s computer, with that user’s privileges. As with most Windows code execution flaws, if the victim has administrative privileges, the attacker could exploit these vulnerabilities to gain complete control of their computer. While the three affected components come with Windows, two of the components also come with Visual Studio, Office, and other Microsoft productivity packages. Make sure to install the patches for all the software packages you use.
Microsoft rating: Important.

MS07-006: Windows Shell Hardware Detection Elevation of Privilege Vulnerability

According to Microsoft, the Shell Hardware Detection Service provides notification for Autoplay hardware events. If you’ve ever plugged in a USB storage device, a digital camera, or any piece of hardware and seen the Autoplay dialog pop up and ask what you want to do with the device, the Shell Hardware Detection Service is the component responsible for spawning that pop up. The Shell Hardware Detection Service suffers from an elevation of privilege vulnerability because it does not validate input properly. By running a specially crafted application, an attacker can exploit this vulnerability to gain complete control of vulnerable Windows machines. However, the attacker needs valid user credentials on the targeted machine in order to log in and run his malicious application. This mitigating factor limits the flaw primarily to an insider threat.
Microsoft rating: Important.

MS07-007: Windows Image Acquisition Service Elevation of Privilege Vulnerability

The Windows Image Acquisition Service enables imaging programs to communicate with your digital camera or scanner. This service suffers from a buffer overflow vulnerability similar in scope and impact to the Shell Hardware Detection flaw described above. Like the flaw above, if an attacker can run a specially crafted program on a vulnerable Windows computer, he can gain complete control of that machine. However, the attacker needs to log in to the targeted machine with valid user credentials in order to carry out this attack. Thus, this flaw primarily poses an inside threat. Furthermore, this flaw affects Windows XP only.
Microsoft rating: Important.

Solution Path

Microsoft has released patches for Windows to correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately.

Note: Microsoft no longer officially supports Windows NT 4.0, 98, ME or XP with SP1. If you manage any of these operating systems, Microsoft suggests you migrate to supported versions to prevent potential exposure to vulnerabilities. You can learn more about Microsoft’s extended security update support at their Product Support Services Web site.

MS07-008:

• 2000
• XP SP2
• XP x64
• Server 2003
• Server 2003 Itanium Edition
• Server 2003 x64

Doesn’t affect Vista.

MS07-011:

• 2000
• XP SP2
• XP x64
• Server 2003
• Server 2003 Itanium Edition
• Server 2003 x64

Doesn’t affect Windows Vista.

MS07-012:

• 2000
• XP SP2
• XP x64
• Server 2003
• Server 2003 Itanium Edition
• Server 2003 x64

Doesn’t affect Windows Vista.

• Visual Studio .NET 2002
• Visual Studio .NET 2002 w/SP1
• Visual Studio .NET 2003
• Visual Studio .NET 2003 w/SP1

MS07-013:

• 2000
• XP SP2
• XP x64
• Server 2003
• Server 2003 Itanium Edition
• Server 2003 x64

Doesn’t affect Vista.

• Office 2000
• Office XP
• Office 2003
• Office 2004 for Mac
• Project 2000
• Project 2002
• Office 2000 Multilanguage Packs
• Visio 2002
• Learning Essentials for Office
• Global Input Method Editor for Office

MS07-006:

• XP SP2
• XP x64
• Server 2003
• Server 2003 Itanium Edition
• Server 2003 x64

Doesn’t affect Windows 2000 or Vista.

MS07-007:

• XP SP2  

Status:

Microsoft has released patches correcting these issues.

References:

• Microsoft Security Bulletin MS07-006
• Microsoft Security Bulletin MS07-007
• Microsoft Security Bulletin MS07-008
• Microsoft Security Bulletin MS07-011
• Microsoft Security Bulletin MS07-012
• Microsoft Security Bulletin MS07-013

Internet Explorer Updates: One Theme, Two Patches, Three Vulnerabilities

Severity: High

13 February, 2006

Summary:

Today, Microsoft released two security bulletins describing three vulnerabilities which are exploited via Internet Explorer. By tricking one of your users into visiting a maliciously crafted Web page, an attacker could leverage flaws in libraries or controls accessible through IE to execute code on your user’s computer, with your user’s privileges. In many cases, the attacker could gain complete control of the victim’s computer. If you use Internet Explorer in your network, you should download, test, and deploy the appropriate Internet Explorer patches immediately.

Exposure:

In security bulletins (MS07-009, MS07-016) released today as part of their monthly patch update, Microsoft describes three new vulnerabilities in Internet Explorer (IE) versions 5.01, 6.0, and 7. All three vulnerabilities are rated critical. IE 7 on Vista is not affected. The vulnerabilities break down as follows:

1. IE improperly starts COM objects

The vulnerability here lies in the way IE starts (or, in geek speak, instantiates) certain Component Object Model (COM) objects. Not all COM objects were meant to be started by IE, and Microsoft’s bulletin lists seven such COM objects. A knowledgeable attacker can build a Web page which forces IE to start one of these seven and then use it to corrupt the system’s memory (similar to a buffer overflow attack), gaining the same level of authority on the system that the logged on user has. If that user has administrator rights, then so does the attacker.

2. IE improperly responds to FTP server commands

In addition to being a Web browser, IE is also an FTP client. The FTP client is vulnerable to an unspecified memory corruption vulnerability when transferring data from a malicious FTP server. When exploiting this vulnerability, the attacker gains the same level of control over the system as the logged on user has. If that user has administrator rights, then so does the attacker.

3. An ActiveX control for database connectivity can be abused

IE can be used to access databases. To do so, it frequently utilizes components from Microsoft’s Data Access Components framework (MDAC). One of the ActiveX controls in the framework (ADODB.Connection) has a memory corruption vulnerability. The attacker exploits the vulnerability by luring a victim to a specially crafted Web page which instructs the browser to start the ADODB.Connection ActiveX applet. Attackers exploiting this vulnerability gain the same level of control over their victim’s computer that the victim has. If the victim is an administrator, so is the attacker. Because of the nature of this vulnerability, Microsoft chose to address it in a separate patch, linked below.

In addition to fixing the newly announced flaws, the patch announced with MS07-016 cumulatively fixes all previously known IE security issues and offers some security enhancements as well as minor changes in functionality.

Solution Path:

Microsoft offers many workarounds for the issues covered by these bulletins. Most of the workarounds involve various ways of keeping IE from accessing the vulnerable components. In some cases, their advice leads to a reduction in functionality and may not be a realistic option for you.

In light of the seriousness of the issues covered in this alert, we recommend that you download, test, and deploy the appropriate IE patches as soon as possible. Please note that there are two patches, and you want both of them.

Patches associated with MS07-016 (IE cumulative patch)

• Internet Explorer 5.01
  
• Internet Explorer 6.0
  •  
    • Microsoft no longer supports 98, ME, or XP SP1
    • For Windows 2000
    • For Windows XP SP2
    • For Windows XP x64
    • For Windows Server 2003
    • For Windows Server 2003 Itanium
    • For Windows Server 2003 x64
• Internet Explorer 7.0
  •  
    • For Windows XP SP2
    • For Windows XP x64
    • For Windows Server 2003
    • For Windows Server 2003 Itanium
    • For Windows Server 2003 x64

Patches associated with MS07-009 (MDAC update)

• Windows 2000 SP4
  •  
    • MDAC 2.5 SP3
    • MDAC 2.7 SP1
    • MDAC 2.8
    • MDAC 2.8 SP1
• Windows XP SP2
  •  
    • MDAC 2.8 SP1
• Windows Server 2003
  •  
    • MDAC 2.8
• Windows Server 2003 Itanium
  •  
    • MDAC 2.8  

Status: Microsoft has released patches to fix these vulnerabilities.

References:

• MS Security Bulletin MS07-016
• MS Security Bulletin MS07-009

Microsoft Finally Patches Months-Old Office Flaws

Severity: High

13 February, 2007

Summary:

Today, Microsoft released two security bulletins describing eight vulnerabilities affecting Microsoft Office for Windows and Mac. By enticing one of your users into opening a maliciously formed Office file, an attacker could exploit any of these flaws to execute code on your user’s computer, with your user’s privileges, potentially gaining control of that computer. If you use Office in your network, you should download, test, and deploy the appropriate patches immediately.

Exposure:

Microsoft’s two security bulletins describe eight vulnerabilities found in components or programs that ship with Microsoft Office for Windows and Mac. Some of these flaws also affect Microsoft Visio, Works, and Project, since those products include the vulnerable Office components. Each vulnerability affects different versions of Office to a different extent. Each of these eight flaws differs a little from the others technically, and affects different components and applications within Office. But the end result is always the same. By enticing one of your users into downloading and opening a specially crafted Office document, an attacker can exploit any of these vulnerabilities to execute code on a victim’s computer, with that user’s level of privileges and permissions. If your user has local administrative privilege, the attacker gains full control of that machine.

The Office documents Microsoft specifies as vulnerable include:

• Word (.doc) documents
• PowerPoint (.ppt) documents
• Excel (.xls) documents

If you’d like to learn more about each individual flaw, drill into the “Vulnerability Details” section of the security bulletins listed below:

• MS07-014: Six Word Vulnerabilities
• MS07-015: One Excel and One PowerPoint Vulnerability

If you’ve read our past Wire posts on the subject [ 1 / 2 / 3 / 4], you know that up until today Microsoft Office has suffered from at least five unpatched vulnerabilities in Word and Excel. Microsoft confirmed three of these five vulnerabilities in security advisories they released over the last three months [ 1 / 2 / 3 ]. According to updates in these advisories, today’s Office patches fix three of these previously unresolved issues. However, since Microsoft never confirmed two of the unpatched Word flaws, we cannot say for sure whether or not today’s updates fix them as well.

Attackers have been exploiting some of these flaws in the wild for over two months. Many of these flaws were first discovered as exploit code spreading in the wild. That means the bad guys found them before us and have been exploiting them actively. This makes it particularly crucial for you to test and deploy these Office patches immediately.

Solution Path

Microsoft has released patches for Office, Project, Works, and Visio that correct these vulnerabilities. Download, test, and deploy the appropriate patches throughout your network immediately.

MS07-014:

• Office 2003
  • Word Viewer 2003
• Office XP (and Works Suites 2004-2006)
• Office 2000
• Mac – see note below

MS07-015:

• Office 2003
• Office XP
• Office 2000
• Project 2002
• Project 2000
• Visio 2002
• Mac – see note below

Note for Mac users: The patch below corrects both the vulnerabilities described in Microsoft’s Office security bulletins:

• Office 2004 for Mac

Status:

Microsoft has released patches correcting these issues.

References:

• Microsoft Security Bulletin MS07-014

Microsoft Security Bulletin MS07-015

Critical Flaw Makes Microsoft’s Security Solution the Problem

Severity: High

13 February, 2007

Summary:

Today, Microsoft released a security bulletin describing an integer overflow vulnerability in Microsoft’s Malware Protection Engine, the scanning engine Microsoft’s latest security products use. By sending an email containing a specially crafted PDF attachment, an attacker could exploit this flaw to execute code and gain total control of any computer running Windows Live OneCare, Windows Defender, Microsoft Antigen, or Microsoft Forefront Security. Since the Malware Protection Engine software scans incoming files automatically, the attack could succeed even if the targeted victim does not interact with the malicious PDF file. If you use any of Microsoft’s vulnerable security products in your network, you should download, test, and apply the appropriate patch immediately.

Exposure:

Microsoft’s Malware Protection Engine provides the scanning, detecting, and cleaning capabilities for the following Microsoft security products:

• Windows Live OneCare
• Windows Defender
• Microsoft Forefront Security
• Microsoft Antigen

According to Microsoft’s security bulletin, the Malware Protection Engine suffers from an integer overflow vulnerability due to its improper handling of specially malformed PDF documents. By sending an email containing a specially crafted PDF attachment, an attacker can exploit this integer overflow to gain complete control of any computer running Microsoft’s security software. Since the Malware Protection Engine scans incoming files automatically, this sort of attack would succeed even if no one interacts with the malicious email. Once the engine scans the infected email, the attacker gains full control without any help from the unsuspecting victim. Furthermore, the Malware Protection Engine also scans files that pass via HTTP. This means an attacker might also exploit this flaw by hosting his malicious file on a Web site.

Neel Mehta, an X-Force research engineer, and Alex Wheeler, a former X-Force team member, originally discovered this scanning engine flaw. They have found flaws in antivirus (AV) scanning engines since 2005. If you’d like to read more about problems in antivirus, check out our interview with them from Black Hat 2005, “Antivirus: Solution, or Problem?“

Solution:

Microsoft has released updates correcting this vulnerability. The affected Microsoft security products all receive updates automatically. As long as you have not disabled automatic updates, you should have already received the patch. If you have disabled AutoUpdate or Microsoft Update for the Microsoft Antivirus client software, you need to either re-enable AutoUpdate or update the Microsoft Antivirus client software manually to obtain the updated Microsoft Malware Protection engine. To update the Microsoft Antivirus client software manually, follow the product documentation provided with the affected software. Unfortunately, Microsoft does not provide any direct links to these updates.

Status:

Microsoft has released fixes for this issue.

References:

Microsoft Security Bulletin MS07-010

QuickBooks Service Notice: Important Information about Microsoft Windows Vista

SERVICE ALERT If you are considering Windows Vista, please note that QuickBooks 2006 and earlier versions may be adversely affected.   Dear Quickbooks Customer, You may have heard about the upcoming release of Microsoft’s new operating system, Windows Vista. Microsoft has made significant changes to how software runs on Windows Vista.I’m sending you this important service alert because you are using a 2006 or earlier version of QuickBooks software.Since QuickBooks 2006 and earlier versions were developed and released before the introduction of Windows Vista, these versions may be adversely affected when used on a computer running Windows Vista.This will impact Simple Start, Basic, Pro, Premier, Payroll and Point of Sale, as well as other QuickBooks products and services. We recognize that your QuickBooks software is an important business tool and apologize for any inconvenience this may cause you. WHAT YOU SHOULD DO TO STAY UP AND RUNNING ON QUICKBOOKS     • If you do NOT upgrade to Windows VistaNo action is required. If you plan to stay with your existing Windows operating system (for example, Windows XP or Windows 2000), you can continue to use your current QuickBooks products.     • If you choose to upgrade to Windows VistaWe recommend that you use QuickBooks 2007 (and Point of Sale v6.0, if applicable). QuickBooks 2007 is the only version of the software built to run on the new Windows Vista operating system. To learn more about your options for running QuickBooks products on Windows Vista, please visit www.quickbooks.com/support/vista. You’ll find detailed instructions on how to use QuickBooks while you consider the transition to Windows Vista.     Again, we apologize for any inconvenience this may cause. If you would like to send us feedback on QuickBooks and Windows Vista, please visit our Windows Vista Resource Center at www.quickbooks.com/support/vista. Thank you for making QuickBooks a part of your business.Sincerely, Brad Smith Senior Vice President, QuickBooksPlease print and save for your records.