Number 292 - September 2007

What programs do you want alerts for?

by Bob de Violini

For something different this month, I'd like to start off by asking for some of the most valuable information anyone writing an ongoing series of articles here in TOE can ask for: the readers' input. Specifically, are there any programs you use on a regular basis that I haven't mentioned in previous articles I've written about security updates or vulnerabilities? I've tried keeping my list limited to a set of very widely used programs in an effort to keep these articles relevant to the greatest number of users in the CIPCUG membership. However, in doing so, I realize that I may have overlooked a program or a few programs that are in wide use in the club itself, such as a version of photo editing software.

So, if you'd like me to keep an eye out for updates or vulnerabilities for a particular program you routinely use, feel free to drop me a line at the e-mail address listed at the top of this column, and I'll make a note of it. I can also remove a program from the list I currently maintain (included below) if I get enough folks saying they don't use that program. I'll keep a running count of the most popular submissions, and the most popular ones will be added to or deleted from the current list.

That list currently includes all currently supported Microsoft operating systems (2000, XP and Vista), Microsoft Windows Media Player, Microsoft Office applications, Mozilla Firefox (browser) and Thunderbird (e-mail client), Adobe Acrobat Reader, Adobe Shockwave and Flash (multimedia plug-ins for Internet browsers), Apple QuickTime media player for Windows, Real Media's RealPlayer for Windows, Ad-Aware, Spybot Search & Destroy and SpywareBlaster (free anti-malware programs), WinZip file compression/decompression software, and WinAmp media player.

'New' QuickTime vulnerability

Speaking of QuickTime, a "new" vulnerability has been announced for all versions of the media player up to and including 7.1.3. Basically, it involves a "heap buffer overflow" type of problem. The program receives more data than fits in the space set aside for it in memory, and the excess spills over into neighboring memory. That then allows the bad guys behind the attack to run any type of malicious code they want on your computer. The reason I have the word new in quotation marks is that it was discovered early last year and privately reported to Apple so they could quietly issue a patch, which they did around September of last year. The vulnerability was then made public in mid-May of this year so customers would hopefully have already gotten the newer, patched version installed on their computers.

The latest version that's available from Apple is version 7.1.6, and it can be downloaded from the following link: http://tinyurl.com/d3w3t. If you already have version 7.1.6, Apple just released an urgent security update for it on May 29, which is available from the following link: http://tinyurl.com/2fsfgm. Once there, look for the Download Details box on the right side of the page, and click on the blue down arrow to start downloading the file.

Problems With Office 2007 fixes

Well, Microsoft "blew" it again. Apparently, two of the fixes released last month that deal with Office 2007, MS07-23 and MS07-25, were either not offered to people or not installed if they were offered. Things went awry in Microsoft's detection mechanism with these two updates, causing the snafu. This didn't happen to everyone who got updates through the various official update channels such as the Microsoft Update or Office Update Web sites; it mostly affected those running Office 2007 on Windows Vista. So, if you go back to the Microsoft Update or Office Update site and are offered either one of these updates again, please take the time to download and install it.

Office attachments

Worried about getting infected from an unexpected Word, PowerPoint or Excel file from a friend or co-worker? Microsoft finally has a solution for you. Although it's considered a poor idea to open unexpected files in attachments from unknown people, you can also get infected by someone you know if they send you an infected file as an attachment. To help guard against this scenario, Microsoft has released the Microsoft Office Isolated Conversion Environment, or MOICE. What it does is convert Word, Excel and PowerPoint files in attachments to another, safer format called the Open XML format instead of opening them in their native binary format. When it performs the conversion, it does so in a specially protected area of your computer, commonly called a "sandbox." That way, if the file is infected, it won't cause the damage it would otherwise.

This special program is only for the Office 2003 and 2007 series of suites, and is an added feature of the Compatibility Pack for the Word, Excel and PowerPoint 2007 file formats. The Compatibility Pack and additional information are available from Microsoft at the following Web site: http://support.microsoft.com/kb/935865. This new tool is supposed to already be integrated into the Office 2007 suites as sold at retail.

Finally this month, I'd like to end with a couple of quick notes. The first is that, as of May 30, Mozilla no longer officially supports Firefox 1.5. Mozilla is trying to get all Firefox users to migrate up to version 2, which is up to iteration 2.0.0.4, and version 1.5 is finalized at 1.5.0.12. Both of the latest iterations were released on May 30, to coincide with the end of support for the version 1.5 line. If you haven't updated your version to the latest iteration, please do so, as they contain important bug fixes.

The second quick note is that as of the beginning of June/end of May, there was a very prevalent scam e-mail making the rounds, purporting to give you a free preview of the latest Pirates of the Caribbean in theaters AND to give you a shot at free tickets to see it. Just remember, in this case you don't get anything but infected if you take the bait in the e-mail.

Until next month, Safe and Happy Computing!