March 2006 - Posts

DHL strikes again....

Remember this?
http://msmvps.com/blogs/spywaresucks/archive/2006/03/03/85327.aspx

Well, it's happened again.  I got an email from Microsoft today that said, and I quote, "Funny timing - we just got your [delivery] back - DHL made an error on the shipping label and it got returned.  Took about a month for it to make it back -- I'll be re-sending again on Monday"

I've asked my correspondent at MS to provide me with a tracking number so I can see for myself what went wrong this time.

The last time this happened, DHL sent me a "without prejudice" letter by email containing an apology and an offer of a free 5KG delivery to any destination, which I didn't accept (glad I didn't now).

What does "without prejudice" mean, I hear you ask... here's an explanation:
http://www.ahernslawyers.com.au/web/factsheet_1648.htm

Posted by sandi with no comments

A useful little IE7 tool by Bindar Dundat

I've been chatting with Bindar Dundat by email about IE7.  He's put together a little utility that y'all may find useful:

http://dundats.mvps.org/Software/SoftFixes.htm

Some of the options can already be adjusted using IE's menu options (enabling/disabling Clear Type, enabling/disabling the Classic Menu and restoring default settings) but others cannot be changed from within the IE interface, and it is those options that make this tool useful.

One cool feature is the option to place the Classic Menu bar ABOVE the Address Bar (restart IE to see the change).  It is not possible to drag the toolbar into this position from within IE (btw, Tony Schreiner posted about how to do this a while back).

The tool also allows you to quickly edit your computer's registry to fool sites into thinking that you are running IE6, and then swap back to IE7 again.  Why is this sometimes necessary?  See here:
http://msmvps.com/blogs/spywaresucks/archive/2006/02/21/84376.aspx

Also, the tool makes it easy to change your default 'save to' directory when downloading files.

Bindar is planning to make lots of changes to the application, so don't be shy about emailing him and letting him know what you'd like to see :o)

Enjoy.

Posted by sandi with 1 comment(s)

Who the heck thinks this stuff up???

http://www.escapeyesterworld.com/

A promo for SQL Server 2005 and Visual Studio 2005

Erm, did I just see the quote "all your base are belong to us" flash on screen?

Posted by sandi with 1 comment(s)

Trend PC-Cillin Internet Security 2006... giving me the irrits

Trend PC-Cillin Internet Security 2006 includes a feature called "Private Network Protection".  This feature, apparently, allows you to remotely manage Trend installations on all machines on a local network.

Here's the situation.

Four PCs, all with the same version of Trend PC-Cillin installed.  All installs have a password enabled, and all have the same password. But what happens when I try to refresh the list of PCs on the network? "No computer with supported software found".  Even after disabling firewalls on all PCs (safe to do on a temporary basis because I have a hardware firewall) Private Network Protection simply doesn't work.

 

So, let's have a look at the help page:

Correct version of PC-Cillin installed on all PCs? - yep
Private network protection enabled? - yep
Password set? - yep
Same Trend password on all PCs? - yep

Well, I can't get it to work - have never been able to get it to work. Damned irritating.  The help page reads like all we need is a password to protect the Trend console - maybe I'm reading it wrong - I hope not, because if all PCs must have the same user account password, sorry, but that ain't gonna happen.

Now that I have an SBS2003 box running at home, I'll be able to drop the consumer product and go back to the SMB version once a certain gentleman, who shall remain nameless, answers an email query... yes, you know who you are ;o)    That being said, I'd really like to work out why the heck I can't get Private Network Protection working. 

Posted by sandi with 1 comment(s)

This is why I use Sneakemail

http://australianit.news.com.au/articles/0,7204,18586129%5E15306%5E%5Enbv%5E,00.html

"NEW YORK Attorney General Eliot Spitzer has filed a lawsuit accusing a company of selling email addresses in what he described as the largest deliberate breach of privacy in internet history.

The suit against web site operator Gratis Internet alleges that the company sold personal information obtained from millions of consumers under a strict promise of confidentiality.

...

In each of these deals, Gratis wrongfully shared between one and seven million confidential user records," Mr Spitzer said."

Sneakemail is an anonymous email service that I have used for years for things such as Web forum subscriptions.  It allows you to generate unique email addresses AND record who you gave the unique email address to, making it very easy to track down who is selling or sharing your email address.  If an email address starts being spammed, simply delete the address :o)

RSS is not always RSS...

Hey F-Secure - IE7 is unable to display your RSS feed - you may want to do something about that:
http://www.f-secure.com/weblog/

"Internet Explorer does not support feeds with DTDs....This feed contains a DTD (Document Type Definition). DTDs are used to define a structure of a webpage. Internet Explorer does not support DTDs in feeds."

Posted by sandi with 1 comment(s)

createTextRange vulnerability - update

A proof of concept is circulating that uses the vulnerability that I blogged about yesterday:
http://isc.sans.org/diary.php?storyid=1212

New publicly disclosed vulnerability in IE

The fact that it is publicly disclosed means that the bad guys *will* try to use it:

http://blogs.technet.com/msrc/archive/2006/03/22/422849.aspx

I know... telling people to only go to trusted sites is a tad unrealistic .. :o(

I note the blog mentions that the latest Beta 2 Preview for IE7 (5335.5) is not affected by the vulnerability, and even provides a link, but please don't download and install the beta simply to avoid this vulnerability ... the beta is targeted at developers and IT pros and it has its problems (for example, History is broken, Trend online AV scan doesn't work, some McAfee features don't work, and a lot of sites have not been recoded to work with IE7).  I can't recommend that the 'man in the street' download and install IE7 Beta 2 Preview to avoid this vulnerability.  Turn off active scripting instead.

Hmm, I have a new feed...



See that entry for "Microsoft Feeds"?  I didn't add that... also, I note that all of my feed update schedules have been reset to once a day.  I had to go through and reset every single one of them only to discover the next time I fired up IE that they had all changed back to the default setting again <<muttering>>  C'mon guys, couldn't you leave that untouched?  I find tweaking such user settings back to what I had to be soooo irritating.

Feed control page has changed too:

Old:


New:

Posted by sandi with no comments

I thought my RSS feeds were a bit quiet....

RSS synchronisation is turned off by default in IE7 Beta 2 Preview Build 5335.5

One thing I do like... RSS feeds will be updated even if IE is not running.

Posted by sandi with 1 comment(s)

Internet Explorer 7 Beta 2 Preview Build 5335.5 comes with a little extra tweaking...

Heads up:  the latest IE7 Beta 2 Preview Build seems to include the ActiveX 912945 update described here:
http://msmvps.com/blogs/spywaresucks/archive/2006/03/04/85409.aspx

Ok, this is a surprise and a shock.  Maybe I've simply missed an announcement or heads up, but I don't remember any mention of the 912945 update being included in build 5335.5.

Granted, the changes will be included in the next security update, but it would have been nice to have some warning.

Watch out for this when installing the new build of IE7 Beta 2 Preview

Heads up:  the latest IE7 Beta 2 Preview Build seems to include the ActiveX 912945 update described here:
http://msmvps.com/blogs/spywaresucks/archive/2006/03/04/85409.aspx

Ok, so you've downloaded the latest build of IE7 and want to install...

Please, disable antivirus and crashguards, antispyware products etc.  Shut down all other programmes, including those that run via System Tray, but do NOT disable your firewall.

Disable automatic updates... I promise, you'll thank me for it.

Uninstall any previous build of IE7 and reboot twice - yes, twice.  You may experience a svchost.exe crash the first time you reboot.  Ok it and continue on.  You shouldn't see the crash during the second reboot.

Note: If you did not disable automatic updates before now, AU will trigger and start downloading updates after IE7 has been removed and the system rebooted.  If your system is set to download *and* install updates, let it finish and reboot twice.  Do NOT try to install IE7 while this is happening.

If, on the other hand, you have AU set to download but not install updates, just ignore it.  Let it download, but do not install.  It is safe to install IE7 while the updates are downloading if you do not attempt to install the updates during or after the IE7 installation, but it can get a tad messy.  When you reboot your PC when the IE7 installation is finished you may see an error about an 'extracting files' program having to be closed, slowing down the restart.

Ok, so now we're ready to install.  Things may seem slow between 45% and 48% complete, so be patient.  The install will sit there, your hard drive will crunch away, and the percentage counter may not move for what feels like a very long time.  Then, suddenly the percentage counter will jump forward and installation will finalise.

Reboot twice before re-enabling automatic updates and your antivirus and crashguards.

The first time you start IE you will be redirected to http://runonce.msn.com/runonce2.aspx.  Make any changes you want to make then scroll to the bottom of the page where you will see these options:

Many people with smaller monitors have not spotted the options pictured above.  The page should not appear more than once, but if it does, use the bottom link.

Posted by sandi with 2 comment(s)

Microsoft and the Global Phishing Enforcement Initiative

"Microsoft to initiate over 100 legal actions in Europe, the Middle East and Africa; company brings together law enforcement, governments and industries in worldwide fight against online fraud."
http://www.microsoft.com/presspass/press/2006/mar06/03-20GPEIPR.mspx

Good on 'em. I hope it makes a difference.

Australian? Using Optus for your internet access?

You might want to reconsider providers - it boggles the mind that there is no UPS protection for mission critical equipment, and that installation is not planned until March next year...

http://australianit.news.com.au/articles/0,7204,18540875%5E15306%5E%5Enbv%5E,00.html

Updated: ActiveX update 912945 to be deployed maybe during April

Edit:  Ok, so maybe it won't be 11 April, but the ActiveX update *will* be included in the next available Internet Explorer security update.

The blog entry still says 11 April ;o)
http://blogs.technet.com/upstate-ny-technology/archive/2006/03/20/422522.aspx

What the update will do:
http://msmvps.com/blogs/spywaresucks/archive/2006/03/04/85409.aspx

I'm receiving emails from people saying they are going to refuse to install the ActiveX update, but the only way to do that is to avoid the security update.  Please don't do that.

The changes are very user friendly compared to the original version that was dropped when Microsoft won a round of the EOLAS battle.  Web pages are easily coded to address the changes made by the update.

MS has no choice but to make the changes.  If you want to yell at somebody, yell at those behind the EOLAS patent lawsuit.

A new build of Internet Explorer 7 is available

http://www.microsoft.com/windows/ie/ie7/ie7betaredirect.mspx

Please uninstall the previous build of Internet Explorer 7 Beta 2 Preview then reboot *twice* before installing the newly released build.

How to uninstall IE7:
http://msmvps.com/blogs/spywaresucks/archive/2006/02/05/82589.aspx

Installation tips:

Some may not agree with the following, but years of experience have shown this to be best practice... ;)

  1. Set a restore point (just in case)
  2. Disable antivirus
  3. Shut down all running programmes (except for firewall) - that includes Messenger, Windows Defender, OneCare - don't forget to exit via systray icons as well.
  4. Turn off Automatic Updates (believe me, you'll thank me later)
  5. If you have installed any other build of IE7 you must uninstall those versions before you try to install Beta 2 Preview.
  6. Reboot *twice* after removing old beta builds (yes, it really does make a difference)
  7. Don't forget to shut down those programmes again before proceeding.  This is where shutting down automatic updates makes a difference.  Uninstalling beta builds of IE7 in the past has, for me, triggered Automatic Updates to offer a slew of updates which is darned irritating if Automatic Updates is set to download and prompt to install, or download and install automatically.  I'd prefer you didn't install these updates before installing IE7 Beta 2 Preview.  After the installation of IE7 Beta 2 Preview you can turn Automatic Updates back on - you won't be prompted to install all those updates.
  8. Install IE7 Beta 2 Preview... reboot twice after successful installation.
  9. Don't forget to re-enable your antivirus now you're finished.

Sometimes the installation may fail - no error message.  Right click on the downloaded IE7 installation file, select properties, then select "unblock".

Posted by sandi with no comments

Another false positive - this time AdAware

This problem was pointed out in a spyware mailing list that I subscribe to (waving at Robear):

Definitions 112 detect the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG" as W32.Trojan.Downloader. 

According to Walter Clayton the key is related to the Windows Firewall.

The problem was quickly fixed by definition 113,  but as I said in an earlier blog post, don't these guys test their definitions anymore?  We're not seeing obscure little programmes being affected by false positives.  We're seeing products and services that are standard on Windows machines, and programmes that are used by millions of people, being hit by false positives.

Unfortunately Lavasoft have shut down the free support forums, so there is no URL I can give you that discusses this false positive.  Nothing in the Lavasoft blog at time of writing.

Want to help in the fight against spyware, malware and viruses?

Microsoft is calling for samples of viruses, malware, adware etc, and has created two new email addresses especially to receive submissions.

avsubmit@submit.microsoft.com (virus/worm/trojan/etc)
windefend@submit.microsoft.com (spyware)

These email addresses have been set up so that samples sent to the team will not be stripped or blocked by antivirus protection.

Make sure that you "zip" any samples, and password protect the zip file.  The password to use should always be the word "infected" (no quotes).

Use the subject line to provide a brief description of what you are sending, eg "new malware", "false positive", "new virus" etc.  Any further detail should be included in the message body.

The team are most interested in samples of "new" malware, and false positives generated by Microsoft's protective programmes and services such as OneCare, the Malicious Software Removal Tool, Windows Defender, safety.live.com, Microsoft Client Protection etc.

Internet Explorer bug...

...I wonder who was unlucky enough to be bitten by *this* bug :o)

http://support.microsoft.com/default.aspx?scid=kb;en-us;911740&sd=rss&spid=2073

You use a Hebrew-language Web page that is read from right to left.
The 99th character on the Web page is a period (.).
The period is located in a decimal number. For example, the period is located in the decimal number 3.25.
In this scenario, when you resize or maximize the Web page in Microsoft Internet Explorer 6, the decimal number is reversed to 25.3.

Posted by sandi with no comments