July 2007 - Posts

I've been tagged too - stuff i couldn't live without

It's all Brian's fault - here I am, after taking the weekend off, escaping to my holiday unit to read Harry Potter, trying to catch up on the millions of emails that arrived during my 24 hour absence (and the 3 million spam hiding said million important emails), when I spot that Brian wants me to do this tagging thing....

Ok, so what are the things Sandi could not live without....

  1. First and foremost - that which beats all others - my music - I own far too many CDs covering every music style know to man except for trance - I have a home built jukebox PC installed in my primary work area, with a kick ass surround-sound card and speakers and it plays constantly, in shuffle mode, all day when I'm at home, and it plays loud.

    Same with the car - maybe one day I'll get a CD stacker, but for now every spare nook and cranny is filled with CD cases and again, the music is played LOUD - drives the family nuts, especially on long trips.

  2. RSS - I could not do what I do without it - I can monitor hundreds of information sources at a glance.  It's been invaluable in helping me protect the networks that I am responsible for.

  3. My car - a Ford Explorer - I love that beast and I've been the recipient of some *strange* looks when I've been driving down the freeway with the rear seats laid flat and the cargohold full to the brim with old PC monitors, PC cases, keyboards, mice etc that are being trashed after a network rebuild. 

    I've driven 4WDs since I first got my licence and my father still owns the Toyota Landcruiser that I learned to drive in - it's done over a million kilometers now and is still going strong - and I still say it wasn't me that wrecked the clutch all those years ago, it was my brother.

  4. The air filter cover on my Dad's Toyota Landcruiser.... "is she nuts??" I hear you say... actually no, there's a story behind that cover.   Years and years ago I worked for KFC (Kentucky Fried Chicken as it used to be known), first out the front serving customers and then out the back cooking the chicken itself.  I remember to this day, not long after I started, a TV advertising campaign was launched and we were allocated stickers to hand out to customers to go with the campaign.  Here I was, 15 or so years old, and I took one of those stickers home and told my Dad that he had to put it somewhere really important... so he stuck it on the Toyota's air filter cover, and the last time I checked it was still there.  There's something special about the fact that the sticker still exists to this day.

  5. My holiday unit - it's "out bush" and there is no telephone line installed (and the only cellphone service is CDMA - GSM doesn't work), no air conditioning or heating, only 4 television channels (on a good day) - and it's a stone throw from the ocean.  Because I'm a coffee snob we have a semi-automatic coffee machine so that we can have a decent coffee in the morning, but apart from that it is anti-technology - we often fish for our dinner and eat what we catch (except for my daughter - ever since she saw her father cleaning the day's catch she has refused to eat fish - it had never occurred to her that eating animal products involves killing an animal) and it is peace personified.  Yes, if all the scare stories about global warming and rising sea levels come to pass then we may be in a spot of bother, but I love to go up there when I need a time out - I'll either sleep all day or sit on the jetty while hubby fishes and I contemplate the sunset/sunrise, and I always come back with a sense of peace and a good supply of cuttlefish bone for the bird aviary at home.

    My favorite fish recipe? That's easy - all you need is some greased Alfoil (aluminum to you non-aussies), some butter, tomatoes, onions, some breadcrumbs and Herbamare.... stuff the cleaned fish's abdominal cavity with the tomatoes, onions and butter and a smidge of breadcrumbs, sprinkle with a bit of Herbamare... wrap in greased Alfoil and cook for the appropriate time for the size of the fish.... wonderful....

  6. My laptop - one of the infamous Ferrari 5000 blogger laptops - and to go with it my Targus Notebook stand and removable Chill Hub.
  7. Software (as in stuff I use everyday) - Fiddler, Microsoft Network Monitor, SnagIt, Skype, Windows Live Messenger and a few other bits and pieces that I can't tell you about Winking
Posted by sandi with no comments
Filed under:

viruses, worms, botnets and hacking - instructional videos for new computer users

I admit, there are some statements in the first video that I would argue with (such as 50% of all spam coming from bots - it is far more than that - and some of the technical statements are inaccurate) but overall the videos are a good start and they get the message across.  Their target audience is the new computer user who is a true naivete when it comes to the dangers of the online world - Grandma and Grandpa, for example, who have purchased their first computer at the behest of distant family members determined to send the grandparents photos of the grandchildren via email.

The first video, a cartoon animation, tries to explain the danger of computer viruses, worms and botnets in a way that the uninitiated can understand.   Developed for the computer user at home, the animation will introduce them to the world of botnets, how they are created, how they develop themselves and how the home user can easily become a victim. It also shows how the computer user can protect him or herself against such criminal activity on the Internet and be aware of it.  The security advice is basic, but sound - install antivirus and keep it updated, install a firewall, install security updates for software and operating systems, and do not open email attachments that you do not trust.

The videos are available for download here:

Windows Media Video, 18MB
Windows Media Video, 23MB

A large screen presentation is available for in-house training seminars: MPEG, 108MB

The Stevens Family (Hacker Demo)

This movie shows how easily we can be the victim of a hacker if we have not taken care of the proper IT security measures. The family, father Ed (who is a doctor), mother Anne, son Dave and daughter Megan all use the Internet differently - I wonder if you will guess, before the fact, who was responsible for the hacker being able to infiltrate their home network.

Source: http://www.waarschuwingsdienst.nl/render.html?cid=106  (waarschunwingsdienst.nl is a website owned by the Computer Emergency Response Team for the Dutch government)

HOTFIX: A site does not run in the expected security zone in IE7 if the site address in the security zone uses a wildcard character

Symptom 1

A site address that uses a wildcard character overrides a site address that uses the exact name. For example, assume that you have added the "*.subdomain.domain.com" site address to the Local Intranet security zone. You also add the "server.subdomain.domain.com" site address to the Trusted Sites security zone. When you access the following Web site, you expect the Web site to run in the Trusted Sites security zone:


However, the status bar of Internet Explorer indicates that the Web site runs in the Local Intranet security zone.

Symptom 2

A site address that uses a wildcard character does not apply to a site address that is in a nested namespace. Instead, the site address that uses a wildcard character applies only to a site that is directly in the defined namespace.

For example, assume that you have added the "*.subdomain.domain.com" site address to the Local Intranet security zone. When you access the following Web site, you expect that the Web site will run in the Local Intranet security zone:


However, the status bar of Internet Explorer indicates that the Web site runs in the Internet security zone.

In this case, the Web site runs in the Local Intranet security zone only after you add the following addresses to the Local Intranet security zone:

• *.dns.subdomain.domain.com
• server.dns.subdomain.com

Note The Web site runs in the correct zone in Microsoft Internet Explorer 6.


To apply this hotfix, you must have Windows Server 2003 Service Pack 2 installed on the computer.


To apply this hotfix, you must have Windows XP Service Pack 2 installed on the computer.

WINDOWS VISTA - No prerequisites


Posted by sandi with no comments
Filed under:

HOTFIX: IE7 does not open a link in a new window as expected after you use Dynamic Data Exchange to integrate a program into IE7

Consider the following scenario. You use Dynamic Data Exchange (DDE) to integrate a program into Windows Internet Explorer 7. In this program, you configure some options to open links in new Internet Explorer windows. However, when you try to open a link in a new window, Internet Explorer 7 opens the link in a window that was already open.

This problem occurs if you configure Internet Explorer 7 to open links from other programs on a new tab in the open window.


Posted by sandi with 2 comment(s)
Filed under:

HOTFIX: The "Size (bytes) field displays the file size as Damaged when you view the file properties for an ActiveX control in IE7

Consider the following scenario. You download an ActiveX control. You view the file properties for the control in the Downloaded Program Files folder. You click the Dependency tab in the Properties dialog box. In this scenario, the Size (bytes) field may not display the file size in bytes. Instead, the Size (bytes) field displays the file size as Damaged. This problem occurs if Windows Internet Explorer 7 is installed on the computer.

Note By default, the downloaded ActiveX controls are stored in the C:\WINDOWS\Downloaded Program Files folder when you install the control.


Posted by sandi with 2 comment(s)
Filed under:

The dangers of experimenting with online advertising...

A trackback on my site pointed me to www.eq2flames.com/general-gameplay/8990-seeking-ideas-make-people-less-upset-about-ads-20.html

Now, ever since this blog (and many others) became the target of sustained attempts to seed the blog with comments pointing to URLs that attempt to infect systems with winfixer malware, I check trackbacks and comments and delete those that are a risk to visitors.  The www.eq2flames.com trackback points to a legitimate site that went through a hell of a time after implementing advertising. 

A user's complaint...

"Ok bud, here is the info on what happened yesterday. Im using AVG. Was viewing EQ2Flames when the popup blocker stopped a download, at the time I didn't pay attention to what it was but immeditatly after that AVG kicked in and stopped a threat. Going back to the Virus Vault in AVG I see the following:

7/26/2007 5:00:45 PM
Virus Name: Trojan Horse Downloader.Generic4.XDV
File Name: poolsv.exe
Size: 36 KB

Now for the fun part, when I logged into just 5 mins ago and went to send you this PM, screen loaded and IE blocked another pop-up. This time the pop-up blocker frame said the following:

"This website wants to run the following add-on: 'Microsoft Data Access - Remote Data Services Dat...' from 'Microsoft Corporation'. If you trust the website and the add-on and want to allow it to run, click here..."
After this AVG kicked in and stopped the threat. I then went to AVG virus vault and looked again and this time there were two additions showing the following:

7/27/2007 225 PM
Virus Name: Trojan Horse Downloader.Generic4.WTK
File Name: xpre.exe
Size: 59.5 KB

7/27/2007 222 PM
Virus Name: Trojan Horse Downloader.Agent.MFJ
File Name: xrun.exe
Size: 64 KB

As soon as I finish typing this I am going to run a full scan and will post up the results."

What is really scary is the **Site Administrator's Response** to the comment about MDAC:

"I also got that "download from microsoft" thing yesterday, but the certificate was Microsoft's, so I allowed it.

It seemed reasonable to me, since I'd reinstalled both browsers based on unrelated browser issues I'm having (oddly - firefox currently won't display ads on this site for me no matter what I do, and I can't find the solution to that, plus my IE browser is bugged from a fricken Comcast toolbar I uninstalled that won't allow me to switch toolbars now). So i assumed it was Microsoft updating what I'd deleted.

But my full AVG scan of less than an hour ago didn't reveal a single malware on my comp, so as far as AVG is concerned, I don't have any malware of any kind on my comp, and yes I updated AVG this morning.

Thanks for checking this out, though."

Oh dear, oh dear, oh dear, oh dear, oh dear... they approved the MDAC download (a common symptom of a hacked web site, btw, and often used by bad guys to exploit computer systems) because "the certificate was Microsoft's so I allowed it"??  Those poor guys, I hate to think about what may be on their systems now...

Information about MDAC exploits can be found at these URLs:


Adbrite's reaction when complaints about winfixer ads were received:

"I’m very sorry to hear that! I just talked to my director. We’re immediately checking the ads and remove any ad that might cause you trouble.

We’re talking right now to our advertisers to find out what the problem is.

I’m very sorry for any inconvenience that might have caused you!!!

All my apologies. I’ll get back to you asap with any updates on the ads."

Despite Adbrite apparently promising that the ads were gone, the problems continued.  The site's admin became more and more and more upset, with messages sent to the advertising network like:

"Miriam, I'm very sorry, but your ads have downloaded some very nasty and severe malicious viruses/trojans/malware that has taken over my computer - this is defying even my AVG antivirus software, I may have to reformat my entire computer to get rid of this.

I know you tried, but what your ad software is doing to my site is worse than the very worst porn/warez site I've ever seen - I've never seen anything like this and must remove your code immediately to protect my site and users."

And then, sadly, the Admin reports *about his own computer* (although it is not surprising considering he allowed the MDAC control to load when it appeared in a pop-up window):

"This is worse than the very worst porn / warez site I've ever seen - I'm running three different cleaning programs, and getting over 5000 malicious files downloaded since this morning.

Jesus Christ, I hope Niber can delete this *** asap, I don't know how to myself."

The site admin's "Privacy Protector" software screenshot shows 3,419 malware entries found, and 3,414 entries repaired.  The screenshot looks like Uniblue's SpeedUpMyPC software, not the likenamed Winfixer crud.

The admin also says:

"Jesus people I'm really really sorry, Niber is deleting the ad code from our site right now, I'll try another advertiser later tonight.

We can't allow the current one to continue for another minute.

I'm shocked, the one that allowed all this bullshit to slip through with it's ads is ADXDirect, one of the leading ad companies on the Internet.

I've never seen anything like this, had to uninstall firefox and reset IE back to manufacturer specs - I'm not sure if I need to wipe and reinstall my harddrive, even AVG isn't getting rid of this ***."

The advertising code had been removed from eq2flames by the time I saw the trackback and went to have a look at the eq2flames.com site (although white panels remain where the advertising used to be displayed - a check using Fiddler shows no sign of advertising activity)  so I don't have a trace to show exactly where the adverts are coming from. 

The admin then goes on to say:

"Ok, the ad code is removed, there is no possiblity of this reoccuring.

To remove all this bullshit from my comp, I had to:

-uninstall Firefox
-reinstall IE 7
-Run the MS malicious software tool
-Update IE 7 from Windows Update
-Run AVG + 2 other virus/malware apps - got over 5k bad files total
-reinstall Firefox

Got rid of it all, now running normally.

Again, we've removed that advertisers ad code. In the future, I'm pursuing a zero tolerance policy with this ***. Any malware downloaded = that advertiser is gone."

So, in short, the supplier of the advertising did not clean up its act - eq2flames were forced to remove the advertising completely.  What an amazing amount of grief to go through, all because the site owner wanted to earn some money to try and support the costs of running his web site - and the sad thing is, there are who knows how many other sites being served the same dangerous advertisements, and will continue to be served those advertisements unless and until they complain.

Attention developers: new IE6 and IE7 VPCs based on XPSP2 with the latest patched are planned for release on 10 August 2007

A common request by developers is that they want to run IE6 and IE7 side by side for testing purposes.  To address this need (and help developers avoid having to use the various hacks that almost/kinda/close enough met the developers' need to run IE6 and IE7 on the same machine) the IE team started offering, for free, Virtual PC images of XPSP2 with IE6 or IE7 pre-installed.  The VPCs are already activated, and can be used with Microsoft's Virtual PC product, which is also free.

The IE VPCs are time-bombed, and the last released build is due to expire on 17 August 2007. Pete LePage has announced that a new IE6 and an IE7 VPC image, based on Windows XP SP2 + the latest patches is planned for release on 10 August 2007.


Power to the people - WGA helps shut down the biggest software counterfeiting outfit in history

"Earlier today the Chinese government and the FBI announced the largest bust of counterfeit software manufacturing or distribution ever. The bust by the Chinese Public Security Bureau (PSB) in cooperation with the FBI and help from Microsoft and others was of a syndicate, headquartered in China's Southern Guangdong province that is estimated to have sold more than $2 billion in counterfeit Microsoft software in 27 countries.


More than 1,000 Microsoft customers in 12 different countries who had counterfeits from this particular source used WGA to learn their software was counterfeit, submitted the counterfeits to Microsoft, and forensic and intelligence specialists then traced the counterfeits back to the criminal syndicate in China."

Source (including picture of pirated software):

Posted by sandi with 2 comment(s)
Filed under:

HOTFIX: Appointments that are sent between different Exchange Server organizations may be incorrect by one hour when one of the organizations is in the Western Australia time zone

Yep, I've been hit by this one :o(

Daylight saving time (DST) was introduced to Western Australia for a three-year trial period that started December 3, 2006. The Microsoft Exchange Server 2003 Collaboration Data Objects (CDO) tables and Microsoft Office Outlook Web Access tables do not contain updated DST transition times for the Western Australia time zone if this hotfix is not installed.

You must have Microsoft Exchange Server 2003 Service Pack 2 (SP2) installed before you apply this hotfix.  You may have to restart the passive node in a clustered environment when you apply this hotfix.




Posted by sandi with no comments
Filed under:

Window Snyder fesses up - Firefox also passes "bad data"

Window says:

"Over the weekend, we learned about a new scenario that identifies ways that Firefox could also be used as the entry point. While browsing with Firefox, a specially crafted URL could potentially be used to send bad data to another application.

We thought this was just a problem with IE. It turns out, it is a problem with Firefox as well. We should have caught this scenario when we fixed the related problem in We believe that defense in depth is the best way to protect people, so we’re investigating it now.

We are working to make sure that we are giving you as much information about pressing security issues as possible. We make real-time updates as we find out new information because we are committed to an open and transparent security process."

Quote source:  http://blog.mozilla.com/security/2007/07/23/related-security-issue-in-url-protocol-handling-on-windows/

In the original scenario that started this entire brouhaha, Firefox did not validatate the input that it was receiving from IE, leading to the exploit in question. In that case, FF were in the wrong - it had the responsibility of ensuring that the data it was accepting was safe.  Window Snyder countered that IE was at fault for sending "bad data" to FF in the first place.  And it is that statement, gentle reader, that leads to a parting of the ways.

Several respected experts have said that it should not be IE (or Firefox's) responsibility as CALLER, nor is is realistic or practical, for a CALLER application to validate the data that it passes on to whatever application happens to be CALLED at any particular point in time.  On the contrary, it is the responsibility of the CALLED application to verify the data that it is accepting.

Now, if Mozilla want to continue down their chosen path of verifying data as CALLER before passing it to the CALLED application, all power to them. I wait with bated breath to see how they are going to fix things and what may break in the process.

One other question remains, actually two... why hasn't Snyder credited Jesper with revealing the "new scenario" - in fact, I notice that Window Snyder has gone so far as to remove all links to Jesper's blog entry from the comments about her blog entry, replacing them with the text "(Jesper's Blog)".  I'm struggling to understand why she would do that.  I admit, I have been known to remove links from comments as well, but only because they are dangerous in some way, exposing malware or other unsavory content.

Asa Dotzler, to his credit, has not removed links to Jesper's article from comments on his blog:

For those people who missed it, here is Jesper's article describing the "new scenario":

Alun has his say:

and previously:

As does Markellos on the IE team:

Window Snyder's blog entry that started the maelstrom (with links to Jesper's blog removed from comments):


Posted by sandi with 1 comment(s)

Remote control flaw found in iPhone

Independent Security Evaluators discovered the problem, developed a patch and alerted Apple to the exploits on 17 July 2007.  Vulnerability details will be withheld until 2 August to allow Apple to patch the vulnerabilities.

ISE reports that "The most glaring is that all processes of interest run with administrative privileges. This implies that a compromise of any application gives an attacker full access to the device." 

Why on earth would Apple grant so many processes admin rights?  Did they not learn any lessons from watching us struggle with security problems made worse by the fact that programs insist that they have admin rights to be able to run? Have they not heard of Susan Bradley's Local Administrator/Power User/Non support of Patching/UAC Hall of Shame?

ISE goes on to report that:

"To demonstrate these security weaknesses, we created an exploit for the Safari browser on the iPhone. We used an unmodified iPhone to surf to a malicious HTML document that we created. When this page was viewed, the payload of the exploit forced the iPhone to make an outbound connection to a server we controlled. The compromised iPhone then sent personal data including SMS text messages, contact information, call history, and voice mail information over this connection. All of this data was collected automatically and surreptitiously. After examination of the filesystem, it is clear that other personal data such as passwords, emails, and browsing history could be obtained from the device. We only retrieved some of the personal data but could just as easily have retrieved any information off the device.

Additionally, we wrote a second exploit that performs physical actions on the phone. When we viewed a second HTML page in our iPhone, it ran the second exploit payload which forced it to make a system sound and vibrate the phone for a second. Alternatively, by using other API functions we discovered, the exploit could have dialed phone numbers, sent text messages, or recorded audio (as a bugging device) and transmitted it over the network for later collection by a malicious party."

Attack scenarios

Email - "A link to a malicious site can be included in an email sent to the victim. When the victim clicks the link, they will be taken to the webserver containing the malicious HTML and the exploit will take control of their device."

Man in the middle - "An attacker could set up and advertise a free WiFi hotspot in a heavily populated area. The iPhone will automatically seek these out and ask the user to connect to them. Once connected, all traffic from the victim will pass through the attacker controlled wireless router. The attacker can intercept and change any HTTP traffic intended for the victim. This traffic can invisibly be modified to contain the iPhone exploit code. Again, complete control will be obtained over the iPhone. This time the only actions performed by the victim include using an unsafe WiFi connection and surfing to any website.  WiFi connection and surfing to any website. This last scenario is aided by the fact that iPhones advertise their existence via HTTP headers. In this manner the exploit code can be delivered only to iPhones and not other devices and browsers."

ISE's full report can be downloaded here:


Posted by sandi with no comments
Filed under:

fox news site exposes a working user name and password for ftp.g.ziffdavis.com

Edit: The original source article at linuxinit has been deleted (cue Twilight Theme music)... 

Original source: http://linuxinit.net/site/?id=664  Found via http://blogs.securiteam.com/index.php/archives/966

Fox News have got their asses hanging out in the fresh air, waiting to be kicked - there's no other appropriate description for this.

"While browsing around the Fox News website, I found that directory indexes are turned on. So, I started following the tree up, until I got to /admin. Eventually, I found my way into /admin/xml_parser/zdnet/, in which, there is a shell script. Seeing as it’s a shell script, and I use Linux, I took a peek. Inside, is a username and password to an FTP. So, of course, I tried to login. The result? Epic fail on Fox’s part. And seriously, what kind of password is T1me Out. This is just pathetic."

Surely not, says I ... Fox News is not exactly a backwater newspaper... but nay, somebody has screwed up.  I browsed to http://www.foxnews.com/admin/ and what did I see?  The index of /admin is exposed to the world.

You can see from the screenshot that all of the directories have been untouched since 2006 and earlier, just like the files discovered on the FTP server by linuxinit are all dated between 2002 and 2006.

BUT, that being said, linuxinit reports that the FTP username and password revealed by the shell script still works and THAT, gentle reader, is a dangerous situation for Ziff Davis.

So, what went wrong? How did such a basic breakdown in security protocols happen?  Did a long departed admin, perhaps, get lazy one day in the dim past and create a shell script to make his life a little easier, forgetting to delete it before leaving.

Perhaps the existence and location of the shell script were undocumented and unknown to anybody else but the person who created it.

Or perhaps somebody forgot to reset the password for the FTP user account... or forgot to disable the account ...

Who the hell knows? All I do know is that it is absolutely crazy to have a shell script that contains a username and password so easily accessible to anybody with enough curiosity, bravado and brains to find it.

Ziff Davis should be extremely grateful that those behind linuxinit are honest enough to alert them to the problem.  Somebody less honest could have turned ftp.g.ziffdavis.com into an FTP for hire.

Edit: I note that Index of /admin is no longer accessible. All we see now is...


Posted by sandi with no comments

Firefox vulnerable to username and password theft

Firefox is not having a good week.  Hot on the heels of the "Hey Mozilla: Quotes are not legal in a URL" embarrassment, a vulnerability that exposes the usernames and password of FF users has been reported that apparently affects Firefox and earlier.

To quote Heise Security, "Firefox, if allowed, can store usernames and passwords. If you visit a login page again, the password is then entered automatically. But this means, that a second, evil page on the same server could steal those saved passwords."

Demonstration page here:

Javascript must be enabled for the exploit to work.

This vulnerability holds a real potential for harm in the current internet environment wherein criminals are hacking into servers all over the world and inserting malicious code on legitimate Web pages - code that tries to take advantage of various security exploits affecting Firefox, Opera and IE to infect a visitor's Web browser.  It would be a simple matter for the criminals to also upload an "evil page" to a hacked server to capture usernames and passwords of FF users.

Posted by sandi with 1 comment(s)

Jesper is alive and posting ... damn it's good to see him back

And... he hasn't lost his special knack for being able to aim his riposte just right...

My regular readers will remember my indignant reaction to Mozilla.org's advice that we should use Firefox to browse the web to prevent attackers from exploiting MFSA 2007-23.

Well, Jesper took things one step further after he spotted a blog post by Window Snyder, in which she repeats Mozilla.org's advice by saying:

"This patch for Firefox prevents Firefox from accepting bad data from Internet Explorer. It does not fix the critical vulnerability in Internet Explorer. Microsoft needs to patch Internet Explorer, but at last check, they were not planning to. Mark Griesi is quoted in Infoworld saying “We don’t feel that there’s an issue in IE, and therefore, there’s nothing to be fixed.”

Mozilla recommends using Firefox to browse the web to prevent attackers from taking advantage of this vulnerability in Internet Explorer."

Asa Dotzler also said for Firefox that "At Mozilla, we were able to address the biggest part of this problem in Firefox ages ago by simply escaping quotes in URLs before handing them off."

I say to Asa, are you are absolutely certain that you are correct?  Jesper did a little digging, and a little experimenting, and discovered that Firefox also does not escape quotes in URLs before it passes them on to protocol handlers.  In short, Firefox no longer accepts "bad data" (Windows Snyder's description) from IE, but happily continues to pass what it calls "bad data" on to protocol handlers.  Umm, oops.

Note that Jesper stands by his original opinion that any "fault" lies with the program that creates a vulnerable protocol handler and fails to validate input, not the program that calls the said protocol handler. 

Markellos Diorinos, an IE Product Manager, also explained things very clearly when he said:

"The number of potential applications (and protocol handlers) is effectively limitless, allowing for many new and exciting ways to enrich the Web.  However, as with many extension models, there are security implications. In this example, one potential threat is that the custom URL may have dangerous parameters, such as strings that are too long and might cause a buffer overflow. The limitless variety of applications and their unique capabilities make it very difficult to have any meaningful automated parameter validation by the hosting (caller) application. It is the responsibility of the receiving (called) application to make sure it can safely process the incoming parameters"

Just like Jesper and Markellos, I am of the opinion that Firefox isn't actually doing anything wrong in this instance, but unfortunately for Mozilla.org and Snyder, that is not the stance that *they* have taken - this embarrassing situation is entirely of their own making.  Why didn't Mozilla tell us about the Firefox behaviour as revealed by Jesper?  Did Mozilla not check to make sure that Firefox does not pass what Snyder called "bad data"? 

What will Windows and Mozilla.org say now that Firefox has been shown to be guilty of the very "critical vulnerability" they have been criticizing Internet Explorer for?  Will we see an apology?  A retraction? A promise to spend less time bashing IE and trying to increase the Firefox user base, and more time putting user safety first, even if it means admitting that you're guilty of an equal sin (a sin in their eyes, not Microsoft's)?

Hey Snyder and Asa, you'd better look behind you ...


Posted by sandi with 1 comment(s)
Filed under:

even the experts can be fooled by phishing sites

Yep, even me.

McAfee SiteAdvisor have released a phishing quiz.

I went in with supreme confidence ... I can ace this quiz said I ... nope, I got 9 out of 10.

"So which question did you get wrong?:, I hear you ask.  It was the question about Chase Bank - I immediately rejected the *real* site because it asked for a Social Security number.  My thinking, as a non-American, was that a legitimate banking site would not be so silly as to desensitize their users to dangerous internet practice by asking them to enter their Social Security Number into an online loan application - it seems I was wrong.  Anyway, because of my reaction to the request for a Social Security Number I only glanced at the other site and was fooled.

It just goes to show - never make assumptions when dealing with phishing sites.  And don't get over-confident; over-confidence leads to mistakes.


Internet Explorer stops responding when you use the AttachEvent method in an ASP.NET application to embed a Microsoft Office Web Components spreadsheet control in IE6

You see the following error messages:

Internet Explorer has encountered a problem with an add-on and needs to close.

The following add-on was running when the problem occurred:

File: owc11.dll
Company Name: Microsoft Corporation
Description: Microsoft Office Web Components 2003
Learn more about add-ons.

When you click on Continue you see...

Internet Explorer has encountered a problem and needs to close. We are sorry for the inconvenience.

If you were in the middle of something, the information you where working on might be lost.

Please tell Microsoft about this problem!

We have created an error report that you can send to help us to improve Internet Explorer. We will treat this report as confidential and anonymous.

To see what data this report contains click here.

To resolve this problem, use attributes instead of events in the code for the application. Then, try running the application again.


Posted by sandi with no comments
Filed under:

Your questions answered: Smartbridge Alerts problem when using IE7

How can I not answer the following plea for help?

"how do i get rid of smartbridge alerts , please it is driving me crackers."

I assume that the error the writer is complaining about is very similar, if not identical, to this:



Software that may trigger this error includes Exchange System Manager Help (Exchange 2000/2003) (note that the ESM embedded in Server Management Console is not affected), McAfee software, BT Broadband Help (BT Yahoo Help), Motive SmartBridge, Hal Screen Reader and Supernova Reader Magnifier by Dolphin.

The fix is to go to the installation location for the affected software.

Find PSAPI.DLL in the installation location for the affected software and rename it to something else, such as PSAPIOLD.DLL.

**Do not rename the PSAPI.DLL file in your \\Windows\System32 directory. **

Restart the computer.

Your questions answered: IE7 crashes when a window is closed

I received this email today:

"I use Vista.  Each time I close an I.E. window I get a message that IE has stopped working and, eventually IE restarts when I want it closed,  Can you help?"

If I were a betting person I'd put my money on an add-on - most likely a toolbar.

You have two options - run IE7 in no add-ons mode, or use RIES (Reset Internet Explorer Settings).

Information about RIES is here:

If you decide to be more hands on and diagnose exactly what is going on, and try no add-ons mode, use the instructions below to troubleshoot the cause of your issue. 

Troubleshoot IE7:

If the problem goes away when using no add-ons mode, then you know your culprit is an add-on.  From that point it is a matter of trial and error to track down what is causing a problem.


security update: firefox released

It is recommended that you update to this version as soon as possible - download here:

Vulnerabilities fixed:

MFSA 2007-25 XPCNativeWrapper pollution

MFSA 2007-24 Unauthorized access to wyciwyg:// documents

MFSA 2007-23 Remote code execution by launching Firefox from Internet Explorer

MFSA 2007-22 File type confusion due to %00 in name

MFSA 2007-21 Privilege escalation using an event handler attached to an element not in the document

MFSA 2007-20 Frame spoofing while window is loading

MFSA 2007-19 XSS using addEventListener and setTimeout

MFSA 2007-18 Crashes with evidence of memory corruption

Be warned, if you are using a version of Firefox earlier than 1.5.x you will need to manually download and install the update.  Users of later versions should be prompted to update, if not they can open Firefox, click on "Help" and then click on "Check for Updates."

MFSA 2007-23 Remote code execution by launching Firefox from Internet Explorer has received a lot of attention since it became public... some blamed Firefox, some blamed IE, and let's be honest, far more blamed IE.  The Mozilla Foundation were even cheeky enough to say that they "highly recommend(s) using Firefox to browse the web to prevent attackers from exploiting this problem in Internet Explorer"

Hang on a sec - that statement is nearly as cheeky as Apple saying they were upset with Windows when new iPods were shipped complete with a worm/trojan ...

Let's look at what happened:

  • Firefox introduced a security vulnerability by creating a protocol handler that doesn't validate URLs properly
  • Mozilla tell everybody to use Firefox and avoid IE so that the vulnerability that they introduced cannot be used

Um no... when the *Firefox* product creates a vulnerability on my system, then Mozilla fixes the problem, they don't tell me to stop using their competitor's product - especially when the protocol handler created is not for the exclusive use of Internet Explorer.

Cite: http://www.kb.cert.org/vuls/id/358017 "if a remote attacker can persuade a user with Firefox installed to access a specially crafted web page using Internet Explorer, and perhaps other Windows applications, the malicious JavaScript will be executed. Reports claim this vulnerability is introduced when Firefox versions and later are installed."

Cite: http://www.mozilla.org/security/announce/2007/mfsa2007-23.html

"Note: Other Windows applications can be called in this way and also manipulated to execute malicious code. This fix only prevents Firefox and Thunderbird from accepting bad data. This patch does not fix the vulnerability in Internet Explorer."

Sorry, but I'm siding with Jesper:

"It is clear from the documentation that it is incumbent upon the application to validate the URL string. If the application can accept, and process, dangerous commands through its protocol handler, as Firefox does, it is even more critical that the application take care to validate the URL before processing it. In fact urlmon.dll even provides such a way."

Internet Explorer stops unexpectedly when you try to use a JavaScript command to start Internet Explorer at a specific size and location

When you try to use the following command to start Windows Internet Explorer at a specific size and location, the command does not work, and Internet Explorer stops unexpectedly:

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" "BLOCKED SCRIPTresizeTo(800,600);moveTo(0,0);document.location.href='http://www.msn.com'"

This problem occurs when you use the following versions of Microsoft Windows:

• Microsoft Windows XP with Service Pack 2
• Microsoft Windows Server 2003 with Service Pack 1

This problem does not occur when you use the following versions of Windows:

• Microsoft Windows 2000 with Service Pack 4
• Microsoft Windows Server 2003 without a service pack installed

This problem occurs because you cannot use JavaScript to resize the Internet Explorer window. This restriction is for security reasons. Internet Explorer does not support using JavaScript from the command line.


A comprehensive list of IE7 related Knowledge Base articles can be found here:

Posted by sandi with no comments
Filed under:
More Posts Next page »