February 06, 2004

MS04-004 : Cumulative Security Update

MS04-004 is a cumulative security update (Microsoft KB832894) which addresses 3 issues:

* A cross-site scripting issue
* A drag-and-drop DHTML vulnerability, and
* An incorrect parsing of URLs.

It also makes URLs of the form http://username:password@site/something-else invalid. Note that URLs of that form are acceptable according to the W3C and are a shorthand way of specifying an unencrypted username/password pair.

This bulletin replaces MS03-048.

Posted by tony at 09:05 PM | Comments (0)

February 05, 2004

Secure firewalls?

Imagine having a truly state-of-the-art firewall. One that's recognized as being one of the best around. How would you feel if you found out that it was susceptible to penetration? You should feel better about things. Know why? 'Cause nothing's truly secure. And knowing about the vulnerability is better than not knowing. What you should care about is how quickly your vendor responds to vulnerabilities.

OK, so, US-CERT's reported this vulnerability in Check Point's Firewall-1 NG with Application Intelligence which allows an attacker to penetrate by attacking in a particular way. The good news? Check Point's already got a fix.

Posted by tony at 07:53 PM | Comments (0)

February 04, 2004

More (better) detail on IE spoofing flaw

V7#3 of Woody's Windows Watch offers some very good insight into Secunia's Internet Explorer File Download Extension Spoofing advisory. None of the information in the Woody's Watch article is really new, but it explains things in ways that help one (me, in particular) understand the exposures a little better.

(If that link to the Woody's Watch article doesn't work yet, try this one and if it still doesn't work, try again in a few hours -- I just got the email newsletter and there's sometimes a lag before the newsletter makes it on to his website.)

The long and short of Woody's article: NEVER use "Open" when you're downloading a file, ALWAYS use "Save", even if you think you're an expert on these things. And if you're reading email and there's an attachment, even if it looks benign ("no, that's not an executable, it's a PDF"), it might not be -- check to make sure that the sender actually sent you the email and included the attachment. And, again, don't "Open" the attachment, "Save" it and make sure it's what you think it is.

Posted by tony at 02:34 PM | Comments (1)

February 03, 2004

Now why would you want one of those?

Take a look at this. A combination wireless spycam and AM/FM Clock Radio from TigerDirect.

Posted by tony at 07:25 PM | Comments (0)

2 concurrent sessions in Windows XP SP2

Supposedly, XP SP2 will give you the ability to have one user logged in locally and one user logged in remotely, over Remote Desktop. According to this FAQ from Windows and .NET Magazine:

1. Start a registry editor (e.g., regedit.exe).
2. Navigate to the
Server\Licensing Core registry subkey.
3. From the Edit menu, select New, DWORD Value.
4. Enter the name EnableConcurrentSessions, then press Enter.
5. Double-click the new value, then set it to 1.

I'll have to give it a try when I finally install a production version of SP2.

Posted by tony at 04:44 PM | Comments (0)

Windows XP Keyboard shortcuts

Did you know there's a keyboard shortcut to move focus between the items in the system tray? There is: Ctrl-Windows Logo Key-Tab will get you there, and then you can use the Left and Right cursor keys to move between them, bringing up context menus or whatever you like.

Having been raised on keypunch machines, VT100s and 3270s, I've always fancied myself a keyboard kinda guy, priding myself on being able to do just about anything with a keyboard on a contemporary Windows system. Well, I learned something from Microsoft KnowledgeBase article 126449, including that little gem I started with.

Posted by tony at 04:32 PM | Comments (0)

Wardriving maps/locators

Pete's Demo Wardriving Maps (SF Bay area)
WiFiMaps.com (maintenance until Feb 7, 2004)

Posted by tony at 04:25 PM | Comments (0)