MS04-004 is a cumulative security update (Microsoft KB832894) which addresses 3 issues:
* A cross-site scripting issue
* a drag-and-drop DHTML vulnerability and
* an incorrect parsing of URLs.
It also makes URLs of the form http://username:password@site/something-else invalid. Note that URLs of that form are acceptable according to the W3C and is a shorthand way of specifying an unencrypted username/password pair.
This bulletin replaces MS03-048.
Imagine having a truly state-of-the-art firewall. One that's recognized as being one of the best around. How would you feel if you found out that it was susceptible to penetration? You should feel better about things. Know why? Cause nothing's truly secure. And knowing about the vulnerability is better than not knowing. What you should care about is how quickly your vendor responds to vulnerabilities.
OK, so, US-CERT's reported this vulnerability in Check Point's Firewall-1 NG with Application Intelligence which allows an attacker to penetrate by attacking in a particular way. The good news? Check Point's already got a fix.
V7#3 of Woody's Windows Watch offers some very good insight into Secunia's Internet Explorer File Download Extension Spoofing advisory. None of the information in the Woody's Watch article is really new but it explains things in ways that helps one (me, in particular) understand the exposures a little better.
(If that link to the Woody's Watch article doesn't work yet, try this one and if it still doesn't work, try again in a few hours -- I just got the email newsletter and there's sometimes a lag before the newsletter makes it on to his website.)
The long and short of Woody's article: NEVER use "Open" when you're downloading a file, ALWAYS use "Save", even if you think you're an expert on these things. And if you're reading email and there's an attachment, even if it looks benign ("no, that's not an executable, it's a PDF"), it might not be -- check to make sure that the sender actually sent you the email and included the attachment. And, again, don't "Open" the attachment, "Save" it and make sure it's what you think it is.
Take a look at this. A combination wireless spycam and AM/FM Clock Radio from TigerDirect.
Supposedly, XP SP2 will give you the ability to have one user logged in locally and one user logged in remotely, over Remote Desktop. According to this FAQ from Windows and .NET Magazine:
1. Start a registry editor (e.g., regedit.exe).
2. Navigate to the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal
Server\Licensing Core registry subkey.
3. From the Edit menu, select New, DWORD Value.
4. Enter the name EnableConcurrentSessions, then press Enter.
5. Double-click the new value, then set it to 1.
I'll have to give it a try when I finally install a production version of SP2.
Did you know there's a keyboard shortcut to move focus between the items in the system tray? There is. -- Ctrl-Windows Logo Key-TAB will get you there and then you can use the Left and Right cursor keys to move between them, bringing up context menus or whatever you like.
Having been raised on keypunch machines, VT100s and 3270s, I've always fancied myself a keyboard kinda guy, priding myself on being able to just about anything with a keyboard on a contemporary Windows system. Well, I learned something from Microsoft KnowledgeBase article 126449, including that little gem I started with.
Pete's Demo Wardriving Maps (SF Bay area)
WiFiMaps.com (maintenance until Feb 7, 2004)