<?xml version="1.0" encoding="iso-8859-1"?>
<rss version="2.0">
<channel>
<title>Blogcritics</title>
<link>http://blogcritics.org/</link>
<description>A sinister cabal of superior bloggers on music, books, film, popular culture, politics, and technology - updated continuously.</description>
<language>en</language>
<copyright>Copyright 2005-2007 by the authors</copyright>
<lastBuildDate>Mon, 18 Jun 2007 10:44:55 EDT</lastBuildDate>
<docs>http://backend.userland.com/rss</docs>
<generator>Blogcritics.org custom software</generator>

<item>
<title>Announcement: Short-content feeds</title>
<link>http://blogcritics.org/</link>
<author>Phillip Winn</author><description>Sunday, August 26, 2007, marks the switch of all Blogcritics.org article feeds from full-content to short-content. This is the result of several converging factors, and is unfortunately a permanent decision (as permanent as any decision can be on the web, that is). We are aware of all of the reasons that this is a Bad Idea, and we are aware that some of you will be quite upset about having to click on something to read the free content, and we&#039;re sorry. Unfortunately, despite great effort, full-content feeds are not currently economically viable.

Two other factors are involved: full-content feeds have resulted in an unprecedented level of content theft, with BC content appearing on many websites, usually spam sites, without attribution or permission. This duplicate content causes a cascading set of problems, not the least of which is that search engines generally aren&#039;t favorable to duplicate content, and don&#039;t always guess correctly. Finally, our RSS advertising partner is strongly in favor of short-content feeds.

We hope that you&#039;ll continue to subscribe to BC via RSS, and when an article grabs your eye, it&#039;s only a click away, still free on the BC website. Thank you for your understanding.</description>
<category>Administration</category><guid isPermaLink="false">0@blogcritics.org</guid>
<pubDate>Sun, 26 Aug 2007 12:00:00 EDT</pubDate>
</item>
<item>
<title>Adobe, Microsoft, and Apple -- The BugBlog Report</title>
<link>http://blogcritics.org/archives/2007/06/18/104455.php</link>
<author>Bruce Kratofil</author><description>Here are some of the most significant bugs from the past week in the BugBlog:

According to the Adobe Dreamweaver CS3 for Windows Read Me, if you create a CSS file in Dreamweaver that is exactly 8192 bytes, or some multiple of 8192 bytes, in size, Dreamweaver will crash. It also won&amp;#39;t restart until you change the size of that stylesheet. Luckily, you don&amp;#39;t have to use Dreamweaver -- any text editor, including Windows Notepad, will do. Open the file there, and add or subtract a few characters or comments.

Connect a USB telephony device to a Windows Vista computer, and Vista may decide to make it the default audio device. That should play havoc with audio/visual applications. Microsoft says this is because Vista sees that the device has audio capabilities, but doesn&amp;#39;t determine the correct kind. There is a hotfix for this, which will be in a future service pack. If you need it right away, see the MS KnowledgeBase.

Just to point out the obvious -- the recently-released Apple Safari for Windows is still a beta product. Beta products are supposed to have bugs. In this case, Symantec (and others) point out that Safari for Windows is vulnerable to a number of well-known browser exploits, including denial of service and remote code exploits. Read more at Symantec.

&lt;div id=&quot;authorbio&quot;&gt;Bruce Kratofil blogs on bugs and other things that can go wrong with  your computer at &lt;a href=&quot;http://www.bjkresearch.com/bugblog&quot;&gt;The BugBlog&lt;/a&gt;, and writes about computers and  economics at &lt;a href=&quot;http://www.bjkresearch.com&quot;&gt;BJK Research&lt;/a&gt;&lt;/div&gt;</description>
<category>Sci/Tech</category><guid isPermaLink="false">65391@blogcritics.org</guid>
<pubDate>Mon, 18 Jun 2007 10:44:55 EDT</pubDate>
</item>
<item>
<title>Microsoft, Adobe, and Apple - The BugBlog Report 4/18/07</title>
<link>http://blogcritics.org/archives/2007/04/18/211526.php</link>
<author>Bruce Kratofil</author><description>Code that attacks an unpatched hole in Microsoft Windows DNS (Domain Name System) is now being circulated over the Internet. This code means that you won&amp;#39;t need to be particularly skilled to exploit the bug, which may allow attackers to completely take over your system. Read more at ZD Net. Microsoft&amp;#39;s official response is &amp;quot;We&amp;#39;re working on it&amp;quot; but they do have some temporary fixes here that include turning off some services and firewall tweaks.

Adobe says that the Zone Labs ZoneAlarm security program may interfere with the installation of Adobe Photoshop CS3 for Windows. That&amp;#39;s because the installation needs to modify the Registry, and ZoneAlarm prevents that. There are two possible workarounds from Adobe (three if you count checking with ZoneAlarm for help). Either disable ZoneAlarm while you install the product, or turn on ZoneAlarm&amp;#39;s Control Program Access. See Adobe for details.

Remote attackers may be able to gain access to users of an Apple AirPort Extreme Base Station with 802.11n. According to Apple, this is because the Base Station default configuration allows incoming IPv6 connections. Apple has changed this configuration in the Firmware Update 7.1. Only local network traffic will be allowed to use IPv6. Get the update details here.

&lt;div id=&quot;authorbio&quot;&gt;Bruce Kratofil blogs on bugs and other things that can go wrong with  your computer at &lt;a href=&quot;http://www.bjkresearch.com/bugblog&quot;&gt;The BugBlog&lt;/a&gt;, and writes about computers and  economics at &lt;a href=&quot;http://www.bjkresearch.com&quot;&gt;BJK Research&lt;/a&gt;&lt;/div&gt;</description>
<category>Sci/Tech</category><guid isPermaLink="false">62769@blogcritics.org</guid>
<pubDate>Wed, 18 Apr 2007 21:15:26 EDT</pubDate>
</item>
<item>
<title>Congress Wins the Bug of the Month Award</title>
<link>http://blogcritics.org/archives/2007/03/03/233144.php</link>
<author>Bruce Kratofil</author><description>Every month the BugBlog picks its Bug of the Month, the most significant bug found in the past month. Sometimes the bug will be the one which could potentially cause the most damage; sometimes it will be the bug which affects the most users. And sometimes, it will be the bug that is just the most interesting bug. This bug will be selected either from the free Bug of the Day, or from the subscription-only BugBlog Plus. This month the Bug of the Month award goes to the U.S. Congress. While there may be ample reasons to criticize Congress, in this particular case it was for the relatively rapid change-over to new dates for Daylight Savings Time. That has meant that software manufacturers have had to hustle out fixes for software that tracks the &amp;quot;Spring Ahead, Fall Back&amp;quot; days. Some of the items in the BugBlog or BugBlog Plus this month that covered these patches include:

Apple says that most of the Daylight Savings Time rule changes for the US and Canada are already in Mac OS X 10.4.5 and later. If you have questions about earlier versions of Mac OS X, go here.

Apple says that if you are using Mac OS X 10.0.x through 10.2.8, you will need to adjust your computer&amp;#39;s clock manually when Daylight Savings Time comes. These older versions of OS X apparently won&amp;#39;t get a patch to adjust for the &amp;quot;spring ahead&amp;quot; dates.

If you administer an IBM WebSphere Portal Mail and World Clock server, and you aren&amp;#39;t sure yet what you need to do for the new Daylight Savings Time switchover, see this document.

If you are running IBM Lotus Notes or Domino, you will need to make some adjustments due to the change in Daylight Savings Time implementation. Do nothing, and your appointments from March 12 through March 31 may be an hour late. See this page for links to fix information.

Daylight Saving Time starts earlier this year. Any software, such as your operating system, that automatically does the &amp;quot;spring ahead, fall back&amp;quot; may not be able to handle the change. Microsoft has a February 2007 cumulative time zone update for Microsoft Windows that will make the adjustment. Follow the link to the patch for your version of Windows.

Microsoft has a Time Zone Data Update Tool for Microsoft Office Outlook that will configure Outlook for the changes in Daylight Savings Time. Read the extensive discussion of this tool, as well as some Windows Registry edits that need to be made.

If you apply the Time Zone Data Update Tool for Microsoft Office Outlook, it will not change any recurring calendar items in Outlook Web Access. Microsoft says that creators of those repeating items will have to manually update them.

If you maintain any Java applications that may be affected by the change in Daylight Savings Time in the US and Canada, Sun Microsystems has a paper discussing some of the ramifications. Read it here.

So for triggering these patches (and for making me revert to getting up in the morning in pitch darkness for another couple of weeks) the U.S. Congress wins their first Bug of the Month award.

&lt;div id=&quot;authorbio&quot;&gt;Bruce Kratofil blogs on bugs and other things that can go wrong with  your computer at &lt;a href=&quot;http://www.bjkresearch.com/bugblog&quot;&gt;The BugBlog&lt;/a&gt;, and writes about computers and  economics at &lt;a href=&quot;http://www.bjkresearch.com&quot;&gt;BJK Research&lt;/a&gt;&lt;/div&gt;</description>
<category>Sci/Tech</category><guid isPermaLink="false">60486@blogcritics.org</guid>
<pubDate>Sat, 3 Mar 2007 23:31:44 EST</pubDate>
</item>
<item>
<title>Microsoft and Mozilla -- The BugBlog Report 2/26/07</title>
<link>http://blogcritics.org/archives/2007/02/27/164107.php</link>
<author>Bruce Kratofil</author><description>Here are some of the most significant bugs from the past week in the BugBlog:

eEye Digital Security says they have found a bug in Microsoft Office Publisher 2007 that can be used by remote attackers. As a result, the attackers may be able to run their code on your computer, at the security level of the logged-in user. eEye sent the details on to Microsoft on 2/16. Keep an eye on their bulletin for updates. Until a fix is ready, be wary of Publisher files that you don&amp;#39;t create yourself.

Try to install Windows Vista, and you may get this error report:
Error 0xC004F02A - The Software Licensing Service reported that the license is invalid.
What Microsoft says might be the case, however, is that the BIOS for this computer is incompatible with Vista, or is outdated. That means you may need a BIOS update. Microsoft has the details here.

Mozilla has released Firefox 2.0.0.2, along with Firefox 1.5.0.10 and SeaMonkey 1.0.8. This is a bugfix release that takes care of a number of bugs that could cause a crash and corrupt memory. Malicious websites may be able to take advantage of this bug to run hostile code. Get the updates either at their website or through the Firefox automatic update.

&lt;div id=&quot;authorbio&quot;&gt;Bruce Kratofil blogs on bugs and other things that can go wrong with  your computer at &lt;a href=&quot;http://www.bjkresearch.com/bugblog&quot;&gt;The BugBlog&lt;/a&gt;, and writes about computers and  economics at &lt;a href=&quot;http://www.bjkresearch.com&quot;&gt;BJK Research&lt;/a&gt;&lt;/div&gt;</description>
<category>Sci/Tech</category><guid isPermaLink="false">60267@blogcritics.org</guid>
<pubDate>Tue, 27 Feb 2007 16:41:07 EST</pubDate>
</item>
<item>
<title>Apple, Microsoft, and Mozilla - The BugBlog Report 2/19/07</title>
<link>http://blogcritics.org/archives/2007/02/20/080836.php</link>
<author>Bruce Kratofil</author><description>Here are some of the most significant bugs from the past week in the BugBlog:

Apple&amp;#39;s Security Update 2007-002 fixes two bugs in iChat for Mac OS X 10.3.9 and 10.4.8. One bug may let attackers on a local network crash the iChat client. The second may cause iChat to crash or possibly run hostile code, if you visit a malicious website. These bugs were originally reported by the Month of Apple Bugs project.

Now that Microsoft has released a patch for previous zero-day bugs plaguing Microsoft Word, it is time for the bad guys to release new zero-day bugs. Microsoft says they are researching a new bug that may target Word 2000 and Word XP. The vulnerability can only be triggered if you open a maliciously-designed document. Microsoft is tracking this particular bug here.

There is a bug in the way that Mozilla browsers, including Firefox, handle URIs in a webpage with frames. This may allow an opportunity for a cross-site scripting attack, where a user can be tricked into giving information to a malicious website. There is no fix yet. You can see the details at US-CERT. Michal Zalewski is credited with finding this bug.

&lt;div id=&quot;authorbio&quot;&gt;Bruce Kratofil blogs on bugs and other things that can go wrong with  your computer at &lt;a href=&quot;http://www.bjkresearch.com/bugblog&quot;&gt;The BugBlog&lt;/a&gt;, and writes about computers and  economics at &lt;a href=&quot;http://www.bjkresearch.com&quot;&gt;BJK Research&lt;/a&gt;&lt;/div&gt;</description>
<category>Sci/Tech</category><guid isPermaLink="false">59907@blogcritics.org</guid>
<pubDate>Tue, 20 Feb 2007 08:08:36 EST</pubDate>
</item>
<item>
<title>Apple, Cisco, and Microsoft - The BugBlog Report 2/12/07</title>
<link>http://blogcritics.org/archives/2007/02/12/150036.php</link>
<author>Bruce Kratofil</author><description>Here are some of the most significant bugs from the past week in the BugBlog:

Apple has a firmware update for MacBooks. The MacBook SMC Firmware Update v1.1 is supposed to fix some bugs that were causing unexpected shutdowns, otherwise known as crashes. You&amp;#39;ll need to be updated to Mac OS X 10.4.8 to be able to see the SMC Update. Find out more here.

Daylight Savings Time starts earlier this year. Any software, such as your operating system, that automatically does the &amp;quot;spring ahead, fall back&amp;quot; may not be able to handle the change. Microsoft has a February 2007 cumulative time zone update for Microsoft Windows that will make the adjustment. Follow the link to the patch for your version of Windows.

The encryption that Windows Vista uses for communicating with secure web pages via SSL (Secure Sockets Layer) is not compatible with the encryption used by Cisco PIX 515E firewalls. Try to use Internet Explorer 7 on Vista from behind one of these firewalls, and you may see this error message with secure pages: Internet Explorer cannot display the webpage. Microsoft says the Cisco firewall can only use the weaker DES. They have a workaround that weakens security. They also prod Cisco on that page to provide an update.

&lt;div id=&quot;authorbio&quot;&gt;Bruce Kratofil blogs on bugs and other things that can go wrong with  your computer at &lt;a href=&quot;http://www.bjkresearch.com/bugblog&quot;&gt;The BugBlog&lt;/a&gt;, and writes about computers and  economics at &lt;a href=&quot;http://www.bjkresearch.com&quot;&gt;BJK Research&lt;/a&gt;&lt;/div&gt;</description>
<category>Sci/Tech</category><guid isPermaLink="false">59576@blogcritics.org</guid>
<pubDate>Mon, 12 Feb 2007 15:00:36 EST</pubDate>
</item>
<item>
<title>Adobe Acrobat Wins Bug of the Month</title>
<link>http://blogcritics.org/archives/2007/02/05/194647.php</link>
<author>Bruce Kratofil</author><description>Every month the BugBlog picks its Bug of the Month, representing the most significant bug found in the past month. Sometimes, the bug will be the one which could potentially cause the most damage; sometimes it will be the bug which affects the most users. And sometimes, it will be the bug that is just the most interesting bug. This bug will be selected either from the free Bug of the Day, or from the subscription-only BugBlog Plus.

This month the Bug of the Month goes to Adobe for the problems in Adobe Reader and Adobe Acrobat. The first report was on January 4:

There are a number of bugs in the Adobe Acrobat Plug-In for browsers, and in the free Adobe Reader 6 and 7. A malicious website may be able to carry out cross-site scripting attacks because the browser plug-in doesn&amp;#39;t correctly validate URI parameters. There&amp;#39;s no official word from Adobe, although US CERT says that it appears the bugs were fixed in Adobe Reader 8. Read their report. Stefano Di Paola, Giorgio Fedon, and Elia Florio are credited with finding these bugs. UPDATE: Adobe now has a bulletin online.

The reason for the update in that bug report was that Adobe didn&amp;#39;t have a bulletin online when the US CERT report (and BugBlog item) was first reported. The next BugBlog item came on January 10:

Adobe now has a patch for the security problems in Adobe Reader and Acrobat 7.0.8 and earlier versions. The bugs, which were in the 1/4 BugBlog, may allow both cross-site scripting attacks and the ability of the attackers to take over the victim&amp;#39;s computer. Adobe&amp;#39;s earlier advice was to upgrade to the Adobe Reader 8. They now have a patch that will fix version 7.0.8 of the Reader as well as Acrobat Elements, Standard, and Professional. (Good news for those latter users, since the upgrade from 7.0.8 to 8.0 will normally not be free). Get the patch.

Why this bug? First, because of the widespread use of Adobe Acrobat. Just about everyone has either the Adobe plug-in for their browser or the Adobe Reader software installed. The Adobe Acrobat software, either Elements, Standard or Professional, is not as universal, but still has a rather large installed base. Thus, the bug affects lots of users.

Second, this points out that PDF documents can cause problems, which is unfortunate because at this time many people may be suggesting PDFs as a replacement strategy for exchanging documents. The reason you may need a replacement strategy is that there are currently four unpatched zero-day bugs affecting Microsoft Word (see the January Bug of the Month for coverage of this), and you may have reason to be a little paranoid about Word docs that show up as email attachments. While you may wish to suggest PDFs as a replacement, you cannot suggest that they themselves never have security problems.

&lt;div id=&quot;authorbio&quot;&gt;Bruce Kratofil blogs on bugs and other things that can go wrong with  your computer at &lt;a href=&quot;http://www.bjkresearch.com/bugblog&quot;&gt;The BugBlog&lt;/a&gt;, and writes about computers and  economics at &lt;a href=&quot;http://www.bjkresearch.com&quot;&gt;BJK Research&lt;/a&gt;&lt;/div&gt;</description>
<category>Sci/Tech</category><guid isPermaLink="false">59215@blogcritics.org</guid>
<pubDate>Mon, 5 Feb 2007 19:46:47 EST</pubDate>
</item>
<item>
<title>Windows Vista - The BugBlog Report 1/29/07</title>
<link>http://blogcritics.org/archives/2007/01/29/173049.php</link>
<author>Bruce Kratofil</author><description>A number of people have asked me if they should upgrade to Windows Vista. I reply with a quote from a wise old philosopher, Dirty Harry. &amp;quot;It all depends, do you feel lucky?&amp;quot; In honor of the Windows Vista release, here is an all Vista BugBlog Report:

Try to activate Windows Vista, and you may get an error message that includes one of these error codes: 0XC004D401 or 0x80080250. According to Microsoft, these codes show that there is an incompatibility between Vista and your antivirus software or your digital rights management (DRM) software. You&amp;#39;ll have to upgrade that software before you can activate Vista.

It appears that Intuit QuickBooks 2006 is not compatible with Windows Vista. In this case, the blame appears to lie with Intuit, for QuickBooks uses some techniques in communicating via the Registry that violate Windows XP standards, much less the newer Vista. David Berlind covers this in a number of posts.

If you are running a Microsoft Office 2007 application on a Windows Vista computer, and you try to print to a Dell printer, your computer may lock up. Microsoft does not specify which Dell printers have a problem, but they say to check with Dell for a new printer driver. You may also want to switch things so the Dell printer is not the default printer. Keep an eye on this web page for updates.

Microsoft says that unformatted DVD-RAM disks cannot be formatted by Windows Vista. However, Vista is able to reformat a DVD-RAM disk that has already been formatted. The only workaround is to make sure you buy pre-formatted disks.

Microsoft has a list of when third-party VPN (virtual private network) clients will be available for Windows Vista. These include clients for Aventail, Checkpoint, Cisco, Citrix, F5 Networks, Juniper Networks, NCP, Nortel, and SafeNet. At this point, the majority of them are unavailable. See this page for the estimated dates.

&lt;div id=&quot;authorbio&quot;&gt;Bruce Kratofil blogs on bugs and other things that can go wrong with  your computer at &lt;a href=&quot;http://www.bjkresearch.com/bugblog&quot;&gt;The BugBlog&lt;/a&gt;, and writes about computers and  economics at &lt;a href=&quot;http://www.bjkresearch.com&quot;&gt;BJK Research&lt;/a&gt;&lt;/div&gt;</description>
<category>Sci/Tech</category><guid isPermaLink="false">58891@blogcritics.org</guid>
<pubDate>Mon, 29 Jan 2007 17:30:49 EST</pubDate>
</item>
<item>
<title>Storm Worm, Symantec, and Java - The BugBlog Report 1/22/07</title>
<link>http://blogcritics.org/archives/2007/01/22/185815.php</link>
<author>Bruce Kratofil</author><description>Here are some of the most significant bugs from the past week from BugBlog:

If you want information on the storms hitting Europe, stick to the Weather Channel. Do not open an email attachment that comes with the subject line &amp;quot;230 dead as storm batters Europe&amp;quot;. If you do, you may end up with the Storm Worm Trojan Horse that opens a back door on your computer and will later steal data or send out spam. Read more at ZDnet.com.

It&amp;#39;s not quite Night of the Living Dead, but an army of remotely controlled zombie computers is targeting computers running old versions of Symantec Client Security and Symantec AntiVirus Corporate Edition. You can read about the details at ZDnet.com. Note that Symantec&amp;#39;s consumer software, Norton Antivirus and Norton Internet Security, are not affected. Symantec actually patched the hole being used on 5/25/2006, so victims have had ample time to apply the fix. The original Symantec fix is at Symantec.com.

There is a critical bug in the way that Sun Microsystems Java Runtime Environment handles GIF images. An attacker may be able to use this bug to raise the privileges of a Java applet. This could allow hostile code to run on a computer, outside the confines of the Java sandbox. Sun has updates at Sun.com. They credit the Zero-Day Initiative and Tipping Point for finding this bug.

&lt;div id=&quot;authorbio&quot;&gt;Bruce Kratofil blogs on bugs and other things that can go wrong with  your computer at &lt;a href=&quot;http://www.bjkresearch.com/bugblog&quot;&gt;The BugBlog&lt;/a&gt;, and writes about computers and  economics at &lt;a href=&quot;http://www.bjkresearch.com&quot;&gt;BJK Research&lt;/a&gt;&lt;/div&gt;</description>
<category>Sci/Tech</category><guid isPermaLink="false">58542@blogcritics.org</guid>
<pubDate>Mon, 22 Jan 2007 18:58:15 EST</pubDate>
</item>
<item>
<title>Adobe, Apple, and Microsoft - The BugBlog Report 1/15/07</title>
<link>http://blogcritics.org/archives/2007/01/15/112653.php</link>
<author>Bruce Kratofil</author><description>Here are some of the most significant bugs from the past week in the BugBlog:

Adobe now has a patch for the security problems in Adobe Reader and Acrobat 7.0.8 and earlier versions. The bugs, which were in the 1/4 BugBlog, may allow both cross-site scripting attacks and the ability of the attackers to take over the victim&amp;#39;s computer. Adobe&amp;#39;s earlier advice was to upgrade to the Adobe Reader 8. They now have a patch that will fix version 7.0.8 of the Reader as well as Acrobat Elements, Standard, and Professional; good news for those latter users, since the upgrade from 7.0.8 to 8.0 will normally not be free. Get the patch from Adobe&amp;#39;s website.

The Month of Apple Bugs (MOAB) project has come up with a series of bugs in the UFS filesystem that can be triggered via DMG files (disk image files). At least one of the bugs can be remotely exploitable via Safari if the &amp;quot;opening safe files after downloading&amp;quot; option is turned on. These bugs occupy the #9 through #12 spot on the list at the project&amp;#39;s site. As workarounds, avoid DMG files from untrusted sources, and turn off that Safari option.

There is a bug in the Vector Markup Language (VML) in Microsoft Windows that can allow remote attackers to run hostile code on your computer. The vulnerability will occur via Microsoft Internet Explorer 5.5, 6, and 7, which means it affects Windows 2000, Windows XP, and Windows Server 2003. Vista is unaffected. Microsoft says this is a Critical Update, and it is available on their Technet site. They also have workaround information there, if you can&amp;#39;t install the patch right away. Microsoft credits Jospeh Moti working with the iDEFENSE Contributor Program for finding this bug.

&lt;div id=&quot;authorbio&quot;&gt;Bruce Kratofil blogs on bugs and other things that can go wrong with  your computer at &lt;a href=&quot;http://www.bjkresearch.com/bugblog&quot;&gt;The BugBlog&lt;/a&gt;, and writes about computers and  economics at &lt;a href=&quot;http://www.bjkresearch.com&quot;&gt;BJK Research&lt;/a&gt;&lt;/div&gt;</description>
<category>Sci/Tech</category><guid isPermaLink="false">58266@blogcritics.org</guid>
<pubDate>Mon, 15 Jan 2007 11:26:53 EST</pubDate>
</item>

</channel>
</rss>