Blackmoor Vituperative

Tuesday, 2007-02-06

New zero-day threat for Excel

Filed under: Security — bblackmoor @ 12:57

Microsoft zero-day vulnerabilities are increasingly so commonplace, the risk is lost with the message. On Feb. 2, Microsoft issued another security alert, this one for Excel, that largely went unnoticed.

In its security bulletin, Microsoft warned that “other Office applications are potentially vulnerable” to the zero-day flaw.

Zero-day refers to a flaw for which there is an exploit but no available fix. The Excel vulnerability is Microsoft’s fifth zero-day exploit since December, and part of an increasingly troubling trend.

(from eWeek, New Zero-Day Threat Excels)

Does a house have to fall on you? Anyone still using MS Office after all this time and all these security vulnerabilities probably shouldn’t be permitted to use a computer. Switch to OpenOffice, you blockheads.

Thursday, 2007-02-01

Vista versus Linux

Filed under: Linux — bblackmoor @ 13:29

I’ve been working with Vista since its beta days, and I started using Linux in the mid-’90s. There may be other people who have worked with both more than I have, but there can’t be many of them. Along the way, I’ve formed a strong opinion: Linux is the better of the two.

(from eWeek, Leveling the Playing Field)

Interesting. Academic, since I have no intention of buying Vista at any price, but still, it’s interesting.

Friday, 2007-01-26

Another MS Word bug used in attacks

Filed under: Security,Software — bblackmoor @ 12:32

A fourth yet-to-be-patched security vulnerability in Microsoft Word is actively being exploited in cyberattacks.

In other news, water is wet, teenagers are horny, and politicians lie and steal. Switch to OpenOffice, you blockheads.

Monday, 2007-01-22

Lock it down: Use the OWASP Top Ten to secure your Web applications — Part 1

Filed under: The Internet — bblackmoor @ 11:42

As the number of Web applications grows so does the number of vulnerabilities introduced. Failure to follow proper coding guidelines can expose an organization, its employees, and its customers to malicious attacks.

This is the first in a series of articles in which I explore the Open Web Application Security Project (OWASP) Top Ten and how the OWASP recommendations for dealing with the identified vulnerabilities can be integrated into your Software Development Lifecycle.

(from TechRepublic.com, Lock it down: Use the OWASP Top Ten to secure your Web applications — Part 1)

This is good stuff. Check it out.

Tuesday, 2007-01-02

Apple Vulnerability Project launches with QuickTime exploit

Filed under: Security — bblackmoor @ 19:00

An easy-to-exploit security vulnerability in Apple Computer’s QuickTime media player could put millions of Macintosh and Windows users at risk of code execution attacks.

The QuickTime flaw kicked off the Month of Apple Bugs project, which promises to expose unpatched Mac OS X and Apple application vulnerabilities on a daily basis throughout the month of January.

(from eWeek, Apple Vulnerability Project Launches with QuickTime Exploit)

I think this is great. Anything which helps educate Apple users and knocks their undeserved arrogance down a notch or three is a good thing.

Tuesday, 2006-12-19

Replace SMTP, damn it!

Filed under: Security — bblackmoor @ 00:38

Spam has exploded in the last several weeks. 9 out of 10 emails in 2006 were spam. It’s been so bad it has caused delays and even shutdowns on some networks. It’s ridiculous. The SMTP protocol is way, way past overdue for replacement with something that has authentication built in, and it really pisses me off that it hasn’t been replaced by now. I am sick to death of people saying that it isn’t practical — the choice will soon be either to replace SMTP or to stop using email at all. Stop making excuses and replace the damned protocol. Here’s one suggestion. Here’s another. Get it done.

At this point I don’t even think it’s worth the effort of reporting spam to services like SpamCop. That’s like calling the police every time you see someone driving over the speed limit. It’s just a waste of time, because it makes no difference.

Monday, 2006-12-18

High Assurance SSL

Filed under: Security,The Internet — bblackmoor @ 17:49

Apart from the actual security provided by digital certificates in a Web environment, in terms of encryption of data and authentication of participants, they are meant to be a confidence-boosting measure.

That little lock icon in the browser and the “https” in the address tell the user that the communications are secure. Users can also click through some dialog boxes linked from the icon to see specifics of the certificates for the site they are viewing and make a decision about the authenticity of that site. Of course, 99% of users never do any such thing, and probably very few even notice the relatively obscure lock icon.

Even the value of the lock icon has been diminished lately. There have been recent examples of scammers obtaining a certain kind of SSL certificate, called a domain-authenticated SSL certificate, that can be obtained with very little in the way of verification of the bona fides of the applicant. Even if the user takes care to look for the lock symbol, he or she can be fooled by such a certificate.

A new standard hopes to address this situation with a new class of certificate. Some reports indicate that the final official name for these certificates will be “Extended Validation,” but they are more widely known as “High Assurance” SSL certificates.

(from IIS Zone, High Assurance SSL)
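The article says users can click through the browser's certificate dialogs and judge a site for themselves, and that a domain-validated certificate gives a scammer the same lock icon as anyone else. As an added example that is not part of the quoted article or of this post, here is the same inspection done programmatically with Python's standard ssl module: pull the server certificate and sort it into DV, OV or EV by which Subject attributes the CA bothered to fill in. It assumes the dict layout that ssl.SSLSocket.getpeercert() returns; the hostnames and the sample certificates are constructed, the attribute spellings for the EV jurisdiction field are an assumption about the OpenSSL build, and the DV/OV/EV split is a heuristic on Subject fields rather than a check of the certificate's policy OID, which getpeercert() does not expose.

```python
"""Triage a TLS server certificate as DV, OV or EV from its Subject.

Added example, not code from the quoted IIS Zone article. It works on the
dict shape returned by Python's ssl.SSLSocket.getpeercert(): a 'subject'
entry holding a tuple of RDNs, each of which is a tuple of (name, value)
pairs. The result is a heuristic based on which Subject attributes the CA
filled in, not a check of the certificatePolicies extension.
"""
import socket
import ssl

# Subject attributes that only appear once a CA has verified a legal entity.
# Python reports most of these by long name; the EV jurisdiction attribute may
# surface as its raw OID on older OpenSSL builds (assumption), so both
# spellings are accepted.
JURISDICTION_ATTRS = {"jurisdictionCountryName", "1.3.6.1.4.1.311.60.2.1.3"}


def subject_attrs(cert):
    """Flatten the nested RDN tuples of a getpeercert() dict into a set of names."""
    names = set()
    for rdn in cert.get("subject", ()):
        for name, _value in rdn:
            names.add(name)
    return names


def classify(cert):
    """Return 'DV', 'OV' or 'EV' for a certificate dict, or 'unknown' when it
    carries no Subject at all (getpeercert() returns {} on an unvalidated
    connection)."""
    names = subject_attrs(cert)
    if not names:
        return "unknown"
    if "organizationName" not in names:
        # Only a commonName / SAN was asserted: the CA checked control of the
        # domain and nothing about who is behind it. This is the certificate
        # class the article says scammers obtain with little verification.
        return "DV"
    if "businessCategory" in names and names & JURISDICTION_ATTRS:
        # The EV Guidelines require businessCategory plus the jurisdiction of
        # incorporation and the registration number in the Subject.
        return "EV"
    return "OV"


def fetch_cert(hostname, port=443, timeout=5.0):
    """Connect to a live host with default trust settings and return its
    certificate dict. Not called below so that the example runs offline."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample data in getpeercert() form; not captured from real sites.
SAMPLE_DV = {
    "subject": ((("commonName", "shop.example.net"),),),
    "subjectAltName": (("DNS", "shop.example.net"),),
}
SAMPLE_OV = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Example Retail Inc"),),
        (("commonName", "shop.example.net"),),
    ),
}
SAMPLE_EV = {
    "subject": (
        (("businessCategory", "Private Organization"),),
        (("jurisdictionCountryName", "US"),),
        (("serialNumber", "1234567"),),
        (("countryName", "US"),),
        (("organizationName", "Example Retail Inc"),),
        (("commonName", "shop.example.net"),),
    ),
}

if __name__ == "__main__":
    for label, cert in (("DV", SAMPLE_DV), ("OV", SAMPLE_OV), ("EV", SAMPLE_EV)):
        print(label, "sample ->", classify(cert))
```

To run it against a real site, call classify(fetch_cert("www.example.com")). A "DV" result is exactly the case the article warns about: the lock icon is present, but the only thing the CA vouched for is that whoever requested the certificate controlled the domain at the time.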

e-Passport cracked in five minutes

Filed under: Security,Society — bblackmoor @ 11:34

Last month a panel of EU experts warned that the e-Passport’s security is “poorly conceived”, and a week later a British newspaper demonstrated a crack. Now another researcher has shown how to clone a European e-Passport in under 5 minutes. A UK Home Office spokesman dismissed it all, saying “It is hard to see why anyone would want to access the information on the chip.”

Friday, 2006-12-15

When you hire an expert, listen to them

Filed under: Software — bblackmoor @ 22:24

M.A. is one of the world’s foremost experts on neural networks. His undergraduate specialty was artificial intelligence, his master’s thesis was about genetic algorithms, and his doctoral dissertation covered evolutionary programming. Such an extensive computer science education opened up a wide range of career options, ranging from a professor at a university to … a professor at another university. When someone outside of academia sought out his expertise for a project, he jumped at the opportunity.

The company that wanted to hire M.A. was a small programming firm that developed and maintained software used by the Bureau of Water Management. They were recently awarded a large contract to redo a rather inefficient part of the system and were convinced that implementing a neural network was the way to go. After the initial interview, M.A. told them that a neural network was the wrong tool for the job and that they should use a traditional approach. Management disagreed with his assessment and insisted that he come aboard to help rebuild the system. Had they not offered such a generous salary, he might have recognized this as a first warning sign. […]

(from The Daily WTF, No, We Need a Neural Network)

Go read the whole thing. Don’t worry, it has a happy ending. I am tempted to hand this article to every client I have from now on.

Hats off to M.A., though. He told them the right way to do it, and then did what the client wanted instead. And then three years later, he told them the right way to do it, and then did it. That’s a professional. I want to be like this guy.

Third MS Word code execution exploit posted

Filed under: Security — bblackmoor @ 22:14

Exploit code for a third, unpatched vulnerability in Microsoft Word has been posted on the Internet, adding to the software maker’s struggles to keep up with gaping holes in its popular word processing program.

The attack code, available at Milw0rm.com, contains sample Word documents that have been rigged to launch code execution exploits when the file is opened.

Microsoft has not yet publicly acknowledged the vulnerability, but the United States Computer Emergency Readiness Team issued an alert to warn that Word documents can be manipulated to trigger code execution or denial-of-service attacks.

(from eWeek, Third MS Word Code Execution Exploit Posted)

At this point I just have to ask… why the hell is anyone still using MS Office? Fool me once, shame on you, fool me over and over and OVER AND OVER again, for years on end, and maybe I’m just too damned stupid to be permitted to operate a computer. I think anyone still using MS Office falls squarely into that category.
