Tuesday, 31 December 2013

Are you ready for Vista?

Have you been anxiously awaiting the opportunity to experience Vista? If so, the Windows Team Vista Blog reports:

RC1 CPP Now Available to General Public

A quick update on CPP status:
Windows Vista RC1 is now publicly available. This means that 32- and 64-bit downloads for all three languages (English, German, and Japanese) are live. If you did not receive an email in the previous wave, you can now both download the ISO image and request a product key (PID).
First and foremost, if you are not "computer savvy" or if your computer is "mission critical", I would advise you to wait until the final product release. Otherwise, you can find the necessary information at the Windows Vista "Customer Preview Program" page.
Whether you are ready now or anticipating an upgrade after final release, find out if your Windows PC can run Windows Vista with the Windows Vista Upgrade Advisor RC, which works with 32-bit versions of Windows XP and Windows Vista. Note, however, that it does not work with Windows 98, Windows 2000, or Windows XP Professional x64 Edition.
From there, go to Upgrading Planning for Windows Vista to find out if your system can be upgraded to Vista or if a clean install will be required.

Adobe Flash Player Security Bulletin - Critical



Adobe released a Security Bulletin, identifying critical vulnerabilities in Flash Player 8.0.24.0 and earlier versions. According to Adobe, the vulnerabilities
"could allow an attacker who successfully exploits these vulnerabilities to take control of the affected system. A malicious SWF file must be loaded in Flash Player by the end user for an attacker to exploit these vulnerabilities."

Details and upgrade information are available at Adobe Support.
Hat tip to "Eric The Red" for the information.

Microsoft Security Advisory 925568 Released


Microsoft has issued Security Advisory 925568 in which a vulnerability in vector markup language could allow remote code execution. As reported at the Microsoft Security Center Blog:
". . . this exploit code could allow an attacker to execute arbitrary code on the user's system. We also want you to know that we’re aware that this vulnerability is being actively exploited. Thus far the attacks appear targeted and very limited. We’ve actually been working on an update that addresses this vulnerability and our goal is to have it ready for the October release, or before if we see widespread attacks."
========================================
Summary
========================================

Microsoft has confirmed new public reports of a vulnerability in the Microsoft Windows implementation of Vector Markup Language (VML). Microsoft is also aware of the public release of detailed exploit code that could be used to exploit this vulnerability. Based on our investigation, this exploit code could allow an attacker to execute arbitrary code on the user's system. Microsoft is aware that this vulnerability is being actively exploited.

A security update to address this vulnerability is now being finalized through testing to ensure quality and application compatibility. Microsoft's goal is to release the update on Tuesday, October 10, 2006, or sooner depending on customer needs.

========================================
Mitigating Factors
========================================

• In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or instant messenger message that takes users to the attacker's Web site.

• An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

• In an e-mail based attack of this exploit, customers who read e-mail in plain text are mitigated from this vulnerability; instead, users would have to click on a link that would take them to a malicious Web site, or open an attachment, to be at risk from this vulnerability.

• By default, Internet Explorer on Windows Server 2003 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability because Binary and Script Behaviors are disabled by default.


========================================
Additional Resources:
========================================

• Microsoft released Security Advisory 925568 – Vulnerability in Vector Markup Language Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/925568.mspx

• Microsoft Knowledgebase Article 925568 - Microsoft Security Advisory: Vulnerability in Vector Markup Language Could Allow Remote Code Execution
http://support.microsoft.com/kb/925568

• MSRC Blog:
http://blogs.technet.com/msrc/
Note: check the MSRC Blog periodically as new information may appear there.

October 10 Ends Support for XP SP1 and SP1a

Just as the seasons change, now in the Northern Hemisphere from summer to autumn, so does the support for the software we have on our computers.
Quite some time ago, Microsoft published the "Life Cycle" for their products. The information for all software, games, tools, hardware is available in Product Life Cycle, which is reviewed and updated regularly.
In January of this year, Microsoft announced that support was extended from September to October for XP Service Pack 1 (SP1) and 1a (SP1a). As published in Microsoft Help and Support:
Windows XP SP1 and SP1a support ends on October 10, 2006

Support for Microsoft Windows XP Service Pack 1 (SP1) and Service Pack 1a (SP1a) ends on October 10, 2006. Microsoft will end support on this date. This also includes security updates for these service packs. Microsoft is providing final notifications to customers regarding the end of support for these products.
Service Pack 2 (SP2) for Microsoft's XP operating system was released two years ago. SP2 included significant security enhancements. So why is it a surprise that support for SP1 and SP1a is ending? Why is it that I am still seeing countless logs in the forums either without any service pack installed or still at SP1? There is no time to delay. Information on updating to XP SP2 is available at the link below.
Please don't delay.

The SP2 upgrade is free and includes not only enhancements to the XP operating system but, more importantly, it incorporates better protection against viruses, hackers, and worms than SP1 and SP1a.

Removing Fake Security Programs Like VirusBurst, WinMedia & Other Codecs


It seems that the writers of the rogue applications are on a spree. The latest, WinMediaCodec, was discovered a few days ago. (See what it looks like at the Sunbelt Blog.) Fortunately, by Saturday morning, S!Ri, the developer, had already updated SmitFraudFix. Good thing too, because within an hour I was helping someone with that infection. It was also fortunate that the person found the help site, because his/her friends said there was no way to remove it and a clean format was the only solution. Rest assured, if you are unfortunate enough to be infected by one of these rogues, there is help available.
I have seen a lot of search results locating this blog after searching Google for VirusBurst and the like. As a result, it is time to provide the preliminary steps for removing the likes of VirusBurst, MediaCodec, WinMediaCodec, as well as future iterations of what we generically refer to as the "SmitFraud" infection. Understand that this will provide relief, but additional steps will likely be needed to completely remove the debris. That is where the security help forums come into play. You can find me and others at LandzDown and Freedomlist, as well as others in the community at the various ASAP member sites.
You might find digging out dandelions an easier task so roll up your sleeves and get to work!
A. Start by downloading and installing the following files:
  1. Download HijackThis© from: http://www.thespykiller.co.uk/files/HJTsetup.exe .

    1. At the download prompt, choose "Save".
    2. Navigate to the saved file and double-click the installer, HJTsetup.exe.
    3. HijackThis will be installed on your computer at C:\Program Files\HijackThis, making an entry in the start menu and also providing a desktop shortcut.
    4. When the installation is complete, exit HijackThis.
  2. Download SmitfraudFix (© S!Ri) to your Desktop from http://siri.urz.free.fr/Fix/SmitfraudFix.zip . Extract all the files to your Desktop and a folder named SmitfraudFix will be created on your Desktop.

    Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user (See http://www.beyondlogic.org/consulting/processutil/processutil.htm).
  3. Download ewido anti-spyware from HERE. Save the file to your desktop so you can locate it.

    1. Locate the ewido anti-spyware icon on the desktop.
    2. Double-click the large yellow "e" ewido icon to launch the set up program.
    3. The installation will require a restart of the computer.
    4. Launch ewido to update to the latest definition files.
    5. On the main screen select the "Update" icon
    6. Click "Start Update". The update will start and a progress bar will show the updates being installed.
    7. If you have problems with the updater, you can use this link to manually update ewido -- ewido manual updates
  4. Setup ewido as follows:

    1. Select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    2. In the Settings screen click "Recommended actions" and then select "Quarantine".
    3. Under "Reports"
      • Select "Automatically generate report after every scan"
      • DE-Select "Only if threats were found"
      • close ewido
B. Restart your computer in Safe Mode.
  1. Wait 30 seconds, and then turn the computer on.
  2. Start tapping the F8 key. The Windows Advanced Options Menu will appear. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  3. Ensure that the Safe Mode option is selected.
  4. Press Enter. The computer then begins to start in Safe Mode.
  5. Login on your usual account (If you need further assistance with Safe Mode, see Symantec).
C. Scanning and system cleaning with ewido.
  1. Launch ewido anti-spyware by double-clicking the icon on the desktop.

    IMPORTANT: Do not open any other windows or programs while ewido is scanning; it may interfere with the scanning process.
  2. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan"
  3. ewido will now begin the scanning process. Be patient as this may take a little time.
  4. While scanning, ewido will list any infections found on the left side.
  5. When the scan is completed, the recommended action should be set to Quarantine. If not click Recommended Action and set it there. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right side.
  6. Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
  7. Close ewido.
D. Navigate to the SmitfraudFix folder on your desktop.
  1. Double-click smitfraudfix.cmd file to start the tool.
  2. Select option #2 - Clean by typing 2 and press Enter.

    Note: running option #2 on an uninfected computer will remove your Desktop background.


  3. Wait for the tool to complete and disk cleanup to finish.
  4. You will be prompted: "Registry cleaning - Do you want to clean the registry?"

    1. Answer Yes by typing Y
    2. Hit Enter.
  5. The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll.

    1. If prompted, answer Yes to the question "Replace infected file?" by typing Y
    2. Hit Enter.


  6. A reboot may be needed to finish the cleaning process. If your computer does not restart automatically please do it yourself manually.
  7. The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.

That will have taken care of the majority of the problem. However, there are likely remnants or other problems caused by the rogue installation. It is advisable to go to one of the security sites for a review. It's easy to register. Then create a topic in the appropriate forum for HijackThis logs. Be sure to include a copy of the rapport.txt, the ewido log and a HijackThis log.

(Do NOT attempt to remove anything with HijackThis on your own. It is very powerful and removing the wrong thing could easily cripple the computer.)


Note: Special thanks to S!RI for not only creating SmitFraudFix but also for keeping it updated.

Important Update: Security Bulletin Released


The Microsoft Security Response Center Blog announced that MS06-049 for Windows 2000 users is being re-released. This is related to a vulnerability in the Windows kernel that could result in an elevation of privilege.
For more information, see Microsoft Knowledge Base Article 920958.
Note: This is an important update for Microsoft Windows 2000 Service Pack 4.
Known issues from KB 920958: After you install the original version of security update 920958 (MS06-049) on a computer that is using NTFS file system compression, compressed files that are larger than 4 kilobytes (KB) may be corrupted when you create or update the files.

To resolve this problem, install the new version of security update 920958 (MS06-049) that released on September 26, 2006.
================================================
Re-released Security Bulletins
================================================

In addition, Microsoft is re-releasing the following security bulletins

(NOTE: This list contains ONLY those products affected by the re-release and the severity of the vulnerability for those products affected by the re-release)


Microsoft Security Bulletin MS06-049 - Vulnerability in Windows Kernel Could Result in Elevation of Privilege (920958)

Summary: Who Should Read this Document: Customers who use Microsoft Windows

Impact of Vulnerability: Elevation of Privilege

Maximum Severity Rating: Important

Recommendation: Customers should apply the update at the earliest opportunity

Reason for re-release: A security issue has been identified in the way Vector Markup Language (VML) is handled that could allow an attacker to compromise a computer running Microsoft Windows and gain control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer.

After you install security update 920958 (MS06-049) on a computer that is using NTFS file system compression, compressed files that are larger than 4 kilobytes (KB) may be corrupted when you create or update the files. (See http://support.microsoft.com/kb/920958 for details)

Information on these re-released bulletins may be found at the following pages:
http://www.microsoft.com/technet/security/Bulletin/MS06-049.mspx

Mozilla Firefox 2 RC 1 Available for Testing


Announced at Mozillazine:
"Wednesday September 27th, 2006 Mozilla Firefox 2 Release Candidate 1 is now available for download. This preview of the next version of Firefox browser is aimed at Web Application Developers, testers and early adopters."
The updates from the Release Notes are reproduced below. There are some exciting features coming for Firefox users. Of course, all of your favorite extensions, plugins and themes from earlier versions of Firefox may not work properly.
As good as the new features may sound to Firefox users, don't discount IE7. Although not "apples-to-apples", check this comparison in features between IE7 and FF2 in "Internet Explorer 7 v Firefox 2.0", Published 22 August 2006 by Wil Harris.
  • "Visual Refresh: Firefox 2's theme and user interface have been updated to improve usability without altering the familiarity of the browsing experience. For instance, toolbar buttons now glow when you hover over them. We will continue to improve the look and feel throughout the release candidate process.
  • Built-in phishing protection: Phishing Protection warns users when they encounter suspected Web forgeries, and offers to return the user to their home page. Phishing Protection is turned on by default, and works by checking sites against either a local or online list of known phishing sites. This list is automatically downloaded and regularly updated when the Phishing Protection feature is enabled.
  • Enhanced search capabilities: Search term suggestions will now appear as users type in the integrated search box when using the Google, Yahoo! or Answers.com search engines. A new search engine manager makes it easier to add, remove and re-order search engines, and users will be alerted when Firefox encounters a website that offers new search engines that the user may wish to install.
  • Improved tabbed browsing: By default, Firefox will open links in new tabs instead of new windows, and each tab will now have a close tab button. Power users who open more tabs than can fit in a single window will see arrows on the left and right side of the tab strip that let them scroll back and forth between their tabs. The History menu will keep a list of recently closed tabs, and a shortcut lets users quickly re-open an accidentally closed tab.
  • Resuming your browsing session: The Session Restore feature restores windows, tabs, text typed in forms, and in-progress downloads from the last user session. It will be activated automatically when installing an application update or extension, and users will be asked if they want to resume their previous session after a system crash.
  • Previewing and subscribing to Web feeds: Users can decide how to handle Web feeds (like this one), either subscribing to them via a Web service or in a standalone RSS reader, or adding them as Live Bookmarks. My Yahoo!, Bloglines and Google Reader come pre-loaded as Web service options, but users can add any Web service that handles RSS feeds.
  • Inline spell checking: A new built-in spell checker enables users to quickly check the spelling of text entered into Web forms (like this one) without having to use a separate application.
  • Live Titles: When a website offers a microsummary (a regularly updated summary of the most important information on a Web page), users can create a bookmark with a "Live Title". Compact enough to fit in the space available to a bookmark label, they provide more useful information about pages than static page titles, and are regularly updated with the latest information. There are several websites that can be bookmarked with Live Titles, and even more add-ons to generate Live Titles for other popular websites.
  • Improved Add-ons manager: The new Add-ons manager improves the user interface for managing extensions and themes, combining them both in a single tool.
  • JavaScript 1.7: JavaScript 1.7 is a language update introducing several new features such as generators, iterators, array comprehensions, let expressions, and destructuring assignments. It also includes all the features of JavaScript 1.6.
  • Extended search plugin format: The Firefox search engine format now supports search engine plugins written in Sherlock and OpenSearch formats and allows search engines to provide search term suggestions.
  • Updates to the extension system: The extension system has been updated to provide enhanced security and to allow for easier localization of extensions.
  • Client-side session and persistent storage: New support for storing structured data on the client side, to enable better handling of online transactions and improved performance when dealing with large amounts of data, such as documents and mailboxes. This is based on the WHATWG specification for client-side session and persistent storage.
  • SVG text: Support for the svg:textpath specification enables SVG text to follow a curve or shape.
  • New Windows installer: Based on Nullsoft Scriptable Install System, the new Windows installer resolves many long-standing issues."

Microsoft Security Advisory 926043



The details of the advisory are below. The work-around, as always: keep your antivirus software updated and don't open unexpected attachments in e-mails. For this vulnerability, at least until the Windows Update on October 10, disable Active X when using Internet Explorer.

To disable Active X:

-- Click Tools > Internet Options > Security tab > Internet Web Content Zone > Custom Level
-- In the Settings box, scroll to "Scripting" and Disable Active scripting and Scripting of Java applets.
-- Click OK twice.
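As an added check (not part of the original post), the same two Internet-zone settings can be verified from PowerShell by reading the registry values the Custom Level dialog writes. The zone and value numbers used are the standard ones for the Internet zone (3), Active scripting (1400) and Scripting of Java applets (1402); the Group Policy path is included on the assumption that it may exist on a managed machine.

```powershell
# Added example, not code from the original post: reports whether "Active
# scripting" and "Scripting of Java applets" are disabled in the Internet zone,
# which is what the Custom Level steps above change by hand.
# Zone 3 is the Internet zone. Value 1400 = Active scripting,
# value 1402 = Scripting of Java applets. Data: 0 = Enable, 1 = Prompt, 3 = Disable.

$ZoneSubKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Per-user and per-machine settings, plus the Group Policy location, which only
# exists when zone settings are enforced by policy (and then takes precedence).
$ZonePaths = @(
    "HKCU:\$ZoneSubKey",
    "HKLM:\$ZoneSubKey",
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
)

$ScriptingSettings = @{
    '1400' = 'Active scripting'
    '1402' = 'Scripting of Java applets'
}

function Get-ZoneStateName {
    # Translates the registry data into the label shown in the Custom Level dialog.
    param($Data)
    if ($null -eq $Data) { return 'Not set' }
    switch ([int]$Data) {
        0       { 'Enable' }
        1       { 'Prompt' }
        3       { 'Disable' }
        default { "Unknown ($Data)" }
    }
}

function Get-InternetZoneScripting {
    # One row per scripting setting found under the given zone key.
    param([string]$ZonePath)
    if (-not (Test-Path -Path $ZonePath)) { return }
    $zone = Get-ItemProperty -Path $ZonePath
    foreach ($valueName in $ScriptingSettings.Keys) {
        $data = $zone.$valueName
        [pscustomobject]@{
            Location = $ZonePath
            Setting  = $ScriptingSettings[$valueName]
            State    = Get-ZoneStateName $data
            Disabled = ($data -eq 3)
        }
    }
}

$report = foreach ($path in $ZonePaths) { Get-InternetZoneScripting -ZonePath $path }
$report | Format-Table -AutoSize

$notDisabled = $report | Where-Object { -not $_.Disabled }
if ($notDisabled) {
    Write-Warning ('{0} Internet-zone scripting setting(s) are not set to Disable.' -f @($notDisabled).Count)
}
```

Run it once before and once after following the steps above; the second run should show "Disable" for both settings in the HKCU row.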



This alert is to notify you that Microsoft has released Security Advisory 926043 – Vulnerability in Windows Shell Could Allow Remote Code Execution - on 28 September 2006.

========================================
Summary
========================================

Microsoft is investigating new public reports of a vulnerability in supported versions of Microsoft Windows. Customers who are running Windows Server 2003 and Windows Server 2003 Service Pack 1 in their default configurations, with the Enhanced Security Configuration turned on, are not affected. We are also aware of proof of concept code published publicly. We are not aware of any attacks attempting to use the reported vulnerability or of customer impact at this time. We will continue to investigate these public reports.

The ActiveX control called out in the public reports and in the Proof of Concept code is the Microsoft WebViewFolderIcon ActiveX control (Web View). The vulnerability exists in Windows Shell and is exposed by Web View.

We are working on a security update currently scheduled for an October 10 release.

Customers are encouraged to keep their anti-virus software up to date.

Microsoft encourages users to exercise caution when they open e-mail and links in e-mail from untrusted sources. For more information about Safe Browsing, visit the Trustworthy Computing Web site.

========================================
Mitigating Factors
========================================
• In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site.
• An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
• By default, Outlook Express 6, Outlook 2002, and Outlook 2003 open HTML e-mail messages in the Restricted sites zone. Additionally, Outlook 2000 opens HTML e-mail messages in the Restricted sites zone if the Outlook E-mail Security Update has been installed. Outlook Express 5.5 Service Pack 2 opens HTML e-mail messages in the Restricted sites zone if Microsoft Security Bulletin MS04-018 has been installed.
• By default, Internet Explorer on Windows Server 2003 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability because ActiveX and Active Scripting are disabled by default.

========================================
Additional Resources:
========================================

VideosCodec and More on Fake Codecs


Take a close look at the rose image, nestled among the greenery, accompanying this blog post. Is the rose real or fake? Difficult to tell, isn't it? In this case, just as with the fake codecs, it is fake.
Yes, I hear you. Of course you could tell the difference in your own garden but how many times have you seen artificial plants that look so real you had to examine them closer? It is the same with the fake codecs -- the most recent added to the list just today being VideosCodec. Others we have seen include VirusBurst, VirusBurster, MediaCodec, WinMediaCodec, X Password Generator, strCodec, pCodec, etc.
You may wonder why so much attention is given to the fake codecs by the security community. The reason is just this simple: they are not going away, as evidenced by the over 20 updates S!Ri has made to his SmitfraudFix© tool so far just in September. Besides, knowledge is power. The more information we can share, the better you will be able to protect your computer. Just like the artificial rose, the fake codecs look real from a distance. Take this for example:




It certainly looks legitimate. Want to see what would happen if you clicked on the download link? Take a look at the page entitled, "General installation of Fake Codecs, or . . . how to get screwed the easy way" that Jahewi put together and made available at his Jahewi's Anti-Malware Information website. It is not a pretty picture, at least not if it is on your computer.
If you find a movie-clip that you want to see, be wary, very wary, if you get a message that Windows Media Player cannot locate the right codec and you are asked to download and install the codec in order to watch the movie. If you get taken in, instructions for removal are provided in "Removing Fake Security Programs Like VirusBurst, WinMedia & Other Codecs".

SunFlowers and SunJava Update


Having sunflowers in the garden adds a bright spot of color and attracts birds to feed on the seeds. However, having old versions of SunJava on the computer will attract nasty infections like Virtumundo (Vundo) or Winfixer, which require specialized tools for removal.
Current Release: Java Runtime Environment (JRE) 1.6.0_07 for Java SE 6.

System Requirements:
See supported System Configurations for information about supported platforms, operating systems, desktop managers, and browsers.
Running with less memory may cause disk swapping which has a severe effect on performance. Very large programs may require more RAM for adequate performance.

This installation requires Windows Installer 2.0 to be on your machine, or an Internet connection for it to be automatically downloaded. For more details, see the Troubleshooting the Installation section of JDK.
  • Note: Trying to install the Java SE Runtime Environment on a non-supported version of Microsoft Windows or on a machine that doesn't have a sufficiently up-to-date Service Pack will cause the installer to generate this warning: "We recommend that you do not install this Java platform for the following reasons: This Java platform does not support the operating system or operating-system service pack on this machine."
Update Instructions:

Let's walk through the steps, beginning with removing any prior versions of SunJava on the computer.

  1. Close any open programs you may have running, especially your web browser
  2. Click Start > Control Panel (Depending on your OS or configuration, you may have to click Start > Settings > Control Panel)
  3. Open Add or Remove Programs (If you have Windows 98 or Windows 2000, open Add/Remove Programs)
  4. Click once on any item listing J2SE or Java Runtime Environment in the name. (Not every version of Java will begin with "Java" so be sure to read each entry in the list) Here is a sample of what you might find:

    Particularly vulnerable versions of Sun Java Runtime Environment (JRE) include the following and should be uninstalled as well as ALL other versions located:

    • JDK and JRE 5.0 Update 9 and earlier
    • SDK and JRE 1.4.2_12 and earlier
    • SDK and JRE 1.3.1_18 and earlier
  5. Click the Remove or Change/Remove button
  6. Follow steps 4 and 5 as many times as necessary to remove all versions of Java
  7. Search 'Programs' and 'Application Data' and remove old version files manually.

    1. C:\Program Files
    2. C:\Documents and Settings\USERNAME\Application Data\
  8. Restart your PC once all Java components have been removed
  9. Reconnect to the Internet and go to Java SE Downloads.
  10. Scroll down the page until you reach Java Runtime Environment (JRE) 6 Update 7 as shown below and click on the Download button:

    Java Runtime Environment (JRE) 6 Update 7

    The J2SE Runtime Environment (JRE) allows end-users to run Java applications.
  11. You will then find yourself on a page requiring acceptance of the License Agreement. Click in the circle next to Accept:

    Required: You must accept the license agreement to download the product. Accept License Agreement | Review License Agreement
    Decline License Agreement
  12. After accepting the license agreement, a new page opens with a table of platforms to select from. For Microsoft Windows systems, the first selection on the list is the one you want. It is recommended that you select the Windows Offline Installation.

    Windows Platform - J2SE(TM) Runtime Environment 6
    Download Now! Windows Offline Installation, Multi-language
    jre-6u5-windows-i586-p.exe
    15.24 MB

  13. Save the update to your computer:

  14. When installing, be alert to the options. If you do not have the Google Toolbar installed on your computer, you may find the offering illustrated below. UNcheck "Google Toolbar for Internet Explorer" if you do not want the toolbar included with the installation. There may be other pre-checked "optional" installs that you may also choose to uncheck.

  15. Restart the computer to finalize the process after completing the download/install of the SunJava update.

  16. Optional: Verify the version installed at http://www.java.com/en/download/help/testvm.xml

Following the above instructions will help keep your computer not only updated but also less vulnerable to infections inherent in older versions of SunJava.
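Added here as an example (not the post's own tool), this PowerShell script lists the Java entries that Add or Remove Programs shows by reading the Uninstall registry keys that dialog is built from, and flags any whose version falls in the ranges the post names. The display-name formats it parses ("5.0 Update 9", "v1.4.2_12") are assumptions about how Sun labelled those releases, and the small constructed sample it also classifies lets the logic be seen without a Java install present.

```powershell
# Added example, not code from the original post: enumerates Java installs from
# the Uninstall registry keys behind Add or Remove Programs and flags the ranges
# the post calls particularly vulnerable:
#   JDK/JRE 5.0 Update 9 and earlier, SDK/JRE 1.4.2_12 and earlier,
#   SDK/JRE 1.3.1_18 and earlier.
# The post's advice stands regardless: remove every version found, not only the
# flagged ones, before installing the current release.

# Highest vulnerable release in each line named by the post, in x.y.z.update form.
$VulnerableCeilings = @(
    [version]'1.5.0.9',   # 5.0 Update 9
    [version]'1.4.2.12',  # 1.4.2_12
    [version]'1.3.1.18'   # 1.3.1_18
)

$UninstallKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function ConvertTo-JavaVersion {
    # Normalises the display-name forms Sun used (assumed formats) into [version]:
    #   "J2SE Runtime Environment 5.0 Update 9"    -> 1.5.0.9
    #   "Java(TM) 6 Update 7"                       -> 1.6.0.7
    #   "Java 2 Runtime Environment, SE v1.4.2_12"  -> 1.4.2.12
    param([string]$Text)
    if ($Text -match '(?:^|\s)(\d)(?:\.0)?\s+Update\s+(\d+)') {
        return [version]('1.{0}.0.{1}' -f $matches[1], [int]$matches[2])
    }
    if ($Text -match '(\d+)\.(\d+)\.(\d+)_(\d+)') {
        return [version]('{0}.{1}.{2}.{3}' -f $matches[1], $matches[2], $matches[3], [int]$matches[4])
    }
    return $null
}

function Test-NamedVulnerableJava {
    # True when the version is in the same release line (x.y.z) as a ceiling
    # and at or below it.
    param([version]$Version)
    if ($null -eq $Version) { return $false }
    foreach ($ceiling in $VulnerableCeilings) {
        $sameLine = ($Version.Major -eq $ceiling.Major) -and
                    ($Version.Minor -eq $ceiling.Minor) -and
                    ($Version.Build -eq $ceiling.Build)
        if ($sameLine -and $Version -le $ceiling) { return $true }
    }
    return $false
}

function New-JavaReportRow {
    param([string]$DisplayName, [string]$UninstallString)
    $ver = ConvertTo-JavaVersion -Text $DisplayName
    [pscustomobject]@{
        DisplayName     = $DisplayName
        Version         = $ver
        NamedVulnerable = Test-NamedVulnerableJava -Version $ver
        UninstallString = $UninstallString
    }
}

function Get-InstalledJava {
    # Not every entry starts with "Java", as the post notes, so match several names.
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Java|J2SE|JRE|JDK' } |
        ForEach-Object { New-JavaReportRow -DisplayName $_.DisplayName -UninstallString $_.UninstallString }
}

# Constructed sample names (not taken from any real machine) so the classifier
# can be seen working even where no Java is installed.
$SampleNames = @(
    'J2SE Runtime Environment 5.0 Update 9',
    'J2SE Runtime Environment 5.0 Update 10',
    'Java 2 Runtime Environment, SE v1.4.2_12',
    'Java 2 SDK, SE v1.3.1_18',
    'Java(TM) 6 Update 7'
)

'--- Constructed sample ---'
$SampleNames | ForEach-Object { New-JavaReportRow -DisplayName $_ -UninstallString '<constructed>' } |
    Format-Table DisplayName, Version, NamedVulnerable -AutoSize

'--- This machine ---'
Get-InstalledJava | Sort-Object Version | Format-Table -AutoSize
```

In the constructed sample, the first, third and fourth names are flagged and "5.0 Update 10" and "6 Update 7" are not; the second table is whatever the local registry holds.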


Monday, 30 December 2013

Adobe Flash Player Security Bulletin - Critical

Adobe released a Security Bulletin, identifying critical vulnerabilities in Flash Player 8.0.24.0 and earlier versions. According to Adobe, the vulnerabilities
"could allow an attacker who successfully exploits these vulnerabilities to take control of the affected system. A malicious SWF file must be loaded in Flash Player by the end user for an attacker to exploit these vulnerabilities."

Details and upgrade information are available at Adobe Support.

Hat tip to "Eric The Red" for the information.

Microsoft Security Advisory 925568 Released


Microsoft has issued Security Advisory 925568 in which a vulnerability in vector markup language could allow remote code execution. As reported at the Microsoft Security Center Blog:
". . . this exploit code could allow an attacker to execute arbitrary code on the user's system. We also want you to know that we’re aware that this vulnerability is being actively exploited. Thus far the attacks appear targeted and very limited. We’ve actually been working on an update that addresses this vulnerability and our goal is to have it ready for the October release, or before if we see widespread attacks."
========================================
Summary
========================================

Microsoft has confirmed new public reports of a vulnerability in the Microsoft Windows implementation of Vector Markup Language (VML). Microsoft is also aware of the public release of detailed exploit code that could be used to exploit this vulnerability. Based on our investigation, this exploit code could allow an attacker to execute arbitrary code on the user's system. Microsoft is aware that this vulnerability is being actively exploited.

A security update to address this vulnerability is now being finalized through testing to ensure quality and application compatibility. Microsoft's goal is to release the update on Tuesday, October 10, 2006, or sooner depending on customer needs.

========================================
Mitigating Factors
========================================

• In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or instant messenger message that takes users to the attacker's Web site.

• An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

• In an e-mail based attack of this exploit, customers who read e-mail in plain text are mitigated from this vulnerability; instead, users would have to click on a link that would take them to a malicious Web site, or open an attachment, to be at risk from this vulnerability.

• By default, Internet Explorer on Windows Server 2003 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability because Binary and Script Behaviors are disabled by default.


========================================
Additional Resources:
========================================

• Microsoft released Security Advisory 925568 – Vulnerability in Vector Markup Language Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/925568.mspx

• Microsoft Knowledgebase Article 925568 - Microsoft Security Advisory: Vulnerability in Vector Markup Language Could Allow Remote Code Execution
http://support.microsoft.com/kb/925568

• MSRC Blog:
http://blogs.technet.com/msrc/
Note: check the MSRC Blog periodically as new information may appear there.

October 10 Ends Support for XP SP1 and SP1a


Just as the seasons change, now in the Northern Hemisphere from summer to autumn, so does the support for the software we have on our computers.
Quite some time ago, Microsoft published the "Life Cycle" for their products. The information for all software, games, tools, hardware is available in Product Life Cycle, which is reviewed and updated regularly.
In January of this year, Microsoft announced that support was extended from September to October for XP Service Pack 1 (SP1) and 1a (SP1a). As published in Microsoft Help and Support:
Windows XP SP1 and SP1a support ends on October 10, 2006

Support for Microsoft Windows XP Service Pack 1 (SP1) and Service Pack 1a (SP1a) ends on October 10, 2006. Microsoft will end support on this date. This also includes security updates for these service packs. Microsoft is providing final notifications to customers regarding the end of support for these products.
Service Pack 2 (SP2) for Microsoft's XP operating system was released two years ago. SP2 included significant security enhancements. So why is it a surprise that support for SP1 and SP1a is ending? Why is it that I am still seeing countless logs in the forums either without any service pack installed or still at SP1? There is no time to delay. Information on updating to XP SP2 is available at the link below.
Please don't delay.

The SP2 upgrade is free and includes not only enhancements to the XP operating system but, more importantly, it incorporates better protection against viruses, hackers, and worms than SP1 and SP1a.

Critical Update: Microsoft Security Bulletin MS06-055


Rather than wait until the next scheduled update on October 10, Microsoft released Security Bulletin MS06-055. This is a highly critical update. A security issue has been identified in the way Vector Markup Language (VML) is handled that could allow an attacker to compromise a computer running Microsoft Windows and gain control over it.
Note: If you have applied any of the third party fixes for the VML remote code vulnerability, I would suggest that you reverse those changes before installing this update.
================================================
New Security Bulletins for September 26 2006
================================================

Microsoft is releasing the following security bulletins for newly discovered vulnerabilities:

Microsoft Security Bulletin MS06-055 - Vulnerability in Vector Markup Language Could Allow Remote Code Execution (925486)

Summary: Who Should Read this Document: Customers who use Microsoft Windows

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Critical

Recommendation: Customers should apply the update immediately

Important Update: Security Bulletin MS06-049 Re-Released


The Microsoft Security Response Center Blog announced that MS06-049 for Windows 2000 users is being re-released. This is related to a vulnerability in the Windows kernel that could result in an elevation of privilege.
For more information, see Microsoft Knowledge Base Article 920958.
Note: This is an important update for Microsoft Windows 2000 Service Pack 4.
Known issues from KB 920958: After you install the original version of security update 920958 (MS06-049) on a computer that is using NTFS file system compression, compressed files that are larger than 4 kilobytes (KB) may be corrupted when you create or update the files.

To resolve this problem, install the new version of security update 920958 (MS06-049) that released on September 26, 2006.
================================================
Re-released Security Bulletins
================================================

In addition, Microsoft is re-releasing the following security bulletins

(NOTE: This list contains ONLY those products affected by the re-release and the severity of the vulnerability for those products affected by the re-release)


Microsoft Security Bulletin MS06-049 - Vulnerability in Windows Kernel Could Result in Elevation of Privilege (920958)

Summary: Who Should Read this Document: Customers who use Microsoft Windows

Impact of Vulnerability: Elevation of Privilege

Maximum Severity Rating: Important

Recommendation: Customers should apply the update at the earliest opportunity

Reason for re-release: A security issue has been identified in the way Vector Markup Language (VML) is handled that could allow an attacker to compromise a computer running Microsoft Windows and gain control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer.

After you install security update 920958 (MS06-049) on a computer that is using NTFS file system compression, compressed files that are larger than 4 kilobytes (KB) may be corrupted when you create or update the files. (See http://support.microsoft.com/kb/920958 for details)

Information on these re-released bulletins may be found at the following pages:
http://www.microsoft.com/technet/security/Bulletin/MS06-049.mspx

Microsoft Internet Explorer ActiveX Vulnerability - CERT SA06-270A



US-CERT (The National Computer Emergency Readiness Team) issued the following alert, SA06-270A:

Microsoft Internet Explorer ActiveX Vulnerability

Original release date: September 27, 2006
Last revised: --
Source: US-CERT

Systems Affected

  • Microsoft Windows
  • Internet Explorer

Overview

A vulnerability in ActiveX and Internet Explorer could allow an attacker to take control of your computer.

Solution

Microsoft has not yet released an update to address this vulnerability. Until an update is available, consider the following best practices:

Disable ActiveX

Disabling ActiveX will prevent exploitation of this and other ActiveX vulnerabilities. Instructions for disabling ActiveX in the Internet Zone can be found in "Securing Your Web Browser" and "Improve the safety of your browsing and e-mail activities."

Do not follow unsolicited links

Do not click on unsolicited URLs, including those received in email, instant messages, web forums, or internet relay chat (IRC) channels.

Description

An attacker could exploit a vulnerability in an ActiveX control by convincing a user to visit a web site with Internet Explorer. The attacker could then take any action as the user, including installing malicious software and accessing sensitive personal information.

For more technical information, see Vulnerability Note VU#753044.

Mozilla Firefox 2 RC 1 Available for Testing

Announced at Mozillazine:
"Wednesday September 27th, 2006 Mozilla Firefox 2 Release Candidate 1 is now available for download. This preview of the next version of Firefox browser is aimed at Web Application Developers, testers and early adopters."
The updates from the Release Notes are reproduced below. There are some exciting features coming for Firefox users. Of course, all of your favorite extensions, plugins and themes from earlier versions of Firefox may not work properly.
As good as the new features may sound to Firefox users, don't discount IE7. Although not "apples-to-apples", check this comparison in features between IE7 and FF2 in "Internet Explorer 7 v Firefox 2.0", Published 22 August 2006 by Wil Harris.
  • "Visual Refresh: Firefox 2's theme and user interface have been updated to improve usability without altering the familiarity of the browsing experience. For instance, toolbar buttons now glow when you hover over them. We will continue to improve the look and feel throughout the release candidate process.
  • Built-in phishing protection: Phishing Protection warns users when they encounter suspected Web forgeries, and offers to return the user to their home page. Phishing Protection is turned on by default, and works by checking sites against either a local or online list of known phishing sites. This list is automatically downloaded and regularly updated when the Phishing Protection feature is enabled.
  • Enhanced search capabilities: Search term suggestions will now appear as users type in the integrated search box when using the Google, Yahoo! or Answers.com search engines. A new search engine manager makes it easier to add, remove and re-order search engines, and users will be alerted when Firefox encounters a website that offers new search engines that the user may wish to install.
  • Improved tabbed browsing: By default, Firefox will open links in new tabs instead of new windows, and each tab will now have a close tab button. Power users who open more tabs than can fit in a single window will see arrows on the left and right side of the tab strip that let them scroll back and forth between their tabs. The History menu will keep a list of recently closed tabs, and a shortcut lets users quickly re-open an accidentally closed tab.
  • Resuming your browsing session: The Session Restore feature restores windows, tabs, text typed in forms, and in-progress downloads from the last user session. It will be activated automatically when installing an application update or extension, and users will be asked if they want to resume their previous session after a system crash.
  • Previewing and subscribing to Web feeds: Users can decide how to handle Web feeds (like this one), either subscribing to them via a Web service or in a standalone RSS reader, or adding them as Live Bookmarks. My Yahoo!, Bloglines and Google Reader come pre-loaded as Web service options, but users can add any Web service that handles RSS feeds.
  • Inline spell checking: A new built-in spell checker enables users to quickly check the spelling of text entered into Web forms (like this one) without having to use a separate application.
  • Live Titles: When a website offers a microsummary (a regularly updated summary of the most important information on a Web page), users can create a bookmark with a "Live Title". Compact enough to fit in the space available to a bookmark label, they provide more useful information about pages than static page titles, and are regularly updated with the latest information. There are several websites that can be bookmarked with Live Titles, and even more add-ons to generate Live Titles for other popular websites.
  • Improved Add-ons manager: The new Add-ons manager improves the user interface for managing extensions and themes, combining them both in a single tool.
  • JavaScript 1.7: JavaScript 1.7 is a language update introducing several new features such as generators, iterators, array comprehensions, let expressions, and destructuring assignments. It also includes all the features of JavaScript 1.6.
  • Extended search plugin format: The Firefox search engine format now supports search engine plugins written in Sherlock and OpenSearch formats and allows search engines to provide search term suggestions.
  • Updates to the extension system: The extension system has been updated to provide enhanced security and to allow for easier localization of extensions.
  • Client-side session and persistent storage: New support for storing structured data on the client side, to enable better handling of online transactions and improved performance when dealing with large amounts of data, such as documents and mailboxes. This is based on the WHATWG specification for client-side session and persistent storage.
  • SVG text: Support for the svg:textpath specification enables SVG text to follow a curve or shape.
  • New Windows installer: Based on Nullsoft Scriptable Install System, the new Windows installer resolves many long-standing issues."

Microsoft Security Advisory 926043

The details of the advisory are below. The workaround, as always: keep your antivirus software updated and don't open unexpected attachments in e-mails. For this vulnerability, at least until the Windows Update on October 10, disable ActiveX when using Internet Explorer.

To disable ActiveX:

-- Click Tools > Internet Options > Security tab > Internet Web Content Zone > Custom Level
-- In the Settings box, scroll to "Scripting" and Disable Active scripting and Scripting of Java applets.
-- Click OK twice.
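The zone settings behind the steps above, and the "Binary and Script Behaviors" setting that Enhanced Security Configuration turns off in the 925568 mitigations, all live under the same registry key. The following PowerShell script is an added example, not code from the original post or from Microsoft: it reads those settings for the current user's Internet zone and can set the chosen ones to Disable. It uses Microsoft's standard zone value names (1200, 1400, 1402, 2000) and action codes (0/1/3); the function names are this example's own, and it assumes PowerShell 3.0 or later.

```powershell
# Added example (not from the original post): audit, and optionally disable, the
# Internet Explorer Internet-zone settings discussed on this page.
# Registry location and value names are Microsoft's documented IE zone settings;
# the function names are this example's own. Requires PowerShell 3.0 or later.

$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'   # zone 3 = Internet

# Every zone setting stores one of these action codes
$Actions = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Settings referenced on this page: ActiveX itself, the two scripting options the
# post disables, and the "Binary and script behaviors" option that ESC turns off
$Settings = [ordered]@{
    '1200' = 'Run ActiveX controls and plug-ins'
    '1400' = 'Active scripting'
    '1402' = 'Scripting of Java applets'
    '2000' = 'Binary and script behaviors'
}

function Get-InternetZoneSetting {
    # Returns one object per setting showing what the current user's Internet zone does
    $zone = Get-ItemProperty -Path $ZonePath
    foreach ($name in $Settings.Keys) {
        $raw = $zone.$name
        if ($null -eq $raw) {
            $action = 'Not set (zone default applies)'
        } elseif ($Actions.ContainsKey([int]$raw)) {
            $action = $Actions[[int]$raw]
        } else {
            $action = 'Other (0x{0:X})' -f [int]$raw   # e.g. 0x10000 = administrator approved
        }
        [pscustomobject]@{ Value = $name; Setting = $Settings[$name]; Action = $action }
    }
}

function Disable-InternetZoneSetting {
    # Sets the chosen settings to Disable (3); Internet Explorer reads the change on next start
    param([string[]]$ValueName = @($Settings.Keys))
    foreach ($name in $ValueName) {
        Set-ItemProperty -Path $ZonePath -Name $name -Value 3 -Type DWord
    }
}

Get-InternetZoneSetting | Format-Table -AutoSize

# The post's workaround (Active scripting and Scripting of Java applets):
# Disable-InternetZoneSetting -ValueName '1400', '1402'
# Disabling ActiveX outright, as the US-CERT alert recommends:
# Disable-InternetZoneSetting -ValueName '1200'
```

The script changes only the current user's settings. On a machine where Group Policy enforces the zone configuration, or where the "Security Zones: Use only machine settings" policy is enabled, Internet Explorer honours the same key under HKLM instead, so audit that hive as well before trusting the output.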

VideosCodec and More on Fake Codecs


Take a close look at the rose image, nestled among the greenery, accompanying this blog post. Is the rose real or fake? Difficult to tell, isn't it? In this case, just as with the fake codecs, it is fake.
Yes, I hear you. Of course you could tell the difference in your own garden, but how many times have you seen artificial plants that look so real you had to examine them closer? It is the same with the fake codecs -- the most recent added to the list just today being VideosCodec. Others we have seen include VirusBurst, VirusBurster, MediaCodec, WinMediaCodec, X Password Generator, strCodec, pCodec, etc.
You may wonder why so much attention is given to the fake codecs by the security community. The reason is just this simple: they are not going away, as evidenced by the over 20 updates S!Ri has made to his SmitfraudFix© tool so far just in September. Besides, knowledge is power. The more information we can share, the better able you will be to protect your computer. Just like the artificial rose, the fake codecs look real from a distance. Take this for example:

It certainly looks legitimate. Want to see what would happen if you clicked on the download link? Take a look at the page entitled, "General installation of Fake Codecs, or . . . how to get screwed the easy way" that Jahewi put together and made available at his Jahewi's Anti-Malware Information website. It is not a pretty picture, at least not if it is on your computer.
If you find a movie-clip that you want to see, be wary, very wary, if you get a message that Windows Media Player cannot locate the right codec and you are asked to download and install the codec in order to watch the movie. If you get taken in, instructions for removal are provided in "Removing Fake Security Programs Like VirusBurst, WinMedia & Other Codecs".

SunFlowers and SunJava Update


Having sunflowers in the garden adds a bright spot of color and attracts birds to feed on the seeds. However, having old versions of SunJava on the computer will attract nasty infections like Virtumundo (Vundo) or Winfixer, which require specialized tools for removal.
Current Release: Java Runtime Environment (JRE) 1.6.0_07 for Java SE 6.

System Requirements:
See supported System Configurations for information about supported platforms, operating systems, desktop managers, and browsers.
Running with less memory may cause disk swapping which has a severe effect on performance. Very large programs may require more RAM for adequate performance.

This installation requires Windows Installer 2.0 to be on your machine, or an Internet connection for it to be automatically downloaded. For more details, see the Troubleshooting the Installation section of JDK.
  • Note: Trying to install the Java SE Runtime Environment on a non-supported version of Microsoft Windows or on a machine that doesn't have a sufficiently up-to-date Service Pack will cause the installer to generate this warning: "We recommend that you do not install this Java platform for the following reasons: This Java platform does not support the operating system or operating-system service pack on this machine."
Update Instructions:

Let's walk through the steps, beginning with removing any prior versions of SunJava on the computer.

  1. Close any open programs you may have running, especially your web browser
  2. Click Start > Control Panel (Depending on your OS or configuration, you may have to click Start > Settings > Control Panel)
  3. Open Add or Remove Programs (If you have Windows 98 or Windows 2000, open Add/Remove Programs)
  4. Click once on any item listing J2SE or Java Runtime Environment in the name. (Not every version of Java will begin with "Java" so be sure to read each entry in the list) Here is a sample of what you might find:

    Particularly vulnerable versions of Sun Java Runtime Environment (JRE) include the following and should be uninstalled as well as ALL other versions located:

    • JDK and JRE 5.0 Update 9 and earlier
    • SDK and JRE 1.4.2_12 and earlier
    • SDK and JRE 1.3.1_18 and earlier
  5. Click the Remove or Change/Remove button
  6. Follow steps 4 and 5 as many times as necessary to remove all versions of Java
  7. Search 'Programs' and 'Application Data' and remove old version files manually.

    1. C:\Program Files
    2. C:\Documents and Settings\USERNAME\Application Data\
  8. Restart your PC once all Java components have been removed
  9. Reconnect to the Internet and go to Java SE Downloads.
  10. Scroll down the page until you reach Java Runtime Environment (JRE) 6 Update 7 as shown below and click on the Download button:

    Java Runtime Environment (JRE) 6 Update 7

    The J2SE Runtime Environment (JRE) allows end-users to run Java applications.
    Installation Instructions | ReadMe | ReleaseNotes | Sun License | Third Party License
11. You will then find yourself on a page requiring acceptance of the License Agreement. Click in the circle next to Accept:


Required: You must accept the license agreement to download the product. Accept License Agreement | Review License Agreement
Decline License Agreement
12. After accepting the license agreement, a new page opens with a table of platforms to select from. For Microsoft Windows systems, the first selection on the list is the one you want. It is recommended that you select the Windows Offline Installation.

Windows Platform - J2SE(TM) Runtime Environment 6
Download Now! Windows Offline Installation, Multi-language
jre-6u5-windows-i586-p.exe
15.24 MB

13. Save the update to your computer:

14. When installing, be alert to the options. If you do not have the Google Toolbar installed on your computer, you may find the offering illustrated below. UNcheck "Google Toolbar for Internet Explorer" if you do not want the toolbar included with the installation. There may be other pre-checked "optional" installs that you may also choose to uncheck.

15. Restart the computer to finalize the process after completing the download/install of the SunJava update.

16. Optional: Verify the version installed at http://www.java.com/en/download/help/testvm.xml

Following the above instructions will keep your computer not only updated but also less exposed to the infections that target older versions of SunJava.
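Steps 4 to 6 above depend on reading the Add or Remove Programs list by eye and recognising every Java entry. The following PowerShell script is an added example, not code from the original post or from Sun: it performs the same check from the registry by listing every Java runtime registered under the standard Uninstall keys, converting the assorted display names into a comparable version, and flagging anything older than JRE 6 Update 7, the release the post recommends. The display-name patterns, the sample names and the target version are this example's assumptions; it needs PowerShell 3.0 or later.

```powershell
# Added example (not from the original post): enumerate installed Java runtimes
# and flag the ones that should be uninstalled before updating.
# Uninstall key paths are the standard Windows locations; the name patterns,
# sample names and target version below are this example's assumptions.

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'   # 32-bit Java on 64-bit Windows
)

function ConvertTo-JavaVersion {
    # Normalises the assorted Java display names to a [version] (1.major.minor.update)
    # so that "1.4.2_12", "5.0 Update 9" and "6 Update 7" compare correctly.
    # Returns $null for names this example does not recognise.
    param([Parameter(Mandatory)][string]$DisplayName)

    if ($DisplayName -match '(\d+)\.(\d+)\.(\d+)_(\d+)') {              # e.g. "SE v1.4.2_12"
        return [version]('{0}.{1}.{2}.{3}' -f $Matches[1], $Matches[2], $Matches[3], $Matches[4])
    }
    if ($DisplayName -match '\b(\d)(?:\.0)?\s+Update\s+(\d+)') {          # e.g. "5.0 Update 9", "6 Update 7"
        return [version]('1.{0}.0.{1}' -f $Matches[1], $Matches[2])
    }
    return $null
}

function Get-InstalledJava {
    # Every Add or Remove Programs entry that looks like a Sun Java runtime or SDK
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Java|J2SE|JRE|JDK' } |
        ForEach-Object {
            [pscustomobject]@{
                DisplayName     = $_.DisplayName
                Version         = ConvertTo-JavaVersion $_.DisplayName
                UninstallString = $_.UninstallString
            }
        }
}

function Get-ObsoleteJava {
    # Everything below $Current is a candidate for removal (steps 4 to 6 above).
    # Entries whose name could not be parsed are returned too, so they get a manual look.
    param([version]$Current = [version]'1.6.0.7')   # JRE 6 Update 7, the release the post recommends
    Get-InstalledJava | Where-Object { $null -eq $_.Version -or $_.Version -lt $Current }
}

# Constructed sample names (not read from any real machine) to show the parsing
$samples = 'Java(TM) 6 Update 7', 'J2SE Runtime Environment 5.0 Update 9', 'Java 2 Runtime Environment, SE v1.4.2_12'
foreach ($s in $samples) { '{0,-45} -> {1}' -f $s, (ConvertTo-JavaVersion $s) }

Get-ObsoleteJava | Format-Table -AutoSize
```

The script only reports; it does not uninstall anything. The UninstallString column gives the command each entry registered, which is the same thing the Remove button in step 5 runs, so the list can be worked through in order and then step 7's manual folder check still applies for leftovers the installers did not clean up.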

Thursday, 26 December 2013

Microsoft Security Updates for October 2013


Microsoft released eight (8) bulletins.  Four of the bulletins are identified as Critical with the remaining four bulletins rated Important.

The updates address 26 unique CVEs in Microsoft Windows, Internet Explorer, SharePoint, .NET Framework, Office, and Silverlight.

The updates to Windows and Internet Explorer require a restart.  For those people who run into problems with .NET Framework updates, it is recommended that the update be installed separately with a restart between other updates.

The Critical update for Internet Explorer addresses the publicly disclosed issue described in Security Advisory 2887505.  From the MS13-080 Update FAQ:
"If I applied the automated Microsoft Fix it solution for Internet Explorer previously described in Microsoft Security Advisory 2887505, do I need to undo the workaround before or after applying this update?

No. Customers who implemented the Microsoft Fix it solution, "CVE-2013-3893 MSHTML Shim Workaround," previously described in Microsoft Security Advisory 2887505, do not need to undo the Microsoft Fix it solution before or after applying this update.

Note: Although it is not necessary to undo the Microsoft Fix it solution, customers can follow the steps in Microsoft Knowledge Base Article 2879017 to undo the Microsoft Fix it solution."


Critical:
  • MS13-080 -- Cumulative Security Update for Internet Explorer (2879017)
  • MS13-081 -- Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2870008)
  • MS13-082 -- Vulnerabilities in .NET Framework Could Allow Remote Code Execution (2878890)
  • MS13-083 -- Vulnerability in Windows Common Control Library Could Allow Remote Code Execution (2864058)

Important:
  • MS13-084 -- Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (2885089)
  • MS13-085 -- Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2885080)
  • MS13-086 -- Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (2885084)  
  • MS13-087 -- Vulnerability in Silverlight Could Allow Information Disclosure (2890788)
Users of Windows XP are reminded that support ends for Windows XP on April 8, 2014.  See Tim Rains' article, The Countdown Begins: Support for Windows XP Ends on April 8, 2014.

Support

The following additional information is provided in the Security Bulletin:

Improvement to Windows 7 SP1 Disk Cleanup

Included with Microsoft Updates on the last Patch Tuesday was KB 2852386, an optional update.  This update changes the Disk Cleanup wizard to provide the ability to delete superseded Windows updates in Windows 7 SP1, reducing the space used by the WinSxS ("Windows Side by Side") folder.

Normally, superseded Windows updates are removed when a Service Pack is installed.  However, Windows 7 SP1 was released over two years ago, and the C:\Windows\WinSxS folder has grown significantly since then.

As seen in the image copy of WinSxS Properties on my Windows 7 computer, before running Disk Cleanup, it is a very large folder at over 17 GB with over 73,000 files and 18,000 folders.

WinSxS Properties
Before Disk Cleanup

Important Notes

  1. Disk Cleanup needs to be run as Administrator.
  2. Windows Update Cleanup is checked by default under Clean up system files.  If you have had problems with Windows Updates in the past, you may not want to include the Windows Update Cleanup option when running Disk Cleanup.
  3. If you do not see the option for Windows Update Cleanup under Clean up system files, either the wizard did not detect Windows updates that are not needed on the computer or KB 2852386 has not been installed yet.
  4. After running the Disk Cleanup wizard, you may not be able to roll back to a superseded update.  In that situation, it will be necessary to manually install the superseded update.
  5. The superseded update files will not be removed until the computer is restarted.  Windows will configure Windows updates on shutdown and Cleanup on startup.  Do not turn off your computer during that process. 

Results

Results will vary depending on the Microsoft programs installed on your computer.  In my case, with a lot of Microsoft programs installed and fully updated, there is a significant difference.  Comparing the before image of WinSxS Properties from my computer with the results after running Disk Cleanup:  14,684 files and 3,507 folders have been superseded since installing SP1.  Net gain:  6.9 GB!

WinSxS Properties
After Disk Cleanup


Illustrated screen images of the step-by-step process are available in the TechNet article referenced below.
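To reproduce the before/after comparison above on your own machine, the following PowerShell script is an added example, not code from the original post or from Microsoft: it checks whether KB2852386 is present (note 3 above) and measures the WinSxS folder the same way the Properties dialog does, so two runs separated by Disk Cleanup and the restart from note 5 can be compared. The function names are this example's own, and it assumes PowerShell 3.0 or later.

```powershell
# Added example (not from the original post): check for KB2852386 and measure
# C:\Windows\winsxs before and after Disk Cleanup. Function names are this
# example's own. Run from an elevated PowerShell so every subfolder is readable.

function Test-WinSxSCleanupUpdate {
    # KB2852386 is the optional update that adds "Windows Update Cleanup" to Disk Cleanup
    [bool](Get-HotFix -Id 'KB2852386' -ErrorAction SilentlyContinue)
}

function Measure-WinSxS {
    # Mirrors the figures in the WinSxS Properties dialog: size, file count, folder count
    param([string]$Path = (Join-Path $env:SystemRoot 'winsxs'))
    $items   = Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue
    $files   = @($items | Where-Object { -not $_.PSIsContainer })
    $folders = @($items | Where-Object { $_.PSIsContainer })
    [pscustomobject]@{
        Path    = $Path
        SizeGB  = [math]::Round((($files | Measure-Object -Property Length -Sum).Sum / 1GB), 2)
        Files   = $files.Count
        Folders = $folders.Count
        Taken   = Get-Date
    }
}

function Compare-WinSxS {
    # Takes two Measure-WinSxS results (before Disk Cleanup, and after the restart
    # that actually removes the superseded files) and reports what was reclaimed
    param(
        [Parameter(Mandatory)]$Before,
        [Parameter(Mandatory)]$After
    )
    [pscustomobject]@{
        ReclaimedGB    = [math]::Round($Before.SizeGB - $After.SizeGB, 2)
        FilesRemoved   = $Before.Files   - $After.Files
        FoldersRemoved = $Before.Folders - $After.Folders
    }
}

if (-not (Test-WinSxSCleanupUpdate)) {
    Write-Warning 'KB2852386 is not installed; Windows Update Cleanup will not appear in Disk Cleanup.'
}

# First run: record the baseline and keep it across the restart
$before = Measure-WinSxS
$before | Format-List
$before | Export-Clixml -Path (Join-Path $env:TEMP 'winsxs-before.xml')

# After Disk Cleanup and the restart, run the second measurement and compare:
# $before = Import-Clixml -Path (Join-Path $env:TEMP 'winsxs-before.xml')
# Compare-WinSxS -Before $before -After (Measure-WinSxS) | Format-List
```

The size reported is the same "Size" figure Explorer shows for the folder, which counts every hard-linked file once per link; much of WinSxS is hard links into System32, so the true disk space held by the folder is smaller than either number. The difference between the two runs is still a fair measure of what the cleanup reclaimed, and note 5 above explains why the second run must wait until after the restart.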