Wiz's Computer and Website Security Blog

On Thursday, August 19, 2010, Adobe released critical "out of cycle" security updates, 9.3.4 and 8.2.4, for its commercial Acrobat PDF encoder and free Adobe PDF Reader programs. Today's updates fix at least two critical vulnerabilities that are being exploited in the wild. Exploitation of these vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.

Updates are available for Windows, Mac and UNIX versions of these Adobe programs. Windows users may receive automatic updates notices, or may be auto-updated, depending on how you have set your updater preferences (Edit > Preferences > Updater). You can also check manually, buy going to the Help menu item, then down to "Check for updates." An updater window will open separately, download the new version upon receiving your permission. It will close Reader or Acrobat, then install then new version. If you were working on any PDF documents, save them and exit the application during the update phase. It may take some time to complete (I don't know why, it just does!).

The official Common Vulnerabilities and Exposures code for today's update is: CVE-2010-2862, which was discussed and demonstrated at the Black Hat USA 2010 security conference on Wednesday, July 28, 2010. The actual vulnerability is described as: "Integer overflow in CoolType.dll in Adobe Reader 8.2.3 and 9.3.3, and Acrobat 9.3.3, allows remote attackers to execute arbitrary code via a TrueType font with a large maxCompositePoints value in a Maximum Profile (maxp) table."

Further details are: "Network exploitable; Victim must voluntarily interact with attack mechanism" - which they are tricked into doing.

Vulnerability details were provided and/or discovered by: Charlie Miller, Independent Security Evaluators, and Tavis Ormandy, Google Security Team.

All of this follows on the heels of another out-of-cycle critical update in Adobe's Flash Player, on August 11. It appears that Adobe Acrobat and Reader bundle a version of Flash inside the program, and that version was exploitable, via authplay.dll. The new updates to Reader and Acrobat supply the latest, patched version of Flash, bundled inside those programs.

Posted by Wiz at 4:30 PM | Permalink

Get Norton 360 Version 4.0 - All-In-One Security. If you have a non-current version of a Symantec security program and wish to renew your definition updates subscription, or upgrade to a new version at a discount, go to the Norton Product Upgrades & Renewals page.

August 11, 2010

Adobe Releases Security Update for Flash Player: Adobe has released Flash Player 10.1.82.76 to address multiple vulnerabilities. See Go here for the details.

See what version of Flash you have installed for each browser brand, here. If you use the current version of Firefox it will tell you to update Flash, when a new version has been released. Internet Explorer users still need to go to Adobe and update the ActiveX version manually.

Due to exploits in the wild, you are strongly advised to update your Flash players now! Adobe recommends users of Adobe AIR 2.0.2.12610 and earlier versions update to Adobe AIR 2.0.3, by downloading it from the Adobe AIR Download Center.

Note, that previously, one could navigate to C:\Windows\System32\Macromed\Flash and use the FlashUtil(version#).exe application to run a manual update. Those files no longer work that way. Now, the FlashUtil apps uninstall Flash, rather than update it. You can download the new Flash installers, named: install_flash_player_ax.exe, for Internet Explorer based browsers, and install_flash_player.exe, for Mozilla based browsers (non-ActiveX), from the Adobe Flash Download Center. Administrator privileges are required to install or update Flash via these installer files. Use "Run As" (Administrator & password) if necessary.

A word of warning!
As you browse the Internet, or read emails about watching movies online, always beware of any links that take you to a page that tells you to update your Flash Player, but the link does not go to www.adobe.com, or http://www.adobe.com/go/getflash/ . Cyber criminals are famous for creating fake Flash and YouTube players, with a spinning circle in a black player screen, telling you that your Flash Player needs updating and click there. If you hover your mouse over those links you may or may not see that they never leave that website. The files you are about to downland and run from these fake web pages are Trojan Horse programs designed to make your PC a member of a Botnet, or install rogue security scanners, or a login stealing Trojan, like the Zeus/Zbot Trojan.

If you are tricked into clicking on a fake media player and a download dialog appears, dismiss it immediately, then close your browser. Use your anti-virus scanner to see if malware was downloaded into the browser's cache and remove it, or clear the cache. Always update your anti-malware definitions before scanning for new threats.

Posted by Wiz at 1:43 PM | Permalink

Get Norton 360 Version 4.0 - All-In-One Security. If you have a non-current version of a Symantec security program and wish to renew your definition updates subscription, or upgrade to a new version at a discount, go to the Norton Product Upgrades & Renewals page.

Vulnerability identifier: Adobe security advisory APSB10-15 - a.k.a. CVE-2010-1297

On June 29, 2010, Adobe is planning to release updates for Adobe Reader 9.3.2 for Windows, Macintosh and UNIX, Adobe Acrobat 9.3.2 for Windows and Macintosh, and Adobe Reader 8.2.2 and Acrobat 8.2.2 for Windows and Macintosh to resolve critical security issues in the authplay.dll component that ships with Adobe Reader and Acrobat 9.x for Windows, Macintosh and UNIX operating systems. This has been known about since June 4 and is being exploited in the wild.

According to the advisory, "the June 29, 2010 updates represent an accelerated release of the next quarterly security update originally scheduled for July 13, 2010. With this accelerated schedule, Adobe will not release additional updates for Adobe Reader and Acrobat on July 13, 2010."

UPDATE: June 29, 2010

As scheduled, Adobe has released patched versions 9.3.3 and 8.2.3 of its pdf Acrobat and Reader. 17 vulnerabilities were fixed in this update, including one zero-day flaw that has been exploited in the wild. I applied this update to my XP SP 3 computer and it required a reboot to complete, and your computer may also require a restart, depending on the OS. Be prepared to save any work in progress and reboot after you receive this update, whether manually or automatically.

Adobe warned about that vulnerability, which also affected Flash Player, on June 4, 2010, and plugged the hole in Flash on June 10. If you haven't updated Flash for all of your browsers, do so now, at http://www.adobe.com/go/EN_US-H-GET-FLASH, or from http://get.adobe.com/flashplayer/.

If you are currently using the latest version of Adobe Reader or Acrobat, you should have automatic checking for updates and notification of availability turned on by default, unless you purposely turned this safety feature off. That means that when the check for updates is run after these updates are pushed out, you will be notified about their availability and can download the update. If you set your Updates preference to automatically download and install the updates, this will happen automatically, in the background. This could be the same day, or the next day, depending on what time your Adobe Reader checks for updates. You can also run a manual check for updates, via the Help menu > Check for Updates.

You can set or reset your preferences for Adobe Reader and Acrobat update checking, via Edit > Preferences > Updater. I recommend "Automatically Install Updates." Note, that you must use Administrator credentials to check for and apply updates to Adobe Reader and Acrobat. This can be done from a less privileged account by right clicking on the desktop or Start Menu icon for Adobe Reader/Acrobat and choosing "Run As" (Administrator).

If you are running Ubuntu or Debian Linux, you must update Adobe Reader via the Updates Manager, found under the Menu item: Administration. An Administrator password is required to check for and install updates.

Please apply the security update to all PCs running Adobe Reader and or Acrobat, as the vulnerability is critical and if exploited, may lead to complete takeover of unpatched PCs. From that point on, anything goes.

Posted by Wiz at 12:18 AM | Permalink

Get Norton 360 Version 4.0 - All-In-One Security. If you have a non-current version of a Symantec security program and wish to renew your definition updates subscription, or upgrade to a new version at a discount, go to the Norton Product Upgrades & Renewals page.

According to a security bulletin posted on Adobe.com, on April 13, 2010 they will be releasing updated version 9.3.2 of Adobe's PDF Reader and Acrobat PDF encoder software, for Windows, Mac and Linux/Unix operating systems. This is a critical update that will correct a feature that has been demonstrated to be an attack vector that can be used by criminal exploiters. There is also going to be an update from version 8.2.1 to v 8.2.2 for Windows and Macintosh platforms using that version.

If you have installed Adobe Acrobat or Reader 9.3.1 and chosen to set the preferences to automatically check for and apply updates, you should receive the new version when it is released in your timezone, on April 13, 2010. If you haven't set that preference, you can do so now, by following these steps...

Open Adobe Reader 9.x. Click on Edit. Scroll down to the bottom of the flyout options and click on "Preferences." When the Preferences box opens go to the last entry on the left, labeled "Updater" and click on it. In the left options select "Automatically install updates." Click OK to save your changes.

If you cannot allow the automatic updater to be enabled, due to company policy or paranoia, you should check for updates manually, by opening Reader or Acrobat, then go to the "Help" menu item, then click on the flyout option "Check for Updates." You must have Administrator privileges to check for updates, or to alter the automatic updater preferences.

The feature that is being patched on April 13 is a command known as "/Launch /Action" - which has been a part of Adobe' Reader and Acrobat for a long long time. Adobe's Reader and Acrobat are able to open or launch embedded and external applications by using this function, but they first display a dialog box requesting the user's permission. The wording inside the dialog box can be set by the author of the PDF file in question. This would allow a criminal or hacker to craft words designed to fool users into thinking that they were doing the right thing by opening an application or executable that may be embedded within the PDF package. This could be accomplished by social engineering tactics, such as are already used successfully in various Phishing attacks. They could make a PDF document look like a message from your bank or loan company, with authentic logos, then present the Open dialog box with wording to the effect that you must click Open to submit the enclosed form. You could be fooled into installing a keylogger, or Bot malware on your PC, just like that.

As was demonstrated by researcher Didier Stevens, on March 29, 2010, if a user receives such a specially crafted PDF file and is tricked into allowing the Launch action to take place, their computer could become infected with an embedded virus, or malware downloader, or the default browser could be opened to a URL where malware attacks could be launched. Furthermore, another proof of concept exploit has been demonstrated showing the this attack could be used to infect other clean PDF files on that computer, turning the original malware laden PDF file into a replicating Worm.

If you don't want to wait for Adobe's patch to be released on April 13, you can manually disable the feature that allows the exploit to occur. Just open the Adobe Reader or Acrobat Preferences (under Edit), find the left sidebar option labeled "Trust Manager" and click on it. When the Trust Manager options load, uncheck the top option labeled: "Allow opening of non-PDF file attachments with external applications." Click OK and you are protected from this particular exploit vector.

While the Reader/Acrobat Preferences are still open, consider disabling JavaScript (under "JavaScript") and/or displaying of PDF documents in Web browsers (under "Internet"). That fixes two other attack vectors already in use by malware authors. If you find that you need JavaScript to fill in forms or read certain documents, just re-enable it as needed.

You can really reduce your computer's likelihood of becoming infected by operating with non-Administrator rights. If you use Windows XP Home you can demote your account to Limited User, while XP Professional users can become Power Users. Vista and Windows 7 has a new account type called Standard User and that is what you should use for your every day operation. You should read my recent post explaining how 90% of critical Windows vulnerabilities can be mitigated by removing Admin rights from an account.

Posted by Wiz at 1:11 AM | Permalink

Get Norton 360 Version 4.0 - All-In-One Security. If you have a non-current version of a Symantec security program and wish to renew your definition updates subscription, or upgrade to a new version at a discount, go to the Norton Product Upgrades & Renewals page.

On Monday, November 2, 2009, Microsoft began using Automatic Windows Updates to forcibly push out a re-release of a critical patch for its Internet Explorer browsers. Monday's hotfix, named KB976749, targeted MS09-054, originally released on October 13, 2009. That update patched four vulnerabilities, all "critical," in Internet Explorer. It was the third fix released for last month's Windows Updates! Whew!

Microsoft Knowledge base article KB976749 outlines the two issues, one that scrambles Web page elements, while the other spawns a "Type Mismatch" script error on sites that use VBScript, or a mix of VBScript and JavaScript. That article is titled: "An update is available for Internet Explorer that resolves issues that occur after you apply security update 974455 (MS09-054)."

The following warning appears on the aforementioned page:

Important Do not install this update if you have not installed security update 974455. If you install this update without first installing security update 974455, Internet Explorer may not work correctly. If this occurs, uninstall this update, install security update 974455, and then reinstall this update.

This update affects all versions of Internet Explorer, from 5.01 through 8.x. So, if you applied last month's Windows Updates (Oct 13, 2009) and allowed the IE patch to be installed, you will need to install this patched patch.

Many people will have already received this update automatically by the time I published this blog article. It requires a reboot to install the patch and you will be logged off and your PC will restart automatically, unless you intercept the pop-under notice giving you a 15 minute warning before shutdown (Maybe it was 20 minutes to start. When I first noticed it the timer said 15 minutes). Even Power Users and probably Limited Users are affected by the automatic installation and reboot process, if your PC is set to install Windows Updates automatically.

BTW: The "Restart later" button was grayed out for me, so I was forced to save all work in progress, close open applications to avoid data loss, then use "Restart Now" to let the inevitable update complete. The aggravating part of this process was that I don't browse at all with Internet Explorer! I only open it to obtain Windows Updates, after logging into a Administrator level account, or to check layouts of websites I design and maintain. I do all daily browsing on Mozilla's Firefox, using latest version. I operate as a Power User and was forced to allow the installation and forced reboot. Not much finesse on Microsoft's part.

Note, that if this patch causes you more problems that it solves, you can uninstall it via Control Panel > Add/Remove Programs, with the Show Updates option checked. After rebooting you will be rolled back to the previous state of "patchedness."

Note also that one can only avoid these forced installation/reboot routines by disabling Automatic Windows Updates. Anything less will allow critical patches to be downloaded and installed if you are browsing on a less privileged account type. People who (foolishly, in my opinion) insist on using Administrator level accounts will at least see the gold shield tray icon notification that an update is available. or has been downloaded. By the time a Power User sees the shield, the countdown timer has starting its countdown to a forced restart.

Posted by Wiz at 5:38 PM | Permalink

Get Norton 360 Version 4.0 - All-In-One Security. If you have a non-current version of a Symantec security program and wish to renew your definition updates subscription, or upgrade to a new version at a discount, go to the Norton Product Upgrades & Renewals page.

I have a couple of new items to alert my readers about today. First, Sun Corporation has just updated their Java Virtual Machine (JVM) to version 6, Update15 (build 1.6.0_15-b03), fixing vulnerabilities announced by Microsoft in ATL components of Visual Studio. Apparently, Java itself used some of the vulnerable ATL modules and had to re-code the JVM to prevent it from being exploited in drive-by attacks against these components. Go to www.java.com to download and install the current version of Java from your browser. You can also manually choose an online or offline setup version for various operating systems, from this page.

As of today, updating the Java VM does not automatically uninstall older versions of Java. This is by an executive decision made by Sun Corp. They are afraid of breaking existing programs that depend on certain versions of Java. However, cyber-criminals are known to write codes pointing to the default installation paths of vulnerable versions of Java. If you leave an exploitable Java executable on your computer, then accidentally surf to, or get redirected to a hostile website, that version of Java can be used against you! If at all possible, if you aren't running a critical application that depends on an older version of Java, uninstall older versions after you update to a new version. You must close all browsers for the updates to take effect. If an application stops working properly after you update the Java VM, go to the manufacturer's website or look for a built-in check for updates link, to see if they have released a patched version to work with the new JVM.

The second matter affects Windows PC users who download Hotmail messages to their desktops, via Microsoft's Outlook, Outlook Express or Entourage programs. Microsoft has decided to make code changes to the way the Hotmail email servers work and these changes will cause Outlook and Outlook Express to stop sending and receiving Hotmail messages on September 1, 2009. Hotmail is now called "Windows Live Hotmail."

To continue to receive e-mail from your Hotmail account, you will have to select one of the alternative solutions below before September 1, 2009. After that day, new Hotmail e-mail can only be delivered to, or sent from your mail programs through the following alternative solutions. However you can continue to view and send your Hotmail messages via your web browsers.

If you use Microsoft Office Outlook to view Hotmail, you can download the free Office Outlook Connector to continue accessing your Windows Live Hotmail within Outlook 2003 or 2007. If you run an older version, read this information.

If you use Outlook Express (OE) to view Hotmail, you can choose to download the free Windows Live Mail (WLM), which resembles Outlook Express, but is much more powerful, less prone to crashes and contains a junk filter. You can import all of your saved .eml messages and accounts from OE into WLM (via Export/Import, or drag and drop between email clients). You can also import your personal folders from OE. The view is a little different, but you'll get used to it. You can find help on this page with exporting messages from Outlook Express into WLM.

If you are using Entourage to send and receive Hotmail, read these instructions to continue connecting to the new servers.

Why did this change happen? Because Microsoft Outlook, Outlook Express, and Entourage use a legacy communications method, known as the DAV protocol, to access Hotmail. Because the DAV protocol is not optimally suited for programs to access large inboxes such as Hotmail which now provides users ever-growing storage*, new alternatives have been built. Microsoft postponed their initial plans to retire the DAV protocol until more options were available. Now that these options (including the POP3 protocol) are available, they are ready to retire the DAV protocol, on September 1, 2009.

Posted by Wiz at 4:04 AM | Permalink

Get Norton 360 Version 4.0 - All-In-One Security. If you have a non-current version of a Symantec security program and wish to renew your definition updates subscription, or upgrade to a new version at a discount, go to the Norton Product Upgrades & Renewals page.

July 25, 2009

There are some new vulnerabilities to be alerted to that are being exploited in the wild right now and may impact you. Some affect Windows computers, while others are cross platform (Linux, Mac, Solaris). Foremost among the vulnerable software are Internet Explorer, Visual Studio components and three Adobe programs.

First off, Microsoft just announced that they will be releasing two out-of-cycle security patches on Tuesday, July 28, 2009. This is very rare for Microsoft, who mainly stick to a Patch Tuesday happening just once a month schedule. The two vulnerabilities are being actively exploited in the wild and cannot wait until August 11 to be fixed. Too many PCs would be compromised by then.

If you have followed Microsoft's recommendation and set your Windows PCs to download and install Windows Updates Automatically, you will receive them sometime during the day of July 28, 2009, depending on where you are located. For folks living in the Eastern US time zone these updates will probably show up around 2 PM. If you are going to be away from your PC during that afternoon you should save any work in progress, because Windows Update will reboot your computer without interaction, if required to install those updates, after popping up a pending shutdown alert. If you aren't there to dismiss that alert your PC will be automatically rebooted to finish installing these critical patches.

Adobe has three products being exploited by cyber criminals this week. They are Adobe's Acrobat, Reader and Flash Player. This time the exploit lies in the way in which Adobe Reader and Acrobat are set to automatically run embedded Flash code whern a person opens a .pdf document (pdf = Portable Document Format) in any current version of Reader or Acrobat. In case you were wondering, Acrobat is an expensive program used to create pdf documents. Reader opens them for reading and printing. Flash is active content for interactive forms and video presentations on web pages, or for embedding into pdf files. YouTube videos are encoded using Adobe Flash and are viewed in Flash Player.

Adobe will be releasing patches on two days this month. An update for Flash Player v9 and v10 for Windows, Macintosh, and Linux will be available by July 30, 2009. They expect to provide an update for Adobe Reader and Acrobat v9.1.2 for Windows, Macintosh and UNIX by July 31, 2009. While you patiently wait for those patches you can protect you computers from getting hacked from hostile pdf documents by applying two officially recommended workarounds.

UPDATE:
August 2, 2009

Both Microsoft and Adobe did release the promised, out-of-band, critical updates, fixing the reported vulnerabilities in Microsoft's Internet Explorer and Visual Studio ATL and in Adobe's Flash, Reader and Acrobat. If you have not already done so, please run the Secunia Online Software Inspector, to see what insecure software is installed on your computers. Download links are provided in its report.

Note: If you are a programmer and have written any code that utilizes the Microsoft Visual Studio ATL, you may need to make changes to get those controls working again. See this MSDN page for more information about how the security update of 7/28/09 will impact your code.

Details about the Adobe vulnerabilities and their workarounds are in my extended content.

Continue reading "Microsoft and Adobe to release out-of-band patches" »

Posted by Wiz at 6:29 PM | Permalink

Get Norton 360 Version 4.0 - All-In-One Security. If you have a non-current version of a Symantec security program and wish to renew your definition updates subscription, or upgrade to a new version at a discount, go to the Norton Product Upgrades & Renewals page.

There have been significant program updates issued for Microsoft Windows, the Firefox browser, Adobe Acrobat and Reader and Apple's QuickTime browser plug-in. All updates were released this week to fix critical vulnerabilities that were reported and were being exploited by hackers and cyber-criminals. These criminal elements hijack legitimate websites and install hidden codes to redirect innocent visitors to hostile websites loaded with exploit attack codes.

Most of the successful attacks exploit vulnerabilities in browsers (usually Internet Exploder), or their installed add-ons and plug-ins. like Apple QuickTime, Adobe Flash and Reader (and other PDF readers) and Sun's Java plug-in. If any of these items are a vulnerable version you may have your computer hijacked by cyber-criminals who will make it a zombie member of their Botnet. This will turn your PC into a spam machine, or it could be used to attack websites or Governments, with whom the hackers have a difference of opinion.

In order to stay safe from the barrage of hack attacks targeting browsers and their plug-ins it is imperative that you keep Windows and its components and all third party add-ons up to date. One way is to always select the option to automatically check for, download and install updates to those programs. If there is no automatic update mechanism for a program you use you should check to see if it has been updated. This could be at the manufacturer's website, or by using the free Secunia Online Software Inspector (requires current version of Java).

The details of this week's updates are below, in my extended comments.

Continue reading "Windows, Firefox, Adobe Reader and Apple QuickTime updated" »

Posted by Wiz at 1:07 PM | Permalink

Get Norton 360 Version 4.0 - All-In-One Security. If you have a non-current version of a Symantec security program and wish to renew your definition updates subscription, or upgrade to a new version at a discount, go to the Norton Product Upgrades & Renewals page.

From the security desk of Wiz Feinberg
March 11, 2009

On March 9 and 11, Foxit then Adobe released patched, updated versions of their PDF readers, responding to critical vulnerabilities, like the JBIG exploit, currently being exploited in the wild. Until the Foxit patch was announced on the 9th, many people believed that it was a safe alternative to the Adobe Reader. Not so. The Adobe exploits are targeting all Reader and Acrobat versions 7, through 9.0.

Foxit has patched three critical vulnerabilities with version 3.0 Build 1506. You can download the latest patched Foxit PDF Reader here. Interestingly, Foxit was only notified about these exploitable vulnerabilities a few weeks ago, in mid-February and were able to push out a patch in a short time.

Adobe, on the other hand, has been aware of the vulnerabilities in it's PDF Reader and Acrobat PDF encoder for three months (since early January 2009) and just today released the patch. When these security concerns were publicized Adobe recommended disabling JavaScript and browser plug-in functions in the Adobe Reader and in Acrobat. However, it was later demonstrated in a lab test at Secunia that Reader and Acrobat are still exploitable with these functions disabled. The patched versions released on March 11 finally plugs the holes that allow these exploits to occur. JavaScript and displaying a pdf in your browser can now be re-enabled, after you upgrade to Adobe Reader and Acrobat 9.1. Older Readers version 7 and 8 x will be patched on March 18, 2009.

You can download the current version of Adobe Reader here. This Adobe page has links to patch your version of Adobe Acrobat.

Adobe has published a security bulletin about the vulnerabilities affecting its Reader and Acrobat software, with the dates the vulnerabilities were announced and the release dates for the patches. This page goes far back and shows how they have responded to exploitable weaknesses for years.

If you missed the news, Adobe also released a patched version of Adobe Flash Player, on February 24, 2009. Adobe recommends all users of Adobe Flash Player 10.0.12.36 and earlier versions upgrade to the newest version 10.0.22.87 by downloading it from the Player Download Center, or by using the auto-update mechanism within the product when prompted.

The risk of browsing the Internet or opening emails containing links to or attachments containing rigged Flash and PDF files, without being fully patched against the exploit codes, is total system compromise. There have been malicious Flash banner ads released through some affiliate ad services that are capable of redirecting your browser to a hostile web server, where it will attempt to forceably and invisibly download exploit codes to your computer, if you have installed a vulnerable version of Flash Player, or Adobe (PDF) Reader or Acrobat.

You can scan your PCs online at Secunia.com, using their Online Software Inspector tool. It requires Java to operate and will report on any missing Windows patches, as well as any left over insecure versions of third party applications, like Flash, Reader and Java. It provides direct download links to obtain the latest patched versions, plus shows you the exact path to the old, exploitable versions still installed on your PC. I use it and recommend you do so every week, say on Tuesday evenings (after Windows Updates are released on Patch Tuesdays). It usually takes under a minute to complete the online scans. You must uninstall old software and install the updates yourself.

Posted by Wiz at 8:32 PM | Permalink

Get Norton 360 Version 4.0 - All-In-One Security. If you have a non-current version of a Symantec security program and wish to renew your definition updates subscription, or upgrade to a new version at a discount, go to the Norton Product Upgrades & Renewals page.

A faulty definitions update issued on November 9, 2008 caused AVG Anti Virus 7.5 and 8.0 (free and paid versions) to either automatically or manually delete and/or quarantine a required Windows XP System file; User32.dll, as soon a scheduled scan came to that file, or when a user opened the System32 directory to search files in it. Without this file in the System32 directory, Windows will not boot! AVG released updated definitions shortly thereafter to fix the false positive detection. If your computer was still on and you checked for AVG updates again before shutting it down, you may have received the patched definitions and are OK to operate as usual. You will know the next time you reboot or shut down and restart your computer!

If this bad update occurred while your PC was operating and you either rebooted, or shut it down, before obtaining the updates that fixed the false detection, it will not boot into Windows again until you disable the AVG Resident shields using the Recovery Console and restore user32.dll from a backup image, or location, or from your Windows XP CD.

The system can be restored by using the Windows XP Recovery Console to copy a backup of User32.dll into the System32 directory. If you have already installed the Recovery Console as a boot option, boot into it, then run the copy command listed in the next paragraph.

If you haven't installed the Recovery Console, but you do have your bootable Microsoft XP CD, it contains the Recovery Console. Boot from the Microsoft Windows XP CD and choose Setup Option "R" to Repair your Windows Installation using the "Recovery Console." You will be taken to a black screen with white text which will halt at a blinking command prompt (just like MS DOS). The Recovery Console command to type in would be as follows:

copy c:\windows\system32\dllcache\user32.dll c:\windows\system32\user32.dll

Press Enter and wait a second or two. If it reports "1 file copied" then the Windows boot portion of the problem is fixed. However, you will still need to disable the AVG Resident shields from the Recovery Console, as described in my extended comments and on the AVG Support website, until you are able to boot into Windows and run a manual check for AVG updates and receive the patched definitions file. Don't forget to reactivate the resident shields after updating the definitions (as described in my extended comments or on the AVG Support site)!

If the above code fails, try the following:

copy c:\windows\servicepackfiles\i386\user32.dll c:\windows\system32\user32.dll

If that doesn't work you will have to expand and copy it from the XP CD, as follows:

copy d:\i386\user32.dl_ c:\windows\system32\user32.dll

The above uses drive letter "d:" as the source for the CD drive containing the recovery media. Your CD drive letter may be different, depending on how many hard disks or partitions you have installed. So, for instance, if your Windows CD is in drive F, substitute F: for D: in the last command.

If this, or another update or software installation has crippled your PC and you use Acronis True Image to make daily backups, insert your bootable Acronis Recovery CD (you were told to create that CD when you installed Acronis True Image), boot into the rescue interface, locate the most recent backup of the entire computer and restore it to the C drive. You should be up and running within about a half hour, or so.

If you don t have any recent backup images, nor a Windows operating system CD, your OEM hard drive might have a hidden recovery partition on it. Reboot your computer and press the Pause key when the first screen appears. It will usually contain information about pressing a particular key to restore your computer to "Day-1" condition. You will lose everything you have saved or created since that day, but at least the PC will boot into Windows. This is a worse case scenario for most of you.

Continue reading "AVG False Positive Cripples Windows XP PCs, on November 9, 2008" »

Posted by Wiz at 4:48 PM | Permalink

Get Norton 360 Version 4.0 - All-In-One Security. If you have a non-current version of a Symantec security program and wish to renew your definition updates subscription, or upgrade to a new version at a discount, go to the Norton Product Upgrades & Renewals page.

May 2, 2007

Apple today released QuickTime 7.1.6 for Mac and QuickTime 7.1.6 for Windows which delivers numerous bug fixes, addresses a critical security issue with QuickTime for Java and includes support for:

Final Cut Studio 2
Timecode and closed captioning display in QuickTime Player

This update is recommended for all QuickTime 7 users, including Firefox users. (Firefox uses the QuickTime Plug-in which is vulnerable and needs updating)

About the security content of QuickTime 7.1.6:

CVE-ID: CVE-2007-2175
Available for: Mac OS X v10.3.9, Mac OS X v10.4.9, Windows XP SP2, Windows 2000 SP4

Impact: Visiting a malicious website may lead to arbitrary code execution

Description: An implementation issue exists in QuickTime for Java, which may allow reading or writing out of the bounds of the allocated heap. By enticing a user to visit a web page containing a maliciously-crafted Java applet, an attacker can trigger the issue which may lead to arbitrary code execution. The code will run with the privileges of the target user.

QuickTime 7.1.6 is available via Software Update and also as standalone installers, using the following links:

QuickTime 7.1.6 for Mac (43.6MB)
http://www.apple.com/support/downloads/quicktime716formac.html

QuickTime 7.1.6 for Windows (19.1MB)
http://www.apple.com/support/downloads/quicktime716forwindows.html

The official Apple advisory is available at:
http://docs.info.apple.com/article.html?artnum=305446

Posted by Wiz at 7:54 PM | Permalink

Get Norton 360 Version 4.0 - All-In-One Security. If you have a non-current version of a Symantec security program and wish to renew your definition updates subscription, or upgrade to a new version at a discount, go to the Norton Product Upgrades & Renewals page.

Three flawed Windows security and driver updates were released on Patch Tuesday, February 13, and continued through Friday, February 16, 2007. The first one involves a defective "signed" VIA IDE driver update that places most computers into endless reboot cycles. The second involves installing an unnecessary Alps Pointing Device driver, on computers that don't have such a device. The third is a patch for PowerPoint that fails to fix the stated vulnerabilities it is meant to address.

The flawed VIA Primary IDE driver only appeared under optional Hardware Updates, if you ran manual updates, using the Custom Option. I first became aware of the problem on Friday, February 16, when I performed Windows Updates for a client, at his office. The first and second machines to receive updates had the VIA Primary IDE Driver listed under Hardware Updates, so I installed it and rebooted, and rebooted, and rebooted... After the third time I realized that there was a problem with that driver and I used F8 to get to the boot menu, where I selected "Last Known Good Configuration," which succeeded in getting back into Windows. From there I right-clicked on My Computer, selected Properties, then Hardware, then Device Manager > IDE ATA ATAPI Controllers, then rolled-back the VIA Primary Channel IDE driver update to the previous driver, rebooted, and all was well again.

Another one of the Hardware updates seems to have placed an unwanted and unneeded Alps Touchpad/Pointing device driver and icon on the computers that did not have an Alps Touchpad attached to them. Using Device Manager > Mice/Pointing Devices I rolled-back the driver and the touchpad icon and other pointer problems were resolved, after a reboot.

The third problem was just announced via Microsoft Technet, in this security re-release notice: http://www.microsoft.com/technet/security/bulletin/ms06-058.mspx

Microsoft Security Bulletin MS06-058
Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (924163)
Published: October 10, 2006 | Updated: February 21, 2007

Recommendation: Customers should apply the update immediately

Security Update Replacement: This bulletin replaces a prior security update.

Why did Microsoft minor revise this bulletin on February 13, 2006?

Further investigation of CVE-2006-3877 as originally revealed that the update was not effective in removing the vulnerability from affected systems. The Microsoft Security bulletin, MS07-015 has been issued to properly address CVE-2006-3877 and customers should apply the updates in this bulletin immediately.

More information and links to download hotfixes are in the extended entry -->

Continue reading "Microsoft Releases Flawed Windows Updates in Feb 13-16, 2007 Patch and Hardware Updates" »

Posted by Wiz at 3:40 PM | Permalink

Get Norton 360 Version 4.0 - All-In-One Security. If you have a non-current version of a Symantec security program and wish to renew your definition updates subscription, or upgrade to a new version at a discount, go to the Norton Product Upgrades & Renewals page.

I am posting this for my viewers who use Apple's Mac operating systems, the percentage of which is not declining ;-)

Apple released Security Update 2006-007 in various versions. The update is available via Software Update and also as standalone installers.

Security Update 2006-007 is recommended for all users and improves the security of the following components:

- AirPort
- ATS
- CFNetwork
- Finder
- Font Book
- Font Importer
- Installer
- OpenSSL
- PHP
- PPP
- Samba
- Security Framework
- VPN
- WebKit
- gnuzip

About the security content of Security Update 2006-007:
http://docs.info.apple.com/article.html?artnum=304829

Continue reading "Apple releases Security Update 2006-007" »

Posted by Wiz at 6:20 PM | Permalink

Get Norton 360 Version 4.0 - All-In-One Security. If you have a non-current version of a Symantec security program and wish to renew your definition updates subscription, or upgrade to a new version at a discount, go to the Norton Product Upgrades & Renewals page.

YPOPs, a free POP3 email interface for sending and receiving Yahoo email via your POP3 email client, was updated on October 18, 2006. POP3 email clients include Outlook, Outlook Express, Thunderbird, Eudora, etc. If you use one of these programs and would like to be able use it to send and receive your Yahoo email, YPOPs will allow you to do so. Normally, Yahoo email must be accessed via HTTP, using a web browser. This program bridges the gap between HTTP and POP3 email.

I have written out instructions for configuring and using YPOPs on my Wiz's Workshop page. I am using YPOPs on various operating systems, including Windows Vista RC1. I am not affiliated with YPOPs in any way; I am just a happy user.

Download
You can download the latest version of YPOPs from Don Beusee's Download Site (He is involved in the project).

YPOPs Project information, documentation and discussion forums

Continue reading "YPOPs has been updated (delivers Yahoo email via POP3)" »

Posted by Wiz at 1:08 PM | Permalink

Get Norton 360 Version 4.0 - All-In-One Security. If you have a non-current version of a Symantec security program and wish to renew your definition updates subscription, or upgrade to a new version at a discount, go to the Norton Product Upgrades & Renewals page.

Microsoft Security Bulletin MS06-055:

Vulnerability in Vector Markup Language Could Allow Remote Code Execution - Patched

Published: September 26, 2006

This information deals with the VML vgx.dll buffer overflow vulnerability announced on September 19, 2006, and the VML exploits that are currently in the wild.

http://www.microsoft.com/technet/security/bulletin/ms06-055.mspx

VML Buffer Overrun Vulnerability - CVE-2006-4868:

A remote code execution vulnerability exists in the Vector Markup Language (VML) implementation in Microsoft Windows. An attacker could exploit the vulnerability by constructing a specially crafted Web page or HTML e-mail that could potentially allow remote code execution if a user visited the Web page or viewed the message. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

Microsoft has issued an out-of-cycle patch for the Vector Markup Language vulnerability mentioned above and in a previous entry on my blog. This is a critical vulnerability and if you have not already obtained the patch you should do so immediately. Go to Windows Updates to receive it manually, or turn on Automatic Windows Updates (Control Panel > Automatic Updates), or visit the page linked to above and download the patch for your OS.

Undo the suggested Microsoft workaround if you applied it! See my extended comments for details.

Continue reading "Microsoft Patch MS06-055 Issued for VML Exploit" »

Posted by Wiz at 12:48 PM | Permalink

Get Norton 360 Version 4.0 - All-In-One Security. If you have a non-current version of a Symantec security program and wish to renew your definition updates subscription, or upgrade to a new version at a discount, go to the Norton Product Upgrades & Renewals page.