So here it is, folks, the first of what is likely to be many bugs affecting unpatched versions of Windows XP Service Pack 2 (SP2), which of course will remain unpatched since Microsoft cut off support for XP SP2 and earlier.
According to a security advisory (2286198), "the vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the user clicks the displayed icon of a specially crafted shortcut. This vulnerability is most likely to be exploited through removable drives," Microsoft says.
While disabling AutoPlay lessens the risk, users with an infected USB thumb drive can still fall prey to the attack if they were to manually browse to the root folder. And because it can run when AutoPlay and AutoRun are disabled, Sophos senior security advisor, Chester Wisniewski, warns that the bug is particularly "nasty," pointing out in a blog post that "it bypasses all Windows 7 security mechanisms, including UAC, and doesn't require administrative privilege to run."
Mozilla’s six-year-old Security Bug Bounty Program, which rewards security researchers for reporting bugs in its software, just became more lucrative. The bounty payment has now been hiked from $500 to $3000 per eligible bug, Mozilla announced on its blog. This has been done “to make it economically sustainable for security researchers to do the right thing when disclosing information.”
The company has made some additions and subtractions to the list of products covered under the bounty program. It has also amended the eligibility terms to better elucidate its “right to disqualify bugs from the bounty payment if the reporter has been deemed to have acted against the best interests of our users.” However, Mozilla clarified that publicly disclosed bugs will continue to be eligible for the bounty program despite the amendments.
“We have also clarified the products covered under the bounty to better reflect the threats we are focused upon. We still include Firefox and Thunderbird obviously, but we also added Firefox Mobile and any Mozilla services that those products rely upon for safe operation,” Mozilla said. “Release and beta versions of those products are eligible. Mozilla Suite bugs however is no longer eligible, as it is not an officially released nor supported Mozilla product.”
Some details are leaking out regarding antivirus maker McAfee's assessment of yesterday's buggy update to their corporate security software. The update caused Windows XP machines to crash left and right. The confidential documents were sent to Ed Bott, and paint a picture of poor quality control. The anonymous sender of the email says the error was totally preventable.
The document itself seems to indicate that steps in the testing process were not followed. McAfee requires peer-review of all DAT update files, and apparently that didn't happen. They also inexplicably failed to test the update with Windows XP SP3, the operating system affected by the bug. Just as a reminder, this is an enterprise product. You'd expect special attention to be paid to the QC process.
It's a little telling that McAfee's website has not been updated with any details on the error. Could it be they are working on a way to spin this unflattering evidence into a bad news/good news statement? Businesses definitely are suffering financially from this incident which will likely require techs to make a visit to each and every affected PC. Any reports from the field? Are you seeing clean-up efforts proceed as planned?
It was a cyber attack that sparked the current row between Google and the Chinese administration, leading Google to redirect all searches coming from China to its uncensored Hong Kong-based site. And the day began with the Guardian breaking the news of what appeared to be a fresh cyber attack against Google. The internet giant's corporate information sites were appearing in Chinese.
Even though a Google search for the term “Google executives” returned an English-language page at the very top of the search results, clicking on the link automatically redirected the user to a company page with all information in Chinese. The report also noted that the main corporate page “was also in Chinese and further directing users from there to the new non-censored Chinese version of Google.” With the inexplicable redirects coming straight after Google's exit from China, a cyber attack appeared to offer the best possible explanation.
Adobe last week released a security update for a critical vulnerability in Adobe Flash, but according to security researcher Aviv Raff, installing the update could be cause for concern.
"If you did upgrade to the latest version of Flash from the Adobe website, you very likely have Adobe Download Manager installed," Raff points out.
So what's the big deal? Raff says there's an undisclosed flaw in the way Adobe's Download Manager works, which makes it possible for an "attacker [to] force an automatic download and installation of any executable he desires." In other words, those who download the update end up exposing themselves to a zero-day attack, Raff claims.
Adobe is apparently aware of the issue and is reportedly working with Raff to patch it up. The software maker also downplayed the security risk, saying "the user has to accept a number of prompts before being taken through the installation process," and that this makes it hard for a user to install unwanted and malicious software without their knowledge.
Y2K is but a distant memory at this point, but Y2K10 is not, at least not for Symantec. While there are no forecasts of the end of the world and other gloom and doom scenarios, Symantec did confess that its Endpoint Protection Manager is incorrectly labeling updates issued in 2010 as out-of-date.
"Customers running SEP (Symantec Endpoint Protection) are still protected, and we are continuing to release updated definitions as normal," the company said in a blog post. "However, for the time being, SEP definitions will display a date of December 31, 2009, with increasing revision numbers."
Symantec says the bug affects its Endpoint Protection v11.x product line, Endpoint Protection Small Business Edition v12.x product line, and products which rely on Symantec Endpoint Protection for definition updates (such as Symantec Mail Security for Microsoft Exchange or Symantec Mail Security for Domino).
The company said it is working on a permanent fix. In the meantime, you can find out more info here.
Late last month, several owners of Intel's X25-M G2 solid state drives cried foul when a firmware update promising a 40 percent performance boost ended up bricking their drives instead. Oops! That marked the latest in what's becoming a string of problems plaguing the 34nm SSDs, and once again, Intel says a fix is on the way.
"Intel has replicated the issue on 34nm SSDs -- X25-M -- and is working a fix," wrote Alan Frost of Intel's NAND Solutions Group. "Intel is pursuing the resolution of this as a high priority. Intel is seeking direct feedback on this issue from members of the [Intel Support Community]... asking them to send their drives directly to Intel to expedite the analysis of the issues. This action will enable us to more quickly generate a resolution for this issue."
Frost added that there have been no reports of related issues by users who were able to successfully upgrade to the 02ha firmware via the firmware upgrade tool, which would suggest the problem isn't the firmware itself, but a bug in the loader software.
Following the launch of Windows 7 next week, if Microsoft's upcoming OS can avoid deleting user data, it will have bragging rights over Apple's recently released Snow Leopard. That's because Snow Leopard users have been reporting lost data due to a bug in the OS.
According to the complaints, the problem crops up when a user logs into the Guest account, whether on purpose or by accident. Once the user logs out and then back into their regular account, they are greeted with a fully reset account where all the data has been eradicated, just as if they had created a new one.
Users initially reported that the data was unrecoverable, but Cnet published steps on how to restore the files from a Time Machine backup to a new, identical user profile, although the method can take over two hours to complete, Neowin.net reports.
For the most part, Windows 7 has been met with considerable praise from those who have given the beta and RC releases a spin, but all those good vibes are in jeopardy following the discovery of a major bug. According to DailyTech, RTM build 7600.16385 suffers from a "massive" memory leak in the frequently used chkdsk.exe application.
The bug rears its ugly head when scanning a second hard disk on a non-boot partition or second physical drive using the "/r" parameter. Doing so triggers a nasty memory leak, with the term "leak" being used loosely. Some users have reported the dreaded blue screen of death, while others note a memory usage of about 98 percent within seconds of running the app, but without the system crash.
DailyTech says the bug has been confirmed on a variety of hardware configurations, including netbooks and Core 2 Duo notebooks, and it affects both 32-bit and 64-bit versions.
"In this case, we haven’t reproduced the crash and we’re not seeing any crashes with chkdsk on the stack reported in any measurable number that we could find. We had one beta report on the memory usage, but that was resolved by design since we actually did design it to use more memory. But the design was to use more memory on purpose to speed things up, but never unbounded — we request the available memory and operate within that leaving at least 50M of physical memory. Our assumption was that using /r means your disk is such that you would prefer to get the repair done and over with rather than keep working."
When Build 7000 of Windows 7 leaked onto the Internet recently, some bloggers speculated that Microsoft had deliberately leaked Build 7000. If that's the case, Redmond has some 'splainin' to do: numerous users have reported that Windows Media Player 12 (the media player included in Windows 7) corrupts some MP3 files.
Microsoft is aware of the bug and is working on a patch, but if you've decided not to wait for an official Beta 1 of Windows 7, what should you do in the meantime to protect your MP3 collection? Join us after the jump to learn how to protect your precious rips and purchased files - and for your chance to tell us if this has happened to you.