This week, Microsoft announced that DirectShow ActiveX code in Internet Explorer 6 and 7 that was reserved for future use has finally been used - by malware providers. The DirectShow Video ActiveX control in the msvidctr.dll file can be used to take over your system if you visit an infected website. According to Symantec, thousands of websites (primarily in China and other parts of Asia) have been affected.
Who's vulnerable? According to Microsoft Knowledge Base article 972890, Windows Server 2003, Windows XP SP2, Windows XP SP3, and Windows XP 64-bit edition are at risk if they haven't upgraded to IE8. IE8 is not vulnerable because the DirectShow ActiveX control being exploited was disabled in IE8. But, if you're still running IE7 (or - horrors! - IE6), what now?
Although Microsoft doesn't have a software patch, it's offering the next best thing: visit KB article 972890 to download and run Microsoft Fix it control 50287 to work around the problem (the same site also offers Microsoft Fix it control 50288 to disable the workaround). The woraround and disable workaround controls are distributed in .msi installer files. Microsoft also recommends the workaround for Windows Vista and Windows Server 2008 users who are still running IE7.
If you want to learn more about what the workaround changes, you can visit the Microsoft Security Advisory (972890) page. This page lists the CLSID values that must be changed. This information can be incorporated into a .reg file, or can be distributed to multiple PCs in a domain using Group Policy. For additional information, see Security Focus article 35558.
While Windows 7, unlike Vista, runs well on netbooks, there are two big problems that must be overcome to make Windows 7 easy to install on netbooks:
Most netbooks lack CD or DVD drives
Netbooks run Windows XP or Linux, neither of which are supported for upgrade installations of Windows 7
As far as problem number one is concerned, there may be a solution: Cnet's Ina Fried reports that Microsoft is mulling over the idea of providing Windows 7 on USB thumbdrives to make upgrading netbooks easier without connecting an external CD or DVD drive. As we demonstrated earlier this year, you can install Windows 7 from a USB key after a bit of finagling. Creating a version of Windows 7 that's USB key-friendly would make the process a lot easier for clean installs.
However, what about Windows XP netbook users who want an easy upgrade? Fried reports that Best Buy's Geek Squad is looking at developing Windows 7 upgrade services.
Windows 7 does include Windows Easy Transfer to move user accounts, email, and data files from Windows Vista or XP systems, but is there a better solution that also works with programs? How about Linux netbook users? Any apps or scripts that can at least get the data over to Windowsland safely? We're looking for better suggestions for making the move from Windows XP or Linux on a netbook or other PC to Windows 7 as painless as possible for non-technical users. Think simple, think reliable, and join us after the jump to pass them along.
Until the introduction of Windows 7, device management was a multi-application nightmare. Want to see a device's hardware configuration? Open Device Manager. Want to browse the contents of a storage device? Open My Computer. Need to manage the settings used by a specific device? Open the appropriate applet in Control Panel (Mouse, Keyboard, Game Controller, and so on). If you have a multifunction device, you would need to open separate applets to manage the printing, faxing, scanning, and file management functions of one device.
In Windows 7, the Devices and Printers applet in Control Panel provides a single entry point to managing single-purpose and multifunction devices. Microsoft considers Devices and Printers so important to system management that you can start Devices and Printers directly from the Start menu. To learn how Devices and Printers will make your life easier, and what you need to do to make it work better for you, join us after the jump.
In Windows 7, Windows Media Center is a more useful tool than ever before for working with audio and visual media. While at first glance, Windows 7's version of WMC doesn't look a whole lot different than its predecessor, it includes many improvements. In this article, we'll focus on improvements in WMC's TV setup process, support for digital broadcast TV, the program guide, Internet TV, WMC access from the desktop, RAW file support for photos, picture and music playback and sports.
What do Solid Oak Software's CyberSitter and China's Green Dam Youth Escort Internet filtering programs have in common? According to the BBC, the answer is CyberSitter code. The BBC reports that both Solid Oak's Brian Milburn and a report from the University of Michigan conclude that the developer of Green Dam Youth Escort, Computer System Engineering Inc, have incorporated code from CyberSitter into Green Dam - without a license.
According to the China Daily, Solid Oak is sending "cease and desist" letters to HP and Dell to stop shipping computers bundled with Green Dam, and may seek legal action against the developers. The legal-technical drama is being played out against the background of China's requirement that all new systems sold as of July 1 include Green Dam, as we reported last week.
What have the developers of Green Dam done that might help fend off legal action and improve their product's security? Join us after the jump.
This week, Adobe converted its Acrobat.com online service, introduced last year, from beta to production status, and rolled out two extra-cost upgrades while continuing to offer a free version. All versions of Acrobat.com include Adobe's Buzzword online word processing, but other features differ:
The free version can create up to five PDF files, allows up to 100 downloads per file, supports web conferences for up to three users, and provides tech support through moderated forums.
For $14.99/month or $149/year, you can upgrade to Premium Basic, which enables users to create up to 10 PDF files per month with unlimited downloads, web conferences for up to five users, and premium one-on-one phone chat tech support. Upgrade by July 16 to a one-year subscription, and save $15.
Upgrade to Premium Plus, the high-end service, for $39/month or $390/year, and get unlimited PDF creation and downloads, web conferences for up to 20 users, and premium one-on-one phone chat tech support. Upgrade by July 16 to a one-year subscription, and save $50.
There are also a couple of new goodies at Acrobat.com Labs for all Acrobat.com users. To learn more, join us after the jump.
The Chinese government is requiring all PC makers selling into the China market to bundle Green Dam Youth Escort web filtering software as of July 1, as we reported earlier this week. This software, already widely used in China's schools and elsewhere, has plenty of flaws, BBC News reports:
Unencrypted connections between client PCs and the company's servers, which could lead to information theft or the PCs being turned into botnet nodes for malware attacks
Filtering only Internet Explorer browsers, not Firefox
Support only for Microsoft Windows
Inaccurate web site blocking (pictures of pigs blocked, but not pictures of African women)
Potential privacy risks for users because the software logs all web pages the user attemps to access
Right now, it seems as if Green Dam Youth Escort is incapable of meeting its specified goals of "healthy development of the internet" and "effectively manag[ing] harmful material for the public and prevent it from being spread," while providing a terrific opportunity for malware providers. Have you encountered similar problems with web filtering software? Join us after the jump to sound off.
June 9th saw a rare 'double-header' in security updates: Microsoft's monthly Patch Tuesday was joined by Adobe's quarterly security updates for Acrobat and Adobe Reader. How big was this month's 10-update Patch Tuesday? According to a Microsoft spokesperson quoted by Cnet, the 31 vulnerabilities covered by updates are "the most since Microsoft started releasing updates on a regular schedule of the second Tuesday of every month in October 2003."
Users of Windows 2000 SP4 through Windows Vista SP2 (and holdouts still running Windows 7 Beta), Microsoft Office 2000, 2003, or 2007; Microsoft Office for MacOS 2004 and 2008, Microsoft Works 8.5 and 9, and IE5.01 through IE8 users have some work to do before heading off on vacation, as do users of Adobe Reader and Acrobat 7.x, 8.x and 9.x. To find out what's being changed - and why - join us after the break.
Could the design philosophy used by Airbus's fly-by-wire electronic flight control systems have been the final death blow to Air France Flight 447? That's the chilling possibility suggested by a recent posting by Information Week blogger Michael Hickins.
Air France Flight 447 used an Airbus A330, which uses a completely electronic fly-by-wire system without manual or hydraulic backups. The leading theory of the cause of the Air France Flight 447 crash is conflicting information from pitot tubes, which are used to transmit flight and wind speed information to onboard computers. While Airbus had begun to replace pitot tubes in May, the pitot tubes had not yet been replaced on the plane that crashed in the Atlantic.
According to a report cited by Hickins, Airbus and Boeing, the biggest rivals in the commercial jet field, have diametrically opposed views on pilot override capabilities. Airbus A320 and newer models include so-called "hard limits" that prevent maneuvers that would overstress the airframe, while Boeing's approach keeps the pilot in charge. While it's impossible to know if a Boeing-style system could have enabled the flight crew of Air France Flight 447 to successfully handle the severe weather existing in the air, some Boeing aircraft have survived stresses well in excess of recommended limits - limits that could not be exceeded if the flight computers are in ultimate charge of the aircraft. Commercial pilots' comments, like the industry itself, are divided over whether the differences in fly-by-wire design make one method ultimately safer than another.
Which approach is better? Join us after the jump for your comments.
The Chinese government takes the threat of unfettered Internet access seriously. China's "Great Firewall" blocked access to reports about the 20th anniversary of the 1989 Tianamen Square massacre last week. Although some users bypassed the blocks by using proxy servers, China's upped the ante: The Australianreports that China is requiring that all new PCs sold in China starting July 1st must include website blocking software developed in China.
The software's Chinese name is "Green Dam-Youth Escort". The word "green" in Chinese is used to describe web-surfing free from pornography and other illicit content.
The software was developed by Jinhui Computer System Engineering, with input from Beijing Dazheng Human Language Technology Academy. Both companies have ties to China's military and its security ministry. Jinhui says Green Dam operates similarly to software in other countries designed to let parents block access to web content inappropriate for children.
Foreign industry officials who have examined Green Dam say that personal information could be transmitted through the software and that it will be difficult for users to tell what exactly is being blocked.
Green Dam-Youth Escort can be preinstalled on systems sold in China, or be bundled with systems sold there. Although the developer states that the software contains a password-based parental bypass feature and can be uninstalled, one wonders if China will allow web access if the software is not active. Will the biggest PC vendors in the Chinese market (second only to the US market in sales last year) push back against this requirement, or will July 1st see the "Great Firewall" become even harder to crack? Join us after the jump for your chance to sound off.