Jul 24 2009

Alert: Microsoft to release out-of-band security update July 28th

Published by wkwalker under Alerts, News

Microsoft is releasing a pair of critical Windows security updates on July 28th. This is highly unusual. Microsoft normally issues security fixes on the second Tuesday of the month — “Patch Tuesday.” When they release an out-of-band update like this, it is usually because it deals with a critical vulnerability that is being actively exploited. According to Microsoft’s advance notification, the updates will affect Internet Explorer and Visual Studio. For most of us pluggers, it’s the Internet Explorer patch that will matter.


Jul 22 2009

Windows 7 releases to manufacturing

Published by wkwalker under News

In case you’ve been busy doing real world stuff and missed all the noise in the trade press, Windows 7 went RTM today. “RTM” means “release to manufacturing.” Microsoft has tucked in all the loose ends — at least, all the loose ends they’re going to worry about right now — and Windows 7 is officially ready to go into production. The folks who build and sell computers will get the final Windows 7 bits almost immediately. Software developers, integrators and other uber-geek types will start getting their hands on it August 6. General public availability — when normal, sane people can buy it — is October 22, 2009.

In other words, beginning on October 22, you’ll be able to buy systems with Windows 7 pre-installed. You’ll also be able to buy Windows 7 off-the-shelf on that date. In the meantime, most computer manufacturers are including a “free” upgrade to Windows 7 with their current offerings.


Jul 16 2009

Temporary fix available for new Internet Explorer vulnerability

Published by wkwalker under News

Just as Microsoft was rolling out this month’s collection of security patches and software updates, a new Internet Explorer vulnerability cropped up. Basically, it’s another one of those deals where you could get infected simply by visiting a maliciously crafted web page.

Unless the bad guys start exploiting this bug heavily, Microsoft will likely not fix it until the next regular second-Tuesday patch cycle. Until then, there’s a Help and Support page offering a temporary workaround.


Jul 16 2009

Alert: Firefox 3.5.1 released — fixes important vulnerability

Published by wkwalker under Alerts, News

Firefox 3.5.1 has just been released to fix a potentially critical vulnerability. It’s not listed on the regular download page yet, but should be shortly.

A couple of days ago, proof-of-concept code was posted showing how a malicious web site could trigger a “drive-by download” when a page was viewed with Firefox 3.5. The 3.5.1 release plugs this hole.

You can get the latest version of Firefox from the Mozilla web site or by clicking on “Check for updates…” in the Firefox Help menu, or you can wait for the update to be offered to you automatically when you launch Firefox. Personally, I wouldn’t wait too long.


Jul 14 2009

July Microsoft patches are available

Published by wkwalker under News

The July Microsoft patches for Windows and layered products, such as Office, are available for download. The servers are slow right now, probably because a whole bunch of people are jumping on them, trying to get at the “critical” Internet Explorer updates.


Jul 13 2009

July 14th is “Patch Tuesday”

Published by wkwalker under Alerts

July 14th is “Patch Tuesday,” the day each month when Microsoft issues patches for Windows and other Microsoft products. (It also happens to fall on Bastille Day this year.)

Two of the three critical patches released this month are very high priority because the vulnerabilities they fix are already being exploited in the wild. Both deal with ActiveX-related video handling in Internet Explorer. One of them permits “drive-by” infection of a visitor viewing an infected web page. The other works by tricking people into viewing a malformed QuickTime video. These vulnerabilities affect users running Internet Explorer under Windows XP, but not Vista or Windows 7. Microsoft is less forthcoming about the third critical patch but, word is, it impacts all Windows versions.

Bottom line: When Windows Update offers you these critical updates, you should install them. Immediately.

Updates and clarifications . . .

If you are riding herd on any Windows-based servers, Internet Explorer running under Windows Server 2003 is vulnerable to the ActiveX exploits mentioned above; the Server 2008 environment is safe.

And, just to make myself perfectly clear, you have to be running Internet Explorer directly to be affected by these issues. Although other applications — the Outlook email client, for instance — use Internet Explorer components to view web content, they do so in a more restricted environment that blocks ActiveX exploits.


May 08 2009

Alert: May 12th is “Patch Tuesday”

Published by wkwalker under Alerts

May 12th is “Patch Tuesday,” the day Microsoft traditionally issues security updates. Adobe is also issuing a patch for Adobe Reader and Acrobat.

The sole Microsoft patch fixes a “critical” flaw in PowerPoint. “Critical” means it’s a big deal. In this case, opening a maliciously crafted PowerPoint presentation could allow an attacker to execute code remotely on a victim’s computer. All versions of PowerPoint released in the past 10 years are vulnerable to this one.

Adobe is patching Reader/Acrobat to fix yet another problem associated with embedded JavaScript. This issue, as well as a work-around, was discussed in an earlier post here.

You can safely assume that the bad guys, knowing that people are often sloppy about security updates, will try to take advantage of both vulnerabilities. The Adobe Reader bug will likely be the primary target. Almost everyone has Adobe Reader installed on their computer and most folks are used to encountering PDF files on web sites.

Be careful out there.


May 07 2009

Overblown security panic about file extensions

Published by wkwalker under Information

Some of you may have encountered a few recent articles bloviating about how Microsoft has failed to plug a security hole in Windows 7 and that — horrors! — the vulnerability has been around since Windows NT hit the streets back in the 90’s.

Short version: It’s bugle oil. They’re talking about the way Windows handles the display of something called file extensions. This was always a fairly minor issue and, for the past several years, has been a non-issue.

Read on for details, if you wish…

A file name has two parts: the name of the file and its extension. Think of an extension as the part of the name that identifies the file’s type. For example, suppose you create a Word document named “Newsletter”. The actual name of the file on disk is “Newsletter.doc” (or maybe “Newsletter.docx” if you’re using Word 2007). The “.doc” (or “.docx”) part is the file’s extension. It tells Windows that the file is a Word document and that it should be opened with Microsoft Word and not some other program.

Unless you tell it not to, Windows hides the extensions for all recognized file types. So, if you look in your documents folder, you will see your Word document listed as “Newsletter”, not “Newsletter.doc”. Windows is trying to be “helpful,” here. The idea is that, if you saved your document as “Newsletter”, it is less confusing if it simply shows up as “Newsletter” on disk.

Problem is, scammers sometimes take advantage of this extension-hiding feature to make infected email attachments look harmless — sort of. For instance, they might create an infected email attachment named “bargains.txt.exe”. The “.exe” part means that it is a program but, if Windows is hiding extensions, the name will appear as “bargains.txt”. Some folks might open the attachment, thinking it is a harmless text file.
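As an added example (not part of the original post), here is a small Python check a mail filter or help desk script could use to flag the double extension pattern described above. The extension lists and the simplified model of extension hiding are assumptions for illustration, and the sample names are constructed.

```python
import ntpath

# Assumed lists for illustration; tune them to local policy.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
DECOY_EXTS = {".txt", ".doc", ".docx", ".pdf", ".jpg", ".xls", ".ppt"}


def _normalize(filename):
    # Keep only the file name and drop trailing spaces and dots,
    # which Windows ignores at the end of a name.
    return ntpath.basename(filename).rstrip(" .")


def displayed_name(filename):
    """Name as it would appear with extension hiding on (simplified model)."""
    name = _normalize(filename)
    stem, ext = ntpath.splitext(name)
    if ext.lower() in EXECUTABLE_EXTS | DECOY_EXTS:
        return stem
    return name


def is_double_extension(filename):
    """True when the real type is a program but the visible name ends
    in a harmless-looking document extension."""
    stem, real_ext = ntpath.splitext(_normalize(filename))
    _, shown_ext = ntpath.splitext(stem.rstrip())
    return real_ext.lower() in EXECUTABLE_EXTS and shown_ext.lower() in DECOY_EXTS


def review(filenames):
    """Return (real name, displayed name) for every suspicious attachment."""
    return [(f, displayed_name(f)) for f in filenames if is_double_extension(f)]


# Constructed sample attachment names.
SAMPLE = ["Newsletter.doc", "bargains.txt.exe", "setup.exe",
          "report.final.pdf", "Photos.JPG.SCR"]

if __name__ == "__main__":
    for real, shown in review(SAMPLE):
        print(f"{real!r} would be displayed as {shown!r}")
```
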

First off, the double extension trick was never that effective and, for that reason, is hardly used anymore.

Also, Windows effectively plugged that hole several years ago. Beginning with Windows XP Service Pack 2, attempting to launch any program downloaded from an external source triggers a warning that looks something like this:

[Screenshot: “Open File - Security Warning” dialog]

Getting a warning like that when you thought you were opening a text file is a pretty strong clue that something is amiss.

Finally, if you have any sort of reasonably competent, up-to-date antivirus program running, it will probably zap the offending file before you even get a chance to look at it. A good antivirus program isn’t guaranteed to catch everything, but a miss is pretty rare unless you encounter a very recent (as in a few hours old), cleverly written piece of malware.

So, you can shoot yourself in the foot by opening an infected email attachment, but you have to work at it. Whether or not you are hiding file extensions has very little impact on your risk level.

All that being said, I still prefer to be able to see complete file names, including extensions. It’s one of the first tweaks I make to Windows when I’m setting up a new system. If you wish to disable extension hiding, there’s an article in the WhertRA web log that tells you how to do it.


Apr 29 2009

Swine Flu side-effects

Published by wkwalker under News

The online pond scum are at it again, using public concern about the recent Swine Flu outbreak to trick people into opening infected email attachments or into visiting malicious web sites. No doubt they will be attempting to game search engine results, too, although this will be a lot tougher to accomplish than it was during the big Conficker scare.

The usual cautions apply: Avoid unverified email attachments. The same goes for links in unsolicited emails. If you are researching swine flu online, look at search result links with a jaundiced eye. Better yet, go straight to one of the authoritative web sites and work from there. The World Health Organization’s Influenza A(H1N1) page is a good starting point, as is a similar page maintained by the U.S.-based Centers for Disease Control.

Be careful out there.


Apr 29 2009

Office 2007 Service Pack 2 released

Published by wkwalker under News, Software Updates

Office 2007 Service Pack 2 was released yesterday. It’s a big download — 290MB if you grab the whole thing — but worth it. For most folks, the biggest reason to get it is that a number of Office applications load and run noticeably faster. SP2 also rolls up a great many security and bug fixes and incorporates support for Open Document Format (ODF). ODF is an important, non-Microsoft document standard and the default format used by third-party packages such as Open Office. This is no more than a convenience for most small operations, but is a big deal for organizations with significant cross-platform or international exposure.

How to get it…

So far, the SP2 update seems to be pretty well behaved. It reset my default news reader setting, but that was a minor irritation, easily corrected. If I encounter any significant issues, I’ll post them here.

Oh, one more thing: If you are running Windows XP, you must have Service Pack 3 installed before you can install Office 2007 SP2. For Vista, Service Pack 1 is required.
