Categories
Technology

Serious Windows security flaw

Recovered from the Wayback Machine.

Thanks to Ken Camp we’re warned about an extremely serious Windows vulnerability.

The flaw, which allows hackers to insert malicious computer programs into seemingly innocuous image files, was discovered last week.

But the potential for damaging attacks increased dramatically at the weekend after a group of computer hackers published the source code they used to exploit it.

Unlike most attacks, which require victims to download or execute a suspect file, the new vulnerability makes it possible for users to infect their computers with spyware or a virus simply by viewing a web page, e-mail or instant message that contains a contaminated image.

There is no official Microsoft patch, and until there is, I’m keeping my Windows 2000 dual boot firmly fixed on Ubuntu. If you’re running XP there is an unofficial patch.

In the meantime, if you’re running an unpatched Windows machine, I would strongly suggest that you not follow any links that appear in my or anyone else’s comments — even if the person writing the comment seems to be someone you know. Anyone can use any name with a comment (even someone else’s name), and I don’t filter links.

All you have to do is open one email, IM, or web page with an infected image — or use something like Google Desktop, which indexes such.

Ad makers are exploiting this vulnerability to infest your machines with spyware.

But before you click that link–you sure you want to do that?

A weblogger named Jesper who says he’s a Senior Security Strategist in the Security Technology Unit at Microsoft wrote unofficially on workarounds et al on this issue.
His view of the unofficial non-Microsoft kissed patch is: don’t use it.

Again, it is risk management. If you have extremely high security requirements, you may want to go so far as using something as drastic as an unofficial patch. However, in that situation you are probably not willing to trust a third-party packaged patch anyway. The unknown risk of issues with an unofficial patch is pretty high. The cost of implementation ranges from low in a very managed environment, to very high in an unmanaged environment. If your risk and the cost of the attack is very high then you may want to consider the unofficial patch, but I cannot in the best conscience recommend it right now.

This after listing a bunch of options that even he admits won’t likely protect a computer, especially with the new malware exploits. He’s speaking privately, though, and not officially so we have to factor that in our interpretation–except we have to assume that since he’s a ‘security consultant’ he’s fully aware of the impact of his position on people reading his words.

Some folk would say this is the power of weblogging; this real company people writing to real weblogs saying real things. To that I say, “Bullshit!” This is the weakness of weblogging — no one says anything directly. It’s all a game, and those of us who are forced into the game are stuck trying to figure out the rules before we get swept from the board.

Jesper isn’t condemning the patch because he knows it to be flawed or unworkable, but because it isn’t Microsoft. Pure and simple. And he’s doing so as one of us, which is supposed to what? Increase his credibility?

Well, since Microsoft is the one who put out the code, and has downplayed the vulnerabilities (“We have determined that an attacker would have no way to force users to visit such a malicious Web site”–this from a weblog entry), as well as be less than concerned about putting out a timely fix (“we will release a fix via our regular monthly security release…Have a Happy New Year!”), I have to wonder who exactly it is we are supposed to trust?

Categories
Programming Languages

More new toys

I still love Locomotive, but I haven’t forgotten my PHP, or my first love, RDF. (Note to self: get out more).

Anyway, I spotted the following at the RAP (RDF API for PHP) site:

RAP 0.93 will be released in January 2006 and will include support for the SPARQL query language and the SPARQL protocol.

I’ve been waiting for this to implement more evil plans. Oh rapturous joy! Oh sublime happiness!

I am dancing a jig. Do you see me?

*dance* *dance*

Happy face.

*dance…GROWORWOOWROWRWR!

(I danced on Zoë’s tail…)

Categories
Technology Weblogging

Form to Press

I’m in the process of porting the functionality I’ve created in Wordform to WordPress 2.0. You can see the working weblog here. While I’m at it, I’m updating the semantic weblog plugins to fit the new environment.

(Speaking of WordPress 2.0, did that go from source code control to release with no intervening beta period? Does this make it, then, Web 3.0–no beta at all?)

Some of the functionality I created with Wordform will be easy to implement in WordPress. For instance, I can create a new Administrative skin which, among other things, turns off the display of the in-page preview for the Write page. I can then add another plugin function to add a Preview button and open the preview full page, as I have it with Wordform. This was very difficult with older versions of WordPress because it wouldn’t display posts with draft status. Now, all you have to do is attach the page number to the end, and it displays. Be aware of this if you’re running WordPress–anyone can see your draft posts, as long as they can work through the post number.

This is the same functionality I have with Wordform. I had planned on putting in password protection, but never did.

Correction: In WordPress 2.0, it doesn’t display unless you’re logged in. My error. Sorry.

The comment management system I have is going to be tricky to implement in WordPress. This includes the post-edit, as well as my spam prevention techniques which are dependent on turning comments off after a certain period, adding in throttles, and the use of whitelisting. I also have to turn off ping and trackbacks, though not disable them. I particularly have to add plugins to remove that abysmal misuse of microformats, nofollow on links for commenters. This is on by default and I see no way in options of disabling this. Bluntly, this should be an option, because nofollow is a piece of crap. However, I believe plugins already exist for this.

I also have to see if the Dashboard can be overridden to remove the WordPress feed; at a minimum, I should be able to override the menu and remove the Dashboard option altogether.

Anyway, once I’ve worked these things through, I’ll port Burningbird back to WordPress.

Categories
Programming Languages

Chu chu code

Recovered from the Wayback Machine.

I can’t believe how easy it is to set up Ruby on Rails on the Mac with Locomotive. I went from two downloads to my first application in less than 1/2 hour. Great stuff.

I’m in the process of making vast changes hereabouts. The first change is I’m moving my Tinfoil Project domain to a new development server that is upgraded to all the latest, breaking edge PHP, MySQL, Ruby on Rails, and so on. Tinfoil is being re-focused from photos to high-tech, and the new server will provide examples of code how-tos and tutorials I hope to work on this next year.

I’m looking at a virtual private server at A2 Hosting or OCS Solutions at this time, but wouldn’t mind hearing about other hosts–with a few caveats.

I’m looking for a service that goes month to month, since my income is uncertain from month to month. I need enough RAM to run my examples, and enough bandwidth not to have to pay overage. I wouldn’t mind a control panel, and some assistance (paid or otherwise) if things go wonky. I’d also like a system that has some of what I want already installed, so I don’t have to start from scratch. These are things I want. What I don’t want is a service that’s heavily connected with weblogging.

You all may jump on the Cluetrain, but I’m finding I’d be just as happy, thank you, in not having a close, intimate connection with vendors. I want to be able to deal at a professional level with companies, and not have Sarah or Sam ‘offended’ by what I write in my weblog.

I want a clear means of communication detailed at the company site; I don’t want representatives in my comments whenever I mention their product. I don’t want to have to use my weblog as a form of extortion to get a company’s attention; or as a backdoor way of doing business.

I don’t care if they see me for who I really am, as long as they see me as ‘customer’ and act accordingly. I don’t want input into the company workings other than “what you’re selling me is working, here’s my money”.

I don’t want to be ‘bad’ or ‘good’ for being critical. I don’t want legions of supporters converging in my space, protecting that nice woman, hip young man, or crusty, but with a heart of gold, legend in his own mind. I don’t want what I say to show up on the tech.meme. I don’t care if what I write shows up on Google — I just want it to work.

I want a service; I’m willing to pay. This is not the beginning of a personal relationship. I don’t want it treated that way. The only train I want to be on around here, is Locomotive.

Categories
Programming Languages

Mystery solved

A month or so ago, I wrote that I couldn’t access my weblog because when I tried, nothing showed. My host had upgraded to PHP 4.4.1 and it broke something in the application, but what we couldn’t tell. My host said they could find nothing in the logs to explain the problem. In the meantime, they backed out 4.4.1 on my machine, and haven’t upgraded it back.

Yesterday, I heard from a weblogger who is using the semantic web plugins I created for WordPress: all of a sudden, he couldn’t access his administration pages. However, in his case he was able to find the problem in his error log:

PHP Fatal error: Maximum execution time of 30 seconds exceeded in
…/wp-content/plugins/delSetup.php on line 31

I didn’t see this error message in my error logs, but his email gave me the key to the problem. The line number in the error points to the following lines in the plugin:

    // Walk the plugin's menu list with the array's internal pointer,
    // appending each item to the first free slot under metadata.php.
    reset($del_menu_items);
    while ($arr = current($del_menu_items)) {
        // Scan forward until an unused index is found (line 31 in the error above).
        while ($submenu['metadata.php'][$index]) $index++;
        $submenu['metadata.php'][$index++] = array(__($arr['title']), 5, $arr['script']);
        next($del_menu_items);
    }

The culprit is the code traversing the submenu and testing to see if it exists. Seeing this triggered my memory about one of the first bugs filed against PHP 4.4.1, which had to do with the next and current array functions, and other array problems introduced with the security fix. These have since been fixed in the CVS source, but not issued as a new release.

The code used in the plugin is a copy of code that others have used to add administrative menu extensions to WordPress. Further checking showed that WordPress now has functions to manage menu additions starting in WordPress 1.51 and 1.52. Examining the function code, there shouldn’t be any problems with PHP 4.4.1, so I’m changing my plugins to use the new functions.
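As an added illustration (not the plugin’s own code), here is the same menu registration written two ways: first without depending on the array’s internal pointer or an open-ended free-slot scan, then using WordPress’s own add_submenu_page() on the admin_menu hook. The sample $del_menu_items entries, the function names beginning with delsetup_, and the assumption that each entry carries a ‘title’ and a ‘script’ key are mine; the parent file metadata.php and access level 5 come from the hack above.

```php
<?php
// Constructed sample of the plugin's menu list (assumed shape: title + script).
$del_menu_items = array(
    array('title' => 'Metadata',   'script' => 'metadata.php'),
    array('title' => 'Vocabulary', 'script' => 'vocab.php'),
);

// Direct rewrite of the old hack. foreach never touches the internal array
// pointer, so the current()/next() behaviour that changed in PHP 4.4.1 is not
// involved; the free-slot search uses array_key_exists() instead of truthiness
// and restarts from 0 for every item, so it always terminates.
function delsetup_add_menu_items_direct(&$submenu, $del_menu_items)
{
    if (!isset($submenu['metadata.php'])) {
        $submenu['metadata.php'] = array();
    }
    foreach ($del_menu_items as $arr) {
        $index = 0;
        while (array_key_exists($index, $submenu['metadata.php'])) {
            $index++;
        }
        // Same tuple the plugin stored: (label, access level, script).
        $submenu['metadata.php'][$index] = array(__($arr['title']), 5, $arr['script']);
    }
}

// Preferred form: let WordPress pick the slot. add_submenu_page() and the
// admin_menu action both exist from WordPress 1.5 onward.
function delsetup_add_menu_items()
{
    global $del_menu_items;
    foreach ($del_menu_items as $arr) {
        add_submenu_page(
            'metadata.php',   // parent menu file, as in the hack
            $arr['title'],    // page title
            $arr['title'],    // menu label
            5,                // access level, as in the hack
            $arr['script']    // file that renders the page
        );
    }
}
add_action('admin_menu', 'delsetup_add_menu_items');
```

The second form is the one to prefer: if WordPress changes how $submenu is laid out, plugins that write into it directly break again, while add_submenu_page() keeps working.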

Note, though, to other WordPress users: if you’re using a plug-in that’s extended the administrative menus, check with the creator to see if they’re using the old hack or the new admin menu functions. If they’re using the old hack, disable the extension until new plugins are released. If you don’t and your ISP upgrades to 4.4.1, you’ll be dead in the water.