1st May 2008
Microsoft found a compatibility problem between Microsoft Dynamics Retail Management System and an electronic checkout system for small- and mid-sized retailers, for both Windows XP SP3 and Vista SP1.
What is Dynamics RMS?
It's software that enables specialty retailers to handle cash register functions, process payments, and automate purchasing, inventory and other back-end processes, said Michael Griffiths, the group product manager for the retail part of the Dynamics business.
There has been a series of delays: this update was to be released in 2006, it got delayed up to 2007, and now it's being delayed again! Surprising!
According to a post on Microsoft's Windows XP SP3 forum by Chris Keroack, release manager for Windows serviceability, the delay is in place to "make sure customers have the best possible experience".
Chris says, "We are also testing a fix, and will make it available once that process is complete". They have been testing this since the first release delay in 2006.
I don't understand the essence of the given comment. What do they mean by "make sure customers have the best possible experience"? Is it by delaying the updates and making people wait desperately for the XP and Vista updates?
image courtesy: Tech Herald
10th June 2007
Six new security patches will be released by Microsoft, which will include four "critical" updates affecting Windows, Internet Explorer, Outlook Express, and Windows Mail for Vista.
The company said that four out of the six bulletins that are scheduled for June 12, 2007, will be ranked “critical”, while one each will be labeled “important” and “moderate”.
Also, according to Microsoft, half of the batch of security updates affects Windows Vista, or one of its components, such as Internet Explorer 7 or the Windows Mail email client. Out of the three Vista patches, two have been termed as “critical”.
Windows will have three updates and Internet Explorer just one; Outlook Express and Windows Mail will also have one each, and Visio 2002 and Visio 2003 will also have one patch.
Tuesday's updates will be available for manual download from the Microsoft Web site about 1 p.m. PDT. ( …… How come Micro$oft became so active in releasing patches…)
9th June 2007
Yahoo has issued a critical security patch for Messenger to address zero-day exploits that take advantage of vulnerabilities in its Webcam ActiveX controls.
Problem:
Messenger users' computers could be at risk if they visit malicious Web sites or view other malicious HTML code. The attackers could then exploit security flaws in the Yahoo Webcam ActiveX control, a software package that is downloaded with Messenger.
So how fast is Yahoo in patching this problem?
eEye Digital Security discovered the flaw and reported it to Yahoo earlier this week. eEye gave the problem its highest risk rating; fellow security company Secunia did the same, labeling it "extremely critical." Yahoo issued the patch in an update on Thursday.
Download Security patch:
Yahoo's advisory on the problem states that anyone using a version of Messenger obtained before Friday should download the update.
[ zdnet ]
1st June 2007
Third-party extensions, including the widely used toolbars from Google, Yahoo, Ask, Facebook and LinkedIn, as well as the social bookmark extension from Del.icio.us and two anti-hacking add-ons, the Netcraft Anti-Phishing Toolbar and the PhishTank SiteChecker, all put users at risk of having their browser infected with malicious code.
Unlike almost all of the extensions hosted at Mozilla, the foundation that created the open-source Firefox browser, these commercial extensions check for updates from servers controlled by their respective corporate overlords. And they do not fetch those updates from servers with SSL certificates, which most users know as sites that start with https://.
One security extension, the McAfee SiteAdvisor add-on that warns users when they are about to visit a site known to host untrustworthy downloads or malicious code, correctly uses an https:// URL for updates.
UPDATE: Reader Johnny writes in the comments that the SiteAdvisor add-on is actually not safe:
Unlike the research suggests, McAfee SiteAdvisor is actually worse than any of these other major extensions. It periodically downloads completely unauthenticated code from McAfee's server, which it then executes with the same privileges as your browser.
Not only does this backdoor allow McAfee to do whatever they please with your computer, but a hacker can run any malicious code on your system without you ever noticing by simply spoofing the URL http://www.siteadvisor.com/download/safe/safe.js
More on the vulnerability from Ryan Naraine and Brian Krebs.
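As an added example (not code from the original post or from Mozilla), the sketch below audits Firefox `install.rdf` manifests and flags extensions whose `em:updateURL` is not served over https://. The manifests, extension ids and hosts are constructed, and treating a manifest with no `em:updateURL` as using the browser's default update channel is an assumption.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

RDF = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"
EM = "{http://www.mozilla.org/2004/em-rdf#}"

def manifest(ext_id, update_url=None):
    """Build a constructed install.rdf; a real audit reads them from the profile."""
    line = f"<em:updateURL>{update_url}</em:updateURL>" if update_url else ""
    return (
        '<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
        'xmlns:em="http://www.mozilla.org/2004/em-rdf#">'
        '<Description about="urn:mozilla:install-manifest">'
        f"<em:id>{ext_id}</em:id>{line}</Description></RDF>"
    )

# Constructed sample data (hypothetical ids and hosts).
SAMPLES = [
    manifest("toolbar@vendor.example", "http://updates.vendor.example/update.rdf"),
    manifest("checker@vendor.example", "https://updates.vendor.example/update.rdf"),
    manifest("hosted@author.example"),
]

def read_manifest(xml_text):
    """Return (extension id, updateURL or None) from an install.rdf string."""
    desc = ET.fromstring(xml_text).find(f"{RDF}Description")
    ext_id = desc.findtext(f"{EM}id")
    # updateURL may be written as a child element or as an attribute.
    url = desc.findtext(f"{EM}updateURL") or desc.get(f"{EM}updateURL")
    return ext_id, (url.strip() if url else None)

def classify(xml_text):
    """Label the update channel declared by one manifest."""
    ext_id, url = read_manifest(xml_text)
    if url is None:
        # Assumption: no updateURL means the browser's default update service.
        return ext_id, "default-channel"
    if urlparse(url).scheme.lower() == "https":
        return ext_id, "https"
    return ext_id, "insecure-update-channel"

def audit(manifests):
    """Return ids of extensions that fetch updates without TLS."""
    return [ext for ext, verdict in map(classify, manifests)
            if verdict == "insecure-update-channel"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(*classify(sample))
```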
9th May 2007
The Washington Post’s security guru Brian Krebs has written an intriguing article on AOL’s password practices.
A reader wrote in to Krebs to tell him that AOL’s password system seemed to be accepting the first eight characters of his (more than 8 character) password plus any combination of characters thereafter, bringing into question the strength of AOL’s password security.
Krebs said that AOL spokesman Andrew Weinstein explained that “the company was looking into the matter” but didn’t provide any further information.
6th May 2007
Scammers all over are taking advantage of the knowledge of common people using Windows. They have adopted nice engineering tricks to trick people …
According to the Symantec Security Response Weblog:
Recently we came across an interesting Trojan sample, detected by Symantec as Trojan.Kardphisher. The Trojan is not very technical - it's really just another classic social-engineering attack. What makes it interesting is that the author has obviously taken great pains to make it appear legitimate.
Here’s the scam. The Trojan installs itself onto a PC and presents the user with the following message:
“Your copy of Windows has been activated by another user.
To help reduce software piracy, please re-activate your copy of Windows now.
WE will ask for your billing details, but your credit card will NOT be charged.
You must activate Windows before you can continue to use it.
Microsoft is committed to your Privacy. For more information, www.microsoft.com/piracy.
Do you want to activate Windows now?”