Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
User Journal

Journal Journal: Microsoft's Patch Tuesday to be Biggest for a While

After a few relatively quiet months on the patch front we're back to the good old days with a bumper issue of security bulletins coming up. Microsoft releases patches in a bundle on the second Tuesday of each month and according to the Advance Notification, we should expect 7 patches rated as 'critical' and 5 rated as 'important' next week.

Expect the regular cumulative patch for Internet Explorer 6, along with a slightly less regular one for IE7, along with a bundle of fixes for older versions of Office. It also appears someone has been poking around Microsoft's script offerings as vulnerabilities in VBScript and JScript have been found.

Internet Information Services (the web server bundled with Windows) is affected - versions 5 through to 7 (Win2000, XP, 2003, Vista). This could be an embarrassment for Microsoft as I think there were a few murmurings from Redmond about IIS being more secure than Apache. In what could be something of a headache for systems administrators, a denial of service vulnerability has been found in Active Directory

Overall Vista seems to be affected to just about the same degree as XP.

User Journal

Journal Journal: Truecrypt 5.0 Released 1

The long-anticipated version 5.0 of Truecrypt, the disk-encryption software, became available today.

With 5.0 there's now a Mac OS X version and the Linux version has a GUI. Other improvements include XTS mode, SHA-512 hashing, huge speed improvement under Windows and the ability to encrypt a Windows system partition with pre-boot authentication.


Journal Journal: Patch Tuesday - IE7 Clean 75

As per the advance notification, Microsoft's monthly security bulletin, released yesterday addressed five general Windows issues and one in Visual Studio. It also included a fix for a problem in Windows Media Player for a total of seven updates.

As patch Tuesdays go it was fairly unremarkable. The only general Windows update (not counting IE) labelled as 'critical' is for the flaw in Media Player. As usual, there's a cumulative update for Internet Explorer and it does sound quite nasty - there are two critical script-related vulnerabilities and Secunia has already issued an advisory. Significantly, only versions of Internet Explorer versions 5 and 6 are affected. Version 7 is clean - which is welcome news as this is the first round of updates since the upgrade was pushed to world+dog last month as part of Windows Update.

SANS is calling this 'Black Tuesday' and recommends patches be applied urgently for the Visual Studio and Media Player vulnerabilities. The Visual Studio update is for version 2005. SANS indicates that there are already known exploits circulating for the SNMP vulnerability but currently none targetting the latest flaws in IE. However if you really have to use IE I recommend using a metabrowser such as Maxthon, Avant or SlimBrowser. SANS is recommending the Heise Offline Update utility covered in a previous story.

Journal Journal: Security bulletins - advance notification

Vulnerabilities seem to be flavour of the month, what with weaknesses in Oracle and OS X being in the news just lately.

Microsoft probably won't be outdone. Watch this space - next advance notification is Thurs Dec 7th. It should give you a modest idea of how vulnerable - potentially and currently - you are. Vulnerabilities are exploited quickly once the miscreants know where to look - see previous journal entry - so with advance notice you'll have an idea whether you should be taking steps to boot Linux for a few days, make sure you're running as non-admin, making sure that firewall is up, turning off unnecessary services or getting used to running Open Office instead of the Microsoft version.

Remember the next bunch of updates will be the first since Internet Explorer 7 was pushed out to world+dog via Windows Update. Previous versions of IE made near-monthly appearances so the second Tuesday security bulletin will be an indication of whether Microsoft have really sorted out their browser issues or whether it's a case of more of the same.

Journal Journal: Patch Tuesday - Pick an exploit, any exploit 1

As per last Thurday's advance notification Microsoft has just released five general Windows updates and one for XML. So what's new? Well a grand total of five are rated 'critical'.

We have the omni-present Cumulative Security Update for Internet Explorer (922760) - pay particular attention to the "HTML Rendering Memory Corruption Vulnerability" - and a nasty-sounding "Vulnerability in Workstation Service".

Last month Microsoft Office took the limelight; this month "Remote Code Execution" targetting the core services seems to be de rigeur. Keep your systems patched, don't run unecessary services and don't run more than you have to as administrator. Sign up for notifications here.

Update: Vnunet says the vulnerabilities in XML and IE's DirectAnimation ActiveX control are already being actively exploited. Sans reports that the exploit for the workstation service is out in the wild.
Wireless Networking

Journal Journal: What's not illegal in Singapore? 587

Surprised this hasn't been posted, a 17-year-old from Singapore is is facing three years' jailtime for accessing his neighbour's wireless network.

Yup, the neighbour complained and now the unfortunate Tan Jia Luo is facing charges under the computer misuse act and is scheduled to appear in court on Wednesday.

It must be great having such lovely neighbours.
User Journal

Journal Journal: 'Pocket PCs' for Kenyan school kids

As the BBC reports, a trial project in Kenya is offering primary students Linux-based handhelds in an effort to 'reduce the costs of education in poor communities'. Families pay $100 for the Wi-fi enabled devices which are equipped with an interesting 'anti-theft mechanism'. As the article states, this school is very lucky to even have electricity, in a nation where school enrollment is 50 percent. The project is being run by EduVision.

Slashdot Top Deals

Murphy's Law, that brash proletarian restatement of Godel's Theorem. -- Thomas Pynchon, "Gravity's Rainbow"