Posted by: kurtsh | January 2, 2006

RELEASE: WMF vulnerability 3rd party patch released

(Note:  Microsoft doesn’t recommend that people use this patch)

Ilfak Guilfanov who is being billed as one of the foremost experts in Windows low level technology has released a temporary/interim patch for Windows that’s NOT from Microsoft.

EXE file:  http://castlecops.com/article-6436-nested-0-0.html
(MSI file located here:  http://handlers.sans.org/tliston/WindowsMetafileFix.html)

 

Technical details:

"This is a DLL which gets injected to all processes loading user32.dll. It patches the Escape() function in gdi32.dll. The result of the patch is that the SETABORT escape sequence is not accepted anymore."

Once Microsoft releases an official patch, or if the above doesn’t work, you can uninstall it from your Add/Remove Programs menu. It’ll be listed as "Windows WMF Metafile Vulnerability HotFix".

 

The Internet Storm Center gives this patch its stamp of approval:

——————————————————————————–
We have very carefully scrutinized this patch. It does only what is advertised, it is reversible, and, in our opinion, it is both safe and effective.

The word from Redmond isn’t encouraging. We’ve heard nothing to indicate that we’re going to see anything from Microsoft before January 9th.

The upshot is this: You cannot wait for the official MS patch, you cannot block this one at the border, and you cannot leave your systems unprotected.

Comments Off on RELEASE: WMF vulnerability 3rd party patch released

Posted in Release

Posted by: kurtsh | January 2, 2006

COMMENTARY: More reasons why Wiki’s a weak reference tool

I nearly kneeled over laughing reading this.
 
The full text explanation of the rationale around the comic is here.
 
Apparently the folks at Penny Arcade discovered that wikipedia is almost entirely subjective.  Objectivity is not a requirement for anyone publishing to a given publicly accessible wiki.
 
At Microsoft, we have a wiki and it works wonderfully.  It’s called a Support database.  When you call into Microsoft with a problem, all the research and solution information is cataloged for anyone else to reference.  Granted the content is rather "pell mell’ in the sense that every email, every comment, every dialogue is recorded for everyone to read – this includes every customer swear word, every bit of customer-identifiable information, every Microsoft reference to current issues and secret projects being worked on.  (These are the reasons, y’all, the reading public aren’t permitted to see it.)
 
But the difference between OUR Support database, and public wikis is that:
1) ACCOUNTABILITY
Everyone is held accountable to their entries and there are consequences to ‘screwing around’ with the Support database… being fired is one of those consequences.  Not to mention that everything in the database is backed up regularly.
2) COMMON PURPOSE
People using the database are in there to track their own customer’s product support issues.  It’s their JOB to create good content and get resolutions by recording nothing but fact… conjecture is identified readily, and dismissed if it is found to be incorrect, however both the hypothesis and the conclusion are recorded permanently for posterity.  Putting inaccurate information only hurts the employee, not to mention other employees.
3) UNIFYING GOAL
The Support organization has a unifying goal of helping to make Microsoft a better company through the creation of a better customer experience.  This is the foundation upon which the Support database exists, thus, everything that is entered into it is done with "the company’s best interests in mind".
 
Public wiki has NONE of this which is why most wiki content is an endless charade of subjective opinions masquerading as expert fact.

Comments Off on COMMENTARY: More reasons why Wiki’s a weak reference tool

Posted in Computers and Internet

Posted by: kurtsh | December 31, 2005

RELEASE: A commentary on the WMF Vulnerability

The sad ridiculous media hype over this vulnerability truly highlights how warped the priorities are of many journalists – particularly those on the Internet.  The common journalistic claim to "inform the public" and "defend their right to know" sometimes seems like a giant front for a real agenda to "create panic and hysteria"… because as we all know, negativity always generates an audience in the same way that highway accidents attract rubberneckers. 
 
To be clear, I have no problem with people that want to bring attention to this vulnerability.  That’s important.  What’s not cool is that most of these same people absolve all responsibility for informing people about what to do about it.
 
Net Net:  If there’s a problem, why not link to the "official description" of the problem instead of some 1 man consulting firm hack that wants to get his name in the press… and God forbid,  why not link to some"potential solutions"?  Why write about the supposed cataclysmic disaster impending and not tell people how to avoid it?
 
THE PROBLEM:
The official Microsoft advisory on this issue is located here: 
Microsoft Security Advisory (912840):  Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution. http://www.microsoft.com/technet/security/advisory/912840.mspx
 
THE SOLUTION:
There are a number of solutions available. 
  1. SOFTWARE DATA EXECUTION PROTECTION:
    There’s a real simple solution – Enable software DEP, a feature of Windows XP Service Pack 2.  Here’s a quote from the advisory that no one seems to be reading.
    "I have software DEP enabled on my system, does this help mitigate the vulnerability?
    Yes. Windows XP Service Pack 2 also includes software-enforced DEP that is designed to reduce exploits of exception handling mechanisms in Windows. By default software-enforced DEP applies to core operating system components and services. This vulnerability can be mitigated by enabling DEP for all programs on your computer.
    For additional information about how to “Enable DEP for all programs on your computer”, see the product documentation."

    To enable or mess around with the DEP settings:
    – Go to START->CONTROL PANEL->SYSTEM
    – Click ADVANCED tab & press Performance SETTINGS button
    – Click DATA EXECUTION PROTECTION tab
    Make sure that the "Turn on DEP for essential Windows programs and services only" radio button is clicked.

  2. HARDWARE DATA EXECUTION PROTECTION:
    This is an even easier solution.  Enable hardware DEP support  (also called NX support) on your PC if you have a recent Pentium 4 from Feb 2005 on, or an AMD Athlon chip. 
    (BTW If you have no idea what this is, check out http://www.updatexp.com/data-execution-prevention.html for a 3rd party explanation of what software and hardware DEP is.)
  3. DISABLE OR UNREGISTER "SHIMGVW.DLL"
    A couple of security firms, including Verisign’s iDefense, have published workarounds that appear to mitigate the threat. According to iDefense, Windows users can disable the rendering of WMF files using the following hack:

    1. Click on the Start button on the taskbar.
    2. Click on Run…
    3. Type "regsvr32 /u shimgvw.dll" to disable.
    4. Click ok when the change dialog appears.

    iDefense notes that this workaround may interfere with certain thumbnail images loading correctly, though I have used the hack on my machine and haven’t had any problems yet. The company notes that once Microsoft issues a patch, the WMF feature may be enabled again by entering the command "regsvr32 shimgvw.dll" in step three above.

There’s even more than this, but I’ll leave 3 as a starter.  This hopefully will tell you, dear reader, how easy it is to protect yourself – in fact, many of you probably already are by virtue of WinXPSP2’s software DEP feature that you installed and didn’t even know was operational.
 
…but oooohh watch out.  The press says that "THERE IS NO KNOWN PATCH AVAILABLE FROM MICROSOFT!"  Aigh!  What are we going to do?!?  There’ll be panic in the streets!  Mayhem and chaos across the Internet!  Dogs and cats living with each other!  (With apologies to Bill Murray)  We’rrrrrre allllll gonnnnnnna diiiiiiiiiiiie!
 
Or maybe not.  Film at 11.
 
 
 

Comments Off on RELEASE: A commentary on the WMF Vulnerability

Posted in Release

Posted by: kurtsh | December 31, 2005

MULTIMEDIA: Microsoft’s Home of the Future on NBC’s Today Show

Thursday, on NBC’s "The Today Show," Robbie Bach will announce a $300,000 software donation pledge to the "Today Show"’s Annual Holiday Gift Drive, marking the fifth year we have participated in the Gift Drive. In addition, we will donate 75 Xbox 360s and will distribute additional Microsoft hardware and software products to the crowd for an on-camera contribution to the gift drive.
 
On a related note, we had about a 5 minute segment covering the Microsoft Home on the Today show earlier this week as well.
 

Comments Off on MULTIMEDIA: Microsoft’s Home of the Future on NBC’s Today Show

Posted in Multimedia

Posted by: kurtsh | December 31, 2005

NEWS: Bill & Melinda Gates & Bono named Tim Magazine’s “Persons of the Year”

Bill & Melinda Gates & Bono from U2 named Time Magazine’s "Persons of the Year".

Comments Off on NEWS: Bill & Melinda Gates & Bono named Tim Magazine’s “Persons of the Year”

Posted in Computers and Internet

Posted by: kurtsh | December 31, 2005

NEWS: XBox360 in the comics!

Wow.  Here’s a listing of a ton of comics with XBox360 as the topic.
http://cagle.msnbc.com/news/XBox/main.asp

Comments Off on NEWS: XBox360 in the comics!

Posted in Web

Posted by: kurtsh | December 31, 2005

WEB: Blogging… the Microsoft Executive way

Here’s a list of high-level Microsoft executives that frequently update their blog.
 
Ray Ozzie, Chief Technology Office  (of Lotus Notes & Groove fame)
http://spaces.msn.com/members/rayozzie/
 
Soma Somasegar, VP of Development Tools
http://blogs.msdn.com/Somasegar/
 
Steven Sinofsky, VP of Business Productivity/Office
http://blogs.msdn.com/techtalk/
 
Satya Nadella’s blog , Corp VP Microsoft Dynamics previously known as Microsoft Business Solutions
http://blogs.msdn.com/satyanadella

Comments Off on WEB: Blogging… the Microsoft Executive way

Posted in Web

Posted by: kurtsh | December 31, 2005

PRODUCT: Nissan’s “URGE” – The first car with SERIOUSLY integrated XBox360

DETROIT — Dec. 28, 2005 — Nissan North America Inc.(NNA) and Microsoft Corp. have merged automobile design and gaming technology to create the first-ever fully integrated gaming system within a vehicle. Conceived by Nissan Design America Inc. (NDA) and equipped with the Xbox 360™ next-generation video game and entertainment system from Microsoft, the Nissan URGE concept car allows drivers (while parked) to play “Project Gotham Racing® 3” using the car’s own steering wheel, gas pedal and brake pedal while viewing the game on a flip-down seven-inch LCD screen. “PGR® 3” is developed exclusively for Xbox 360 by Bizarre Creations Ltd. for Microsoft Game Studios.
The URGE, which will make its world debut at the 2006 North American International Auto Show on Jan. 9, offers a glimpse of how echo boomers are influencing the next generation of vehicle design.
“Nissan conducted an Internet survey of 2,000 echo boomers, a majority of which said technology and gaming are among the most important attributes in their first car,” said Bruce Campbell, vice president of design at Nissan Design America in La Jolla, Calif. “Xbox 360 offered the latest in technology and was already a favorite among this audience.”
The Nissan URGE, outfitted with an Xbox 360 video game and entertainment system, puts the controls of the world’s most powerful gaming console at the hands and feet of the driver. Implemented by the designers at Nissan Design America with the guidance of Microsoft engineers, the Nissan URGE delivers an immersive driving experience not available in any living room.
The URGE concept car is equipped with the award-winning “PGR 3,” which allows drivers to control a breathtaking trip through the streets of five photo-realistic locations: New York City, London, Las Vegas, Tokyo and the Nurburgring test track in Germany. “PGR 3” drivers view and play the game on a flip-down LCD screen, which doubles as a rear-view mirror when the car is being used for real driving. They control the action using the Nissan URGE’s race-inspired steering wheel, gas pedal and brake pedal. A Nissan URGE driver can, for example, maneuver through the streets of New York, park the car and fire up the Xbox 360, then virtually race through the same streets using the same steering wheel, gas pedal and brake pedal — blurring fantasy and reality in a way that the automotive world has never before seen.

Comments Off on PRODUCT: Nissan’s “URGE” – The first car with SERIOUSLY integrated XBox360

Posted in Product

Posted by: kurtsh | December 31, 2005

HOWTO: Get an XBox360 at retail prices, the geek way – part 2

This is a tactic that folks within Microsoft have been using.  Sean Alexander wrote about it in his blog… basically it uses a web services watching piece of software.
 
Average time I’ve seen for sporadic Xbox 360 availability is about 4-20 minutes before sell-out over the past few days.  This means you need to get notified down to the minute.  So I wrote a how-to that combines an free web inventory tracker with a freely downloadable shareware app to play a chime when the tracker status is updated with new availability:
 
 
Target.com, CircuitCity.com and WalMart.com are all getting bundles and console shipments in multiple times a day for online purchase. 

Comments Off on HOWTO: Get an XBox360 at retail prices, the geek way – part 2

Posted in Computers and Internet

Posted by: kurtsh | December 19, 2005

RELEASE: Office 2003 Add-in: Word Redaction

Redaction is the careful editing of a document to remove confidential information.

The Microsoft Office Word 2003 Redaction Add-in makes it easy for you to mark sections of a document for redaction. You can then redact the document so that the sections you specified are blacked out. You can either print the redacted document or use it electronically. In the redacted version of the document, the redacted text is replaced with a black bar and cannot be converted back to text or retrieved.

Sensitive government documents, confidential legal documents, insurance contracts, and other sensitive documents are often redacted before being made available to the public. With the Word 2003 Redaction Add-in, users of Microsoft Office Word 2003 now have an effective, user-friendly tool to help them redact confidential text in Word documents.

 
Tips on how to use the Word Add-in for Redaction is available here:

Comments Off on RELEASE: Office 2003 Add-in: Word Redaction

Posted in Release

« Newer Posts - Older Posts »

Categories