Aug 17, 2008

Phelps wins record eighth gold at Beijing 2008

BEIJING, August 17-- Michael Phelps won his record eighth gold medal in the Men's 4 x 100m Medley Relay final on Sunday but this time needed some help from his friends.

Men's 4 x 100m Medley Relay: Phelps wins record eighth gold

The US team of Aaron Peirsol, Brendan Hansen, Jason Lezak and Phelps won at the National Aquatics Center in a time of 3:29.34 and in doing so broke the world record by 1.34 seconds.

The defending Olympic champions and world record holders led from start to finish.

(L-R) Hansen, Phelps, Peirsol and Lezak hold the American flag (Photo credit: Al Bello/Getty Images)

Peirsol gave them a great start with a 53.16sec split. Hansen increased the lead on the world record split taking it 0.39 seconds under at the race's halfway mark. Brenton Rickard swam his breaststroke leg in 58.56, faster than Hansen, to bring the Australians into second place.

Phelps fought off the Australian challenge in the Butterfly leg before Lezak kept Eamon Sullivan on his shoulder until the wall.

The Australian team of Hayden Stoeckel, Andrew Lauterstein, Rickard and Sullivan finished 0.70 seconds behind the US to win silver in an Oceania record 3:30.04, also under the old world record.

Australia went into the race as world champions but only as beneficiaries of a US disqualification at the 2007 world championships.

Japan's team of Miyashita Junichi, Kitajima Kosuke, Fujii Takuro and Sato Hisayoshi took bronze in an Asian record 3:31.18.

Russia finished fourth in a European record 3:31.92.

Michael Phelps sets Olympic record for gold medals

BEIJING: Everybody has their theory about what makes Michael Phelps peerless. Simon Burnett, a freestyler from Great Britain, shared his the other day with Eddie Reese, the United States men's Olympic coach.

"He's not from another planet," Burnett told Reese. "He's from the future."

On the ninth day of swimming at the Beijing Games, Phelps collected his eighth gold medal, becoming the career leader in Olympic golds with 14 gold medals.

Recounting the story Sunday, Reese laughed and said, "That's probably the best explanation I've heard."

Mac Users Get Clipboard-Jacked At Digg, Facebook

Macs don't actually get attacked by malicious code, right? No, they do, even if it's a comparatively rare thing.

Consider this support thread on apple.com in which a Mac user using Firefox complains about how his clipboard gets hijacked. Once he visits a certain site, a top-level link off of digg.com, his clipboard gets stuffed with a malicious link (to Windows malware) and nothing else can change the clipboard contents.

Oh yes, that's right, Firefox also gets attacked now and then, despite conventional wisdom to the contrary.

Other readers piped up to relate similar circumstances on other sites, including Facebook and lime.com. In fact, this attack was first reported about a week ago on the Spyware Sucks blog. Of course it is meant to target Windows systems and works well on them too.

If you think you are experiencing this attack take note of what sites you have open. One reader reported that the attack was only active while the page was open. So you should eventually be able to end it by closing browser windows one at a time.

There is a security setting for Internet Explorer to block/allow programmatic access to the clipboard, and the default is to prompt the user. You can test this harmlessly at tinyurl.com.


Back on the Spyware Sucks blog entry, comments indicate that the prompt setting isn't working; users are getting attacked in spite of this setting. We can't confirm this.

(full story)

Mozilla Fixes Awesomebar In Next Firefox Version

I've been complaining about new "Awesomebar" in Firefox 3, which is the name for all the new functions in the location bar. To quote the Firefox help on the subject, "[t]ype something into the Location bar, and the autocomplete drop-down will show matching sites from your browsing history, as well as sites you have bookmarked and tagged." Awesomebar is also known as the Smart Location Bar.

I liked to use the Tools-Clear Private Data feature now and then in Firefox 2, because it cleans out the Location bar history. You can get it with Ctrl-Shift-Del. When I started using Firefox 3 it looked like it didn't work anymore. That's because bookmarks are not considered private data to be cleared. Even after you clear all the private data, if you then drop the location bar down there are still entries in it.

I wasn't the only one who found this confusing. Several bug reports turned up on the Firefox Bugzilla site, and a popular add-on for Firefox, Hide Unvisited 3, came out to turn off the tracking of bookmarks in the Awesomebar.

Now Mozilla has announced that they will add functionality equivalent to Hide Unvisited 3 to Firefox 3.1. The changes will be in the form of entries in about:config. The feature will be in Alpha 1 of 3.1, which should be out soon.

(full story)

Microsoft Released 11 Patches

Microsoft released 11 security bulletins today along with updates to address the vulnerabilities described in them. Various versions of Windows and Office are affected. The Advance Notification indicated that there would be a 7th critical update; this appears to have been removed at the last minute.

All updates are available through Windows Update and all the other usual avenues.

(full story)

Intel's 'Core i7' Processor

Intel has announced that the upcoming Nehalem processor will be officially known as the Core i7.

Nehalem has been the code name for Intel's upcoming processors first due in Q4 2008. Nehalem represents a major overhaul of Intel's processor technology and introduces a number of improvements over existing process bottlenecks.

Intel's choice of name seems to be arbitrary but will reportedly fit into the naming scheme for the full line of chips, as explained by TGDaily.com:

"Intel told us that “i7” was simply chosen because it is “short and sweet”. The company showed some understanding for our confusion over this name choice and promised that i7 would make sense down the road when additional new identifiers are introduced."

Intel is expected to reveal more information about the Core i7 at the Intel Developer Forum on August 19th. At the conference, Intel will also detail a new energy saving technique in the i7:

"Intel would not reveal the nature of the new energy efficiency feature in the Core i7 chips. A company spokesman said it is not a direct evolution of the Intel's SpeedStep technology that automates frequency scaling based on workloads."

While the first of the Core i7 processors will be introduced in Q4 2008, mainstream desktop and mobile versions of the processor will be delayed until well into 2009.

(full story)

Apple's Crap Store

Ninety percent of everything is crap, science fiction author Ted Sturgeon once said. That's certainly true of the crud passing for "software" in Apple's new App Store. While there are some useful applications in there, the vast majority of programs are half-fast, buggy, repetitive, or rehashes of useful Web sites.

This makes me worry about software development in general. Mobile computing platforms are the future primary PCs for much of the world. Yes, you'll be able to get a big screen and keyboard for these small CPUs eventually. And the iPhone is a powerful platform. It's got a 600-MHz CPU, excellent network connectivity, and a desktop-class OS. In theory, we could see the kind of apps developed for this platform that helped make personal computers as popular as they are today.

The App Store is beautiful, comprehensive (by fiat), and well designed. For the first time, you can actually get an overview of all the applications available for a computing platform and easily acquire them. It's an idea that a lot of other people have had before, but Apple has done it with more polish and ease of use.

But what do we get? Some great games. Notice that when the Wall Street Journal recently reported on Apple's app sales reaching $30 million, the only examples the Journal gave were games. There are a few good vertical business and programmer's apps, and Pandora for music lovers. But we also get a surfeit of crappy little applets like currency calculators that don't download exchange rates off the Web, social networks nobody's heard of, subway maps, way too many Sudoku games, and a vast pile of reformatted Web sites in app form. About 10 percent of the apps are great. Ninety percent smell like old Sturgeon.

I know this is beating a dead horse, but we're still waiting for apps that fill in the obvious gaps in the iPhone's feature set: office suites, video cameras, GPS navigation, or voice dialing that works properly. I know there are office suites in development, but anyway, those are old ideas. The real thrill will come from new ideas.

Of course, it's not as if Apple encourages app developers to think outside the box. IAmRich.com was a German avant-garde art project in the form of an iPhone app. It wasn't malware. Apple yanked it from the App Store just because the company didn't like its face. That's a great message to send to developers: We might kill your app if we think you're a little weird.

(full story)

Gateway P-7811FXQ

When Gateway announced the end of its online and phone sales, many people proclaimed it the end of an era. Well, Gateway is kicking off a new era with its first retail-only PC, the P-7811FX ($1,399 list), available, right now, only at Best Buy. This hulking laptop offers a home-theater-quality 17-inch widescreen along with decent gaming capabilities at a competitive price. In addition, the notebook debuts with the latest Centrino 2 processor, making it an all-around solid system.

The first thing I noticed when I sat down in front of the P-7811FX was its impressive 17-inch screen. The laptop offers a 1,920-by-1,200-resolution picture, which, in home-theater terms, means it can display 1080p content. Few systems are able to match that at this price point (the ASUS M70Sa-X2 is a notable exception). For a laptop of this size and with such a gorgeous display, it seems a shame not to offer a Blu-ray drive. I know: Adding Blu-ray would drive up the price, but I was left wanting more than the included dual-layer DVD burner.

(full story)

Are Some PCs Born Bad?

A few weeks ago, a friend of mine told me about his wonky laptop. It was a familiar story. His newish Vista box had, without much warning, begun collapsing into a blue-screen funk on almost a daily basis. He went on to explain that he'd spent countless hours on the phone with Dell support techs, all of whom were kind, polite, and intent on being helpful. The problem, of course, was that none of them had actually helped at all.

"When did you get this?" I asked. "April," he replied.

We were near my friend's office, so we stopped in so he could show me the laptop. I was startled by how new it was.

It was early June. The PC was not even three months old. The blue screens had begun within a few weeks of owning the Dell XPS M1530 laptop—one of PCMag's favorites (Cisco Cheng gave it four out of five stars). I asked my friend the usual questions: Had he installed any unusual apps, visited any odd sites, or opened an e-mail attachment that he probably shouldn't have?

His response: "No. It happens when I use the browser."

That seemed somewhat specific. In my experience, it's usually pretty hard to recreate a blue-screen experience. But my friend walked me through a simple series of steps…

"I start it up, open the browser, visit this site [one chosen from his favorites in IE7], and then…."

He trailed off as the system lapsed into a blue-screen coma. I was stunned. Rarely had I seen a consumer so expertly recreate a PC malfunction.

Holding a sheaf of papers in his hand, my friend pointed out notes from six different multi-hour support calls. He'd recorded the names of the support techs, as well as the time, date, and duration of each call. Each support tech had tried something different. For example, even though the PC came with security software, one had him install new protection from Trend Micro. In fact, there was a lot of utility installing and uninstalling. None of it worked.

(full story)

Aug 15, 2008

Bug In Firefox Prevents Updates For Some Users

As I had reported in an earlier post, my Check for Updates option on the Help menu in Firefox 3 was grayed out:

[Screenshot: Firefox 3 Help menu with Check for Updates grayed out]

I had a similar problem with Firefox back around version 1.5 and reported it in Bugzilla. I remember nobody being very helpful about it. My report was probably one of many that were consolidated into one report on the same problem. The original post was in December 2005 and it's still basically open, depending on who you listen to in the report's discussion thread. A second Bugzilla thread covers the same bug and attempts to narrow the bug report scope and give it new attention.

The problem appears to be that if a user does not have write access to the directory from which Firefox was installed, then Check for Updates will be grayed out and the user will get no automatic updates. How would such a thing happen? In my case, I installed Firefox 3 from a network share while logged in as Administrator. I would argue that giving a non-privileged user write access to software installation directories is a bad practice. This bug appears on all platforms, not just Windows.

Some users on the Bugzilla thread are arguing that this is proper behavior, but the problem is that it seems not to have been the behavior in the Firefox 2.x generation. Thus the bug would appear to be a regression error. The threadmaster argues that this is proper behavior and that if Firefox 2 did not behave this way (which was also my experience) then that was a bug.

In the meantime I am forced to change to a behavior I don't believe in, either granting my restricted user account write access to the installation directory or reinstalling as that user with a new writeable installation source directory. Not a really big deal, but not the right way to do things.

(full story)

The Security Question Vulnerability

It's common for sites for which you must provide logon credentials to let you set a "security question" that they may ask you in case you forgot your password. An entry on the Securiteam blog challenges the security of this system, at least as it is implemented in many places.

The gist of the challenge is that it's easy to research many of the answers to the stock questions services ask. The blog looks at Windows Live Mail, Yahoo! Mail and GMail. Of those three, only GMail allows you to define your own question, presumably one harder to research (e.g. "What girl did I have a secret crush on in 8th grade?").

The blog also makes the obvious suggestion that you can lie; take an easy question, like "What is your father's middle name?" and make the answer your phone number. There is a hole in this theory: if you can't remember your own user name and password, why would you expect to remember the inaccurate answer you provided to one of these questions?

Still, they make a good point that you need to be careful in choosing a security question. Too easy an answer and a stranger (or, easier, someone who knows you) can steal the account away.

(full story)

Norton Internet Security 2008

Symantec continues to polish and enhance its flagship Norton Internet Security suite. The 2008 edition adds full-scale password and identity management, and its new BrowserDefender technology offers even stronger defense against Web-based attacks. Borrowing a page from Norton 360's playbook, NIS 2008 now offers a built-in, multilayered help system. For the multicomputer home, it now includes a network map and optional remote monitoring of other NIS 2008 installations. Antispam and parental controls remain second-class citizens, present only if you install the optional Add-On Pack.

Microsoft Sets Kill Bits

At the request of the ISVs concerned, Microsoft has released kill bit packages for certain versions of HP Instant Support and Aurigma Image Uploader. They have been released as part of a cumulative security update for ActiveX with many other kill bits.

Kill bits are settings in the Windows registry which disable an ActiveX control. When an ISV finds a vulnerability in an ActiveX control they often ask Microsoft to disable that control by making the kill bit available. Click here to learn more about kill bits.
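To see what a kill bit looks like on disk, here is an added Python check (not from the page, Microsoft, or either ISV) that reads a `.reg` export of the ActiveX Compatibility key and lists every CLSID whose Compatibility Flags value has the kill bit (0x400) set; the CLSIDs in the embedded sample export are constructed placeholders, not the real HP or Aurigma control IDs.

```python
import re

# Bit in "Compatibility Flags" that tells Internet Explorer not to load the control.
KILL_BIT = 0x400
COMPAT_SUBKEY = "\\activex compatibility\\"  # matched case-insensitively, also under Wow6432Node

# Constructed sample in the format written by:
#   reg export "HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility" out.reg
# The CLSIDs below are placeholders, not real control identifiers.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-1111-1111-1111-111111111111}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{22222222-2222-2222-2222-222222222222}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{33333333-3333-3333-3333-333333333333}]
"Compatibility Flags"=dword:00000400
"""


def parse_activex_compat_export(reg_text: str) -> dict:
    """Map each CLSID found under an ActiveX Compatibility key to its Compatibility Flags."""
    flags_by_clsid = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # New key: only remember it if it is a CLSID subkey of ActiveX Compatibility.
            path = line[1:-1]
            current = None
            idx = path.lower().find(COMPAT_SUBKEY)
            if idx != -1:
                clsid = path[idx + len(COMPAT_SUBKEY):].upper()
                if re.fullmatch(r"\{[0-9A-F-]{36}\}", clsid):
                    current = clsid
                    flags_by_clsid.setdefault(clsid, 0)  # key present but no value yet
        elif current and line.lower().startswith('"compatibility flags"=dword:'):
            flags_by_clsid[current] = int(line.split("dword:", 1)[1], 16)
    return flags_by_clsid


def killed_clsids(reg_text: str) -> set:
    """CLSIDs whose kill bit is set, i.e. controls IE will refuse to instantiate."""
    return {c for c, f in parse_activex_compat_export(reg_text).items() if f & KILL_BIT}


if __name__ == "__main__":
    import sys
    # reg export writes UTF-16 with a BOM; fall back to the constructed sample if no file is given.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    for clsid in sorted(killed_clsids(text)):
        print("kill bit set:", clsid)
```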

This cumulative update was pushed out with this past Patch Tuesday's set of updates, but the update was rated Important, so if your Automatic Updates is set only to apply critical updates you may not have it.

You can apply the update by running Windows Update manually or by downloading and running the appropriate update for your system from Microsoft's Knowledge Base.

For details on the new kill bits and what they kill see the advisories at Aurigma and HP (here and here).

Excerpt: A cumulative update disables many faulty ActiveX controls.

(full story)

Aug 12, 2008

"Quality Issue" Holds Media Player Update Back

You might have noticed that when Microsoft released the Advance Notification last week for Patch Tuesday they said there would be 12 updates, 7 of them critical. When Tuesday came around there were only 11 updates, 6 of them critical. Where'd the last critical update go?

In the Microsoft Security Response Center the company answered this, although not in any detail. The withholding of the update was due, the company says, to "a last minute quality issue." It's not the first time this has happened; testing of the updates continues, it seems, even after the advance notification. Chances are that the update, which addressed a flaw in Windows Media Player, will be in the September updates.

(full story)

Java Will Solve Old Version Problem

Have you ever looked in your Add/Remove Programs applet and wondered why there were multiple copies of Java in it? That's because the Java installer doesn't remove old versions. Do 10 updates and you'll have 11 copies of Java installed. And they all take up a lot of space.

But an update to Java, currently in beta, will fix this problem. The current version of Java (I think) is Java 6 Update 7. A document on the Java web site says of Java 6 Update 10 that:

For current users of Java SE, the JRE update mechanism has also been improved, using a patch-in-place mechanism that translates in a faster and more reliable update process (the patch in place mechanism will take effect for end users who upgrade from this update release or later to a new update release). As an added benefit, follow-on update releases will no longer be listed as separate items in the Windows "Add or Remove Programs" dialog.

Exactly what this means is not clear; will it clean out the old versions? But it seems to say that it will solve the problem going forward. In fact, a beta is available from the page for downloading.

Do we really have to wait 3 updates for this? The page says the release is scheduled for Summer/Fall of 08. We'll see.

(full story)

Vista Security Rendered Useless?

Perhaps the most explosive presentation at last week's Black Hat hacker conference in Las Vegas was that of Alexander Sotirov and Mark Dowd. The paper they presented delves deep into security technologies in Windows Vista which protect against abuses of memory and seeks out weaknesses in them. Among these technologies are DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization). The authors found many interesting attack techniques.

Some of the industry press on this presentation has been on the hysterical side: Neowin started it all with the hyperbolic "Vista's Security Rendered Completely Useless by New Exploit" followed by a TechTarget article here. The TechTarget article was updated later to tone it down some. These articles fed the fires of credulousness in those who want to believe the worst about Vista. Even the respected Bruce Schneier blogged tersely, but with great concern, about the severity of it all.

But even Sotirov himself argues that "...the sky is not falling and the flaws are not unfixable..." Thanks to Ed Bott for bringing all this out in his blog. As Sotirov says, exploitation is always a cat and mouse game, and it won't take long for Microsoft and others to respond. He adds "The articles that describe Vista security as 'broken' or 'done for,' with 'unfixable vulnerabilities' are completely inaccurate." In fact, Microsoft provided feedback on the paper to Sotirov and Dowd.

ASLR and DEP are opt-in technologies; they aren't turned on by default, and a developer has to specifically build their program (with special linker switches) to opt in to the protections. Many of the attacks in the paper rely on common software, especially Java, that does not opt in. Even Microsoft doesn't uniformly use them. Over time one can expect more programs to opt in, and that aspect of the problem will tend to resolve.
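To make the opt-in concrete, here is an added Python check (not from the page, the paper, or Microsoft) that reads the DllCharacteristics field of a PE header and reports whether the image was linked with /NXCOMPAT (DEP) and /DYNAMICBASE (ASLR); the minimal PE image it builds for its own test is constructed and not loadable.

```python
import struct

# DllCharacteristics bits from the PE/COFF specification.
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # set by /DYNAMICBASE: ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # set by /NXCOMPAT: DEP opt-in
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def read_dll_characteristics(data: bytes) -> int:
    """Return the DllCharacteristics field of a PE image, or raise ValueError."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                      # 20-byte COFF file header
    (size_opt,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                          # start of the optional header
    if size_opt < 72 or len(data) < opt + size_opt:
        raise ValueError("optional header too short")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return dll_chars


def mitigation_status(data: bytes) -> dict:
    """Report whether the image opted in to DEP and ASLR at link time."""
    flags = read_dll_characteristics(data)
    return {
        "dep_opt_in": bool(flags & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "aslr_opt_in": bool(flags & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
    }


def build_minimal_pe(dll_characteristics: int, magic: int = PE32_MAGIC) -> bytes:
    """Constructed test image: just enough headers for the check above, not loadable."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt_size = 224 if magic == PE32_MAGIC else 240
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_pe(0)
    print(mitigation_status(data))
```

Run it against a real .exe or .dll to see whether that binary would be covered by the protections the paper discusses.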

The research is top stuff for sure, a good example of how independent vulnerability research can help improve products. As a general matter, if users follow common sense security practices and run a decent anti-malware package and keep everything updated they should be in good shape, even with the revelations described in this paper.

(full story)

Aug 7, 2008

Real Issues Security Updates For Windows, Mac, Linux

RealNetworks has issued a series of updates to fix four vulnerabilities in the Windows, Mac and Linux versions of RealPlayer 10 and 11. Click here to see which versions are affected on which platforms.

The vulnerabilities include:

  1. RealPlayer ActiveX controls property heap memory corruption: a variety of versions are vulnerable to heap overflows from mismanaging memory for the software.

  2. Local resource reference vulnerability in RealPlayer: no meaningful description was provided for this flaw.

  3. RealPlayer SWF file heap-based buffer overflow: we reported on this the other day. Processing a malicious Flash SWF file can cause a heap-based overflow.

  4. RealPlayer ActiveX import method buffer overflow: deleting a vulnerable file from the user's media library triggers a stack overflow and can cause arbitrary code execution.

(full story)