A big “d’oh,” maybe

It seems like only last week that I was whining that browsers were disintegrating like so many smashed plates at a Greek wedding. Oh yes, it was only last week.

Well it looks as if some of this may not be a unique personal experience but is caused by a vulnerability in IE. Microsoft’s Security Advisory describes the flaw they’ve just found. The way it seems to operate sounds uncannily like what’s happened to my browser in IE.

The vulnerability exists as an invalid pointer reference in the data binding function of Internet Explorer. When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object’s memory space. This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable. (from Microsoft’s Technet)

“invalid pointer reference in the data binding function.” I understand all the words individually but I got lost as soon as I tried to understand them when they are linked together.

But, causing IE to “exit unexpectedly”. That sounds like what IE has been doing randomly for weeks. Often failing to release the memory that it was using – which I don’t find out until too late. I didn’t really consider that it might be a new form of browser attack. How naive is that? D’oh.

Not that’s any excuse for Firefox. But I’m not convinced that FF is so magically free from being affected by the same attack attempts, that it won’t crash and die when it bumps into them, even if it doesn’t let an intruder in. In any case, I only ever use IE when Firefox has decided to commit suicide a few times.

I know that using Linux would mean that attacks like this would never work but it’s not completely intrusion-proof. This PC is pretty well on its last legs, as it is. It’s a few more bad reads away from hard disk failure, anyway. (And that’s in the not-completely “legacy” disk drive, not the really old disks that are also still in it.) The graphics card should be in the “Museum of graphics cards that were state of the art in 2003” If I change its OS, my software won’t work, I’ll lose all my passwords, the cable connections will have to be reset and so on. When I’m forced to get a new PC, it will use Linux, but until then, no.

Microsoft Technet page warns site owners that SQL injection attacks might turn their sites into unwitting distributors for the malcode and directs worried site owners to a scrawlr, a free HP tool that is supposed to check your site for SQL injection code. Every site that uses something like php is fair game for that.

So it sounds like a plan and the scrawlr page has a good cartoon. But I end up far from convinced there’s any value in downloading scrawlr, after reading the comments. Like this one from leon:

The comic is xkcd
The tool is useless, scrawl is entirely unable to detect even the simplest vulnerabilities, i went as far as pasting an example injection into the url bar and it okayed that!!! I also have an intentionally vulnerable site with local only access that we are using to configure our new IDS and it didn’t find a thing… seriously, if you take anything away from this, let it be the comic.

(That link is to the comic, in general. The scrawlr page has the relevant cartoon.)
MarkH says:

Doesnt’ support POST forms or Javascript. In other words, this demo tool can’t actually test anything that any web developer would have written since, oh, say 2001.
Epic fail.

Doesn’t let you check POST forms? 🙂 I think I’ll pass, then.

A report on the BBC’s tech page had a “security expert” saying “don’t use IE ” and Microsoft – unsurprisingly – warning against that particular course of action. 🙂

As many as 10,000 websites have been compromised since the vulnerability was discovered, he said.
“What we’ve seen from the exploit so far is it stealing game passwords, but it’s inevitable that it will be adapted by criminals,” he said. “It’s just a question of modifying the payload the trojan installs.” (from the BBC)

As soon as “security experts” start talking up threats, I tend not to believe them. 10,000 websites sounds as unconvincing as the UK government’s “30 terror plots.” And so far the exploit has stolen game passwords. Hmm. Hardly a cause to panic about your e-bay sales or your online banking, then. Do you care if you find yourself playing World of Warcraft alongside an unaccredited troll?

Still, Microsoft’s idea of advice doesn’t inspire much confidence, either.

Microsoft urged people to be vigilant while it investigated and prepared an emergency patch to resolve it.

How exactly am I supposed to be vigilant? I could try to check every invalid pointer reference in the data binding function, could I? Even if this wasn’t so far over my head that I could call it an “umbrella”, IE would have to become Open Source before I could even hope to identify the databinding function.

I thought I’d already pushed the intrusion detection boat out by running Ethereal and Snort whenever I feel mildly obsessive. (And they piss me off because half the transactions that my computer indulges in can’t be fathomed anyway. So I stick to using them for purposes like getting my passwords off the traffic stream, in plain text, which is surprisingly helpful when I’ve forgotten them but annoys me all the same Why on earth have passwords that are hidden from the bloody user by asterisks but easily readable by anyone with a packet-sniffer? Cue another rant.)

This “data-binding function” of IE needs a whole new set of skills that I really don’t believe would hold much entertainment value. So I don’t intend to get them. And “invalid pointers”? Can Microsoft or someone direct me to the Girl’s Big Book of Valid Pointers so I can be properly “vigilant”?

One lap

I love Linux. It’s not as if I use it much but I love the idea of it. Open source. Free collaboration. All that.

I am less enamoured of the techy-boys-toys attitudes that seem to infect a lot of Linux-users, or the unlimited contempt that they can show to anyone who knows ever so slightly less than them about operating systems.

The recent developments in the one-laptop-per-child project which will now see it offering Windows, as well as Linux, seem to be causing a lot of dissent. This was described on the BBC as the OLPC project “getting in bed with… the Great Satan”

According to the BBC report, the purists in the OLPC movement see Linux as at the heart of the project. Well fine, but is this project supposed to be about spreading access to technology and internet communication or is it about creating a world full of Linux nerds? Because, to most people, even to most techies as Ivan Krstic pointed out, computers are not ends in themselves. They are just tools.

Some of us like messing about with tech (to a degree..) Most people don’t. A television that you couldn’t operate without degree-level knowledge of electronics engineering would be pretty unpopular. Why assume that every third world kid will suddenly become someone who is happy to mess about with a kernel for weeks?

Most people in the world use Microsoft products. Nearly everyone of us has to use Microsoft in work. Surely that makes a Microsoft operating system a reasonable component to put in a product that aims to cover the world.

Or are the kids who get these laptops only to be allowed to use predefined worthy educational products on them, while their first world equivalents are playing games?

I’m not exactly the world’s biggest fan of the OLPC project anyway, but I don’t think it stands or fails on the nature of the operating system.

IMHO the OLPC has always been liable to turn out to be another top-down western attempt to solve the problems of the poor countries – our solutions to which usually turn out to benefit the rich countries.

Vista Networking – Hell on Earth

As I have a perfectly functioning set of computers at home (running XP, Ubuntu, SuSE and PCLinuxOS) who all network quite nicely and share files as you would expect. This meant, I had thought the move to Vista was in the dim and distant future.

However, a few weeks ago my laptop underwent some toddler-inspired “maintenance” and I was forced to buy a new one. All the available laptops came with Vista pre-installed so my choices were limited.

Now, over all the laptop is fantastic – new technology items are always nice to play with. It is fast (an order of magnitude faster than the 3 year old one it replaced!), it is user friendly and, for most tasks, Vista is quite usable.

I say most tasks.

One of the critical things this laptop is required to do is to be able to access the network where the rest of the PCs share files. Without this it is, largely, pointless. Sadly, vista stubbornly refuses to connect to any other computer on the network and refuses to share its own files. The hand-holding interface of vista makes trying to trouble shoot interminably difficult (I have the Windows Vista Home Premium version), and it manages to hide pretty much all the functions underneath many, many layers of “wizard” interfaces. It is, in short, a nightmare.

After a week of trying, I can now get the Vista laptop to “see” the XP machines when it draws the network map (although this involved finding and installing updates on the XP machines) but every time I try to map a network drive or connect to the networked printer, Vista decides it can no longer see any other machines on the network. It is hellish. Without being able to access the shares, the Vista laptop is largely pointless. It may end up getting hit with a sledge hammer simply to relieve frustration.

I am somewhat bemused by the way the new OS from MS is so incompatible with previous ones that you need to add a hotfix to the older machines to let Vista talk to them, but I suspect MS has its reasons.

If you are thinking of “upgrading” your MS Windows XP (or older) machines, then I STRONGLY suggest you upgrade to a better OS like Linux or even (shock, horror) Mac OS X. If you want to go for Linux, then certainly consider PCLinuxOS as it is very easy to use, offers all the benefits of Vista with none of the problems. If you go for Vista then it will cost you money and you will need to learn a new user interface – if you want to do that, go the whole hog and Linux yourself. (Hell, I’d even say go for Solaris and I’ve had many a problem with that in the past)

I really, really hate vista. [tags]Technology, Windows, Vista, XP, Operating Systems, OS, Linux, Mac, PCLinuxOS, Networking, Protocols, Microsoft, MS, Ubuntu, SuSE, Solaris, Rant[/tags]

Privacy statement zzzzz

The very words “privacy statement” have a hypnotic effect. You see them, click “Yes, Ok I’ve read it” to get to the next bit…… There may be some inbuilt mental process that protects the brain from damage by shutting it off in the presence of the small print on things like loan agreements, the introductory bits of software and so on.

I happen to have read one by accident trying to find out if there was a (potentially illusory) Microsoft product named WI. Googling just took me to the Wisconsin Microsoft Developer’s network, which wouldn’t let me go any further without agreeing to the privacy statement.

Props to Microsoft here, because you can actually read the provisions – indeed you would have to if you decide to go through the gateway. Not having any reason to join the Wisconsin Developer Network – apart from sheer nosiness and apparently a temporary failure of my low boredom threshhold – I obviously didnt.

However, the contents come as a bit of a shock. Here’s an extract:

Collection of your Personal Information
WI Microsoft Technical Community collects personally identifiable information, such as your e-mail address, name, home or work address or telephone number. WI Microsoft Technical Community also collects anonymous demographic information, which is not unique to you, such as your ZIP code, age, gender, preferences, interests and favorites.
There is also information about your computer hardware and software that is automatically collected by WI Microsoft Technical Community. This information can include: your IP address, browser type, domain names, access times and referring Web site addresses. ……

So, to join that particular developer community you just hand over information so far beyond the expected IP and referrer as to be on another level.

You might think “so what”? I hope the BBC article about the private detective agency crackers gives you a little pause.

In which case it may be a good idea to read the privacy statements now and again. ZZZZZZ ZZZZZ

Microsoft Live-writer spam now gone

If you click on the link in the post about Microsoft Live-writer’s comments being pure spam, this morning, you might wonder what I was going on about. The page now has normal-looking comments.

(I still have the page open as it was last night though so I made a screenshot – well 2 screenshots, as the page is huge and I could have made about four, but I stoppped when I got the first three spam lists.)

Without being interested enough to go through pages of comments I can’t really say if they were genuinely deleted or just fell off the front pages because of the volume of comment that Microsoft page would generate.

However, WhyDontYou blog felt slightly smug when FireStats showed that almost the first reader of that comment came from an IP address in Redmond Virginia………. Please don’t destroy the illusion that Microsoft jumps to our tune.

Microsoft Live-writer page comically spammed

😀 This is too good to pass up. There is loads of pornspam disguised as Comments on Microsoft’s Livewriter page that announces the “New Release! Windows Live Writer 1.0 (Beta) Update with Windows Live Gallery”

Come on Microsoft. Everybody else has to deal with it. You may be too proud to use Akismet but there are other ways to stop getting rubbish comments on your blog page. You are supposed to have programmers working there. 😀