MowGreen: August 2007 Archives


August 23, 2007

Sun JRE Font Parsing Vulnerability

HIGHLY CRITICAL
Description:
A vulnerability has been reported in Sun JRE, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused by an unspecified error in the parsing of fonts contained in Java applets. This can be exploited by malicious, untrusted applets to read and write local files, or to execute local applications.

The vulnerability is reported in the following products:
* JDK and JRE 5.0 Update 9 and earlier
* SDK and JRE 1.4.2_14 and earlier

Solution:
Update to the latest versions or apply patches:

JDK and JRE 5.0 Update 10 or later
http://java.sun.com/j2se/1.5.0/download.jsp

SDK and JRE 1.4.2_15 or later
http://java.sun.com/j2se/1.4.2/download.html

Why am I not surprised that there's another issue with applets and Sun's java runtime?
And remember, bunkies, the java autoupdater does not remove older, vulnerable versions!
One must uninstall it/them from Add/Remove Programs in the Control Panel on Windows OSes.
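An added check, not from the original post or from Sun: a PowerShell snippet that reads the Add/Remove Programs entries in the registry and flags any leftover JRE/JDK installs at or below the versions the advisory names (5.0 Update 9, 1.4.2_14). It assumes the entries' DisplayName strings follow Sun's usual naming, e.g. "J2SE Runtime Environment 5.0 Update 9" or "Java 2 Runtime Environment, SE v1.4.2_14"; adjust the patterns if yours differ.

```powershell
# Added example: enumerate Java runtimes still listed in Add/Remove Programs
# and flag those at or below the advisory's affected versions.
# Assumption: DisplayName follows Sun's naming, e.g.
#   "J2SE Runtime Environment 5.0 Update 9"
#   "Java 2 Runtime Environment, SE v1.4.2_14"

function Test-AffectedJre {
    param([string]$DisplayName)
    # 5.0 line: Update 9 and earlier are affected (no "Update" suffix = Update 0)
    if ($DisplayName -match '(?:Runtime Environment|Development Kit) 5\.0(?: Update (\d+))?') {
        $update = if ($Matches[1]) { [int]$Matches[1] } else { 0 }
        return ($update -le 9)
    }
    # 1.4.2 line: 1.4.2_14 and earlier are affected (bare 1.4.2 = _0)
    if ($DisplayName -match 'Java.*1\.4\.2(?:_(\d+))?') {
        $rel = if ($Matches[1]) { [int]$Matches[1] } else { 0 }
        return ($rel -le 14)
    }
    return $false
}

function Get-InstalledJre {
    # Native hive plus the 32-bit view on 64-bit Windows
    $hives = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall')
    foreach ($hive in $hives) {
        if (-not (Test-Path $hive)) { continue }
        Get-ChildItem $hive | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            if ($p.DisplayName -match 'Java|J2SE') {
                [pscustomobject]@{
                    DisplayName = $p.DisplayName
                    Version     = $p.DisplayVersion
                    Affected    = Test-AffectedJre $p.DisplayName
                }
            }
        }
    }
}

# Affected entries sort to the top; uninstall them from Add/Remove Programs.
Get-InstalledJre | Sort-Object Affected -Descending | Format-Table -AutoSize
```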

August 20, 2007

Skype Says "Your OS Ate My P2P"

EDIT: August 21, 2007: The Microsoft connection clarified

1. Are we blaming Microsoft for what happened?
We don’t blame anyone but ourselves...

2. What was different about this set of Microsoft update patches?
In short – there was nothing different about this set of Microsoft patches...

3. How come previous Microsoft update patches didn’t cause disruption?
That’s because the update patches were not the cause of the disruption...

Thank you for being honest about the disruption and not passing the blame to "someone else", Skype.

=====================================================================

What happened on August 16

On Thursday, 16th August 2007, the Skype peer-to-peer network became unstable and suffered a critical disruption. The disruption was triggered by a massive restart of our users’ computers across the globe within a very short timeframe as they re-booted after receiving a routine set of patches through Windows Update.

The high number of restarts affected Skype’s network resources. This caused a flood of log-in requests, which, combined with the lack of peer-to-peer network resources, prompted a chain reaction that had a critical impact.

Normally Skype’s peer-to-peer network has an inbuilt ability to self-heal, however, this event revealed a previously unseen software bug within the network resource allocation algorithm which prevented the self-healing function from working quickly. Regrettably, as a result of this disruption, Skype was unavailable to the majority of its users for approximately two days.

The issue has now been identified explicitly within Skype. We can confirm categorically that no malicious activities were attributed or that our users’ security was not, at any point, at risk.


I don't have an LOL that's big enough for that explanation. If their supposition is true, then why didn't previous updates from Microsoft cause this issue before?
There's no way in heck that all of the systems connected to Skype downloaded, installed updates, and then rebooted at the same time. NO WAY!!!!

I'm not that familiar with Skype's software, but ANY software one installs that insists on running when Windows starts up via its Duhfault settings is a major PITA.
There are also security implications to consider. There have been known exploits and vulnerabilities in IM/Chat Clients that are resolved when the issuer of such Clients either patches or upgrades them. Do you really want a vulnerable Client to be connecting to the internet even though it may have a critical vulnerability at which a newly issued exploit is aimed?
If I want to run your software, I very well know how to start it, thank you.

Frankly, I do not recall the latest version of Skype that I installed having that as a Duhfault setting. If it did, it was disabled as soon as it was installed, trust me.

Even if Skype's lame excuse were possible ... then I say GOOD.
Serves you right for having your software run on boot because you were the ones who chose that invasive behavior, not Microsoft.

August 14, 2007

.NET Framework updates fail

The biggest culprit for .NET Framework updates failing to install properly is Antivirus software.
In fact, AVs can also prevent or damage the original installation of the .NET Frameworks, thus requiring one to uninstall them in order to install subsequent Security updates.
This requires one to completely and TOTALLY disable the installed AV when .NET Frameworks and Security updates are installed.
Not all AVs will cause such issues.
The AVs identified as causing such issues have been Norton, McAfee, and AntiVir.

Please consult the Help file of the AV in question or visit the manufacturer's web site to learn how to completely and TOTALLY disable it.
For those who do not want to expose their system to the internet while the AV is disabled, I suggest you download first, disconnect the system from the network or internet, install the downloaded software/updates, reboot if necessary, REENABLE the installed AV, and then reconnect to the network/internet.

When you try to install an update for the .NET Framework 1.0, 1.1, or 2.0, you may receive Windows Update error code "0x643" or Windows Installer error code "1603".

Also, this is the source for .NET Framework and update issues:

Unified .NET Framework Troubleshooting Guide

What to do if other .NET Framework setup troubleshooting steps do not help