Microsoft Security Advisory 953818 - Apple Safari for Windows Vulnerability

Microsoft is investigating new public reports of a blended threat that allows remote code execution on all supported versions of Windows XP and Windows Vista when Apple’s Safari for Windows has been installed. Safari is not installed with Windows XP or Windows Vista by default; it must be installed independently or through the Apple Software Update application. Customers running Safari on Windows should review this advisory.

At the present time, Microsoft is unaware of any attacks attempting to exploit this blended threat. Upon completion of this investigation, Microsoft will take the appropriate measures to protect our customers. This may include providing a solution through a service pack, the monthly update process, or an out-of-cycle security update, depending on customers' needs.

Mitigating Factors:

Customers who have changed the default location where Safari downloads content to the local drive are not affected by this blended threat.

Celtics chant Ubuntu

For those that watched the post-game show on ESPN for the Celtics-Pistons game 6 today, you probably heard Paul Pierce lead some chants at the press conference. I was surprised to hear them say 1-2-3 Ubuntu. According to one of the commentators, Doc Rivers got 'Ubuntu' from a book by Desmond Tutu. While those that are familiar with African culture and spirituality, and with Linux, are probably familiar with Ubuntu, it made me smile to see the word propagating into American popular culture and entertainment. Although I doubt many people watching the game were paying close attention to the chant, nor will they probably remember what was said, I think it's important to bring it to the attention of everyone. Perhaps the adoption of such a powerful phrase by athletes and role models can infuse some of the humanity-centric beliefs of African culture into American society.

If I can find a clip on YouTube, I will link it here for all to see.

With that I leave you with 1 - 2 - 3 - Ubuntu.

Dell Mini - EEEPC competitor due out June 2008 - Sneak Pics

Dell is about to enter the UMPC market with its own mini-laptop. The rumored specs are:

  • 1.6 GHz Atom Processor
  • 3 USB Ports
  • Ethernet
  • Card Reader
  • VGA Output
  • 1280x800 Resolution

Wish I had more... I'll update when the specs are officially released. The rumored release is in June 2008. (Next month!)

Outlook 2003: Create A Button To Delete E-Mail Attachments

Every company, big and small, has mailbox size management issues with their users. This handy button can help drastically reduce the size of a user's mailbox. Have your users save those attachments, then NUKE 'EM!

In Outlook, press Alt+F8 to bring up the Macros window. Enter a name for your macro and press the Create button.

Highlight the new macro name and press the Edit button. This will open the VBA editor. Delete the empty Sub ... End Sub stub that the editor created (the two lines with nothing between them).

Copy and paste in the following code:

    Sub DeleteAttachments()
        Dim lngIndex As Long
        Dim AttachmentCount As Long
        Dim itm As Object
        Dim att As Outlook.Attachment

        On Error Resume Next
        ' Work on whatever item is open in the active inspector window
        Set itm = Application.ActiveInspector.CurrentItem
        If Not itm Is Nothing Then
            itm.Save
            AttachmentCount = itm.Attachments.Count
            ' Walk the collection backwards so deleting does not shift the indexes still to visit
            For lngIndex = AttachmentCount To 1 Step -1
                Set att = itm.Attachments(lngIndex)
                att.Delete
            Next
            ' Commit the removal so the attachments stay gone after the item is closed
            itm.Save
        End If
        Set itm = Nothing
        Set att = Nothing
    End Sub

Hit Ctrl+S to save, then Alt+Q to quit the editor. Open a new email, right-click in a toolbar and select Customize. In the customize window, select Macros under Categories.

Click and drag your new macro to a toolbar where you would like the button placed.

Right-click the new button to change the name and icon, then close the customize window.

Your new button is now ready to use: a single click will delete all the attachments in the currently open email and then save the email.

Dell C/Dock PRX incompatible with Inspiron Laptop? Here's how to get around all that...

One of my favorite things to do is to take old hardware and resurrect it for general purpose. Case in point: I was given an old Dell Inspiron 8100 laptop which was determined to be "non-functional." After a little poking around, I determined that it had a dead hard drive and a dead CD-ROM drive. I talked to a few friends who have 'junk drawers' full of Dell parts, and they found me a replacement CD-ROM drive from a slim-line Dell desktop (I just remounted it in the laptop bracket), an old 40GB IDE HDD, 2 x 256 MB sticks of PC133 RAM (literally the only type of RAM this thing will accept), and an old Dell C/Dock (Model PRX). I installed all of the parts and got her to boot Ubuntu 8.04 Server beautifully. What a success!

Then came time to attach it to the dock. Well, this line of laptop was obviously not meant to attach to this line of dock, because there is a metal arm with a hook coming off the dock that is meant to slide into the back of the laptop and lock. Lo and behold, there was a metal plate in the way. A little further investigation revealed that this plate is removable by first removing the plastic panel above the keyboard (nearest to the LCD), which in itself is as easy as pulling up on it (it has plastic clips underneath that release easily). When you remove it, the metal plate comes up with it and is easily removed by unscrewing two small screws. Voilà! Just replace the plastic panel and you're ready to go... until you dock the laptop and try to boot.

Oh no! It tells you that your laptop is not compatible with this dock (or some mumbo jumbo akin to that), and that you need to remove it to avoid damage. Yeah, right! How did the laptop decide this? Easy: it compares the BIOS to the accepted BIOSes for the dock and realizes that your laptop doesn't have one of those. The dock was designed for (meant to be sold with) the Latitude C series notebooks. So what do you do now? Why, flash the BIOS of the compatible Latitude C series notebook, of course.

Here is a list for the compatible versions:

  • Inspiron 3700 - Latitude CPxH BIOS
  • Inspiron 3800 - Latitude CPxJ BIOS
  • Inspiron 4000 - Latitude C600 BIOS
  • Inspiron 4100 - Latitude C610 BIOS
  • Inspiron 4150 - Latitude C640 BIOS
  • Inspiron 8000 - Latitude C800 BIOS
  • Inspiron 8100 - Latitude C810 BIOS
  • Inspiron 8200 - Latitude C840 BIOS

Now run over to the Dell site, download the right BIOS, load it onto a floppy (or whatever method you want to use to flash it) and flash that BIOS.

The notebook is going to complain that it isn't the right version, yadda yadda yadda. It's going to fail and send you to the A:\ prompt. Perfect!

Now type: C810_A12 /jabil (replacing the C810_A12 with the exe you found for your model) and hit Enter.

It will then say:

About to flash Latitude C810 BIOS on Inspiron 8100. Are you sure?

(again with whatever model you chose) Just type "yes" and hit Enter.

The unit should reboot now and it should say "Latitude" on the splash screen where it used to say Inspiron. If you see this, you have succeeded!

If you didn't get asked to flash the Latitude BIOS over the Inspiron one, try this:

Type:
C810_A12 /forceit /forcetype (again C810_A12 can be any model you chose)

That should do it! Plug the laptop back into the dock and reboot. There should be no more compatibility message. If you have any questions, drop me a comment and I'll try to help you out as much as I can. Good luck!

Vista Now Displays INSTALLED Memory, Not Memory AVAILABLE To The OS

Microsoft has pulled the wool over the average end user's eyes, again. This time they even tell you so in their own KB article, Notable Changes in Windows Vista Service Pack 1:

"With SP1, Windows Vista will report the amount of system memory installed rather than report the amount of system memory available to the OS. Therefore 32-bit systems equipped with 4GB of RAM will report all 4GB in many places throughout the OS, such as the System Control Panel. However, this behavior is dependent on having a compatible BIOS, so not all users may notice this change."

They made this change because people don't understand the limitations of 32-bit operating systems and were calling and complaining about how Vista 32-bit editions didn't use all their RAM. Here is a great article explaining the MATH behind the issue and why the push is on in earnest for 64-bit operating systems: Just how large is a 64-bit address?

So, this whole 32-bit memory issue is a math issue and not a Microsoft issue. That said, they could do more to impress this upon their customers and dispel the "myth" that Vista can use 4 gigs or more of RAM, when it is really only 64-bit operating systems that can use 4 gigs or more of RAM.

British UFO files released to public

If you are at all interested in UFOs or unexplained phenomena of any kind, this is good news for you. Britain's Ministry of Defence is releasing files from investigations into UFO sightings between 1978 and 1987. In total, 160 files will be handed over to the National Archives. The first 8 of these files are available at http://ufos.nationalarchives.gov.uk/

I hope this information is interesting to some of you out there. I always love to read the often bizarre reports that are gathered around this type of activity.

IBM and Linux ad - Probably the best ad ever

This ad (although old) is probably the best ad I have ever seen for IBM or Linux. It encapsulates the spirit of open source, freedom, information and learning. Big Blue has been a major backer of Linux and open source in general, and I'm proud to place their ad on my blog.

Dell to drop XPS gaming desktops in favor of Alienware

In a 'better late than never' move, Dell has decided to stop competing with itself in the gaming desktop PC market. The Wall Street Journal reports that Dell will now focus exclusively on its premium Alienware line (which it purchased in 2006) for the gaming PC market. After falling behind HP in sales, Dell is in the midst of a turnaround strategy put into place with the return of Michael Dell to the helm of the once dominant PC maker. Although these gaming PCs are an ultra-niche market with astronomical prices and insane capabilities, they often influence the regular PC market when the bleeding-edge components make their way down to commodity pricing and availability. This is where the bulk of the gaming enthusiasts (not fanatics) prefer to purchase higher-end components for their PCs. Alienware has a very strong brand amongst the PC gaming community and the gaming community at large, and it would better serve Dell to build on that brand than to try and subvert it via a gaming line within the Dell product portfolio. Hopefully all goes well for Dell, as I fully support one of the few manufacturers to offer Linux to the casual user direct from the factory.

Debian Security Advisory - OpenSSL Vulnerability

For all you server admins running Debian and Debian derivatives (like Ubuntu), heed this advisory. Make sure you patch your systems!

Debian Security Advisory DSA-1571-1

Package : openssl
Vulnerability : predictable random number generator
Problem type : remote
Debian-specific: yes
CVE Id(s) : CVE-2008-0166

Luciano Bello discovered that the random number generator in Debian's openssl package is predictable. This is caused by an incorrect Debian-specific change to the openssl package (CVE-2008-0166). As a result, cryptographic key material may be guessable.

This is a Debian-specific vulnerability which does not affect other operating systems which are not based on Debian. However, other systems can be indirectly affected if weak keys are imported into them.

It is strongly recommended that all cryptographic key material which has been generated by OpenSSL versions starting with 0.9.8c-1 on Debian systems is recreated from scratch. Furthermore, all DSA keys ever used on affected Debian systems for signing or authentication purposes should be considered compromised; the Digital Signature Algorithm relies on a secret random value used during signature generation.

The first vulnerable version, 0.9.8c-1, was uploaded to the unstable distribution on 2006-09-17, and has since propagated to the testing and current stable (etch) distributions. The old stable distribution (sarge) is not affected.

Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key material for use in X.509 certificates and session keys used in SSL/TLS connections. Keys generated with GnuPG or GNUTLS are not affected, though.

A detector for known weak key material will be published at:

<http://security.debian.org/project/extra/dowkd/dowkd.pl.gz>
<http://security.debian.org/project/extra/dowkd/dowkd.pl.gz.asc>
(OpenPGP signature)
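As an added illustration (not Debian's dowkd.pl and not code from the advisory), here is a toy model of why these keys are detectable at all. In the broken package the only input that still varied between runs was the process ID, so every possible key can be enumerated once into a blacklist of fingerprints, and a detector only has to look candidate keys up in that list. The PRNG, the 16-byte "keys" and the sample material below are constructed stand-ins, not real OpenSSL output.

```python
import hashlib

# Constructed model of CVE-2008-0166: the generator's only varying input is
# the PID, so roughly 32768 distinct key streams exist per key type. Real keys
# are far larger; a 16-byte stand-in is enough to show the detection idea.
PID_MAX = 32768


def weak_keygen(pid: int) -> bytes:
    """Stand-in for a PRNG whose only entropy is the process ID (toy model)."""
    seed = b"constructed-toy-prng:" + pid.to_bytes(2, "big")
    return hashlib.sha256(seed).digest()[:16]


def fingerprint(key: bytes) -> str:
    """Short digest used as the lookup key, the way weak-key lists are indexed."""
    return hashlib.sha256(key).hexdigest()[:20]


def build_blacklist() -> set:
    """Enumerate every key the weak generator can produce. This is feasible
    only because the seed space is tiny, which is exactly what makes the
    keys guessable in the first place."""
    return {fingerprint(weak_keygen(pid)) for pid in range(1, PID_MAX)}


def is_weak(key: bytes, blacklist: set) -> bool:
    return fingerprint(key) in blacklist


def audit(keys: dict, blacklist: set) -> dict:
    """Map each key name to True when that key must be regenerated."""
    return {name: is_weak(key, blacklist) for name, key in keys.items()}


BLACKLIST = build_blacklist()

# Constructed sample material: two keys from the weak generator and one made
# with a proper entropy source (a fixed random-looking value for the demo).
SAMPLE_KEYS = {
    "host_key_etch_box": weak_keygen(4242),
    "id_rsa_laptop": weak_keygen(31337),
    "id_rsa_regenerated": bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90"),
}

if __name__ == "__main__":
    for name, weak in audit(SAMPLE_KEYS, BLACKLIST).items():
        print(f"{name}: {'WEAK, regenerate' if weak else 'ok'}")
```

A real detector works the same way against published blacklists of fingerprints for each key type and size; a hit means the key must be regenerated on a patched system, not just the package upgraded.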

Instructions on how to implement key rollover for various packages will be published at:

<http://www.debian.org/security/key-rollover/>

This web site will be continuously updated to reflect new and updated instructions on key rollovers for packages using SSL certificates. Popular packages not affected will also be listed.

In addition to this critical change, two other vulnerabilities have been fixed in the openssl package which were originally scheduled for release with the next etch point release: OpenSSL's DTLS (Datagram TLS, basically "SSL over UDP") implementation did not actually implement the DTLS specification, but a potentially much weaker protocol, and contained a vulnerability permitting arbitrary code execution (CVE-2007-4995). A side channel attack in the integer multiplication routines is also addressed (CVE-2007-3108).

For the stable distribution (etch), these problems have been fixed in version 0.9.8c-4etch3.

For the unstable distribution (sid) and the testing distribution (lenny), these problems have been fixed in version 0.9.8g-9.

We recommend that you upgrade your openssl package and subsequently regenerate any cryptographic material, as outlined above.

Upgrade instructions
--------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
