The Electronic Frontier Foundation (EFF) has warned that people should not download Google Desktop because it “greatly increases the risk to consumer privacy”.

A spokesEFF said that if the toolbar chooses to use it, the new “Search Across Computers” feature stores copies of the user’s Word documents, PDFs, spreadsheets and other text-based documents on Google’s own servers.

View: Full Story
Source: The Inquirer via Flexbeta

Security researcher Tom Ferris says he has discovered a security vulnerability in the Beta 2 Preview release of Internet Explorer 7. The bug lies in the urlmon.dll file and causes the browser to crash when it encounters a URL with the “file://” protocol followed by a long string of dashes.

Ferris previously discovered security flaws in Firefox, IE6 and QuickTime. He notes that arbitrary code could be executed on a machine running Microsoft’s newest beta browser, but his proof-of-concept code simply crashes the application. The issue has been reported to Microsoft and Ferris says it is only of medium severity.

Source: BetaNews via MSFN

A BOFFIN at Cambridge University says that the Voice over IP system used by Skype is a brilliant tool if you want to carry out denial-of-service attacks.

Jon Crowcroft claims Zombie networks could be controlled by messages hidden in VoIP traffic generated by programs such as Skype.

Currently DoS attacks are shut down by tracing control messages sent by chat and instant messaging programs. But if a hacker were to use a VoIP overlay as a control tool for attacks, it would be much harder to find the zombie computers, he said.

View: Full Story
Source: The Inquirer via Flexbeta

The ‘preliminary’ due date for the next collection of fixes and patches for Microsoft’s desktop operating system is as more than a year later than many company watchers were expecting. Microsoft has gone public with a tentative date for its third service pack for Windows XP. And that date - the latter half of 2007 - is considerably later than many company watchers were expecting.

Source: OSNews via MSFN

Symantec has released an update to its popular Norton SystemWorks to fix a security problem that could be abused by cybercriminals to hide malicious software. In the PC-tuning application, a feature called the Norton Protected Recycle Bin creates a hidden directory on Windows systems. The feature is meant to help people restore modified or deleted files, but the hidden folder might not be scanned during scheduled or manual virus scans, Symantec said in an advisory released on Tuesday.

“This could potentially provide a location for an attacker to hide a malicious file on a computer,” Symantec said. The Cupertino, California-based security provider is not aware of any attempts by hackers to conceal malicious code in the folder. “This update is provided proactively to eliminate the possibility of that type of activity,” it said.

View: Full Story
Source: ZDNet via MSFN

Microsoft announced that it would release a security update to help protect customers from exploitations of a vulnerability in the Windows Meta File (WMF) area of code in the Windows operating system on Tuesday, January 2, 2006, in response to malicious and criminal attacks on computer users that were discovered last week.

Microsoft originally planned to release the update on Tuesday, January 10, 2006 as part of its regular monthly release of security bulletins, once testing for quality and application compatibility was complete. However, testing has been completed earlier than anticipated and the update is ready for release. In addition, Microsoft is releasing the update early in response to strong customer sentiment that the release should be made available as soon as possible.

View: Knowledge Base
Download: Windows XP | Windows Server 2003 | Windows 2000 | Win XP x64
Source: MSFN

Microsoft Corp. said today it does not plan to release a fix for the Windows Metafile (WMF) flaw until Jan. 10, when a patch will be included as part of the company’s scheduled monthly updates for January. Microsoft has completed development of a patch for the flaw and is now testing it for quality and application compatibility, the company said in an advisory updating an earlier advisory released last week. The update will be available at Microsoft’s Download Center in 23 languages for all affected versions of the Windows operating system.

“Microsoft has been carefully monitoring the attempted exploitation of the WMF vulnerability since it became public last week, through its own forensic capabilities and through partnerships within the industry and law enforcement,” the company said in its statement. ” Although the issue is serious and malicious attacks are being attempted, Microsoft’s intelligence sources indicate that the scope of the attacks are not widespread.”

View: Full Story
Source: Computer World via MSFN

This week a new vulnerability was found in Windows: http://www.microsoft.com/technet/se…ry/912840.mspx. Browsing the web was not safe anymore, regardless of the browser. Microsoft will certainly come up with a thouroughly tested fix for it in the future, but meanwhile I developed a temporary fix - I badly needed it. The fix does not remove any functionality from the system, all pictures will continue to be visible. It should work for Windows 2000, XP 32-bit, XP 64-bit, and Windows Server 2003.

Technical details: this is a DLL which gets injected to all processes loading user32.dll. It patches the Escape() function in gdi32.dll. The result of the patch is that the SETABORT escape sequence is not accepted anymore. If for some reason the patch does not work for you, please uninstall it. It will be in the list of installed programs as “Windows WMF Metafile Vulnerability HotFix”.

Download: Windows WMF Metafile Vulnerability HotFix
Source: MSFN

A virus masquerading as a new beta version of Microsoft’s MSN Messenger has begun circulating, antivirus company F-Secure said on its blog Tuesday. The virus, which F-Secure calls Virkel.F, comes as a file called BETA8WEBINSTALL.EXE that can be downloaded from a Web site. Running the program installs not a new MSN Messenger beta, but rather a virus that sends download links to a computer user’s MSN Messenger buddies. The virus falsely labels the link as “MSN Messenger 8 Working BETA.”

“It also connects your machine to a botnet server,” F-Secure warned, meaning that a person’s computer can be controlled remotely to attack other machines or send spam. Malicious software that uses instant messenger programs is growing more common. A November study by Akonix Systems identified 62 examples.

Source: ZDNet via MSFN

The National Security Agency has been spying on Internet and telephone communications in and out of the United States in an immense program implemented in cooperation with major telecommunications companies, the New York Times reported late Friday. The news comes just a week after the Bush administration acknowledged the existence of a domestic spying program, while claiming the executive order was limited to those individuals with known terrorist ties. But the Times cites sources who say the surveillance was much broader than admitted.

View: Full Story
Source: BetaNews via Flexbeta