Update (October 3, 2002):
In related news, the XP Service Pack 1 update was recently released. Due to the advance warning about XP's tendency to "phone home" about software and hardware on a system, many XP users opted for the more expensive XP Pro as it didn't have this dubious feature. Unfortunately, many such users also applied special non MicroSoft patches to their XP and XP Pro to defeat the "phone home" features. Applying XP Service Pack 1 to such a system is reported to break the OS. No non MicroSoft patch is known that replaces and incorporates the special security patches of XP Service Pack 1. XP Pro users have reported that XP Service Pack 1 will add "phone home" features to XP Pro.
This "phone home" aspect of XP and now XP Pro makes the entire OS spyware. Hopefully one of the many flavors of 'Nix will shortly become mature enough to be a true replacement for the ongoing monopolistic tyranny of Redmond. OpenOffice.ORG already has an Office killer available. We tried it and like it, especially how it can open most any Office document, amend it, then save it as an Office document that is still usable by true Office software. Very nice.
In further MicroSoft bad news, Norton and Symantec have revealed that Internet Explorer (all flavors on all OS, IE4-6, all Windows OS, all NT OS, all XP OS) has a security hole you could drop a planet through. This security vulnerability allows virtually any scripting language to be used to seize control of surfers' computers when they simply view a page containing the malicious code. The promised patch was unavailable at press time, and various internal and external links claiming to point surfers to the download for the patch merely referred them to the security bulletin itself, with a link to a nonexistent download on another page.
Norton and Symantec are recommending that surfers immediately discontinue use of Internet Explorer until this popular browser can be repaired properly. Users who must continue with IE are advised never to visit a site they are unfamiliar with (or which they believe might use malicious code), never to view a page with lots of links (honest!), and never to use any viewer in their E.Mail software that actually renders mail as HTML/XHTML/XML. Viewing infected HTML/XHTML/XML locally is still sufficient to compromise security and give control to an alien IP operator.
Eudora users can toggle off this problem by unchecking the MicroSoft viewer from within the program. It is unknown if using preview pane would leave the users' computers open to malicious code, but if the preview pane is set to allow HTML rendering, caution would suggest unchecking the "render as HTML, allow HTML in mail" options. Eudora users should NOT allow mail to be viewed as HTML, nor use the "send to browser" feature. Most security conscious surfers already use these "HTML not allowed" settings.
Outlook and Outlook Express users should consult their helpfiles to determine how best to avoid rendering ANY incoming mail as HTML, and they should not view their mail in their browser. This also applies to webmail sites: the code is in the page itself, and surfing to it allows it on your machine. Viewing the source as text is an option for Outlook, Outlook Express and other E.Mail programs if doing so does not involve opening the mail first in the program. The Bat, Mulberry and similar non-MicroSoft programs are not immune to this problem, though non-MicroSoft OS are. The malicious code can only be executed on a MicroSoft machine. Using Netscape, Opera, or other non-MicroSoft browsers is reported to make the surfers' machines immune to this threat if HTML rendering is not allowed in the surfers' E.Mail programs.
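The "do not render HTML, view the source as text" advice above can be illustrated with a small mail viewer. This is an added example, not code from the original article or from any mail program it names; the function name safe_view, the sample message and the list of tags treated as active content are assumptions of the example.

```python
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser

# Tags this example treats as active content (an assumption, not from the page).
ACTIVE_TAGS = {"script", "applet", "object", "embed", "iframe"}

# Constructed sample: a message that carries only an HTML body.
SAMPLE = """\
From: sender@example.com
To: reader@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><p>Hello</p>
<applet code="Demo.class"></applet>
<script language="VBScript">MsgBox 1</script>
</body></html>
"""


class _TagFinder(HTMLParser):
    """Records active-content tags; it parses the markup but renders nothing."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.found.append(tag)


def safe_view(raw):
    """Return (text_to_display, active_tags) without rendering any HTML."""
    msg = message_from_string(raw, policy=default)
    # Prefer a text/plain body when the sender supplied one.
    plain = msg.get_body(preferencelist=("plain",))
    if plain is not None:
        return plain.get_content(), []
    html = msg.get_body(preferencelist=("html",))
    if html is None:
        return "", []
    # HTML-only mail: show the markup itself as inert text and flag it.
    source = html.get_content()
    finder = _TagFinder()
    finder.feed(source)
    return source, sorted(set(finder.found))
```
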
The crux of the problem is the very popular MicroSoft VM (also known as 386jv, i386vm, JVM2 and related). To determine if you have this on your OS (virtually all MicroSoft OS do), open a DOS (or MS-DOS) prompt, then type:
jview
A paragraph of information about the Virtual Machine should open under the prompt. It should look something like this:
Microsoft (R) Command-line Loader for Java Version 5.00.3805
Copyright (C) Microsoft Corp 1996-2000. All rights reserved.
Usage: JView [options] [arguments]
Options:
/? displays usage text
/cp set class path
/cp:p prepend path to class path
/cp:a append path to class path
/n namespace in which to run
/p pauses before terminating if an error occurs
/v verify all classes
/d:= define system property
/a execute AppletViewer
/vst print verbose stack traces (requires debug classes)
/prof[:options] enable profiling (/prof:? for help)
Classname:
.CLASS file to be executed.
Arguments:
command-line arguments to be passed on to the class file
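For checking more than one machine, the manual jview test above can be scripted. This is an added example, not part of the original article; the function names are assumptions, and the sample banner is the one shown in the output above.

```python
import re
import shutil
import subprocess

# Banner lines copied from the sample output shown on this page.
SAMPLE_BANNER = (
    "Microsoft (R) Command-line Loader for Java Version 5.00.3805\n"
    "Copyright (C) Microsoft Corp 1996-2000. All rights reserved.\n"
)

_BANNER_RE = re.compile(
    r"Command-line Loader for Java\s+Version\s+(\d+)\.(\d+)\.(\d+)"
)


def parse_jview_banner(text):
    """Return (major, minor, build) from jview output, or None if absent."""
    match = _BANNER_RE.search(text)
    if match is None:
        return None
    return tuple(int(part) for part in match.groups())


def check_msvm(timeout=10):
    """Run jview with no arguments, as the page describes, and parse the banner.

    Returns {'path': ..., 'version': ...}; both are None when jview is not
    on PATH, and 'version' is None when no recognisable banner is printed.
    """
    path = shutil.which("jview")
    if path is None:
        return {"path": None, "version": None}
    try:
        proc = subprocess.run([path], capture_output=True, text=True,
                              timeout=timeout)
    except (OSError, subprocess.TimeoutExpired):
        return {"path": path, "version": None}
    # The banner may go to either stream, so search both.
    version = parse_jview_banner(proc.stdout + proc.stderr)
    return {"path": path, "version": version}


if __name__ == "__main__":
    print("sample banner ->", parse_jview_banner(SAMPLE_BANNER))
    print("this machine  ->", check_msvm())
```
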
While technically for Java, the MicroSoft Virtual Machine also has uses in JS, JavaScripting, ASP, VB, VBS, VBScript, VBScriptlets, C, C+, C++, J+, ColdFusion, CHM (usually a helpfile, but may take other forms) and many more related scripting languages that are used in ALL the HTML-like languages. No reports have come in that PHP has this problem, but technically it is possible, since PHP is a scripting language that allows other scripting languages to be embedded within it. Scripting languages frequently use the VM and there's no way to remove the VM without a full reformat and reinstall. Even then, the VM may be reinstalled.
It cannot be stressed enough: This security vulnerability will actually allow an alien operator to run your computer any way he chooses. Perhaps as a Zombie (similar to CodeRed and SubSeven and their attendant DoS attacks), perhaps as a network (your CPU does his work, relatively harmless, but you'd crash a lot and might use a lot of bandwidth), or perhaps to E.Mail people using your IP so that it looks as if you did (which is true, your machine did), or perhaps to merely erase, change, copy, or add files. The vulnerability would also reveal all your passwords, credit cards (if stored on your computer, even those in an electronic wallet), and any sensitive data, no matter how it is firewalled or encrypted.
All versions of Internet Explorer on all OS are suspect.
Original story (September 1, 2002):
In the never-ending-security-nightmare known as most any product from MicroSoft, the newer version of the XP Media Player (the successor to the Windows Media Player) represents totally unacceptable spyware. Not only does the player gather information about DVD and CD use, it also compiles databases on the users' computers and transmits this information to MicroSoft. The very first release of XP Media Player did not have this security problem. Privacy advocates fear that this information will be misused (as all such information is) and that the most immediate misuse may be targeting users for special E.Mail spam and banner ads based on their listening habits. The newer EULA (End User License Agreement) allows MicroSoft to share this information as it sees fit. Past experience with this suggests that it needs to be stopped before it becomes a problem.
No good freeware alternative exists for the video playback properties of the Media Players, though the InVid plugin for WinAmp covers most of the filetypes associated with Media Player. The WMV (Windows Media Video) filetype is not included in the InVid WinAmp plugin. The only media player we've found that covers the WMV filetypes is Blaze Media Pro. While not free ($50.00 to buy - free fully functioning demo available - skins available), it might be worth it to avoid the very likely security compromise from XP Player. With this new security problem from MicroSoft, one of the many freeware media players is quite likely to begin covering the WMV filetypes soon.