Yet Another ActiveX/Internet Explorer Exploit Being Exploited

For those people who have to care about Windows systems SANS ISC has info on a scary new ActiveX remote exploit doing the rounds that allows an attacker to run code on a Windows box rendering HTML via Internet Exploder or (presumably) Outlook, etc if you have virtually any version of MS Office installed..

This vulnerability exists in the ActiveX control used by IE to display Excel spreadsheets. The CVE entry for the vulnerability is CVE-2009-1136. Microsoft mentions that they are aware of active exploits against this vulnerability

There is no fix at present, though a workaround is available to disable those ActiveX controls. Attackers are actively targeting people with this too:

A highly targeted attack against an organization earlier today who received a Microsoft Office document with embedded HTML. This one was particularly nasty, it was specifically crafted for the target – with the document being tailored with appropriate contact information and subject matter that were specific to the targeted recipient. Analysis of the document and secondary payload found the attacker used a firewall on the malicious server so that all IP traffic outside of the targeted victim’s domain/IP range would not reach with the server.

Remember Microsoft isn’t the answer, Microsoft is the question. “No” is the answer.

Microsoft Guilty of Patent Infringement (again)

A patent infringement battle that’s been going on in the US for 6 years between Uniloc and Microsoft over an Australian invention that lies behind the product activation used in Windows and MS Office, etc has been resolved – and Microsoft has lost to the tune of a cool US$388 million – that’s over half a billion Australian dollars…

On Wednesday, the jury found Microsoft wilfully infringed the patent.

Wilful infringement means that Microsoft knew about it and didn’t care, rather than just not knowing it had been patented. Microsoft tried to argue that the patent was invalid, but the jury didn’t buy that argument. All rather ironic after the Tom-Tom issue (they settled as Microsoft were about to get their imports to the US blocked prior to any judgement on whether or not it was a real issue)..

There’s an interview with the CEO of Uniloc, Brad Gibson, about the verdict on the ABC website.

Sensible talk on patents from ZDNet

Like many western nations that built up their industries under protective laws and now demand that developing countries remove restrictions that they relied on we see Microsoft doing much the same with Tom Tom, as ZDNet points out when discussing why Microsoft are eager to avoid talking about the details of their patent case..

The TomTom claims cover such things as a multitasking computer on which you can run programs, in a car. A wireless Internet-connected computer, in a car. And how to create long file names in the MS-DOS filing system–a fix introduced in Windows 95 because MS-DOS is a direct descendent of 1974’s vintage 8-bit CP/M operating system. A direct descendant? More a bastard child: MS-DOS helped itself freely to many of CP/M’s design concepts, in some detail. But those were the days when Bill Gates could say that software patents had the potential to put the industry at “a complete standstill” and with good reason. If the sort of protection Microsoft now claims for itself had been available to CP/M then, Microsoft would never have created its monopoly, nor amassed a fraction of its power.

Hopefully Tom Tom now being a member of the Open Invention Network will give Microsoft pause for thought. As regards how the system currently works, I cannot put it better than how ZDNet sum it up:

The patent system is not just broken, it is poisonous. It works by fear, using the civil courts as cudgels in the hands of bullies.

Sadly I suspect it’s unlikely to change in the near future.. ­čÖü

Taxing Questions for Liechtenstein

I was listening to the BBC From Our Own Correspondent Podcast which had a great piece by John Sweeney about murky going ons in Liechtenstein. Part of it made me think that they’ve been going to the same school as Microsoft:

The next morning we heard that there was a banking seminar at the university on openness. This being Liechtenstein, the openness meeting was closed, at least to us.

John also has a wicked sense of humour..

Imagine my disappointment on discovering that Liechtenstein was, in fact, the most boring place on earth. I’m used to boredom – I work for the BBC, for heaven’s sake – but Liechtenstein was as dull as ditchwater, no duller. They bank behind closed doors. They create fuzzy trusts behind close doors. They make false teeth. And then they go to bed. The person who most looked like a ruthless killer was Howard, and he was the BBC producer.

Well worth a listen.. ­čśë

Hv3 – minimal browsing at its fastest

Wow, this is really impressive. After reading this LWN article about Hv3, a Tk/Tcl based web browser I decided to give it a go and it’s just great. Lightweight and blindingly fast!

Now this is a browser that’s still in alpha, so expect odd behaviour and bugs, but it’s still remarkably useable. The biggest issue I’ve had with it in a few minutes of playing has been that it doesn’t support HTTP authentication but that just stops me testing it on a couple of sites at work.

Well done folks, keep up the good work!

Using Internet Explorer ? Switch Browser Now!

Oh joy, the BBC is reporting

Users of the world’s most common web browser have been advised to switch to a rival until a serious security flaw has been fixed.

It’s yet another security hole in Internet Exploder, this time a heap overflow that works against IE 7 as well as IE 6 and the betas of IE8.

It’s being actively exploited too (again from the Beeb):

As many as 10,000 websites have been compromised since last week to take advantage of the security flow (sic), said antivirus software maker Trend Micro.

I’m pretty sure the writer meant flaw, not flow.. ­čÖé

Please use Firefox instead!

Spreadfirefox Affiliate Button

Ka-ching!

Now this is a monopoly lock in at work..

MICROSOFT will rip an estimated $70 million out of the aged care sector’s IT budget over the next 18 months as it forces users to pay full commercial rates for previously discounted software. Aged care providers are shocked by Microsoft’s decision to revoke their not-for-profit status, which gave them access to its products at a heavily discounted rate. As a result, Microsoft’s Office, Sharepoint and SQL server products are firmly entrenched in the sector’s IT infrastructure.

D’oh!

50%+ of Standards Norway Tech Ctte Resign Over OOXML Approval

Thirteen of the twenty three members of Standards Norway have resigned over its decision to recommend OOXML to ISO when 19 voted no and 2 voted yes for it (one of whom was Microsoft). The Inquirer has a rough Google translation of the letter, which says things like:

Standard Norway chose to defy their own technical committee and vote yes to a specification that is immature, useless, and unworthy of being called an ISO standard.

and the damning:

The administration of Standard Norway trust 37 identical letters from Microsoft partners more than their own technical committee.

Ars Technica describes that last issue as:

Standards Norway has defended its conduct and asserts that its vote in favor of OOXML approval was based on the outcome of a public inquiry in which a majority of the responses it received encouraged support of OOXML. The standards body has also admitted, however, that a significant number of those responses were identical submissions authored by Microsoft.

All the ex-members say they will continue to work towards meaningful standards outside of Standards Norway.

Microsoft goes back on IE8 standards promise for Intranet sites

So much for Microsoft promises, according to El Reg:

The dirty secret is buried deep down in the ┬źCompatibility view┬╗ configuration panel, where the ┬źDisplay intranet sites in Compatibility View┬╗ box is checked by default. Thus, by default, intranet pages are not viewed in standards mode.

The icon they’ve selected for standards compliant pages is also a little odd..

I do prefer El Reg’s idea that they use the ACID2 test image instead..