Microsoft investigates public IE CSS XSS flaw; Twitter, Hotmail vulnerable

September 8, 2010 by admin  
Filed under Microsoft, Wordpress News

Late last week, a security flaw in Internet Explorer 8 was publicly disclosed to the Full Disclosure mailing list. The flaw allows attackers to steal private information from online services such as web mail and Twitter and then, for example, delete e-mails or send tweets from their victims' accounts.

The post was made by Google employee Chris Evans. He stated that the reason for going public was to try to persuade Microsoft to fix the problem—the new flaw is a variant on an older attack, and the details of the flaw were made public in a paper authored by Carnegie Mellon students that Evans reviewed. While the other major browser vendors have made fixes to their browsers to prevent attack—Chrome 4.0.249.78, Safari 4.0.5, and most recently Firefox 3.6.7 and 3.5.11 all include protection against the flaw—Microsoft has thus far failed to update Internet Explorer to provide protection.



Etc: Newly discovered flaws in QuickTime 6 and 7 leave users running Internet Explorer on Windows XP, Windows Vista, and Windows 7 vulnerable to drive-by attacks.

September 1, 2010 by admin  
Filed under Microsoft, Wordpress News

Read More: ComputerWorld, Reversemode



Performance, stability fixes arrive for Windows 7, Server 2008 R2

August 31, 2010 by admin  
Filed under Microsoft, Wordpress News

In addition to releasing the most security bulletins ever on this month's Patch Tuesday, Microsoft has released a number of non-security updates, the majority of which are for the latest versions of its client and server operating systems. All the patches are available on Windows Update and the Microsoft Download Center and most will require a restart. With the exception of the last patch, they're all for Windows 7 or Windows Server 2008 R2.

Most of these updates will be rolled into Service Pack 1 for Windows 7 and Windows Server 2008 R2. Testers got the first Windows 7 SP1 beta build two months ago, but just today Microsoft sent out build 7601.17077 to selected PC and Technology Adoption Program partners, according to ZDNet.

The first patch (KB2028560) is vaguely described as one that delivers "new functionality and performance improvements for the graphics platform." 

The second patch (KB2249857) addresses an issue that occurs on hard disk drives of 2TB or larger. If the OS is configured to save dump files to a volume on such a drive, part of the dump file lies at a disk offset beyond the 2TB address, and Windows is either put into hibernation or crashes, then volumes on the drive may be corrupted and data lost. If the corrupted volumes include the system partition, the computer will no longer boot.

The third patch (KB982110) fixes a problem when running 32-bit applications on a 64-bit edition of Windows 7 or Windows Server 2008 R2. If the application uses the QueryPathOfRegTypeLib function to retrieve the path of a registered type library, it may return the path of the 64-bit version of the type library instead of the 32-bit one. 

The fourth patch (KB2272691) applies to a game, application, or firmware that is installed incorrectly, causes system instability, or has primary functions that do not work correctly. The update will either prevent incompatible software from running (a hard block, with the third-party manufacturer's consent), notify the user that incompatible software is starting to run (a soft block), or improve the software's functionality (an update). It lists just a single application (Sensible Vision FastAccess) as being affected.

The fifth patch (KB2203330) solves a problem that occurs when installing a third-party application for a multiple-transport Media Transfer Protocol (MTP) device or a Windows Portable Device (WPD). Connecting an MTP or WPD device may result in an APC_INDEX_MISMATCH stop error because of a race condition in the Compositebus.sys driver.

The last patch (KB979453) is for Windows Home Server and addresses five separate issues that were found since the release of WHS Power Pack 3.



Etc: Microsoft has released a preview build of Windows Small Business Server (codename Aurora) to testers on Microsoft Connect.

August 17, 2010 by admin  
Filed under Microsoft, Wordpress News

Read More: The Official SBS Blog, Ars Technica
