New IE security holes

http://www.computerworld.com.au/index.php?id=117316298&eid=-255

Two new vulnerabilities have been discovered in Internet Explorer which allow a complete bypass of security and provide system access to a computer, including the installation of files on someone’s hard disk without their knowledge, through a single click.

Worse, the holes were discovered by analyzing an existing link on the Internet, and a fully functional demonstration of the exploit has been produced and shown to affect even fully patched versions of Explorer.

It has been rated “extremely critical” by security company Secunia, and the only advice is to disable Active Scripting support for all but trusted websites.

As I’ve been saying for a long time, IE simply has too many security issues to be trusted as an internet browser. Most of the issues are due to the Windows integration features. If you disable all that stuff, a lot of the fancy IE-only code on websites won’t work anyway. To make IE safe, you basically end up removing most of the proprietary stuff that other browsers like Mozilla and Opera don’t have. Might as well get a browser that has other features going for it, rather than a few tricks that have to be disabled for security issues.

I’ve heard that Opera 7.5 is pretty good, but it’s closed source adware. I personally prefer Mozilla’s open source approach, which brought about Firefox. FYI, Firefox used to be Firebird, which used to be Phoenix. Phoenix was started by someone else who took the source code to the Mozilla suite and shaved it down to just the browser stuff. It seemed to be such a good idea that the Mozilla team accepted it, and plans to move the Mozilla suite to a package of separate programs instead of one huge executable.

http://www.theregister.co.uk/2004/06/10/ms_inpatched_ie_flaw/ has more info on the vulnerability too. VirusScan did catch it as VBS/Psyme when I downloaded a copy of the exploit to examine. However, the harmless demo didn’t trigger any alerts, so I’m guessing that this specific exploit just happens to use an old payload – updating that script or using a different one would probably let it slip past virus scanners.

eBay rant

This rant isn’t about eBay itself, this rant is about people ranting about eBay. I’ve heard some other people complaining about eBay lately, and their issues with it really boil down to them not doing it right.

A big issue is the person getting sniped. At the last second, someone outbid them by $1. They would have paid another dollar to get the item, but they weren’t sitting at the PC or they couldn’t bid again in time before the auction ended. The core of the problem is that the person placed a lower bid than what they were really willing to pay. If you’re willing to pay $100, you’re probably willing to pay $102 to outbid the guy that said $101. But if he’s willing to pay $101, he’s probably willing to pay $103 to outbid you again. And it just keeps going back and forth, raising the price. If you’re willing to go up to $110 this way, then just put $110 in as your bid to begin with. If you put in an honest max bid, then there are only two possible outcomes – you either win the item for that price or lower, or you lose because someone else was willing to spend more than you.

I’m not sure why people put in lower bids. I guess they’re just entering the amount they want to spend, rather than the highest they’re willing to spend. If you want to spend $80, but you’re willing to go up to $100 in a little bidding war, then just enter $100. You really have to be willing to spend $100 to get the item. As long as you really aren’t willing to spend more than that, there’s no stress involved. You either get the item or it’s too expensive. With a real auction, you have to raise your paddle every ten seconds to outbid the other guy. eBay’s proxy bidding system automatically raises your paddle (up to your max bid) to beat whoever just outbid you. Nobody can see your max bid, so don’t worry about the other guy just bidding $1 more than that. He has no way to see what your max bid is, just like you have no idea how high he’s willing to go.

Somebody else posted a good suggestion for eBay bidding. If you’re really interested in an item, place a low bid early on. This is basically just for tracking, though you may end up getting it for next to nothing. During the auction, think about how much you’re really willing to spend to get the item. Don’t forget to include shipping costs. Nothing like winning something $10 cheaper than at the store, then noticing that shipping is $20. Toward the end of the auction (with 24 hours left or so), enter your max bid, even if you’re still the highest bidder. Sit back and see how it unfolds. Just as I stated above, the only two possible outcomes are that the price will jump up over the maximum you were willing to spend, or you’ll get the item at or below your max bid.

See? Nothing to it…

Another neat util

I just found Notepad2 from a Lockergnome RSS feed. I’ve only used it for a grand total of about two minutes, but it looks pretty good so far.

What’s this?

The original Notepad shipped with Windows is probably the handiest program of all time: small, fast, without frills! Notepad2 tries to follow this principle; it’s a small, fast and free text editor with syntax highlighting for HTML and other common languages.

Features

• Customizable syntax highlighting:

    • HTML, XML, CSS, JavaScript, VBScript, ASP, PHP, Perl/CGI

    • C/C++, C#, Java, VB, Pascal, Assembler, SQL, Python, NSIS

    • INI, REG, INF, BAT, DIFF

• Drag & drop text editing inside and outside Notepad2

• Basic regular expression search and replace

• Useful word, line and block editing shortcuts

• Rectangular selection (Alt+Mouse)

• Brace matching, auto indent, long line marker, zoom functions

• Support for Unicode, UTF-8, Unix and Mac text files

• Open shell links

• Mostly adjustable

It appears to offer more features than NotePad+, which I’ve used for quite a while. It also seems to be even faster. The “Windows 2000 Issues” page for NotePad+ is still handy if you want to replace the default notepad.exe with Notepad2 and have to get around Windows’ built-in file protection. I’ll have to use Notepad2 some more, but it doesn’t look good for NotePad+ at the moment.

It’s also open source. If there’s something you don’t like that can’t be changed from within the program, you can edit the program itself.

Changed an RSS feed

I replaced the SecurityNewsPortal RSS feed on the left with the Microsoft Security Bulletin feed. SNP seemed like a good idea, but they don’t seem to do a whole lot of updates, and the RSS isn’t even kept in sync with the site. I figure having MS bulletins there will be more helpful overall.

Tribes1 and Tribes2 released for free

I never really got into them, but the price is right. =) They are/were very popular in some groups, and being a few years old now, Tribes2 should even run on mediocre (by today’s standards) PCs.

http://www.filerush.com/torrents/tribes_gsi.exe.torrent is the BitTorrent for Tribes1. See http://www.fileplanet.com/files/140000/140246.shtml for more info.

http://www.filerush.com/torrents/tribes2_gsi.exe.torrent is the BitTorrent for Tribes2. See http://www.fileplanet.com/files/140000/140247.shtml for more info.

If you haven’t heard of BitTorrent, check out the intro for a brief explanation. Basically, each downloader also shares the file with other downloaders. Rather than having one server acting as the sole source, the clients can each download different parts of the file from different sources. Let’s say a server has a file available that takes 100 minutes to download. With BitTorrent, 10 users could each download 1/10 of the file in 10 minutes. After everyone has downloaded for 10 minutes, there’s now a whole second copy of the file available on the network. The original server could die then, and everyone could still get the file. This is a great way to spread download traffic off one central server. The only problem is that setting up a file to be distributed via BitTorrent isn’t as easy as just plopping the file on a server somewhere. That’s another one of my great ideas that will probably never get anywhere: an all-in-one system where the owner of the server can just plop a file in a directory, and the BitTorrent server program would automatically take care of all the other related stuff.

Since there’s still over an hour wait to download the files from FilePlanet, I’m sure they appreciate me giving a little bit of my bandwidth to help out their overloaded servers. Do your part to help, and don’t use FilePlanet’s servers. =)

MS vulnerability worm out now

W32/Sasser.worm is out and about now, taking advantage of the Windows holes I mentioned in the previous entry. If for some reason you haven’t patched yet, you’d best do so. This is being compared to Blaster. If you aren’t familiar with Blaster: even to this day, it’s such a problem that many unpatched PCs are infected within seconds of being connected to the internet.

Exploits for MS04-011 in the wild *PATCH NOW*

http://isc.sans.org/diary.php?date=2004-04-15

Dave Aitel of Immunity Security has stated publicly that they have released working exploits of two vulnerabilities patched by MS04-011 to their CANVAS customers:

http://lists.immunitysec.com/pipermail/dailydave/2004-April/000500.html

The LSASS.EXE vulnerability can be exploited to run arbitrary code with system privileges on vulnerable servers. eEye Digital Security has more details and also confirms the ability to run arbitrary code with system privileges using this vulnerability:

http://www.eeye.com/html/Research/Advisories/AD20040413C.html

Immunity’s claim that they have a working ASN.1 exploit has not been directly confirmed, but we have several anonymous confirmations that working exploits exist.

IT IS IMPERATIVE THAT THE PATCHES PROVIDED BY MICROSOFT IN ITS APRIL SECURITY RELEASE BE APPLIED TO SYSTEMS AS SOON AS POSSIBLE. It is our belief that the likelihood of a worm being released SOON that exploits one of the vulnerabilities addressed by these patches is VERY HIGH.

http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx is the MS bulletin.

You’ve been warned. Get your stuff patched ASAP.

New "Get Paid to Do Distributed Spamming" technique

http://slashdot.org/article.pl?sid=04/04/14/1415217

Lathiat writes “It seems that spammers have taken a new distributed approach to sending spam, and you get paid for it. Virtual MDA will pay you $1 per CPU hour their program is running to relay spam around the world. Obviously this is not something you should do; most users are all too familiar with the atrocity of sorting through up to hundreds of spams a day just to find one real email. Although it has been previously reported that some users love spam, I for one don’t. Is there any way end users can fight back against people like this?” At $1/hour, this sounds like a low-gain way to infuriate both your friends and perfect strangers.

As many comments there suggest, doing this on your PC is most likely prohibited by your ISP’s TOS, and the act of spamming is possibly illegal too. It will definitely get your PC put on spammer blacklists. The cash is pretty tempting, but you should only do it if you don’t mind having all your legitimate email blocked, losing your internet service, and/or being convicted of a crime. They also have this neat little clause in the contract where if they happen to lose your account info, it gets reset to $0.00. Wouldn’t it be funny if every time just before you got to the $50 cash out, their DB screwed up and your account got reset? Also note that it’s per CPU hour, not actual hour. Most of the email sending is going to be network traffic, not actual processing. It will take a long time to generate one hour’s worth of CPU usage with this program.

Then again, a bunch of people have already found ways to turn this against them. Use a firewall to block the outgoing spam, so you still get paid (in theory) but no spam is actually sent anywhere. Sign up for this and just collect the spam they try to send to add to spam filters.

http://www.virtualmda.com is the site. You’ll have to cut and paste the URL if you want to go there. I realize that even bad publicity is still publicity, but I think that most people reading this should now understand this situation. If you know what you’re doing, you can use this for good. If you don’t know what you’re doing, participating in this program (even exactly as intended) is very likely to get you in trouble in one form or another. Also, the site is currently slashdotted. =)

I’m a little bit famous again!

It happened again. I’m mentioned by someone more-famouser-than-me. This time it’s at WindowsDevCenter. It’s an article about filtering out web ads, and I’m mentioned on the second page for contributing a .reg file that adds an option to IE to change one of the settings required for a PAC filter to work. Proxy Auto Configuration allows for dynamic proxy usage (i.e. use Proxy A for these URLs, but use Proxy B for those URLs), but IE doesn’t check the PAC file for every request by default – it checks each server once, then reuses that result for everything else from that server. Obviously, that’s bad if you’re trying to keep the good content from a server but block ads and other junk on the same server.

Also, the .reg file has been updated to a .inf file. Same thing, different format. It’s been a while since I even looked at these (since I only use IE when I’m forced to), but I believe the .inf adds an icon to the menu item also. Because MS moves the icons around inside files between different versions (i.e. #123 might be a globe in this version of the file, but #123 in the next version is a computer), it might not look right. I think I ended up with one that didn’t look too out of place for the menu option, but seemed to be consistent across a few versions. I make no guarantees though.
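As an added example (my own, not the article’s PAC file or the .reg/.inf from the post), here is the kind of per-URL PAC rule the ad filter relies on, plus a small model of IE’s default per-server caching that shows why that setting has to be changed. The ad patterns, the blackhole proxy address and the `shExpMatch` stand-in are assumptions; real browsers supply `shExpMatch` themselves.

```javascript
// Added example; not the original post's .reg/.inf nor the article's PAC file.
// A PAC file exports FindProxyForURL(url, host). Browsers provide helpers such
// as shExpMatch; the version below is a stand-in so the file also runs in Node.
function shExpMatch(str, pattern) {
  // Shell-style glob: '*' matches anything, '?' matches one character.
  const re = "^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                          .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

// Constructed ad URL patterns (assumption, not a real block list).
const AD_PATTERNS = ["*/ads/*", "*/banners/*", "http://ads.example-adserver.net/*"];

// Send junk to a local port where nothing listens so the request fails fast.
// Real content on the same host goes DIRECT. The address is an assumption.
const BLACKHOLE = "PROXY 127.0.0.1:1";

function FindProxyForURL(url, host) {
  for (const pattern of AD_PATTERNS) {
    if (shExpMatch(url, pattern)) return BLACKHOLE;
  }
  return "DIRECT";
}

// Model of IE's default behaviour described above: the first result for a
// server is remembered and reused for every later URL on that server, so
// per-URL rules only take effect once that caching is switched off.
function resolveUrls(urls, perHostCache) {
  const cache = {};
  return urls.map((url) => {
    const host = new URL(url).hostname;
    if (!perHostCache) return FindProxyForURL(url, host);
    if (!(host in cache)) cache[host] = FindProxyForURL(url, host);
    return cache[host];
  });
}
```

With caching on, whichever URL from a host is seen first decides the fate of every later URL from that host: ads ride through on a DIRECT result, or the real pages get blackholed.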