BREAKING NEWS: Microsoft issues 961509

Microsoft has issued a new security advisory about a possible way someone might be able to take your sensitive information using an invalid digital signature:

Microsoft is aware that research was published at a security conference proving a successful attack against X.509 digital certificates signed using the MD5 hashing algorithm. This attack method could allow an attacker to generate additional digital certificates with different content that have the same digital signature as an original certificate. The MD5 algorithm had previously shown a vulnerability, but a practical attack had not yet been demonstrated.

[via Windows Technet]

Microsoft states in the advisory that most companies are using the SHA-1 algorithm, but some are still using MD5 and should stop using it immediately. Microsoft says there are none in the wild, but you can bet that someone will do it sooner or later. Certificate Authorities should stop using MD5 and move to a much stronger algorithm. This is what Microsoft is saying, and they aren’t providing much information for the end user on how to avoid using MD5 certificates on your system. You can remove the MD5 certificate manually if you are a system administrator and want to protect the computers at the office. Please don’t do this unless you know what you’re doing; you could very well break your system if you did something like this.
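An added example (not from the advisory or the original post): a small Python check that reads the signature algorithm out of a certificate and reports the ones signed with md5WithRSAEncryption, so an administrator can see which certificates are affected before changing anything. The sample inputs are constructed DER skeletons rather than real certificates, and the function names are this example's own.

```python
import base64

MD5_WITH_RSA = "1.2.840.113549.1.1.4"  # OID of md5WithRSAEncryption

def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode the content bytes of an OBJECT IDENTIFIER into dotted form."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_oid(data):
    """Signature algorithm OID of a certificate given as PEM or DER bytes."""
    if data.lstrip().startswith(b"-----BEGIN"):
        lines = data.strip().splitlines()[1:-1]  # drop BEGIN/END lines
        data = base64.b64decode(b"".join(lines))
    outer, cert, _ = read_tlv(data, 0)   # Certificate ::= SEQUENCE
    _, _, pos = read_tlv(cert, 0)        # skip tbsCertificate
    _, alg, _ = read_tlv(cert, pos)      # signatureAlgorithm
    tag, oid, _ = read_tlv(alg, 0)       # algorithm OBJECT IDENTIFIER
    if outer != 0x30 or tag != 0x06:
        raise ValueError("not an X.509 certificate structure")
    return decode_oid(oid)

def md5_signed(certs):
    """Names in {name: cert_bytes} whose signature algorithm is MD5 with RSA."""
    return [n for n, c in certs.items() if signature_oid(c) == MD5_WITH_RSA]

# Constructed sample data: minimal DER skeletons, not real certificates.
def skeleton(last_arc):
    alg = bytes.fromhex("300d06092a864886f70d0101") + bytes([last_arc, 5, 0])
    body = bytes.fromhex("3003020101") + alg + bytes.fromhex("03020000")
    return bytes([0x30, len(body)]) + body
SAMPLES = {"legacy-server": skeleton(4), "current-server": skeleton(5)}
print(md5_signed(SAMPLES))
```

To use it on real files, read each certificate with `open(path, "rb").read()` and pass the resulting dictionary to `md5_signed`.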

Microsoft Knows about the SQL Bug — KB961040

Microsoft confirmed some information about this little SQL bug and issued a statement in Security Advisory 961040, in which Microsoft said:

Microsoft is investigating new public reports of a vulnerability that could allow remote code execution on systems with supported editions of Microsoft SQL Server 2000, Microsoft SQL Server 2005, Microsoft SQL Server 2005 Express Edition, Microsoft SQL Server 2000 Desktop Engine (MSDE 2000), Microsoft SQL Server 2000 Desktop Engine (WMSDE), and Windows Internal Database (WYukon). Systems with Microsoft SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 Service Pack 3, and Microsoft SQL Server 2008 are not affected by this issue.

[via Microsoft Technet]

One researcher, Bernhard Mueller, is claiming that Microsoft has the patch available and ready to fix this bug. According to him, the patch is done but isn’t scheduled to be released yet. I don’t know when they will patch this, but if Techworld is right it will be an out-of-cycle patch. I am sure that if Microsoft does release it in cycle then it will be this coming patch cycle. January 13, 2009 is the next cycle of patches for Microsoft, and it should be available at 10pm PST. If Microsoft doesn’t release the patch soon they will undoubtedly wait till Patch Tuesday. In my previous article I talked about the workaround to a point, so if you are using an SQL server you need to apply this workaround.

Upcoming CES 2009 — Juicy Stories

So we are getting close to CES, or Computer Electronics Show to some. This is going to be a very interesting year, due to the depressing economy. So I wanted to talk about some of the upcoming announcements at CES so people could get ready for the upcoming 2009 show:

  • Skype will announce free US and Canada calling to cellular numbers or landlines. This will undoubtedly be an ad-supported service and have a limited amount of minutes per call. This will be good for people on the road who need to make a quick call here and there without having to pay for anything. They have given some of the tidbits out already but I can’t wait to find out what else they will announce at CES.
  • Windows 7 Beta — People seem to think they will release the beta the same day they announce it, just like they did at the PDC (Professional Developers Conference), and also give it out to people at CES. Although that might work to a point, it will be very hard for people to get into the beta. There is a list brewing of people wanting to get onto the beta in the Microsoft Connection Community Site. I can’t wait for next month but I am sure it is going to be nice.
  • Windows Live Beta — Here is another Microsoft product that might also be combined with Windows 7. It is a possibility and might be integrated into Windows 7 for some, but I am not sure what will happen all too much. I am sure they will announce something about this at CES and only time will tell.
  • IE 8 Beta — Although this isn’t something unexpected, it will be interesting to see how they throw this one out to testers, because they will undoubtedly test it on Windows 7 and they will be sending these out at the same time. I think they will also be integrating this into the Windows 7 Beta release as if it will be on the new system. I do not know what they are going to do but I am sure something will happen.

This is just a small bit of possible outcomes, and there is still more to come. I wanted to point out that these are not confirmed and should be considered a rumor, nothing more, nothing less. Don’t put too much money on what will happen. We do know that the betas are probably going to come out, due to Microsoft announcing these to be out by the first of the year. Only time will tell what will happen in the coming year though. I can’t wait to find out what happens.

Microsoft released KB960714 to fix THE IE Problem

This is the update to fix the IE vulnerability, and if you have any questions please make sure to check my other post about this little update. This was sent out today and should be patched ASAP on all systems. If you want to patch the easy way, I suggest downloading Clone to Autopatcher. This seems to help make an ISO file on a DVD so you don’t have to update a system the old way.

Microsoft to Release KB961051 on Dec 17, 2008

According to McAfee, and I will quote:

December 16, 2008: Microsoft has announced an out-of-cycle patch release for a critical, remote-code-execution, vulnerability in Microsoft Internet Explorer (CVE-2008-4844). The patch, to be released on December 17, will address the vulnerability across multiple versions on Internet Explorer running on supported Windows platforms.

[via McAfee Threat Center]

From what I am understanding it will be KB961051 and will be a critical update on all Windows platforms. Microsoft issued a security advisory for this on their TechNet support website. This will probably be put online sometime tomorrow and will be available to download after 10am PST, although this is just a rumor, because when I go to that article they talk about the workaround and how to fix it temporarily until they release the patch. This is related to the IE vulnerability that is in the wild and has been causing havoc on the internet.