Firefox 2.0

The latest incarnation of the Firefox browser is nearing release. Version 2.0 brings with it a smattering of nifty features as well as an updated UI and enhanced add-on handling.

I’m particularly fond of the built-in spell checker which comes in really handy. It works in a fashion similar to how the spell checker in MS Office and OpenOffice works. Each misspelled word is underlined in red. When you right-click on the underlined word, Firefox pops up a list of suggestions. You can choose one of the suggested replacements, or add the word to your dictionary. The spell checker only checks text boxes by default, but you can right-click on any text entry field to force a spell check.

The new UI places a close icon on each tab, allowing you to close a tab in a rapid fashion. I can see this causing slight problems with people that are too quick to click as it doesn’t prompt you to close the tab. If you have a large number of tabs open, it begins to suppress the close button on all but the current tab. There is also a drop down on the far right side of the tab bar that shows you all of the open tabs in a list, allowing you to read the full title before jumping to the tab you need.

Firefox now defaults to opening all links in new tabs instead of new windows. I prefer this behavior to simply opening new windows. In addition, the popup blocker has apparently been enhanced. Since installing 2.0, I have not seen a single popup.

The default search bar now supports suggestions. As you type, the search engine you have chosen will offer suggestions for search terms, helping you find the information you want. This is the same technology that Google uses for Google Suggest. The new search engine manager allows you to add in additional search engines as well.

Overall, I think this is a real positive step in Firefox’s evolution. You should check it out, it’s a really great browser!

Think of the Children!

Wil Wheaton (Wesley from Star Trek) wrote an entry in his blog the other day about the current state of our government. This got me to thinking and I thought I’d toss out my thoughts as well. This is the first political statement I’ve made in this blog and I’m hoping it doesn’t become a habit.

I don’t much like politics and I try to avoid it whenever I can, but sometimes it’s necessary to dive in for a short time. Our country was founded on a few important principles. I’m sure you’ve heard them before, Life, Liberty, and the pursuit of happiness. The first congress did everything in their power to create a stable, secure government. But, they knew that nothing is perfect and put in provisions to allow for changes to the founding principles. Since that time our government has been progressing ever forward towards the very form of government that we seek to eradicate.

The September 11th tragedy is being manipulated and twisted in ever more horrible ways as our government seeks to strip us of our liberties, all in the name of security. From illegal wiretapping to prisoner torture. And now they seek to make both of these things legal! For example, our illustrious president is seeking to have a bill passed to allow warrantless wiretapping. Thus far, this bill is intended to allow wiretapping only for suspected terrorist activities, but once the door is open… *sigh* With cries of “protect the USA” and “think about the children”, the government seeks to strip us of our rights and create what is essentially a police state.

Other liberties are at risk as well. Are you aware that the government is currently seeking to pass a bill that forces ISPs across the US to keep detailed records of all internet activity? We’re talking more than just the standard radius records that are used to tie a user and IP together. This bill seeks to force ISPs to keep records of IM conversations, web browsing, email, and anything else they can use to “fight child pornography.” I work for an ISP and I can’t figure this out. They want this data recorded in advance of any wrongdoing. In other words, guilty until proven innocent. All they need is a warrant to go digging through all that data! I’m sure it will start out with a warrant that specifies exact IP addresses and time frames, but that will quickly change. I’ve had to deal with warrants that are very vague about what they want. In other words, give me EVERYTHING that deals with this IP between these two times. And, of course, if they find anything else out during their legal search then they can act on that. Imagine what can happen if they suspect a pedophile used your system between 1am and 4am on Saturday, but they don’t know the exact IP. And then they ask for everything between those times! Imagine the possibilities. Perfectly innocent people are at risk here!

“Well think of the children!” Yes, let’s. I will agree that if the data is already available, it may be quicker to pull a predator off the streets. However, we’re dealing with child pornography here. Most of these cases deal with people downloading the porn. In that case, it’s safe to assume that they will do it again. Getting a warrant that asks the ISP to capture the data for a period of time is perfectly valid at that point. Besides, most ISPs retain logs for at least a week anyway. This is done purely for statistical and debugging purposes, but that should be plenty of time to get a warrant. Or, try this one out. How about creating something specific to the computer industry called a suspicion warrant. When served with one of these, the ISP starts collecting data. That data is not available to the police force until a “real” warrant is obtained via the court system. This at least gives the police a chance to save any data that may be rolled off after a period of time. Again, this is something I would be more than happy to do for the police if it helps get these predators off the street.

Well, enough ranting. The long and short is this. The government is trying to steal away our liberties, all in the name of good causes. And put that way, it makes you look like the bad guy if you don’t agree and fight against it. But please, if you truly care about this country and the freedoms you have, look hard at the issues. Vote in the next election and make your voice heard. I won’t tell you who to vote for, and beyond the above, I won’t even hint at it. Just get out there. Do a little research, and make your voice heard!

ZERT Patch for IE Vulnerability

ZERT is back at it again. They’ve released a patch for the latest Microsoft Internet Explorer vulnerability. Actually, it’s more of an automated script that disables the ActiveX controls that are vulnerable. Much easier than hand-editing the registry. Check it out if you use IE.

Small but amazing PC Games

There’s a post over at LetsKillDave about a small, 96kb, game called .kkrieger. It’s more of a demo than anything, but still interesting. It’s pretty amazing what computers can do these days. As I understand it, all of the graphics and levels used within the game are generated using procedural content generation. Essentially, they’re created using a mathematical algorithm. Quite amazing stuff.

I’d like to highlight some other really great games as well. Each of these is pretty small, the largest weighing in at just over 2 megs. They’re incredibly fun to play and very well written. The first two are written by Hikoza.T.Ohkubo.

Ray Hound is a unique 2D shooter where the object is to destroy the turrets that are firing at you. Problem is, you have no weapons. So, you use a tractor beam of sorts to capture the missile fired at you and sling it back at the turret. It takes a few minutes to get used to, but once you do, it’s incredibly addictive.

Warning Forever is a top-down shooter similar to 1942. The biggest difference is that there is no general gameplay, it’s all boss battles. And depending on how you destroy each boss, the next boss is adapted to defend against the strategies you used to kill the previous bosses. There’s a great article over at Wikipedia describing how the bosses evolve.

The last game is called Cave Story. I don’t know who wrote the game, but all the information you need to download and run it can be found here. This is quite the amazing side scroller, reminiscent of Castlevania or Wonderboy. I’ve played through once so far and found the story to be pretty deep and engaging. I’m planning on checking it out again as there are apparently multiple endings. It’s a pretty addictive little game and I suggest checking it out!

Holy Pink?!?

You’ve probably noticed the pink by now. Yeah, it’s a little blinding, but it’s for a good cause. There’s a site called Pink for October which is all about breast cancer awareness. Being a guy and liking breasts just as much as the next guy, I thought I’d try to help out a little. If you have your own website, perhaps you’ll join as well. Every bit of awareness helps!

More IE Exploits

Another day, another Microsoft exploit. This time it’s an exploit in the WebViewFolderIcon function. So far this only seems to affect Internet Explorer, or more accurately, ActiveX. The vulnerability in this instance is an integer overflow in the COMCTL32.DLL file which means that other attacks, possibly more serious, may be on the way. COMCTL32.DLL is the “Common Controls” library used in many Windows applications. This is the same library that displays the list boxes, combo boxes, etc. in Windows. Saying this is an important DLL may be quite the understatement.

The Internet Storm Center has more details about this vulnerability and some recommendations as to how to fix it. In short, they suggest keeping your Anti-Virus up-to-date, and setting some killbits. Killbits, however, are not for the faint of heart. Unless you really know what you’re doing, my suggestion is to drop IE for the time being and switch to another browser. Firefox is my browser of choice, but you can use whichever you’d like. If you absolutely need to use IE for specific web pages that you can trust, then I suggest checking out Firefox and the IE Tab extension. With that, you can create a list of sites that will be displayed in IE while the rest are displayed using the Firefox engine.

Microsoft has acknowledged the vulnerability and is working on a patch for it. Again, they promise an October 10 release. Hopefully they see reason once again and can patch this as soon as possible.

IE VML Exploit Update

Kudos to Microsoft for releasing a patch for the recent VML security bug (CVE-2006-4868). The patch is available for download via the MS06-055 Security Bulletin they released earlier today.

I’m impressed that they thought this was a severe enough problem to warrant an earlier release than the October 10th date they stated in the original Security Advisory. They have updated the original advisory and removed most of that content, however, so you’ll just have to take my word for it. And, funnily enough, they apparently used the cut and paste approach as the current revision points this out as the “Powerpoint Mso.dll Vulnerability” and not the Vgx.dll vulnerability. Well, no one’s perfect.

Now get out there and patch! And while you’re at it, check those anti-virus definitions and make sure those are up to date. And if you don’t already have some sort of firewall, get one!

Internet Explorer VML Vulnerability

Looks like there’s yet *another* IE vulnerability on the loose. This particular vulnerability uses a bug in VML (Vector Markup Language) to cause a buffer overflow and allow the attacker to gain access to the system. I’m a little late to the scene, but this was initially reported on September 18th. But FEAR NOT! Microsoft has happily released a security advisory in which they explain that they know about the vulnerability, and that they’ll release a patch on October 10th.

.

.

.

Umm.. October 10th? That’s almost a month *AFTER* the report was made public.. This happens to be a really nasty bug that can cause your computer to be completely compromised and they admit to knowing about code in the wild exploiting this bug!

The person who reported this was not being irresponsible and revealing a “potential” security issue to the hacker community. Quite the opposite, in fact, they were reporting a known in-the-wild exploit with the intention of informing the masses so they could act accordingly. For Microsoft to not release a patch quicker, or even publish some viable mitigation strategy is incredibly irresponsible. At the very least they could explain how to unregister the VGX.DLL file that is the source of the exploit. Luckily, Sunbelt has instructions on how to do this.

If you’re interested in a better solution, ZERT (Zeroday Emergency Response Team) has created a patch to fix the problem. Be aware that this is not sanctioned by Microsoft and is supplied As-Is. However, if you rely on IE and want a reasonable sense of security, this may be your only choice until the behemoth from Redmond decides to release an “official” patch.

My recommendation? Switch to something else. There’s Firefox (my personal choice), Opera, and others. IE just has too many problems.

If you’d like to read more about this vulnerability, check out these links:

SunbeltBLOG – These are the guys that first reported the problem

TaoSecurity – A report about ZERT and how they’re proving that the closed source security model is broken

eWeek – A report about the vulnerability and the patch that ZERT created

I also want to point out that I’m not necessarily anti-Microsoft. I believe they’ve helped out the computer industry in many ways. However, I dislike many of their practices, and this is definitely one of them. It’s important for any software developer to release security patches when necessary. It is of utmost importance for a closed-source developer to release security patches as fast as possible because they’re the only ones who can truly patch the hole. Open source allows anyone, with the necessary skills, to patch the hole. I’m not saying Microsoft should open-source Windows, but maybe they should work a little harder to put together patches with more speed.

Windows XP ISO Mount Utility

I was looking around earlier today for a tool that would allow me to mount .iso images in Windows XP. I stumbled across a tool Microsoft wrote called the Virtual CD Control Panel. Unfortunately I can’t seem to find a page on the Microsoft web site that directly references this tool, but it is a download from a Microsoft site, and it made it through my virus checker, so my best guess is that it’s ok.

It’s pretty easy to install. Copy the VCdRom.sys file into your system32\drivers folder and then run the executable. From there use the Driver Control button to load and start the driver and then you can add virtual drives that can be used to mount .iso files. Simple!

Just thought I might share my find. I find it extremely easy to mount .iso files in Linux and wanted something on the Microsoft side as well.