Bink Newsflash 20

 

http://www.bink.nu

 

http://www.windowsxp.nu

 

in collaboration with

 

Hi,

 

Merry Christmas everyone! This will be the last newsletter of 2001, and I write it just before I go on an 8 day trip to the sun :-). The next newsletter will be sent in the style of my company's website: http://www.it-solutions.nl

 

 

 

Email turns 30

 

This email is sent out to about 8500 subscribers; it takes less than an hour to send most of it out. Amazing to reach so many people in so little time. Who would have imagined that 20 years ago? Actually, e-mail just turned 30!

"Today, almost 10 billion electronic mail messages are sent each day around the world, but 30 years ago, email was still a nascent technology with no clear future. To be fair, email existed in the 1960s, but it wasn't until 1971 that a computer scientist devised a way to send email from machine to machine over a network. In fact, the first implementation was called network mail for obvious reasons, and use grew slowly until developers added features such as Reply (originally Answer) and Delete."
 News source:  Wininformant

At the bottom of this message is a sent report of the Lyris email list server of sunbelt  which sends my newsletter.

 

Download mirrors

 

Getright is a download manager and accelerator; it was one of the first software tools I actually bought. In the days of 33.6 modems the resume capabilities were a powerful tool to get large files, which you could download over a week while only being online when you wanted. It uses multiple threads to get the download and automatically searches for mirrors of the file you want to download. That way you get a faster mirror site, so your file is ready more quickly.

Getright website

Now Getright has a site where you can search through their file mirror database! So without the download manager you can search mirrors yourself.

Check it out: http://www.filemirrors.com

 

 

Internet Explorer 6 Service Pack 1 Beta leaked

 

I was surprised by the time it took before this one leaked out. I don't recommend installing this pack because it is still in beta, but for the beta freaks among you here is a link found at www.iexbeta.com. For the rest of you, read the next section!

ftp://ftp.iexbeta.com/ie6/ie6sp1_b1114_w2kxp.zip

 

Cumulative Patch for IE

 

This patch is a must for all of you IE users!

 

This is a cumulative patch that, when installed, eliminates all previously discussed security vulnerabilities affecting IE 5.5 and IE 6. In addition, it eliminates three newly discovered vulnerabilities.

  • The first vulnerability involves a flaw in the handling of the Content-Disposition and Content-Type header fields in an HTML stream. These fields, the hosting URL, and the hosted file data determine how a file is handled upon download in Internet Explorer. A security vulnerability exists because, if an attacker altered the HTML header information in a certain way, it could be possible to make IE believe that an executable file was actually a different type of file -- one that it is appropriate to simply open without asking the user for confirmation. This could enable the attacker to create a web page or HTML mail that, when opened, would automatically run an executable on the user's system. This vulnerability affects IE 6.0 only. It does not affect IE 5.5.
  • The second vulnerability is a newly discovered variant of the "Frame Domain Verification" vulnerability discussed in Microsoft Security Bulletin MS01-015. The vulnerability could enable a malicious web site operator to open two browser windows, one in the web site's domain and the other on the user's local file system, and to pass information from the latter to the former. This could enable the web site operator to read, but not change, any file on the user's local computer that could be opened in a browser window. This vulnerability affects both IE 5.5 and 6.0.
  • The third vulnerability involves a flaw related to the display of file names in the File Download dialogue box. When a file download is initiated, a dialogue provides the name of the file. However, in some cases, it would be possible for an attacker to misrepresent the name of the file in the dialogue. This could be invoked from a web page or in an HTML email in an attempt to fool users into accepting unsafe file types from a trusted source. This vulnerability affects both IE 5.5 and 6.0.

IE 6 Download FileSecurity Update

 

IE 55sp2 Download FileSecurity Update

 

Other IE bugs with no fix yet:

SecurityTracker is reporting that a flaw has been reported in the "document.open()" function of IE which lets a remote user steal cookies, read local files and spoof web sites...

Vulnerable software: IE 6.0.2600.0000 + Windows 2000 Update Versions: Q312461; Q240308; Q313675

A remote user can create HTML containing scripting that uses the document.open method but not the document.close method. Then, when this code is executed on another user's browser, the code can steal cookies, read local files that are parsable by IE (i.e., text/html MIME types), and spoof other web sites.

Example code can be found at the link below. Microsoft have been notified (via secure@microsoft.com on the 19th December 2001), but as yet, no fix has been produced.

News source:
Security Tracker
View:
IE Document.Open() Advisory from www.osioniusx.com

Also, another vulnerability has been found, this one concerns "Cross-Frame, About Pluggable Protocol, Security Zone Spoofing". By appending merely a percent sign after an about url which has opened in a window you can access some elements of the previous document's document object model.

Vulnerable: IE 6.0.2600.0000 + Windows 2000 Update Versions: Q312461 IE 5.50.4134.0100 Update Versions: q269368 + Windows ME

Example code can be found at the link below. Microsoft have been notified (via secure@microsoft.com on 11th December 2001), but as yet, no fix has been produced.

View:
Vulnerability Notice: IE About:,Security Zone Advisory from www.osionusx.com

 

Unchecked Buffer in UPnP can Lead to System Compromise

Microsoft strongly urges all Windows XP customers to apply the patch immediately. Customers using Windows 98, 98SE, or ME should apply the patch if the Universal Plug and Play service is installed and running.

The Universal Plug and Play (UPnP) service allows computers to discover and use network-based devices. Windows ME and XP include native UPnP services; Windows 98 and 98SE do not include a native UPnP service, but one can be installed via the Internet Connection Sharing client that ships with Windows XP. This bulletin discusses two vulnerabilities affecting these UPnP implementations. Although the vulnerabilities are unrelated, both involve how UPnP-capable computers handle the discovery of new devices on the network.

The first vulnerability is a buffer overrun vulnerability. There is an unchecked buffer in one of the components that handle NOTIFY directives -- messages that advertise the availability of UPnP-capable devices on the network. By sending a specially malformed NOTIFY directive, it would be possible for an attacker to cause code to run in the context of the UPnP service, which runs with System privileges on Windows XP. (On Windows 98 and Windows ME, all code executes as part of the operating system). This would enable the attacker to gain complete control over the system.

The second vulnerability results because the UPnP doesn't sufficiently limit the steps to which the UPnP service will go to obtain information on using a newly discovered device. Within the NOTIFY directive that a new UPnP device sends is information telling interested computers where to obtain its device description, which lists the services the device offers and instructions for using them. By design, the device description may reside on a third-party server rather than on the device itself. However, the UPnP implementations don't adequately regulate how it performs this operation, and this gives rise to two different denial of service scenarios.

In the first scenario, the attacker could send a NOTIFY directive to a UPnP-capable computer, specifying that the device description should be downloaded from a particular port on a particular server. If the server was configured to simply echo the download requests back to the UPnP service (e.g., by having the echo service running on the port that the computer was directed to), the computer could be made to enter an endless download cycle that could consume some or all of the system's availability. An attacker could craft and send this directive to a victim's machine directly, by using the machine's IP address. Or, he could send this same directive to a broadcast and multicast domain and attack all affected machines within earshot, consuming some or all of those systems' availability.

In the second scenario, an attacker could specify a third-party server as the host for the device description in the NOTIFY directive. If enough machines responded to the directive, it could have the effect of flooding the third-party server with bogus requests, in a distributed denial of service attack. As with the first scenario, an attacker could either send the directives to the victim directly, or to a broadcast or multicast domain.
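For defenders who capture SSDP traffic, the sketch below triages NOTIFY advertisements for the traits described above. It is an added example, not code from the newsletter or from Microsoft's bulletin; the names parse_notify and triage, the 512-byte header limit, the risky-port list and the sample datagrams are all assumptions made for illustration.

```python
from urllib.parse import urlsplit

MAX_HEADER_LEN = 512    # assumed sanity limit, not a value from the bulletin
RISKY_PORTS = {7, 19}   # echo and chargen: reply to anything sent to them

def parse_notify(raw: bytes):
    """Split one SSDP datagram into (start_line, {lower-cased header: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def triage(raw: bytes, sender_ip: str):
    """Return findings for a datagram received from sender_ip ([] = nothing odd)."""
    start, headers = parse_notify(raw)
    if not start.upper().startswith("NOTIFY "):
        return ["not-notify"]
    findings = []
    if any(len(n) + len(v) > MAX_HEADER_LEN for n, v in headers.items()):
        findings.append("oversized-header")
    location = headers.get("location")
    if location is None:             # e.g. ssdp:byebye carries no LOCATION
        return findings
    try:
        url = urlsplit(location)
        port = url.port or 80
    except ValueError:               # unparsable host or port
        return findings + ["bad-location"]
    if url.scheme != "http" or not url.hostname:
        findings.append("bad-location")
    elif url.hostname != sender_ip:  # description hosted somewhere else
        findings.append("third-party-location")
    if port in RISKY_PORTS:
        findings.append("risky-port")
    return findings

# Constructed sample datagrams; addresses are from documentation ranges.
GOOD = (b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
        b"NT: upnp:rootdevice\r\nNTS: ssdp:alive\r\n"
        b"LOCATION: http://192.0.2.10:5000/desc.xml\r\n\r\n")
ELSEWHERE = GOOD.replace(b"192.0.2.10:5000", b"198.51.100.7:7")
LONG = GOOD.replace(b"upnp:rootdevice", b"A" * 2000)

if __name__ == "__main__":
    for name, pkt in (("good", GOOD), ("elsewhere", ELSEWHERE), ("long", LONG)):
        print(name, triage(pkt, "192.0.2.10"))
```

A third-party LOCATION is allowed by design, so that finding is a reason to look closer rather than proof of abuse; the oversized-header check is a generic sanity limit and not a signature for the specific overrun.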

Patch availability

Download locations for this patch

 

MS Project 2002 Beta 3...server!

On the MSDN subscriber download site Project 2002 was posted; I downloaded it but haven't looked at it yet. I'm not a project expert anyway.

What surprised me was that there was also Project 2002 Server(!) available for download. Hmmmmm, next time I hope to have more info on this.

 

MIS 2002 RTM

Mobile Information Server 2000 has been out for about 6 months? Well 2002 is released to manufacturing this week and will be available in Q1 2002.

"Microsoft backs away from the lofty goals it set forth in the original MIS platform. After taking some hard knocks from enterprise customers and wireless carriers, Microsoft has taken a more realistic approach with the updated MIS product. Instead of a solution that is all things to all customers, MIS now simply provides a platform for using Exchange and custom Microsoft .NET applications to enable mobile-device solutions."

 News source: can't remember, sorry..

 

 

 

Slipstream Office XP to sp1

 

As with Windows 2000 and XP, you can apply a service pack to your installation source files of Office. So when you install, your software is at SP level!

 

  1. Download the admin version of Office XP sp1.
  2. Double-click the oxpsp1a.exe file.
  3. Click Yes to accept the License Agreement.
  4. In the Please type the location where you want to place the extracted files box, type D:\oxpsp1a , and then click OK .
    Click Yes when you are prompted to create the folder.
  5. Copy your XP CD to your hard disk, say: d:\offxp OR make an administrative install point to d:\offxp : setup /a
  6. Then use this command, where PACKAGE.MSI stands for the Office .msi file in d:\offxp (msiexec /a expects the package file, not just the folder):
        msiexec /a d:\offxp\PACKAGE.MSI /p d:\oxpsp1a\MAINSP1_Admin.msp SHORTFILENAMES=1
  7. Now when the update is done, burn the d:\offxp content to CD and you have your own Office XP sp1 slipstreamed CD!!

NOTE : You can append /qb+ to the preceding command line to avoid receiving the Office XP Administrative Installation dialog box and the End User License Agreement dialog box.

 

 

MSI reboots

To prevent software installed by MSI packages from requiring reboots, make sure you install Windows Installer 2.0.

This does not guarantee no reboots, but well-designed MSI packages will do.

 

Windows Installer 2.0 Not necessarily for Windows XP users! NT4 needs sp6 !

 

New MS support site is buggy

 

Every time I query the Knowledge base and click on a result the frame where the article should appear stays empty !

Very irritating. I have this from all kinds of PCs, so it is not my PC only. So I guess more people have this. I don't understand why it doesn't get fixed.

To work around this, just press F5 and the article appears.

 

http://support.microsoft.com

 

 

Screensaver for XP

MS released a new screensaver for XP: a lot of grass, blue sky and white clouds.....

 

Bliss screensaver

 

USB 2.0 drivers for XP (BETA)

The beta drivers for USB are available in the document section of my XP Forum.

In Q1 of 2002 they will be final and available on Windows Update, together with BlueTooth drivers!

Visio 200x viewer

"The Microsoft Visio® 2002/2000 Viewer: Web Component is a technology preview. This component allows Microsoft Visio users to freely distribute drawings and diagrams to team members, partners, customers, or others without requiring that they have Visio installed on their computers. With the Visio Viewer Web Component, your team members can view and print Visio diagrams (Visio 5, 2000, or 2002) from within their Microsoft Internet Explorer (5.0 or later) Web browser. Currently, the Visio Viewer Web Component can correctly display drawings containing Western European, Japanese, and other East Asian fonts."

http://download.microsoft.com/download/visiostandard2002/vwc10/1/w982kmexp/en-us/vwc10.exe

 

 

 

 

OK, I'll be on holiday next week so happy new year and I hope you'll keep reading me next year !

 

Steven Bink

Amsterdam

 

 

 

Newsletter 19 sent report:

 

Thu, 13 Dec 2001 20:22:39

- Successfully sent to 7433 out of 7965 remaining recipients (93%) in

47 minutes and 46 seconds.

Delivery statistics:

* 7433 successful recipients (93%)

* 532 undeliverable recipients (6%)

Thu, 13 Dec 2001 20:22:39

- Next retry scheduled for: Thursday, Dec 13 at 08:52 PM (in 30 minutes)

Thu, 13 Dec 2001 20:53:34

- Preparing to deliver outgoing email message.

Thu, 13 Dec 2001 21:34:47

- Successfully sent to 43 out of 532 remaining recipients (8%) in

41 minutes and 13 seconds.

Delivery statistics:

* 7476 successful recipients (93%)

* 489 undeliverable recipients (6%)

Thu, 13 Dec 2001 21:34:47

- Next retry scheduled for: Thursday, Dec 13 at 11:34 PM (in 2 hours)

Thu, 13 Dec 2001 23:35:42

- Preparing to deliver outgoing email message.

Thu, 13 Dec 2001 23:46:59

- Successfully sent to 21 out of 489 remaining recipients (4%) in

11 minutes and 17 seconds.

Delivery statistics:

* 7497 successful recipients (94%)

* 468 undeliverable recipients (5%)

Thu, 13 Dec 2001 23:46:59

- Next retry scheduled for: Friday, Dec 14 at 03:46 AM (in 4 hours)

Fri, 14 Dec 2001 03:46:00

- Preparing to deliver outgoing email message.

Fri, 14 Dec 2001 03:54:41

- Successfully sent to 28 out of 468 remaining recipients (5%) in

8 minutes and 41 seconds.

Delivery statistics:

* 7525 successful recipients (94%)

* 440 undeliverable recipients (5%)

Fri, 14 Dec 2001 03:54:41

- Next retry scheduled for: Friday, Dec 14 at 11:54 AM (in 8 hours)

Fri, 14 Dec 2001 11:55:13

- Preparing to deliver outgoing email message.

Fri, 14 Dec 2001 12:08:48

- Successfully sent to 20 out of 440 remaining recipients (4%) in

13 minutes and 35 seconds.

Delivery statistics:

* 7545 successful recipients (94%)

* 420 undeliverable recipients (5%)

Fri, 14 Dec 2001 12:08:48

- Mail job stopped because the application is shutting down.

Fri, 14 Dec 2001 12:08:48

- Next retry scheduled for: Friday, Dec 14 at 12:08 PM (in 8 hours)

Fri, 14 Dec 2001 12:14:29

- Preparing to deliver outgoing email message.

Fri, 14 Dec 2001 12:31:20

- Successfully sent to 1 out of 420 remaining recipients (0%) in

16 minutes and 51 seconds.

Delivery statistics:

* 7546 successful recipients (94%)

* 419 undeliverable recipients (5%)

Fri, 14 Dec 2001 12:31:20

- Next retry scheduled for: Saturday, Dec 15 at 04:31 AM (in 16 hours)

Sat, 15 Dec 2001 04:32:52

- Preparing to deliver outgoing email message.

Sat, 15 Dec 2001 04:39:44

- Successfully sent to 20 out of 419 remaining recipients (4%) in

6 minutes and 52 seconds.

Delivery statistics:

* 7566 successful recipients (94%)

* 399 undeliverable recipients (5%)

Sat, 15 Dec 2001 04:39:44

- Done sending this message.

 

[bink@bink.nu] This is a posting from the
BinkNewsFlash List. To unsubscribe, forward this message (Including these lines) to <unsub-BinkNewsFlash@lyris.sunbelt-software.com>.
