Hi everyone,
On Friday 2/26/2010, an issue was posted publicly that could allow an attacker to host a maliciously crafted web page and run arbitrary code if they could convince a user to visit the web page and then get them to press the F1 key in response to a pop up dialog box. We are not aware of any attacks seeking to exploit this issue at this time and in the current state of our investigation, we have determined that users running Windows 7, Windows Server 2008 R2, Windows Server 2008, and Windows Vista, are not affected by this issue.
The issue in question involves the use of VBScript and Windows Help files in Internet Explorer. Windows Help files are included in a long list of what we refer to as "unsafe file types". These are file types that are designed to invoke automatic actions during normal use of the files. While they can be very valuable productivity tools, they can also be used by attackers to try and compromise a system. To help customers better understand unsafe file types, we have published a white paper on the topic which you can find by clicking this link.
Once we have completed our investigation, we will take appropriate action to protect customers.
To minimize risk to computer users, Microsoft continues to encourage responsible disclosure. Reporting vulnerabilities directly to vendors without further disclosure helps ensure that customers receive comprehensive, high-quality updates before cyber criminals learn of - and work to exploit - a vulnerability. Responsible disclosure protects the computer ecosystem and individual computer users from harm.
Anyone believed to have been affected can visit: http://www.microsoft.com/protect/support/default.mspx and should contact the national law enforcement agency in their country. Those in the United States can contact Customer Service and Support at no charge (for computer security related issues) using the PC Safety hotline at 1-866-727-2338 (PCSAFETY). Customers outside of the United States can visit http://support.microsoft.com/international to find local support information.
We continue to encourage customers to follow the "Protect Your Computer" guidance of enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software. Additional information can be found at: www.microsoft.com/protect.
We will provide more information on this issue as it becomes available.
Thanks,
Jerry Bryant
Sr. Security Communications Manager Lead
*This posting is provided "AS IS" with no warranties, and confers no rights.*
Let's do a little experiment right now and see what we find. First, go to ROTTEN TOMATOES: Top Rentals and check out the top rentals.
Next go to Netflix Popular New Releases (all) page. Notice anything?
Read the full details, with screenshots for those of you without a Netflix login, at Netflix Popular New Releases - Not So Much!.
Squids make great examples.
Serious threat to the web in Italy: “Posted by Matt Sucherman, VP and Deputy General Counsel – Europe, Middle East and Africa
(cross-posted from the Official Google Blog)
In late 2006, students at a school in Turin, Italy filmed and then uploaded a video to Google Video that showed them bullying an autistic schoolmate. The video was totally reprehensible and we took it down within hours of being notified by the Italian police. We also worked with the local police to help identify the person responsible for uploading it and she was subsequently sentenced to 10 months community service by a court in Turin, as were several other classmates who were also involved. In these rare but unpleasant cases, that’s where our involvement would normally end.
But in this instance, a public prosecutor in Milan decided to indict four Google employees — David Drummond, Arvind Desikan, Peter Fleischer and George Reyes (who left the company in 2008). The charges brought against them were criminal defamation and a failure to comply with the Italian privacy code. To be clear, none of the four Googlers charged had anything to do with this video. They did not appear in it, film it, upload it or review it. None of them know the people involved or were even aware of the video’s existence until after it was removed.
Nevertheless, a judge in Milan today convicted 3 of the 4 defendants — David Drummond, Peter Fleischer and George Reyes — for failure to comply with the Italian privacy code. All 4 were found not guilty of criminal defamation. In essence this ruling means that employees of hosting platforms like Google Video are criminally responsible for content that users upload. We will appeal this astonishing decision because the Google employees on trial had nothing to do with the video in question. Throughout this long process, they have displayed admirable grace and fortitude. It is outrageous that they have been subjected to a trial at all.
But we are deeply troubled by this conviction for another equally important reason. It attacks the very principles of freedom on which the Internet is built. Common sense dictates that only the person who films and uploads a video to a hosting platform could take the steps necessary to protect the privacy and obtain the consent of the people they are filming. European Union law was drafted specifically to give hosting providers a safe harbor from liability so long as they remove illegal content once they are notified of its existence. The belief, rightly in our opinion, was that a notice and take down regime of this kind would help creativity flourish and support free speech while protecting personal privacy. If that principle is swept aside and sites like Blogger, YouTube and indeed every social network and any community bulletin board, are held responsible for vetting every single piece of content that is uploaded to them — every piece of text, every photo, every file, every video — then the Web as we know it will cease to exist, and many of the economic, social, political and technological benefits it brings could disappear.
These are important points of principle, which is why we and our employees will vigorously appeal this decision.
(Via Google Public Policy Blog.)



















