Oh joy! Reports of a really bad exploit in WMF, which will affect fully patched Windows XP systems. Ed Bott sums it up nicely:

This is a zero-day exploit, the kind that give security researchers cold chills. It works by exploiting a weakness in the Windows engine that views graphics in the Windows Metafile (WMF) format. You can get infected by simply viewing an infected WMF image.

Fun stuff. Until there’s a patch, beware the metafile, my son! The jaws that bite, the claws that catch!

• Sunbelt blog report
• Ed Bott

Update Saturday: Some computers are already protected from this, via Data Execution Prevention. Read about it (including how to check) here.

A new vulnerability, in Sony’s other copy-protection software, has been found. Sony’s vendor Suncomm has already issued a patch.

Meanwhile Sony has also issued an update and (finally!) removal of the XCP rootkit. Without needing to jump through hoops, this time.

For those of you still using it (I certainly am on one of my machines) Windows 2000 SP four-and-a-bit is out. I’m not totally convinced they couldn’t have just slapped an SP5 together, but oh well, there you go.

So, in building the broadband access machine I’ve found a gift computer (twice as powerful as anything else I owned) that was ‘not working’. After loading XP onto and futzing with it for a while, I figured out that doing anything with the USB port locked up the computer… after a while. I tested the theory by running up a memory/CPU intensive game and letting it run for a few hours. It was happy until I transfered some files off the USB stick. Fault identified. If I want to transfer stuff off the machine, I’ll need to get a USB card, or hook up a network. And I think I’ll do the later.

With fault identification complete, I hooked up the broadband modem (Netcomm NB5) via the ethernet connection (given the USB connection wasn’t going to be working on this machine). Entered the IP of the modem into the browser, and got the modem’s login screen. Everything was good, and I shut down all access other than web via port 80 using the modem’s built-in firewall. Connection to the ISP was established, proxies entered into Firefox (not IE – CERT says there are no secure versions), and Google was available. Connectivity proven.

The web browsing machine got Fedora Core 3 loaded on (a simple process), and the proxy setup was repeated with the same results. FC3 comes with a pre-release version of Firefox, so I loaded up the CD with the .gz for 1.0.4 and loaded that onto the desktop. Then I spent a couple of hours figuring out that I needed to be root to install the browser, and where to install it. Having done that, I still haven’t got it as the default browser – that’s still the prerelease Firefox. But I can run up 1.0.4 from the command line, so at least it’s available, and adBlocker is installed, so well and good.

I figure that I’m going to lock the modem down to a single IP address it’s going to talk to, the FC3 machine. Anything else that wants data from the net is going to have to transfer it from the FC3 machine and won’t be exposed to the big bad internet, because I’m not ready to migrate our entire PC collection over to Linux just yet.

Which means I need to buy a switch.

With Firefox trumpeting itself as “Safer, faster, better” it’s fashionable to think of the product as being inherently safer than its opposition (primarily IE). It’s not. Mozilla has acknowledged a major vulnerability in Firefox, and with no fix available, is saying that the workaround is to switch off Javascript, and disable software installation.

Switching off Javascript renders a large chunk of the web unusable. Yeah, you can manually turn it back on for sites you trust… but who has the time to do that? And among the general non-geek populace, who has the knowledge to do it?

Of course, the likelihood of actually falling victim to this problem is pretty small. But if you’re tempted to switch back to IE, make sure it’s securely set up. One option is to use a security lockdown registry hack.

Meanwhile the neato Tiger Dashboard widgets facility that Andy’s been talking about appears to have its weaknesses too. Whoops.

Okay, so maybe I shouldn’t be so critical, especially since the stuff I code isn’t necessarily miraculously vulnerability-free. But then, I’m not coding browsers installed on millions of desktops.

Firefox 1.0.1 is out, and fixes a bunch of security vulnerabilities.

BUT before you go and download it, be ware: apparently there’ll be trouble if you install it over 1.0 and earlier versions. Be sure to read the release notes first.

The weird bounces I was getting a while back are apparently due to a bug in QMail. They’re also causing some mails to be sent multiple times from webmail. Triffic. But I’ve switched webmails from SquirrelMail to IMP, and that seems to help. I don’t like IMP’s “This mail was sent by IMP” footer, but I do like its features, especially the timezone setting, which was never satisfactory in SquirrelMail.

A big batch of Microsoft patches are out. Through as someone at work pointed out, they shouldn’t be due to buffer overflows, ‘cos MS claimed years ago that they’d eliminated them in Windows XP. (Thanks Ian)

Mr 99Zeroes has apparently been sacked from Google. As Scoble remarks, the rule for blogging about work really needs to be: Don’t piss off your boss. The alternative is simply not to blog about work.

C/Net’s new online news/RSS reader/aggregator: NewsBurst. (via Steve Rubel who features on the latest G’day World podcast)

An Englishman was arrested after he used the text-only browser Lynx to donate money to a tsunami fundraiser. Apparently British Telecom technicians looking through the web site logs thought it was a hacking attempt.

I don’t run Windows XP (my PCs are a couple of years old and happy on Win2K… I don’t feel compelled to lumber them with the beautiful XP), but a lot of people I know do. I want to give one of them a copy of SP2 to install, to save a long boring troublesome download via dialup.

Problem? The SP2 download page lets you install it via Automatic Updates or Windows Update. Or you can order a CD. You can order it in any country, not just North America (good) but it takes four to six weeks to arrive (bad). If the average unpatched computer can be compromised in 20 minutes, in four weeks it could be compromised 2,016 times. (Okay okay it’s on dialup, so it wouldn’t be connected all that time.) Gimboids. Even the Download.com page for it pointed me back to Microsoft.

Happily, I did find it on an APC Magazine CD. I also eventually found the Butch Microsoft Technet Geeky Professional Developers’ download page.

Yesterday was the 13th of the month, and you know what that means… time for Microsoft’s monthly patch roundup.

Clinging to IE, but wishing there were more security zones, so you can tighten the thumbscrews to varying degrees where appropriate? Add a fifth security zone to IE. (via Greg)

Once upon a time to display JPEGs in DOS, you had to run an obscure JPEG Viewer program, and on my ancient rattling 286, it took a good few seconds to look at the file and actually show it on the (16 colour) VGA screen. Nowadays JPEG display is built into practically everything. Which makes Microsoft’s JPEG display vulnerability doubly-scary. Affected software: just about everything they sell. (Microsoft thanks those who work with them to protect customers, by putting their e-mail address on their web page so they can be bombarded with spam.)

Looking for a freebie FTP client for Windows, but sick of CoreFTP’s vagaries, WSFTP’s oldness (is it even Y2K compliant?), and IE/Explorer’s astounding lack of functionality? FileZilla rocks.