Please note: Older issues may contain information that is now out of date. How To Subscribe and Unsubscribe is at the end of this note. Mailing List Trouble? See http://www.langa.com/help.txt

Please recommend the LangaList to a friend! (And maybe win $10,000!)

The LangaList 2000-08-14
A Free Email Newsletter from Fred Langa

1) Save Your Butt With DOS, Part 3

DOS's days are numbered, and that's mostly a good thing: In normal operation, a well-developed graphical user interface (GUI) is much easier to use than a command-line interface (CLI). But when things go wrong with your system--- badly wrong--- sometimes you can't get to the point where your GUI loads. All the GUI-based tools in the world won't do you any good at all if you can't run them. Worse, sometimes an entire hard drive can become unbootable. If all your diagnostic and repair tools--- GUI or CLI--- are on your hard drive, you're toast.

That's why it's smart to have easy access to a bootable DOS floppy and a custom DOS toolkit. In fact, if you rely on your PC for your work or for important personal information and use, I'd say having a bootable floppy and toolkit is an absolutely essential safeguard.

Trouble is, Microsoft is inexorably moving to the day when all versions of Windows are DOS-free. Indeed, Windows 98SE may be the last version of Windows in which you can easily make bootable DOS floppies!

The current series of WinMag "Explorer" columns is about ensuring that you'll always have access to useful low-level diagnostic and repair tools that can help get you out of even the worst jams: a complete and practical DOS toolkit you can store in a safe place against future need -- even if, or when, you eventually end up using a DOS-free version of Windows.

Part One of this series ( http://content.techweb.com/winmag//columns/explorer/2000/15.htm ) set the context and gave the essential ground-zero information; it also contained a plethora of DOS-related links to get you started. Part Two ( http://content.techweb.com/winmag//columns/explorer/2000/16.htm ) detailed how to create a custom boot or "emergency" disk--- a better boot disk than the one that may have come with your copy of Windows, or that you can make via the Control Panel "Add/Remove Software" applet. Now it's time to finish stocking your DOS toolkit.

In each of the first two columns, I invited readers to post their suggestions for items to add to a DOS toolkit, and many of you did so (thanks!). If you haven't seen the posts yet, click over to the discussion areas for Part One ( http://bbs.winmag.com/forum/default.asp?forumid=88&messageid=44675 ) and Part Two ( http://bbs.winmag.com/forum/default.asp?forumid=89&messageid=45101 ) to take advantage of the good information there.

Many more of you chose to write to me directly, by email. That's fine (and I thank everyone who wrote in!). But the drawback to email is that it's a one-to-one mechanism. So in the Part Three column, I'll present the best of the emailed reader suggestions so everyone can benefit. I'll list almost two dozen tools that are all worthy--- and almost all are available for free! Plus, I'll list additional resources that can bring you to close to a thousand other DOS programs--- again, almost all for free!

When you're done, your custom boot disk and DOS toolkit will give you more control over your system than ever--- even if Microsoft chooses to completely kill DOS in the future. Join in at http://content.techweb.com/winmag//columns/explorer/2000/17.htm !

There have been lots of bugs
discovered and corrected in many products over the last few weeks, but the pace
seems to be picking up even more. Rather than dribble this information out to
you (which might mean you'll get the info too late to help), let's bite the
bullet and plow through all the current major security issues. It's a summer bug
fest!

Let's start with Netscape: Reader "Wayne Jr" was the
first to alert me to a security hole discovered in Netscape browsers. It's quite
serious: It can let your web browser act as if it were a web server, letting
anyone connect to your machine and read any file. The bug is in the Java
"virtual machine" that's in all current Netscape browsers. It's been
there for a long time, too. The problem was given the nickname
of "Brown Orifice" (!) by the folks who discovered it. Their site
shows the problem in graphic terms: See http://www.brumleve.com/BrownOrifice/ .
If you run the code on their page in a Netscape browser, their site will know
what's on your hard drive, and then anyone else visiting the site can download
those files from your PC!

Netscape says:

This vulnerability has been identified in Netscape Communicator versions 4.0 through 4.74 on Windows, Macintosh and Unix operating systems. This vulnerability does not affect Netscape 6 Preview Release 1 or Preview Release 2. Netscape will soon release a version of Netscape Communicator that is not subject to this vulnerability. Users of Communicator 4.04 through 4.74 can disable Java to prevent the exploit....

1. In Communicator, select Preferences from the Edit menu. The Preferences dialog box will appear.

The other solution, recommended by the guy who discovered the bug, is simply to shut down your Netscape browser: The vulnerability exists only when the browser is open.

A decent personal firewall that detects when applications attempt to act as a server also can help; ZoneAlarm is one. ( http://www.zonelabs.com )

Two new security vulnerabilities came to light in Microsoft IE 4 and 5. According to Microsoft:

1) The ActiveX control that is used to invoke scriptlets is essentially a rendering engine for
HTML. However, it will render any file type, rather than rendering HTML files
only. This opens the door to a scenario in which a malicious web site operator
could provide bogus information consisting of script, solely for the purpose of
introducing it into an IE system file with a known name, then use the Scriptlet
control to render the file. The net effect would be to make the script run in
the Local Computer Zone, at which point it could access files on the user's
local file system.

2) A new variant of the
"Frame Domain Verification" vulnerability. As discussed in [a previous
security bulletin], two functions do not enforce proper separation of frames in
the same window that reside in different domains. The new variant involves an
additional function with the same flaw. The net effect of the vulnerability
would be to enable a malicious web site operator to open two frames, one in his
domain and another on the user's local file system, and enable the latter to
pass information to the former.

Grab the patch at:

Most "reader-" type products offer little security risk because
they more or less passively display text or images. But Adobe Acrobat Reader is
different, and it contains a "buffer overrun" vulnerability. Adobe says:

This vulnerability could be
exploited by a malicious user who could create a PDF file that, when viewed in
Acrobat on Windows, would cause Acrobat to crash or to run arbitrary code on the
machine. Acrobat 4.05 Update 2 supersedes Update 1 and includes patches that
remedy these security vulnerabilities in the Acrobat Reader and related
plug-ins.

Grab the clean code at: (Thanks to reader "JW" for bringing this to my attention.)

Hackers love to dupe people into
opening files---email, word processing documents, spreadsheets, etc.--- that
contain malevolent scripts or objects hidden inside. There have been many, many
vulnerabilities of this sort in the past, and more come to light all the time.
For example, Microsoft just sent out a security bulletin that says:

Microsoft Office 2000
applications are capable of reading HTML files saved as Office documents. A
malformed data object tag embedded in one of these documents could cause the
Office application to crash and allow arbitrary code to be executed. In order
for this behavior to occur, a malicious user would need to entice a user into
opening the malformed Office document. Word 2000 users can protect themselves
from opening malformed HTML documents within Word by enabling "Confirm
conversion at Open" from the Tools-Options-General tab. In addition,
Outlook users who have applied the Outlook Security Update will be prompted
before opening web hosted or mail-borne Office documents.

This problem affects Word 2000, Excel 2000 and PowerPoint 2000. You can either avoid the problem (via the
suggestion above) or grab the patch: http://officeupdate.microsoft.com/2000/downloadDetails/Of9data.htm

FAQ:

If you think the
LangaList is a worthwhile read, just use the following link to recommend the
LangaList to a friend. Your friend just may find a new source of useful
information; I just may gain a new subscriber; and you just may win $10,000(!)
for your trouble (full details also available via this link): http://www.langa.com/recommend.htm#1

Or, win a copy of
"Poor Richard's E-Mail Publishing: Creating Newsletters, Bulletins,
Discussion Groups and Other Powerful Communications Tools." This book has
been described as "An excellent, straightforward manual on email
publishing, banner ads, driving traffic and especially ethics." (Full
details also available via this link): http://www.langa.com/recommend.htm#2

Either way, thank you, and good luck!

Hang on--- this is the last one. (Whew!) Microsoft also just released an update for a previously-released patch. I already told you about the
original patch for the "Office HTML Script" vulnerability; at the time
that patch was released there was no similar patch to close the same security
hole in IE. Instead, Microsoft only offered a workaround. Now, they've released
the patch for IE.

Original Patches:
Microsoft Excel 2000 and PowerPoint 2000:
Microsoft PowerPoint 97:

New IE Patch:
(Note that this is the same patch listed in item #3, above: If you grab that patch, you're automatically protected against this vulnerability, and vice versa.)

More info on this problem:

Do you have a home page or website?
(It doesn't matter what size.) Please click over to http://www.langa.com/code.htm,
and maybe you can join the hundreds and hundreds of LangaList readers who have
"Loaded the Code!" (If you've already "Loaded The Code" and
are wondering if your site will appear here or on the Langa.Com web site, please
see http://www.langa.com/link.txt )

Speaking of which: Here's another eclectic sample of reader sites--- some professional, some very personal:

In the last issue ( http://www.langa.com/newsletters/2000/2000-08-10.htm#1
) I mentioned that the makers of Sygate had released a free-for-personal-use
firewall, and that I'd be testing it soon. Several readers beat me to the punch.
8-)

Edeljko Visnjic found a head-to-head
review at http://www.nwfusion.com/reviews/2000/0807rev.html
that gives the nod to Sybergen Secure Desktop; it barely edges out ZoneAlarm in
their tests. Interestingly, their site also offers an interactive scoresheet so
you can weight the test results according to your own preferences.

But reader Ted LaJeunesse sent a
link from some PC World head-to-head tests that came out quite differently (see http://www.pcworld.com/heres_how/article/0,1400,17759+1+6,00.html
). There, Sybergen Secure Desktop didn't fare all that well. PC World's
conclusion: "Zone Labs' ZoneAlarm can be a bit cantankerous when dealing
with applications, but it offered the tightest security in our simulated attack
tests. And the price can't be beat: It's free for home users and nonprofit
organizations."

And although my own tests weren't exhaustive--- I spent about a day with Secure Desktop--- I have to say I also prefer ZoneAlarm.

I also mentioned last week that Microsoft Win2K's SP1 doesn't get along well with firewalls; well, ZoneLabs has released a patch for ZoneAlarm that takes care of that. See http://www.zonelabs.com

Another ZoneAlarm user, reader "JIM32566" writes:

Read with favor your brief on Zonelabs. I have been using it for some time now and have high praise for it also. Along with ZoneAlert I also use Tracer which is very useful in finding out more about sites that ZoneAlert blocks. It's a short batch file and runs from the start/run command 'trace' and the ip address of the site you're interrogating. Handy to have (also free). Available at http://www.pc-help.org/

Thanks to all who wrote in!

Have any vegetarian/vegan friends?
Show them this timely clipping from the current New Scientist ( http://www.newscientist.com/nlc/0812/feedback.html
)

DINOSAURS were not wiped
out by a meteorite or a planetary catastrophe but by a serious flatulence
problem, according to a Chinese news report. The report, cited last week by BBC
News Online, comes from the China Youth Daily. In 1991 Associated Press
attributed the idea to geochemist Simon Brassell; this time it's an unnamed
French scientist.

The problem was apparently
the amount of methane expelled by the dinosaurs-- enough to blast a hole in the
ozone layer. This in turn damaged terrestrial vegetation and caused a food
shortage which ended the dinosaurs' reign.

"The animals, weighing
from 80 to 100 tonnes, would eat on average between 130 and 260 kilos of food
every day. They would fart non-stop," the Chinese paper tells its surprised
readers.

See you next issue!

Best,

An easier-to-read formatted HTML version is available in the "Current Issue" section of http://www.langa.com. (The HTML version of each issue normally is available by 9AM EST [UT-5] of the issue date.) All past LangaList issues are also available at the Langa.Com site.

Why are you getting this newsletter? This is a 100% OPT-IN newsletter: There are only three ways to get on the list--- signup via direct email request from you, or signup via the WinMag newsletter page or signup via BrowserTune's email-notification service. If you're getting this newsletter, your name came to me through one of those signup channels. At signup, you also received a confirmation email from my list software---no one is signed up secretly or against their will.

SUBSCRIBE (it's free!): Create and send a new email addressed to subscribe-langalist@lyris.dundee.net

UNSUBSCRIBE: From the same address you used to sign up with (it's shown on the first line in the body of each email issue you receive), create and send a new email addressed to unsubscribe-langalist@lyris.dundee.net .

CHANGE ADDRESS? LIST TROUBLE? HAVE QUESTIONS? NEED HELP? See http://www.langa.com/help.txt

About the advertisers: Langa Consulting LLC will never knowingly accept advertising for a fraudulent product, company or service. However, Langa Consulting LLC makes no implied or explicit warranty, recommendation or endorsement of or for the products, companies or services mentioned in the ads.

Disclaimer: (Please see full disclaimer here: http://www.langa.com/legal.htm.) Abbreviated version: The tips and other information given in the newsletter are researched and are believed to be accurate, but we cannot and do not guarantee that all the information here will work on all systems, for all users, all the time. All information herein is offered as-is and without warranty of any kind. Neither Langa Consulting LLC, nor its employees nor contributors are responsible for any loss, injury, or damage, direct or consequential, resulting from application of any information presented here.

This newsletter is a free service of Langa Consulting LLC and is Copyright © 2000 Langa Consulting LLC. All rights reserved.