Archive for December, 2005

Microsoft Security Advisory (912840): Remote Code Execution from WMF files

Wednesday, December 28th, 2005

This is the official Security Advisory from Microsoft.

Microsoft is investigating new public reports of a possible vulnerability in Windows. Microsoft will continue to investigate the public reports to help provide additional guidance for customers.

Microsoft is aware of the public release of detailed exploit code that could allow an attacker to execute arbitrary code in the security context of the logged-on user, when such a user visits a Web site that contains a specially crafted Windows Metafile (WMF) image. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker’s Web site.

Customers are encouraged to keep their antivirus software up to date. The Microsoft Windows AntiSpyware (Beta) can also help protect your system from spyware and other potentially unwanted software. We will continue to investigate these public reports.

Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This will include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

Microsoft encourages users to exercise caution when they open e-mail and links in e-mail from untrusted sources. For more information about Safe Browsing, visit the Trustworthy Computing Web site.

We continue to encourage customers to follow our Protect Your PC guidance of enabling a firewall, applying software updates and installing antivirus software. Customers can learn more about these steps at the Protect Your PC Web site.

Customers who believe they may have been affected by this issue can contact Product Support Services. You can contact Product Support Services in the United States and Canada at no charge using the PC Safety line (1 866-PCSAFETY). Customers outside of the United States and Canada can locate the number for no-charge virus support by visiting the Microsoft Help and Support Web site.

Read the full Microsoft Security Advisory (912840) from Microsoft

Microsoft Windows WMF Handling Arbitrary Code Execution

Wednesday, December 28th, 2005

Extremely critical!

Affected:
- Microsoft Windows Server 2003 Datacenter Edition
- Microsoft Windows Server 2003 Enterprise Edition
- Microsoft Windows Server 2003 Standard Edition
- Microsoft Windows Server 2003 Web Edition
- Microsoft Windows Small Business Server 2003
- Microsoft Windows XP Home Edition
- Microsoft Windows XP Professional
- Microsoft Windows Storage Server 2003
- Microsoft Windows XP Tablet PC
- Microsoft Windows XP Media Center 2004/2005
- Microsoft Windows XP Embedded
- Microsoft Windows Server 2003 R2 Enterprise Edition
- Microsoft Windows Server 2003 R2 Standard Edition

Description:
A vulnerability has been discovered in Microsoft Windows, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused by an error in the handling of corrupted Windows Metafile files (“.wmf”). This can be exploited to execute arbitrary code by tricking a user into opening a malicious “.wmf” file in “Windows Picture and Fax Viewer” or previewing a malicious “.wmf” file in Windows Explorer (i.e. selecting the file). This can also be exploited automatically when a user visits a malicious web site using Microsoft Internet Explorer.

NOTE: Exploit code is publicly available. This is being exploited in the wild.

The vulnerability has been confirmed on a fully patched system running Microsoft Windows XP SP2. Microsoft Windows XP SP1 and Microsoft Windows Server 2003 SP0 / SP1 are reportedly also affected. Other platforms may also be affected.

Solution:
Do not open or preview untrusted “.wmf” files, and set the security level to “High” in Microsoft Internet Explorer.
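Because the vulnerable code path is reached by content, not by file extension, a defensive filter has to recognise WMF data wherever it appears. The following is an added example, not code from either advisory: it identifies WMF content by its header fields and reports structural anomalies such as a record that claims more bytes than the file contains, the sort of check a mail gateway or file scanner could apply. The header layout is the published WMF METAHEADER/METARECORD format; the sample files are constructed inline.

```python
import struct

# Added example, not code from the advisory. Identifies WMF content by its
# header fields (so a renamed ".jpg" is still caught) and reports structural
# anomalies. Layout follows the public WMF METAHEADER / METARECORD definitions.

PLACEABLE_KEY = 0x9AC6CDD7              # key that opens the 22-byte placeable header
METAHEADER = struct.Struct("<HHHIHIH")  # mtType, mtHeaderSize, mtVersion, mtSize, mtNoObjects, mtMaxRecord, mtNoParameters
EOF_RECORD = 0x0000                     # record function that terminates a metafile


def identify_wmf(data: bytes) -> dict:
    """Classify arbitrary bytes; returns is_wmf, placeable, records, problems."""
    info = {"is_wmf": False, "placeable": False, "records": 0, "problems": []}
    offset = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        info["placeable"] = True
        offset = 22                     # the metafile header follows the placeable header
    if len(data) < offset + METAHEADER.size:
        return info                     # too short to hold a metafile header
    mt_type, hdr_words, version, size_words, _, _, _ = METAHEADER.unpack_from(data, offset)
    if mt_type not in (1, 2) or hdr_words != 9 or version not in (0x0100, 0x0300):
        return info                     # header fields do not match any WMF variant
    info["is_wmf"] = True
    body = data[offset:]
    if size_words * 2 != len(body):
        info["problems"].append("declared size %d bytes, actual %d" % (size_words * 2, len(body)))
    pos = METAHEADER.size
    while pos + 6 <= len(body):         # smallest record: 4-byte size + 2-byte function
        rd_words, func = struct.unpack_from("<IH", body, pos)
        if rd_words < 3 or pos + rd_words * 2 > len(body):
            info["problems"].append("record at offset %d has impossible size %d words" % (pos, rd_words))
            break
        info["records"] += 1
        if func == EOF_RECORD:
            break
        pos += rd_words * 2
    else:
        info["problems"].append("no EOF record")
    return info


def build_wmf(records: bytes) -> bytes:
    """Constructed sample: minimal standard WMF wrapping the given records."""
    return METAHEADER.pack(1, 9, 0x0300, (METAHEADER.size + len(records)) // 2, 0, 3, 0) + records

EOF = struct.pack("<IH", 3, EOF_RECORD)
SAMPLE_OK = build_wmf(EOF)                                        # well-formed, whatever its filename
SAMPLE_BAD = build_wmf(struct.pack("<IH", 0x1000, 0x0103) + EOF)  # record claims 8 KB that is not there
```

Anything the scanner flags as WMF, with or without problems, is a candidate for quarantine regardless of the extension the sender chose.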

Microsoft Excel 2002/2003 Add-in for SQL Server Analysis Services

Sunday, December 18th, 2005

The Excel Add-in for Analysis Services enables users to access and analyze data from multiple Analysis Services Cubes, and to create rich, customized reports directly in Microsoft Office Excel 2003 or Microsoft Excel 2002. This download can improve data analysis, shorten reporting cycles, and enhance your company’s ability to respond to customers.

This download not only reduces the time and resources required to train users, but it also eliminates the need for organizations to support specialized reporting systems and tools. The key business benefits of Excel Add-in for Analysis Services include:
- Visibility in Excel into business trends
- Increased speed and quality of decision-making
- Streamlined data analysis that shortens reporting cycles and saves resources
- Increased reporting flexibility through rich, highly customized, and refreshable reports
- Access to relevant information from multiple data sources

About the Excel Add-in for Analysis Services

With the Excel Add-in for Analysis Services, individual users can manage the reporting cycle from beginning to end and eliminate the need to cut and paste data from multiple systems.
Access: Easily create and maintain live data connections to multiple Analysis Services cubes, ensuring data consistency and integrity, and combine data from multiple sources into a single report.

Analyze: Conduct detailed analysis using native Excel capabilities. Extend the richness of analysis through “what if” and drill through capabilities.

Author: Easily personalize and refresh report layouts. Minimize end user training and reduce reliance on IT due to Excel’s popularity and ease of use.

For more information about this download, visit the Excel Add-in for SQL Server Analysis Services page.

Grab a copy of the Microsoft Excel 2002/2003 Add-in for SQL Server Analysis Services

GMail Mobile

Friday, December 16th, 2005

Yet another addition to GMail’s growing list of pretty useful features.

Here is a snippet from their website:

Now you can access your Gmail account from your mobile phone or device. Just point your phone’s web browser to http://m.gmail.com. Your Gmail account stays synched, whether you access it from the web or the mobile interface. It’s easy to use and it’s free (but yes, your wireless plan could still charge you).

It also has these cool features:
• Automatically optimizes the interface for the phone you’re using
• Opens the attachments you receive in messages, including photos, Microsoft Word documents and .pdf files
• Lets you reply by call to people whose phone numbers are in your Gmail Contacts list

Get more info @ GMail Mobile

Yahoo! Mail Beta Launched

Friday, December 16th, 2005

I was checking my mail in Yahoo this morning when I noticed the link stating “New! - Yahoo! Mail Beta. Try it now”.

But I think this will initially be available to the Yahoo! Mail Plus subscribers.

My first impression of Yahoo! Mail Beta was pretty good. It looks pretty much like Microsoft’s Outlook Web Access. This probably is Yahoo’s version of Hotmail Plus.

Here is a snippet of what I received in my inbox after trying out Yahoo! Mail Beta:

Features by the bucket-full.
Enjoy a fast, intuitive new interface that makes it so much easier to stay in touch and organize messages. You can drag & drop email here and there, and have lots of messages open at once. You also get email automatically (no need to keep checking), and it’s easy to preview messages.

But you gotta see it to believe it.
Words don’t begin to explain it all. Explore the Yahoo! Mail Beta by checking out our tutorial. Or forgo the theatrics and jump into our Mail Beta FAQ.

Feeling separation anxiety?
Relax – all your messages, preferences, and contacts go with you to the Yahoo! Mail Beta. And you can easily switch back to original Yahoo! Mail anytime.

Power users who are familiar and comfortable with the Microsoft Outlook interface will find this a welcome feature. Another nice thing about this is that everything is still web based and you can switch back and forth between the classic version and the beta version of Yahoo! Mail.

ISO 20000 PUBLISHED TODAY

Friday, December 16th, 2005

This just in from the ITIL Newsletter…

ISO 20000 PUBLISHED TODAY
=========================

The ISO 20000 Service Management Standard has today been published.
Based upon BS15000, the widely used standard from BSI, ISO 20000 comprises two distinct publications:

ISO 20000-1
This is the Specification for Service Management. It is this part against which the formal certification scheme operates.

ISO 20000-2
This is the Code of Practice for Service Management. It offers practical guidance and recommendations, and supports the first part of the standard.

THE IMPLICATIONS
This is an extremely significant development, for the first time creating a truly globally recognized certifiable corporate framework for ITSM. It defines an integrated process approach for delivery of managed services, and potentially offers a range of substantive benefits to the organizations adopting it.

THE RELATIONSHIP WITH ITIL
Importantly, it aligns fully with the IT Infrastructure Library (ITIL). This relationship, however, is probably best illustrated by means of a diagram, the so-called ‘ITSM Pyramid’, produced on the following web page: http://20000.fwtk.org/20000-itil.htm

This top-down relationship is also perhaps reinforced via the certification schemes:
- ISO 20000 offers ORGANIZATIONAL certification
- ITIL offers PERSONAL certification

There is some overlap between ITIL and ISO 20000, but the two work together side by side, and complement each other.

OFFICIAL SOURCES OF THE STANDARD
The new standards can be downloaded from:
StandardsDirect (BSI): http://20000.standardsdirect.org

It will also be available from SNV (Swiss Standards) shortly from:
Standards Online: http://www.standards-online.net

Finally, the standards are available as part of the ISO 20000 Support Kit:
http://www.20000-toolkit.com

ITIL and ISO 20000 Newsletter
http://itsm.the-hamster.com


CertCities.com’s Hottest Certifications for 2006

Thursday, December 15th, 2005

The prediction for 2006 is quite interesting…

#10: Linux Professional Institute Certification, Level 2 (LPIC 2)
# 9: Systems Security Certified Practitioner (SSCP)
# 8: MCSE: Security
# 7: Cisco Certified Network Professional
# 6: Cisco Certified Internetwork Expert
# 4: (TIE): Cisco Certified Security Professional (CCSP), Project Management Professional (PMP)
# 3: Microsoft Certified Architect
# 2: Microsoft Certified Technical Specialist: SQL & .NET
# 1: Red Hat Certified Engineer

More details @ CertCities

MS Releases 2 Patches for December 2005

Wednesday, December 14th, 2005

Microsoft has released two new security bulletins, one rated as critical and the other as important on the company’s security rating scale.

The critical bulletin (MS05-054) includes a patch for Internet Explorer that addresses the ‘zero-day exploit’ that has been discussed in the media over the last few weeks. Visiting malicious websites without this patch could allow attackers to take complete control of your computer. The MS05-054 patch addresses this issue, helps prevent three other new vulnerabilities, and also protects against the Sony rootkit vulnerability.

Microsoft’s second bulletin, rated important, addresses a vulnerability in the Windows Kernel that could allow elevation of privileges on an affected system.

Below is more detail regarding the new Microsoft Security Bulletins:

Microsoft Security Bulletin MS05-054 (Critical): Cumulative Security Update for Internet Explorer (905915)

Microsoft Security Bulletin MS05-055 (Important): Vulnerability in Windows Kernel Could Allow Elevation of Privilege (908523)

Additional information about these Security Bulletins can be found at Microsoft’s TechNet Web site: http://www.microsoft.com/technet/security/bulletin/ms05-dec.mspx

Microsoft SQL Server 2005 Samples and Sample Databases (December 2005)

Tuesday, December 13th, 2005

The samples download provides over 100 samples for SQL Server 2005, demonstrating the following components:

- Database Engine, including administration, data access, Full-Text Search, Common Language Runtime (CLR) integration, Server Management Objects (SMO), Service Broker, and XML
- Analysis Services
- Integration Services
- Notification Services
- Reporting Services
- Replication

The samples databases downloads include the AdventureWorks sample online transaction processing (OLTP) database, the AdventureWorksDW sample data warehouse, and the AdventureWorksAS sample Analysis Services database. These databases are used in the samples and in the code examples in the SQL Server 2005 Books Online.

Since its original release, new samples have been added for the following technologies: CLR, SMO, Integration Services, Replication, and Reporting Services. See the SQLServerDatabasesAndSamplesOverview.htm file for descriptions of the new and original samples.

Also see: SQL Server 2005 Express Edition Documentation and Samples (December 2005)

Grab a copy of the Microsoft SQL Server 2005 Samples and Sample Databases (December 2005)