More interesting things I have found since yesterday.
Australian residents can go in the draw for a Windows 7 T-shirt courtesy of Long Zheng.
And if you are running Windows 7, there is some important news about the UAC – especially take note of the last paragraph, which says:
Update: I’d also like to reiterate, until the RC build of Windows 7 is available, everyone using the Windows 7 Beta should change their UAC setting to “max” to ensure they are safe from either UAC vulnerabilities.
Following is the letter I wrote to Mr Stephen Conroy today. He is a Federal Senator. Senator Conroy was appointed Minister for Broadband, Communications and the Digital Economy on 3 December 2007.
He is proposing a “clean feed”. The current webpage for this policy at the ALP is “offline”. Here is the plan for cyber safety that has on page 2 the intention to provide a mandatory clean feed.
And here is the EFA Australia’s analysis of the plan and why it won’t work.
In light of the furore that has erupted around the nets with this proposal I have written a letter to Mr Conroy.
Microsoft released an extraordinary security patch yesterday.
Published: October 23, 2008
Seeing as Microsoft only releases patches once a month, this is totally unexpected, and indicates the critical nature of the flaw. One surmises that there are hackers and other criminals already exploiting this flaw.
There are lots of details in the MS08-067 bulletin and there is starting to be a fair bit of chatter on the tubes about it – see this from Nick MacKechnie for example where he points to the Security Vulnerability Research and Defense blog.
We emailed all our clients and suggested they patch immediately, or invite us to remotely connect to them and manage that for them.
Drupal has today announced Version 5.8 and 6.3, releasing security patches to fix some security flaws.
Here is the announcement:
Multiple vulnerabilities and weaknesses were discovered in Drupal. Neither of these are readily exploitable.
CROSS SITE SCRIPTING
Free tagging taxonomy terms can be used to insert arbitrary script and HTML code (cross site scripting [ http://en.wikipedia.org/wiki/Cross-site_scripting ] or XSS) on node preview pages. A successful exploit requires that the victim selects a term containing script code and chooses to preview the node. This issue affects Drupal 6.x only.
Some values from OpenID [ http://openid.net/what/ ] providers are output without being properly escaped, allowing malicious providers to insert arbitrary script and HTML code (XSS) into user pages. This issue affects Drupal 6.x only.
filter_xss_admin() has been hardened to prevent use of the object HTML tag in administrator input.