Everything, Everything

Have you seen the hair adverts recently? Garnier, L'Oreal and Clairol all claim to have products that can cover up to 100% of grey hairs. Given that 100% is the best you can possibly do (short of magically growing new hairs that aren't grey), all they are claiming is that all of them can potentially cover all of your grey hairs. It reminds me of ADSL broadband, where you can get "up to 24Mbps", which in reality means about 12Mb if you're lucky. Does this mean that these hair products only cover around half of your grey hairs?

A number of people seem to think that Adobe will have a rough year. I'm not surprised, their products seem to have a shocking number of vulnerabilities. But what amazed me was how slow they are at fixing things. Yes, the delay in producing a patch for the Doc.media.newPlayer method vulnerabilty in Adobe Reader was probably the wrong decision. But if you thought a few weeks was bad, how about this:

Secunia Research 12/01/2010
Microsoft Windows Flash Player Movie Unloading Vulnerability

Before anyone says anything, it's only a Microsoft issue because they included Flash in Windows XP. They didn't make that mistake again in future operating systems.

5) Time Table

18/10/2007 - Vendor notified.
18/10/2007 - Vendor response.
01/11/2007 - Microsoft states that the vulnerability is fixed by the patches released in MS06-069.
02/11/2007 - Vendor informed that MS06-069 does not fix the vulnerability, which was tested against a fully patched system.
23/11/2007 - Vendor contacted (status update requested).
23/01/2008 - Vendor contacted (status update requested again).
05/02/2008 - Vendor informed that due to no response to status requests an advisory will be published in two weeks).
05/02/2008 - Vendor response (vulnerability successfully reproduced and asks for coordinated disclosure).
07/02/2008 - Vendor informed that disclosure will be coordinated.
18/03/2008 - Vendor provides status update.
02/05/2008 - Vendor provides status update (waiting for Adobe).
15/08/2008 - Status update requested.
19/08/2008 - Vendor provides status update (coordinating with Adobe).
15/06/2009 - Status update requested.
22/06/2009 - Vendor response (working on a solution).
20/11/2009 - Status update requested. Vendor also informed that disclosure of the advisory won't be postponed for much longer.
30/11/2009 - Status update requested again.
30/11/2009 - Vendor response (coordinating with Adobe on recommending users to install the latest version of Adobe Flash Player instead).
07/12/2009 - Vendor informed that Secunia has scheduled the advisory for disclosure on 12th January 2010.
15/12/2009 - Vendor response (more time requested along with draft of Secunia advisory).
21/12/2009 - Draft of Secunia Research advisory sent to the vendor. Vendor also informed that disclosure won't be postponed.
07/01/2010 - Vendor informs that an advisory will be released on 12th January 2010 at the same time as the Secunia advisory is published.
12/01/2010 - Public disclosure.

So Adobe have had since 2007 to fix this issue, or at the very least co-ordinate the disclosure in the form of an advisory even if there is no fix. In the end Secunia chose to disclose the vulnerability, which forced Adobe into releasing their own advisory. Sure, most XP users have probably already upgraded to the latest version of Flash 10, but some (especially corporate users?) might be on the old and vulnerable version. Why Adobe? Why? Why does it take you forever (years!) to do anything? Why are your products so buggy? Why?

I discovered a small problem when trying to sign a PDF file on Windows 7 using PDFCreator. It turns out that pdfforge (pdfforge.dll) hadn't been installed. I tried copying the dll across from SourceForge's SVN, but that was foolishly optimistic of me, as it seems that it relies on .NET Framework 1.1. being present. Windows 7 doesn't have it by default. To make matters worse, you can't install it on Windows 7 either. If you try, it fails. Microsoft fixed this in SP1, but you can't install .NET Framework 1.1. with SP1. Well, not unless you follow Saran's guide.

The trick is to slipstream SP1. I've done slipstreaming with drivers and service packs to operating systems in the past, but never with .NET Framework. To be honest I wish people wouldn't use 1.1, I'd much prefer they moved to 2.0 (or higher). Sadly sometimes you have to install such things:

1. Create a new folder named dotnet in C:\ drive.
2. Download Microsoft .NET Framework 1.1 Redistributable Package (dotnetfx.exe). Make sure the setup file is saved as dotnetfx.exe.
3. Download Microsoft .NET Framework 1.1 Service Pack 1 (NDP1.1sp1-KB867460-X86.exe). Rename the file to dotnetfxsp1.exe.
4. Copy both installation files into the same directory (i.e. C:\dotnet).
5. Open Command Prompt as Administrator.
6. Change to the directory where the two installation files are stored (i.e. C:\dotnet).
7. Run the following bold commands one by one:

C:\dotnet>dotnetfx.exe /c:"msiexec.exe /a netfx.msi TARGETDIR=C:\dotnet"

Click on Yes and wait for this dialog which says installation complete.

C:\dotnet>dotnetfxsp1.exe /Xp:C:\dotnet\netfxsp.msp

C:\dotnet>msiexec.exe /a c:\dotnet\netfx.msi /p c:\dotnet\netfxsp.msp

Wait for the installer to disappear automatically.

8. Install Microsoft .Net Framework 1.1 with slipstreamed Service Pack 1 by running netfx.msi from the working folder.

C:\dotnet>netfx.msi

After that, I reinstalled PDFCreator and the readme.txt in C:\Program Files\PDFCreator\PlugIns\pdfforge\ now says pdfforge was installed correctly. And I can now sign my PDF files again with PDFCreator!

Thanks Saran!

Be careful. Be very careful. Thankfully I haven't become a victim, but sadly Cheryl was the other day. She was lucky that no one added an authenticator to her account or stole her characters' items, but they did steal all the gold from her main account (although she didn't have that much).





Thankfully IE's SmartScreen Filter seems to spot them after a while (for some reason it didn't spot it on Cheryl's main PC, even though mine and the PC downstairs did :-S), and Google has presumably removed some of the adwords as it keeps coming back with a different folder, and more recently has changed domain name to one that's easier to spot as a fake (armory-worldofwarcrafe.com - seriously?). I've been reporting the AdWords to Google and the sites to Microsoft and hopefully that's helping people.

The site itself is pretty clever. It loads CSS files directly from the official site (eu.battle.net), it looks like the real site (probably a copy and paste of the code), but there are a few obvious flaws. The links to different languages (and other links across the page) don't take you anywhere. No matter where you try and go, all the other links take you to a static login page. This is where it gets clever though, as the form is submitted to the real server. What they appear to have done is changed the onsubmit code so it runs a local JavaScript function. I had a quick look, but the code is partially obfuscated (nothing an unpacker couldn't decode, I'm sure), and I suspect all it does is capture the username and password and (perhaps depending on the response from the server) sends it to the phishers.

But it's the end of an era. I quite like Christopher Eccleston's single season of Doctor Who, but for the last few years David Tennant has done a fantastic job making the role his own. I'm sad that it's finally over; but I'm also disappointed with the introduction to the new Doctor (Matt Smith), based on the short trailer. I doubt it'll ever be the same again. Much like Spooks once Tom had gone, or Teachers when Simon left.

The other disappointment was how the Doctor was making questionable decisions at the end of The Waters of Mars, but this was practically forgotten in the rest of the episodes.

PS On the plus side, the (real) four knocks couldn't have been done any better.

We weren't able to properly celebrate the new year with friends like we usually do each year, so we did the next best thing and celebrated in a (rather quiet) Booty Bay, dancing as we watched the fireworks. I know, we're sad.