Mike Bazarewsky: Stuff I want to post

Office 2003 SP2 Released!

Go get Office 2003 SP2 or just let Microsoft Update offer it to you! :)

MD5 Collisions in Real Life

I just found, through a link to a link sort of thing. a proof of concept usable MD5 collision.  If you are interested in cryptography "in real life" and think that has collisions are still in the "theoretically neat but useless" category, please go see that site.  It's actually quite cool and scary at the same time to see the demo .PS files.

Firefox drops the ball on updates :(

http://www.securityfocus.com/news/11327As someone who is currently using Firefox for my daily browsing tasks as my default Windows browser, I like to keep up on what's happening with it.  I use it mainly because there's some functionality that I rely on (in particular, tabbed browsing, which although not perfect [open shortcuts in new tab turned on, active Firefox window has no decorations such as a site popup, and oops, you're screwed unless you know keyboard shortcuts to work with tabs], is quite nice) and because we have multiple customers starting to use it to avoid spyware.  It also forces me to try to keep work I do cross-browser. 

All of that said, the whole project is frankly starting to come apart, which worries me.  Besides the tab bug I just mentioned, which has existed forever (and don't tell me I'm the only one who sees it; it's sloppy UI that this happens), there has been an increase in security holes as the browser gains in popularity.  This matches what I tell students, and what my coworkers (and most students and customers) believe, which is that it had a free ride for a long time because no one cared about it.

This is all coming up now because there is right now a full system compromise exploit out there (cf. FrSIRT or Slashdot or Milw0rm) which is patched in 1.0.7, but here's the problem.  Right now, as I type this, the Firefox built-in update mechanism isn't offering the update, even if you ask it to check for updates.  In other words, the patch exists, for a serious exploit, but you can't tell unless you go to the Firefox site and find it.  This is completely unacceptable.  What's the point of automatically checking for updates if it can't find them?  A lot of people think Microsoft security is awful, but you know what?  Automatic Updates generally works, and Windows/Microsoft Update generally work, and that's been true for years.  What's the excuse here?  There is none.

Think I'm full of it?  A very recent SecurityFocus article agrees that security is failing right now in the project.  (The article also says that exploit counts are not the full picture, which is completely true.  However, that doesn't change that right now, a serious, exploitable hole exists in Firefox, and you don't know unless you know where to look.)

Microsoft has re-released Windows 2000 SP4 Roll-up

We actually had a customer bit really hard by this, so it's good news to see that the "fixed" version of the post-SP4 roll-up patch has been released by Microsoft.

IE developer toolbar

Although Firefox has had some nice developer support for quite some time, Microsoft has released a nice new toolbar for IE, the Internet Explorer Developer Toolbar Beta.  This tool will show you your document object model, allow you to toggle display of table grids, and do other very cool things.  I wonder how I lived without it for so long... (of course, you could say, "but Firefox could do it!", but how does that relate to three years ago?)

ASP.NET Atlas

Microsoft has released their ASP.NET "Atlas" beta for developing smart web applications (similar to Google Maps or Outlook Web Access).... check it out!