A colder stratosphere in 1998 and 2005 (relative to the warmer troposphere in the active months) allowed greater cooling of ice in the eyes of major hurricanes. Whenever the up flows of ice hit the down flows of ice falling from partially collapsed eyes it produced lightning.
I predict the 2006 summer temperature anomaly differences between the global troposphere and stratosphere temperatures will remain high yielding a troposphere which is over 1 degree Celsius warmer than the stratosphere on average, to produce additional major hurricanes with lightening.
Temp_tropos_1998 = +.65 degrees C Temp_strato_1998 = -.40 degrees C delta_1998 = 1.05 degrees C
Temp_tropos_2005 = +.30 degrees C Temp_strato_2005 = -.75 degrees C delta_2005 = 1.05 degrees C
Prediction: Temp_tropos_2006 = +.40 degrees C Temp_strato_2006 = -.65 degrees C delta_2006 = 1.05 degrees C
Perhaps this flaw hurts so much because many people who thought they were computer savvy found themselves as vulnerable as everyone else. Remember the first pop up windows that had fake close buttons? With the introduction of this new image file flaw IT professionals are reminded how the novice feels daily.
This MS image file flaw is further complicated because so many fixes contradict each other and leave systems vulnerable. Security professional may want to step back and focus on the real problem.
1. Microsoft needs to declare a new wmf standard. 2. All programs using flawed dll's need to be clearly listed on one of Microsoft's security sites. 3. Microsoft Update must request updates from each vender to be automatically distributed via Microsoft Update.
While I'm no MS fan, I hope this issue is quickly resolved.
I may be a bit paranoid but I'd like to turn off images and video for a few days until this ".wmf" issue is resolved.
".wma" and ".wmv" file extensions seem closer to the ".wmf" extension than ".jpg" or ".tif" extensions, so they may also be loaded by programs that open ".wmf" files only to read the internal label and execute the malicious code.
I unchecked the box called "load images" in Firefox, but animated web sites still come up. So I reinstalled Firefox (also deleting the directory) to try to return to Firefox's original default settings, but my settings were still active. Apparently, Firefox saves personal settings in the registry even after it is uninstalled.
Pete Lindstrom, research director for Spire Security LLC, said, "There's no such thing as 'extremely critical' when user interaction is required. [...] That's just silly."
Lisa Vaas of eweek.com says "Google had no immediate comment. To avoid the problem, security experts suggest disabling the feature's indexing of media files, or to remove Google Desktop altogether." http://www.eweek.com/article2/0,1895,1906177,00.as p
Jay Wrolstad at CIO-Today says, "Current exploits use the Windows Picture and Fax Viewer to attack any application that can handle Windows Metafiles. Disabling the Windows Picture and Fax Viewer will not eliminate the risk as the flaw exists in the Windows Graphical Device Interface library". http://www.cio-today.com/news/Flaw-Detected-in-Win dows-Metafile/story.xhtml?story_id=131004IKPNAU
Alex Eckelberry, president of Sunbelt Software. "There is no user interaction required," he wrote in an e-mail exchange. "You hit the Web site, you get hit immediately. No prompts, nothing." http://www.eweek.com/article2/0,1895,1906489,00.as p
If I understand you correctly, a tiff file could actually be internally labeled as a wmf file, and if you download a tiff you may actually be downloading a keystroke logger. So just how many pic types can be interpreted as wmf files?
Trojan pics may be kept as a safe tiff on your patched system only to become a keystroke logger when emailed to your relative's unpatched system.
I fear the Internet may be down at work sometime this week because companies will have to stop using IE until the next MS patch is released.
Sounds like the lawyers thoroughly edited these lines:
"Microsoft is aware of the public release of detailed exploit code that could allow an attacker to execute arbitrary code in the security context of the logged-on user, when such user is visiting a Web site that contains a specially crafted Windows Metafile (WMF) image. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site."
Microsoft makes it sound like we have nothing to fear, because the attacker can't make you go to his site, but how many times a day do you misspell a URL and go to some strange site?
Luke: "I am not scared master." Yoda: "Oh you will be, you WILL be..."
..."for the next 20 years developers will still have things to do to the codebase."
Great, now that we finally agree that the kernel needs work; can we agree that kernel developers should fix it so that browsers recognise industry standard media formats by default?:-)
Let's not get wrapped up in false restrictions for Linux by overlooking opportunities for improvement.
How will chip developers ever build for Linux rather than simply for Microsoft or Apple if Linux kernel developers can't imagine improvements for the Linux OS? Would you rather lead or follow? Here's how:
Rather than simply fixing the OS for 64 bit processors, or multiple processors, why not build a better OS for everyone?
Remember when they put the math coprocessor onto the same chip as the CPU? If most people listen to sounds and watch video, then why not service the decoding of open source sound formats at the kernal or coprocessor level? Why not have the Linux OS support kernel level software or coprocesser decoding of open source video files? If the Linux kernel could make use of music and video coprocessors on the same chip as the CPU don't you think other operating systems would soon follow?
Once the decoding software is written in kernel software, it is a simple matter to burn it to hardware. If Linux would actually accept generic music and video coprocessor standards into the OS (whether or not those coprocessors are present on the chip) then companies like Intel and AMD could make chips with those extra fast coprocessors for Linux or any other OS.
If Linux developers can not even imagine incorporating a standard open source sound or video driver into the OS then what work will be left to do if people choose to continue to buy a 64 bit processor for the next 20 years? Will the kernel developers simply be out of a job, or are they going to actually improve anything at all?
Computer users just expect the sound and video to play on their computers. Kernel developers are part of the problem when they fail to address the clear needs of the user. You know something is wrong when even chip makers are more open minded than kernel developers. Yes, there certainly is a problem with open source developers these days.
This is why I say we still have a long way to go now kiddies.
First step: Accept a GNU signal encoding software standard such as Ogg Vorbis 1.0.
I don't buy the idea of the Linux kernel being somehow separate from the other software built above it. The Debian group may like to call Linux "GNU/Linux". Whatever... Try to imagine that argument flying over at Apple or Microsoft. Programmers would be fired.
No programmer should hide behind the concept of a kernel.
Your arguments make my point precisely. Too many Linux kernel programmers say "that's not my responsibility" when it comes to usability. Or they say that an OS can't be made both secure and user friendly, when it can.
As much as "de" Raadt would like us to believe, the entire operating system, called Linux, will not be judged on its kernel. The users are the ultimate judge of its quality.
The Linux kernel programmers are nothing without the Linux Operating System. So it is in their best interest to seriously consider how the Linux kernel interacts with Linux applications, and most importantly, the user.
As one of the operating systems most used applications, the internet browser should work flawlessly with the kernel, as the kernel works seamlessly with KDE or Gnome. Sometimes the kernel must give a little so that applications may function more effectively. Kernel programmers too often say "it's not my problem." Well, sometimes it is.
Because browsers are so critical to the end users, Linux kernel programmers should seriously focus on seamless kernel support for open source browsers.
On a side note, Nimrangul, I'd rather we avoid derogatory language now.
How about just adding the term "super" to the front of any gas, solid, or fluid whenever the atoms in a substance begin to all interact as one?
So all condensate would simply be "super."
What must I do to be the first person to predict Superplasma? May I simply make the argument that all the other forms exist, so it is the only one left undiscovered?
What's the use? The geniuses at MIT will take all the credit anyway...
They'll make some ridiculous claim that it's a "quantum heat matrix" that both binds and shakes the atoms to make superplasma both a plasma and a condensate at the same time.
If Raadt cares not to compete with Windows or Apple operating systems on ease of use, then what ground has he to criticize the quality of those efforts by other operating systems such as Linux?
What is worse... a "loser's" attempt by Linux developers to help most of humanity or Raadt's insults directed at all those who give it a try?
My interest is not to debate technicalities. Too many geeks have tunnel vision like this. I rather remind Raadt of the value of satisfying the 99% of Linux users who simply expect to be able to surf the net without a PHD.
Novice users just expect Linux to work.
Raadt and Torvalds might find a way for Linux to include the media plugins with Linux in such a way that Linux remains secure. That is, if the two ever come around to actually caring more about the end user than their personal status in the press.
If Raadt can make Linux more secure, then he should show his proposed changes to Linux code.
Perhaps Torvalds and Raadt should only use XP and Tiger OS for the next month in order to better evaluate how a computer should or shouldn't work on initial install.
Then they should make an OS which automatically surfs the net without having to get a PHD to install drivers to listen to streaming music, video, and post a web page, etc... We still have a long way to go guys... (So stop the bickering.)
Does anyone know why Raadt doesn't just help Torvalds write some better Linux code if he has a better solution?
The rise of the Linux Desktop is not just technically difficult. It is politically difficult.
I suggested a few months back that the OSDL use the command line command "linux" to start a default windows GUI so that the computer illiterate (my relatives) might have a method to "fix" their computers if they ever found themselves at the Linux command line.
The OSDL response, "Linus is only interested in writing software for the Linux kernel now. Try contacting the guys at Gnome."
Linus himself is the one who is willing delay 10 years before developing a user friendly desktop. So until then, I'll throw my support behind Apple.
Slashdot Mirror
Shouldn't Diebold executives face charges for treason?
A colder stratosphere in 1998 and 2005 (relative to the warmer troposphere in the active months) allowed greater cooling of ice in the eyes of major hurricanes. Whenever the up flows of ice hit the down flows of ice falling from partially collapsed eyes it produced lightning.
h tml
c trichurricanes.htm?list749825
http://www.ghcc.msfc.nasa.gov/MSU/hl_temp_glbave.
http://science.nasa.gov/headlines/y2006/09jan_ele
I predict the 2006 summer temperature anomaly differences between the global troposphere and stratosphere temperatures will remain high yielding a troposphere which is over 1 degree Celsius warmer than the stratosphere on average, to produce additional major hurricanes with lightening.
Temp_tropos_1998 = +.65 degrees C
Temp_strato_1998 = -.40 degrees C
delta_1998 = 1.05 degrees C
Temp_tropos_2005 = +.30 degrees C
Temp_strato_2005 = -.75 degrees C
delta_2005 = 1.05 degrees C
Prediction:
Temp_tropos_2006 = +.40 degrees C
Temp_strato_2006 = -.65 degrees C
delta_2006 = 1.05 degrees C
Perhaps this flaw hurts so much because many people who thought they were computer savvy found themselves as vulnerable as everyone else. Remember the first pop up windows that had fake close buttons? With the introduction of this new image file flaw IT professionals are reminded how the novice feels daily.
This MS image file flaw is further complicated because so many fixes contradict each other and leave systems vulnerable. Security professional may want to step back and focus on the real problem.
1. Microsoft needs to declare a new wmf standard.
2. All programs using flawed dll's need to be clearly listed on one of Microsoft's security sites.
3. Microsoft Update must request updates from each vender to be automatically distributed via Microsoft Update.
While I'm no MS fan, I hope this issue is quickly resolved.
Any attached gmail files with the ".txt" extension can not be safely opened to notepad directly from the Firefox browser.
This is probably about as in depth as I care to research or discuss this ".wmf" problem for now.
The holes are leaking all over the place.
To test this I emailed an ".rtf" file to myself and the ".wmf" (dragged and dropped via wordpad) was carried within it.
I may be a bit paranoid but I'd like to turn off images and video for a few days until this ".wmf" issue is resolved.
6 69
- attack-zero-day-windows
s p
n dows-Metafile/story.xhtml?story_id=131004IKPNAU
s p
".wma" and ".wmv" file extensions seem closer to the ".wmf" extension than ".jpg" or ".tif" extensions, so they may also be loaded by programs that open ".wmf" files only to read the internal label and execute the malicious code.
I unchecked the box called "load images" in Firefox, but animated web sites still come up. So I reinstalled Firefox (also deleting the directory) to try to return to Firefox's original default settings, but my settings were still active. Apparently, Firefox saves personal settings in the registry even after it is uninstalled.
Security web sites seem to be of little help:
Secunia, Kaspersky strongly caution against opening any untrusted *.wmf files
http://secunia.com/advisories/18255/
http://www.viruslist.com/en/alerts?alertid=176701
VNUNet.com says Firefox will first ask the user before opening the file.
http://www.vnunet.com/vnunet/news/2147909/hackers
Pete Lindstrom, research director for Spire Security LLC, said,
"There's no such thing as 'extremely critical' when user interaction is required. [...] That's just silly."
Lisa Vaas of eweek.com says "Google had no immediate comment. To avoid the problem, security experts suggest disabling the feature's indexing of media files, or to remove Google Desktop altogether."
http://www.eweek.com/article2/0,1895,1906177,00.a
Jay Wrolstad at CIO-Today says, "Current exploits use the Windows Picture and Fax Viewer to attack any application that can handle Windows Metafiles. Disabling the Windows Picture and Fax Viewer will not eliminate the risk as the flaw exists in the Windows Graphical Device Interface library".
http://www.cio-today.com/news/Flaw-Detected-in-Wi
Alex Eckelberry, president of Sunbelt Software.
"There is no user interaction required," he wrote in an e-mail exchange. "You hit the Web site, you get hit immediately. No prompts, nothing."
http://www.eweek.com/article2/0,1895,1906489,00.a
If I understand you correctly, a tiff file could actually be internally labeled as a wmf file, and if you download a tiff you may actually be downloading a keystroke logger. So just how many pic types can be interpreted as wmf files?
Trojan pics may be kept as a safe tiff on your patched system only to become a keystroke logger when emailed to your relative's unpatched system.
I fear the Internet may be down at work sometime this week because companies will have to stop using IE until the next MS patch is released.
http://en.wikipedia.org/wiki/Windows_Metafile/
(If any pic can be loaded from a web page, can we even trust your Wiki?)
Sounds like the lawyers thoroughly edited these lines:
"Microsoft is aware of the public release of detailed exploit code that could allow an attacker to execute arbitrary code in the security context of the logged-on user, when such user is visiting a Web site that contains a specially crafted Windows Metafile (WMF) image. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site."
Microsoft makes it sound like we have nothing to fear, because the attacker can't make you go to his site, but how many times a day do you misspell a URL and go to some strange site?
Luke: "I am not scared master."
Yoda: "Oh you will be, you WILL be..."
Just wait until robots join the daily commute. Then tell me how good things are.
SCO spent years living large off of investors such as Microsoft.
..."for the next 20 years developers will still have things to do to the codebase."
:-)
Great, now that we finally agree that the kernel needs work; can we agree that kernel developers should fix it so that browsers recognise industry standard media formats by default?
Let's not get wrapped up in false restrictions for Linux by overlooking opportunities for improvement.
How will chip developers ever build for Linux rather than simply for Microsoft or Apple if Linux kernel developers can't imagine improvements for the Linux OS? Would you rather lead or follow? Here's how:
Rather than simply fixing the OS for 64 bit processors, or multiple processors, why not build a better OS for everyone?
Remember when they put the math coprocessor onto the same chip as the CPU? If most people listen to sounds and watch video, then why not service the decoding of open source sound formats at the kernal or coprocessor level? Why not have the Linux OS support kernel level software or coprocesser decoding of open source video files? If the Linux kernel could make use of music and video coprocessors on the same chip as the CPU don't you think other operating systems would soon follow?
Once the decoding software is written in kernel software, it is a simple matter to burn it to hardware. If Linux would actually accept generic music and video coprocessor standards into the OS (whether or not those coprocessors are present on the chip) then companies like Intel and AMD could make chips with those extra fast coprocessors for Linux or any other OS.
If Linux developers can not even imagine incorporating a standard open source sound or video driver into the OS then what work will be left to do if people choose to continue to buy a 64 bit processor for the next 20 years? Will the kernel developers simply be out of a job, or are they going to actually improve anything at all?
Computer users just expect the sound and video to play on their computers. Kernel developers are part of the problem when they fail to address the clear needs of the user. You know something is wrong when even chip makers are more open minded than kernel developers. Yes, there certainly is a problem with open source developers these days.
This is why I say we still have a long way to go now kiddies.
First step: Accept a GNU signal encoding software standard such as Ogg Vorbis 1.0.
I think BSD may have already done something just like this at: http://www.xiph.org/ogg/vorbis/
I don't buy the idea of the Linux kernel being somehow separate from the other software built above it. The Debian group may like to call Linux "GNU/Linux". Whatever... Try to imagine that argument flying over at Apple or Microsoft. Programmers would be fired.
No programmer should hide behind the concept of a kernel.
Your arguments make my point precisely. Too many Linux kernel programmers say "that's not my responsibility" when it comes to usability. Or they say that an OS can't be made both secure and user friendly, when it can.
As much as "de" Raadt would like us to believe, the entire operating system, called Linux, will not be judged on its kernel. The users are the ultimate judge of its quality.
The Linux kernel programmers are nothing without the Linux Operating System. So it is in their best interest to seriously consider how the Linux kernel interacts with Linux applications, and most importantly, the user.
As one of the operating systems most used applications, the internet browser should work flawlessly with the kernel, as the kernel works seamlessly with KDE or Gnome. Sometimes the kernel must give a little so that applications may function more effectively. Kernel programmers too often say "it's not my problem." Well, sometimes it is.
Because browsers are so critical to the end users, Linux kernel programmers should seriously focus on seamless kernel support for open source browsers.
On a side note, Nimrangul, I'd rather we avoid derogatory language now.
How about just adding the term "super" to the front of any gas, solid, or fluid whenever the atoms in a substance begin to all interact as one?
So all condensate would simply be "super."
What must I do to be the first person to predict Superplasma? May I simply make the argument that all the other forms exist, so it is the only one left undiscovered?
What's the use? The geniuses at MIT will take all the credit anyway...
They'll make some ridiculous claim that it's a "quantum heat matrix" that both binds and shakes the atoms to make superplasma both a plasma and a condensate at the same time.
If Raadt cares not to compete with Windows or Apple operating systems on ease of use, then what ground has he to criticize the quality of those efforts by other operating systems such as Linux?
What is worse... a "loser's" attempt by Linux developers to help most of humanity or Raadt's insults directed at all those who give it a try?
My interest is not to debate technicalities. Too many geeks have tunnel vision like this. I rather remind Raadt of the value of satisfying the 99% of Linux users who simply expect to be able to surf the net without a PHD.
Novice users just expect Linux to work.
Raadt and Torvalds might find a way for Linux to include the media plugins with Linux in such a way that Linux remains secure. That is, if the two ever come around to actually caring more about the end user than their personal status in the press.
If Raadt can make Linux more secure, then he should show his proposed changes to Linux code.
BSD can't complain about the Linux mess until BSD easily installs the plugins required to enjoy popular content on the net.
Until then Raadt is comparing apples to oranges.
Perhaps Torvalds and Raadt should only use XP and Tiger OS for the next month in order to better evaluate how a computer should or shouldn't work on initial install.
Then they should make an OS which automatically surfs the net without having to get a PHD to install drivers to listen to streaming music, video, and post a web page, etc... We still have a long way to go guys... (So stop the bickering.)
Does anyone know why Raadt doesn't just help Torvalds write some better Linux code if he has a better solution?
The rise of the Linux Desktop is not just technically difficult. It is politically difficult.
I suggested a few months back that the OSDL use the command line command "linux" to start a default windows GUI so that the computer illiterate (my relatives) might have a method to "fix" their computers if they ever found themselves at the Linux command line.
The OSDL response, "Linus is only interested in writing software for the Linux kernel now. Try contacting the guys at Gnome."
Linus himself is the one who is willing delay 10 years before developing a user friendly desktop. So until then, I'll throw my support behind Apple.