
February 2010

Do more than patch Windows, patch Office as well

The Microsoft Security Intelligence Report is a statistics-rich security bulletin that analyzes malware, software vulnerabilities, exploits and security breaches involving Microsoft and third-party software. Volume 7 of the bulletin examines the first half of 2009. Among its many findings is the following discussion under "Microsoft Office file format exploits":

The most frequently-exploited vulnerabilities in Microsoft Office software during 1H09 were also some of the oldest. More than half of the vulnerabilities exploited were first identified and addressed by Microsoft security updates in 2006.

71.2% of the attacks exploited a single vulnerability for which a security update (MS06-027) had been available for three years. Computers which had this update applied were protected from all these attacks.

The majority of Office attacks observed in 1H09 (55.5 percent) affected Office program installations that had last been updated between July 2003 and June 2004. Most of these attacks affected Office 2003 users who had not applied a single service pack or other security update since the original release of Office 2003 in October 2003.

In 2005, I did a series of keynote speeches, 10 Commonly Overlooked Security Hazards. One slide from that presentation is relevant to this article.

Most incidents exploit known vulnerabilities. Too many vulnerabilities remain exploitable because users fail to apply patches. In this case, the patch has been available since 2006, and nearly three of every four exploits in 2009 alone could have been averted had users applied it.

Patching is not hard. If you use Office, please check now that you've installed MS06-027.

If you find you don't have MS06-027, become part of the solution and stop serving your PC on a silver platter to malware writers. Microsoft Update provides all of the updates for the Microsoft Office system. I've provided the URL; please visit the site using IE and check that not only your Windows updates but also your Office updates are current.

Podcast on Internationalized Whois

In I can't read this WHOIS output!, I note how people are growing accustomed to using their local languages or scripts when they visit web pages and use Internet applications. I explain how Whois, an application that provides the contact and DNS information associated with domain names, largely continues to use 7-bit US-ASCII characters.

This is convenient for WHOIS users who read English, but not so much for those who do not. While conventions and guidelines now exist for composing domain names in virtually any language using the fuller Unicode character set [1], the potential for a WHOIS Babel effect exists.

I recently recorded a podcast with Scott Pinzon in which I explain the complexities of making Whois work for a global, multilingual audience.
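To make the Babel effect concrete, here is an added example (not code from the post or the podcast) that simulates a Whois exchange: a constructed registrant record with an IDN and a Cyrillic contact name is returned as raw octets with no character-set label, as Whois (RFC 3912) does, and then decoded by clients assuming UTF-8, Latin-1 and 7-bit ASCII; `to_ace` shows the xn-- form an ASCII-only server expects in the query. The record and all function names are assumptions.

```python
"""Constructed Whois exchange showing why raw, unlabelled octets break
non-ASCII registrant data. Added example; RECORD and every function
name are assumptions, not code from the post or the podcast."""

# A registrant record as a registry might store it (constructed sample):
# an IDN with a non-ASCII label and a contact name in Cyrillic script.
RECORD = {
    "Domain Name": "b\u00fccher.example",  # bücher.example
    "Registrant Name": "\u041f\u0451\u0442\u0440 \u0418\u0432\u0430\u043d\u043e\u0432",  # Пётр Иванов
    "Registrant Country": "RU",
}

def to_ace(domain: str) -> str:
    """Query side: a legacy, ASCII-only Whois server expects the
    ASCII-compatible (xn--) form of an internationalized domain name."""
    return domain.encode("idna").decode("ascii")

def serialise(record: dict, encoding: str) -> bytes:
    """Server side: Whois (RFC 3912) returns 'key: value' lines as raw
    octets with no declaration of the character set in use."""
    lines = [f"{key}: {value}" for key, value in record.items()]
    return ("\r\n".join(lines) + "\r\n").encode(encoding)

def ascii_only(raw: bytes) -> bool:
    """True if every octet fits in 7-bit US-ASCII."""
    return all(byte < 0x80 for byte in raw)

def parse(raw: bytes, assumed_encoding: str) -> dict:
    """Client side: the client has to guess an encoding; a wrong guess
    yields mojibake (Latin-1) or U+FFFD replacement characters (ASCII)."""
    text = raw.decode(assumed_encoding, errors="replace")
    parsed = {}
    for line in text.split("\r\n"):
        if ": " in line:
            key, value = line.split(": ", 1)
            parsed[key] = value
    return parsed

def babel_report(record: dict) -> dict:
    """Decode the same UTF-8 server reply under three client assumptions
    and report which fields survive intact for each."""
    raw = serialise(record, "utf-8")
    return {
        enc: [k for k, v in parse(raw, enc).items() if v == record[k]]
        for enc in ("utf-8", "latin-1", "ascii")
    }
```

Only the all-ASCII "Registrant Country" field survives a client that guesses wrong, which is exactly the Babel effect: the data is there, but unreadable without an agreed or declared encoding.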

[1] Why virtually any language but not all? Certain languages are not part of the Unicode standard. Lamentably, neither Vulcan nor Klingon is present; Klingon fans can take some comfort that a Unicode Private Use Area has been defined for the Klingon alphabet and the assignment block is registered at the ConScript Unicode Registry.