January 2008

A complaint was filed last Friday in Cook County on behalf of plaintiff Christine Desantis, a New Jersey resident, by the law firm of KamberEdelson

We are committed to the principle that large companies should not be able to escape responsibility for their actions simply because they can afford to hire teams of well-paid lawyers.

We make it a fair fight..and then some.

If the name sounds familiar, this is the same New York City based law firm that successfully pursued Sony BMG Music Entertainment, after the music CDs containing spyware debacle. Washington Post

The complaint seeks class-action status, and more than $5 million in damages, including attorneys’ fees and payments to affected consumers plus the cost of injunctive relief.

Hmmm wonder if my local Sears will be holding a sale.

{ 0 comments }

Microsoft January 2008 Bulletin Release included a Windows Sidebar Protection update for Windows Vista.

SUMMARY
This article documents the Windows Sidebar Protection update that was made to the Windows Sidebar for Windows Vista. The update was made to allow for the Windows Sidebar to perform the following actions:

• Generate unique identifiers for all gadgets that run in the Windows Sidebar

• Receive a list of known vulnerable gadgets from Microsoft by using Windows Update

• Stop a gadget from running in the Windows Sidebar if the gadget has been determined to be vulnerable

• Stop a gadget from being installed if the gadget has been determined to be vulnerable

Please see the Microsoft Knowledge Base Article 941411 for information and screenshots: http://support.microsoft.com/kb/941411

{ 0 comments }

It has been nearly a week since security vendor Fortinet posted an advisory implying Zango was responsible for a malicious widget on Facebook.

Zango fires back at Fortinet over Facebook adware accusations

“It is not associated in any way, shape or form with Zango,” Zango Chief Executive Officer Keith Smith told SCMagazineUS.com today. “Based on the fact that a [Zango] ad showed up after this widget was installed, [the advisory] implied that spyware was being bundled with this widget, which was not the case at all.”

Fortinet Facebook Widget Advisory Untrue
Posted: 5:27 PM, Jan 08, 2008

In follow-up to Friday’s blog post entitled: Fortinet’s ‘Facebook Widget’ Advisory False, Zango earlier today announced a Zango press release showing the company’s involvement with a “malicious Facebook Widget” as blatantly untrue.

As a result of the press release, as well as a number of other communications, Matt Hines of InfoWorld posted a blog this afternoon that calls Fortinet’s advisory in question. In his post entitled “Zango strikes back over reported Facebook hack,” Mr. Hines graciously admitted that upon further review, it appears, at least in part, there was a mistake in interpretation of the advisory and he cautioned that, “We in the security community who picked up on this story so eagerly should also be reminded to look into all the details of any security bulletin before we report on it.”

Chris Boyd, security searcher at FaceTime Communications, aka PaperGhost,(Vitalsecurity.org) Sorry to ask, but this whole Zango on Facebook thing…

In it’s original incarnation, did this application

A) open a box for Zango and only Zango every single time it was tested, or

B) did it just happen to randomly show a Zango advert (out of a big pile of other things it could have displayed)?

{ 2 comments }

The official, full length, high quality version from Channel 10.

It’s a clever funny video which made me laugh, although I also felt a twinge of nostalgia at the same time.

{ 0 comments }

A FortiGuard Advisory January 2, 2008 warned their researchers had discovered a malicious widget called “Secret Crush” spreading on Facebook, the social networking site, which prompted users to install the application.

Users were informed they needed to invite at least five more friends to Secret Crush before proceeding, and then were invited to download a Crush Calculator application which contained Zango software. Zango or its affliates are often depicted in the media as adware/spyware.

Zango has publicly denied involvement with Secret Crush.

Fortinet’s so-called “Advisory,” issued Wednesday with the attention-seeking headline “Facebook Widget Installing Spyware,” is completely false as it relates to Zango. A thorough investigation by Zango security personnel reveals no silent or surreptitious installation of any software, much less any “spyware,” by or in connection with the “Secret Crush” widget.

CNET News.com’s Caroline McCarthy writes that on Monday, January 6, 2008 Facebook announced:

Facebook is committed to user safety and security and, to that end, its Terms of Service for developers explicitly state that applications should not use adware and spyware,” a statement from the company read. “We have contacted the developers and have disabled the Secret Crush application for violating Facebook Platform Terms of Service.

Zango said the Secret Crush widget on Facebook is now called the “My Admirer” widget.

Apprantly Zango is making the rounds posting disclaimers, such as the comment left on Security MVP Shaba’s pcsecurity blog.

{ 0 comments }

Bits from Bill: Your Sears Purchase Details Available to World

Ben Edelman update January 4, 2008.

Sears Exposes Customer Purchase History in Violation of Its Privacy Policy.

Sears’s Response

I wrote to Sears ManageMyHome via the addresses on their Contact Us page. To their credit, they responded quickly (less than ninety minutes). However, their reply does not address the seriousness of this situation. Their reply follows:

“We appreciate that you have a security concern. Thank you for taking the time to share your comments with us. We appreciate hearing feedback from our customers, and will pass this information to the appropriate area to research.”

Update (January 4, 5pm): Sears has disabled the search feature described above. Attempts to retrieve a purchase history now yield the message “We’re sorry, this feature is currently disabled.”

Let’s hope it stays that way else all Sears customers join in filing a class action suit.

{ 0 comments }

Scheduled January bulletin release day, Tuesday, January 8, 2008.
The Microsoft Security Response Center (MSRC)

It is important to remember that while the information posted below is intended to help with your planning, because it is preliminary information, it is subject to change.

As part of our regularly scheduled bulletin release, we’re currently planning to release:

• Two Microsoft Security Bulletins affecting Microsoft Windows – one Critical and one Important. These updates will require a restart and will be detectable using the Microsoft Baseline Security Analyzer and the Enterprise Scan Tool.

As we do each month, the Microsoft Windows Malicious Software Removal Tool will be updated.

Finally, we are planning to release five high-priority, non-security updates on Microsoft Update and two high-priority, non-security updates on Windows Update.

TechNet Advance Notification

{ 0 comments }

My hosting company did something in the wee hours that caused 404 errors.

Thank you dgosling and Corrine for notifying me.

My gratitude to a friend in the community known as LWM who was able to locate and resolve the problem.

{ 5 comments }

This time STOPzilla which was a 11.73MB download, 25.17MB install.

STOPzilla uses the ASK search engine. On performing a search the results page promoted the ASK toolbar, which I chose not to install. The less toolbars the better.

I uninstalled STOPzilla from Add/Remove, the only event being a questionnaire popping up asking for feedback.

Source: Sunbeltblog

{ 0 comments }