WMF Exploit? What? Me Worry?

A nasty Windows exploit was uncovered recently that could provide yet another route for viruses and other malware to infect your computer and generally crap in your Cheerios.

This has been brewing for at least a week now, but with all good people being away for the holiday, it either hasn’t gotten as much attention as it has deserved because everyone is wondering how their pants suddenly got so small, or it’s gotten too much attention because there hasn’t been much other technews to report while digesting piles of Christmas sweets.

Now that it’s the new year though, more of Microsoft is back from using up some of their 4+ weeks of vacation a year before it expires, and they are trying to reassure people who are freaking out about the fact that there still isn’t a patch for this thing. One of the people doing the reassuring is Jesper who describes himself thusly:

“a Senior Security Strategist in the Security Technology Unit at Microsoft. My job is to explain to our customers how to run Microsoft products securely, and to the extent that it is needed, help the product groups figure out how to make it possible to do so.”

Jesper has some good tips on mitigating exposure to this exploit here: Jesper’s Blog : Conscientious Risk Management and WMF

Unfortunately, he can’t resist the opportunity to trash the people outside of Microsoft who have been working to bring the details of this exploit to light. One example: when explaining how an unofficial non-Microsoft patch against this vulnerability works, he says it does so “using basic rootkit technology” (no innuendo in that description, none at all). Elsewhere he complains that the people publicly sharing information about this vulnerability “make it possible for even criminals who barely know how to use a computer to exploit this issue.”

So, let’s break this down. The people who are sharing the information that Jesper complains about may well be making it easier for criminals to exploit the issue. They are also making it possible for people like the fellow who released the patch to get something out there while half of Microsoft was off skiing at Whistler (or someplace with better snow this year). It would be a lot easier for Microsoft if independent security researchers kept info about this vulnerability under their hats until after the holidays, so you can forgive Jesper for being cranky. (The photo in his blog masthead makes it look like he had to come in early from SCUBA diving in the Virgin Islands to whip out a blog entry for Microsoft’s concerned customers.)

Unfortunately, this vulnerability has been around for years and Microsoft hasn’t done anything about it. Not a surprise really, since they designed it into the OS in the first place. I have some sympathy for Microsoft, it’s got to be hard to find and patch all the security problems that have been incorporated into Windows over the years. Who was to know back in 1995 that security would be a big issue in a world where every computer was networked to every other computer? I mean, come on, it was 1995! Microsoft was too busy giving demos to developers about how their new Internet aware dev tools let you do remote SQL queries over the net by sending freetext passwords in e-mail. They were much too distracted with kicking Netscape’s ass and controlling the Internet to worry about unforeseen things like network security. And please, who was even thinking about creating restricted execution environments for untrusted code running in a Java-like virtual machine (besides James Gosling, I mean). And then, you know, as the years wore on, there was a monopoly to exploit before the feds caught up to them.

So, it seems our choice is either to trust Microsoft, again, and hope that some smart little punk out there somewhere doesn’t figure out an exploit of his own before MS gets around to fixing things, or to actually share as much information as possible in order to understand and guard against this problem, with or without MS.

Harvey Danger, still DRM-free

Apparently the latest “Coldplay”:http://www.coldplay.com/index.php CD comes “locked down with DRM”:http://www.boingboing.net/2006/01/01/coldplays_new_cd_has.html and comes with a “handy little card”:http://itch.in/journal/bad-bad-coldplay outlining all the things you can’t do with the CD you just bought. Things like play it on your iPod, or return it because you can’t do shit with it.

Even more amusing, it’s the Indian release of the album that comes so loaded with shit.

The solution is obvious, screw Coldplay, and screw Virgin Records. Go and “download a high quality, DRM-free encoding of Little by Little”:http://harveydanger.com/downloads, the latest album from “Harvey Danger”:http://harveydanger.com. If you like it, you can donate or buy a DRM-free physical copy, complete with cool album art and an awesome bonus disc “directly from the band.”:http://harveydanger.com/store

Man, DHL Kinda Sucks

I’ve been awaiting a package I ordered from Dell. It was supposedly picked up by “DHL”:http://www.dhl-usa.com/home/home.asp from a distribution in Fontana, California on Tuesday the 27th in the early afternoon. The estimated delivery date was supposed to be today. The tracking information hasn’t changed since Tuesday, it’s still showing an estimated delivery date of today even though there isn’t any indication that it has even arrived in Seattle.

I realize that their front end might be lagging their logistics system, but it is now 5pm. I’ll be very surprised if it arrives before next Monday or Tuesday, at this point. I wonder when they’ll finally get around to updating their delivery estimate.

My theory, it fell off a truck and they still haven’t realized it’s gone.

Update (1/2/06): Three days later, they’ve finally updated the shipping info. My package is in f’ing Chehalis (half way to Portland). Estimated delivery date? Still 12/30/2005.

Another Update: A few months later, I order something else from Dell. It also ships via DHL. It also ends up being very late. I called Dell days after the package was due, which was also days after DHL’s tracking system said it had arrived in Seattle. The Dell rep tells me that DHL has determined the package was lost and that a new one will be shipped out. A few days later, the package arrives, same tracking number and info as the original package.

I’m starting to suspect that Dell gets DHL to fudge the tracking information so that Dell can actually ship products days after they say they do.

Note: My wife uses DHL for pretty much all our personal packages and has been very happy with them.

Network Media Players: DLink DSM-320

As I mentioned a couple days back, I’m looking at “replacing my living room PC with a dedicated video player”:http://www.geekfun.com/2005/12/18/too-much-juice/ in order to waste less electricity and free hardware up for other purposes.

I’ve been looking around and it seems like things have improved a bit since I looked “a year ago”:http://www.geekfun.com/2004/12/09/hauppage-mediamvp/. DLink has an interesting product called the “DSM-320”:http://www.dlink.com/products/?pid=318 that seems to be going for ~$130 after rebate, and that does native decoding of various MPEG4 formats like Xvid. The native MPEG4 support is cool because it means that existing content doesn’t have to be transcoded on a PC and transported over the network. As a result, I should be able to stream video off my fileserver which uses a low power ~800MHz CPU. I’m also hoping that avoiding MPEG2 will mean that I can get smooth playback over my wireless network.

The DSM has some downsides. A big one is that its wireless network card doesn’t support WPA encryption, only the useless WEP, so I guess I’ll still need to use a WRT54G in my living room. It also sounds like video playback has been a bit wonky, but it sounds like the newest firmware versions have corrected a lot of glitches. The UI also sounds like it leaves something to be desired, but it looks like it will work well enough for our purposes.

It requires streaming media server software, but apparently it adheres to some sort of standard, so I’m not limited to the software they provide, which is good, because I want to run the media server off my Linux box. On the downside, the most likely candidate, “Twonkyvision”:http://www.twonkyvision.de/UPnP/index.html is 20 euros, adding significantly to the cost of the setup. It looks like at least part of the firmware for this thing is GPLed, so maybe someone will release support for playing media directly off a Samba share.

Another shortcoming is that the device doesn’t play AAC encoded audio (which I have a lot of since I’ve ripped all my CDs into AAC for my iPod), at least not without server-side transcoding, which is strange since the “Sigma chip it uses”:http://www.sigmadesigns.com/news/press_releases/041104.htm looks like it “supports AAC”:http://www.sigmadesigns.com/products/em8400series.htm.

For ~$130 (after rebate) it’s pretty tempting, but I’d hate to be stuck with it if it doesn’t work for me.