Jump to content

tglogo.png

err0r

Member Since 25 Feb 2004
Offline Last Active Today, 04:03 PM
*****

Topics I've Started

Critical updates to Windows 10, XP and Vista for June Patch Tuesday

17 June 2017 - 02:22 PM

This June Microsoft Patch Tuesday is pretty unique. Excluding the fact that Microsoft is attempting to address a record 94 vulnerabilities, we are seeing Microsoft provide security updates for several operating systems that are no longer supported, including Windows XP and Vista. In addition, Microsoft has moved from its usual approach of mentioning a few select security issues with its Security Advisories notes.
 
This month, we saw Microsoft issue a large number of high-priority issues and the incredible statement, “Microsoft is announcing the availability of additional guidance for critical security updates, that are at heightened risk of exploitation due to past and threatened nation-state attacks and disclosures.” Now is not the time to be relaxed about patching your environment. In addition, Microsoft is attempting to address two serious remote code execution vulnerabilities (CVE-2017-8543 and CVE-2017-8464) that have been reported as exploited in the wild.
 
Although Microsoft no longer uses the update bulletins methodology the following product families will receive updates this month:

    Adobe Flash Player
    Internet Explorer and Microsoft Edge
    Microsoft Windows
    Microsoft .NET
    Silverlight
 

Read full article @ http://www.computerw...ch-tuesday.html

mIRC 7.49 has been released! (May 25th 2017)

27 May 2017 - 12:21 AM

This is a small update that addresses a number of issues reported by users since the last release. It includes improvements, changes and fixes to a number of features, including:
 
  • Changed CAP invite-notify so that invite notifications are now displayed.
  • Added CAP 3.2 support so mIRC now sends LS CAP 302 when logging on.
  • Added CAP cap-notify support.
  • Changed Add/Edit server dialog to allow use of seperate server and logon method passwords.
  • Changed /server -w and -l switches to support separate passwords.
  • Fixed window treebar/switchbar focus bug.
  • Fixed $regmlex() bug.
  • Fixed CAP SASL external bug.
  • Added CTCP DCC resume error message when file is smaller than the existing file.
  • Added support for evaluation of highlight tip messages.
  • Added /sockopen -n switch to disable Nagle algorithm on socket.
  • Fixed IAL gpf bug when IAL was turned off and channel was joined.
For a more detailed list of recent changes, please see the whatsnew.txt file.
As always, the latest version of mIRC can be downloaded from the download page.

mIRC 7.48 has been released! (April 15th 2017)

16 April 2017 - 07:14 PM

mIRC 7.48 has been released! (April 15th 2017)
This is a small update that addresses a number of issues reported by users since the last release. It includes improvements, changes and fixes to a number of features, including:
  • Added SASL/NickServ support as a per server setting.
  • Added channel central support for +q quiet list.
  • Added "Control key enables mark/copy" option and the ability to copy single characters.
  • Added support for middle-click mouse button to close tabs in switchbar/treebar.
  • Added CAP support for extended-join, account-notify, away-notify, account-tag, invite-notify, and chghost.
  • Extended $com() to handle one dimensional single-byte array results.
  • Added sha256 fingerprint to server SSL certificate dialog.
  • Fixed if/while statement parsing bug.
  • Updated to OpenSSL 1.0.2k library.
  • Added /ialfill #channel command and extended $ial() identifier.
  • Extended /ialmark to allow setting multiple, arbitrary marks.
  • Fixed windows shutdown handling bug that prevented mIRC from saving settings correctly.
  • Extended $regsub() and $regsubex() to support output to a &binvar.
  • Changed sound-related routines to use DirectSound to play sounds.
  • Added "Create new certificate" button to SSL dialog that creates a new self-signed client certificate.
  • Added $sslcertsha1 and $sslcertsha256 identifiers that return fingerprint of currently loaded client certificate.
  • Added /drawsize @ <w h> that sets the bitmap size for picture windows.
In total there have been around 50 changes since the last release and although most of them are only small fixes and tweaks, we hope that they result in a more useful and stable mIRC for you.
For a more detailed list of recent changes, please see the whatsnew.txt file.
As always, the latest version of mIRC can be downloaded from the download page.

Read full article @ http://www.mirc.com/whatsnew.txt

Microsoft Apparently Ramping Up Heavy-Handed Tactics To Force Windows 10 Migrations

19 March 2017 - 10:46 PM

The clock is ticking for users holding out on Windows 7 and 8. For starters, Microsoft is blocking Windows 7 and 8 updates for Intel's seventh generation Core i3, i5 and i7 (Kaby Lake), AMD's Ryzen (Bristol Ridge) and Qualcomm's 8996 processors. The low-level Vulkan API will also not be supporting multiple GPUs on Windows 7 or Windows 8.1 and users will need to update to Windows 10 in order to support SLI or CrossFire with Vulkan.

Microsoft’s main argument is that this lack of updates will help them to focus on the deep integration between Windows and new silicon generations. Windows 7 was designed nearly a decade ago before the introduction of x86/x64 SOCs. Windows 7 is unable to run on any modern silicon without device drivers and firmware emulating Windows 7’s expectations for interrupt processing, bus support, and power states. According to Microsoft, “redesigning Windows 7 subsystems to embrace new generations of silicon would introduce churn into the Windows 7 code base” and break the company's commitment to security and stability.

This lack of support has many Windows users riled up, especially since Microsoft has employed some rather aggressive practices in the past to push Windows 10 migrations and updates. Many already on Windows 10 have also expressed concerns about the operating system switching background updates on, even on metered connections, or other less than optimal scenarios considerate of the end user.

Read full article @ http://hothardware.c...s-10-migrations

Everything You Need to Know About Cloudbleed, the Latest Internet Security Disaster

26 February 2017 - 09:32 PM

Have you heard? A tiny bug in Cloudflare’s code has led an unknown quantity of data—including passwords, personal information, messages, cookies, and more—to leak all over the internet. If you haven’t heard of the so-called Cloudbleed vulnerability, keep reading. This is a scary big deal.

Let’s start with the good news. Cloudflare, one of the world’s largest internet security companies, acted fast when security researcher Tavis Ormandy of Google’s Project Zero identified the vulnerability.

The bad news is that the Cloudflare-backed websites had been leaking data for months before Ormandy noticed the bug. Cloudflare says the earliest data leak dates back to September 2016. It’s so far unclear if blackhat hackers had already found the vulnerability and exploited it secretly before Cloudflare fixed its code. Cloudflare’s clients include huge companies like Uber, OKCupid, 1Password (Update: 1Password claims its user data is safe), and FitBit. That means a holy fuck ton of sensitive data has potentially been compromised.

 

 

Cloudbleed Is a Problem But It Gets Worse

As with any major security vulnerability, it will take some time before we can fully comprehend the level of destruction caused by Cloudbleed. For now, you should change your passwords—all of them—and implement two-factor authentication everywhere you can. You’ll figure out why this is a good idea when you read about how this nasty little security disaster unfolded.

 

 

What is Cloudflare?

You might not be familiar with Cloudflare itself, but the company’s technology is running on a lot of your favorite websites. Cloudflare describes itself as a “web performance and security company.” Originally an app for tracking down the source of spam, the company now offers a whole menu of products to websites, including performance-based services like content delivery services; reliability-focused offerings like domain name server (DNS) services; and security services like protection against direct denial of service (DDoS) attacks.

The fact that Cloudflare is a security company makes the dustup around this new vulnerability supremely ironic. After all, countless companies pay Cloudflare to help keep their user data safe. The Cloudbleed blunder did the opposite of that.

“I’ve informed Cloudflare what I’m working on. I’m finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings,” Tavis Ormandy wrote in an advisory. “We’re talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.” Ormandy also said that the Cloudbleed vulnerability leaked data across 3,438 unique domains during a five-day period in February.

 

 

How does Cloudbleed work?

For you geeks out there, Cloudbleed is especially interesting because a single character in Cloudflare’s code lead to the vulnerability. It appears to be a simple coding error, though we’ve reached out to Cloudflare for information on what exactly happened. (Update: Cloudflare called us back and explained some things.) Based on what’s been reported, it appears that Cloudbleed works a bit like Heartbleed in how it leaks information during certain processes. The scale of Cloudbleed also looks like it could impacts as many users as Heartbleed, as it affects a common security service used by many websites.

According to a Cloudflare blog post, the issue stems from the company’s decision to use a new HTML parser called cf-html. An HTML parser is an application that scans code to pull out relevant information like start tags and end tags. This makes it easier to modify that code.

Cloudflare ran into trouble when formatting the source code of cf-html and its old parser Ragel to work with its own software. An error in the code created something called a buffer overrun vulnerability. (The error involved a “==” in the code where there should have been a “>=”.) This means that when the software was writing data to a buffer, a limited amount of space for temporary data, it would fill up the buffer and then keep writing code somewhere else. (If you’re dying for a more technical explanation, Cloudflare laid it all out in a blog post.)

In plain English, Cloudflare’s software tried to save user data in the right place. That place got full. So Cloudflare’s software ended up storing that data elsewhere, like on a completely different website. Again, the data included everything from API keys to private messages. The data was also cached by Google and other sites, which means that Cloudflare now has to hunt it all down before hackers find it.

 

 

Have you been pwned?

It’s unclear who exactly has been pwned. Cloudlfare claims that only a very small number of requests led to leaked data, but since the vulnerability has been almost six months, who knows how much information is out in the wild. Furthermore, the fact that so much of that data was cached across different sites means that, while Cloudflare’s initial patch stopped the leaking, the company needs to do lots of hunting around the web to ensure that all of the leaked data gets scrubbed. And even worse, even sites that don’t use Cloudflare’s service—but have a lot of Cloudflare users—might have compromised data on their servers.

Read full article @ http://gizmodo.com/e...ates-1792710616