Blackmoor Vituperative

Friday, 2006-06-23

Microsoft Office hit by another security problem

Filed under: Security,Software — bblackmoor @ 09:51

File under “as if you needed yet another reason to switch to OpenOffice”:

A weakness in how Office applications handle Macromedia Flash files exposes Microsoft customers to cyberattacks, experts have warned.

Flash files embedded in Office documents could run and execute code without any warning, Symantec said in an alert sent to customers on Thursday. The security issue is the third problem reported within a week that affects Microsoft Office users.

“A successful attack may allow attackers to access sensitive information and potentially execute malicious commands on a vulnerable computer,” Symantec said in the alert, which was sent to users of its DeepSight security intelligence. The vulnerability was reported by researcher Debasis Mohanty.

The issue relates to the ability to load ActiveX controls in an Office document and is not a vulnerability but an Office feature, a Microsoft representative said. “This behavior is by design and by itself does not represent a security risk to customers,” he said. An ActiveX control is a small application typically used to make Web sites more interactive.

(from ZDNet, Microsoft Office hit by another security problem)

Microsoft Office, Flash, and ActiveX? Wow, that’s a trifecta. If it was put to music, it’d be a country music song. All it’s missing is a Sony rootkit, and you’d have the four horsemen of the software apocalypse.

Monday, 2006-06-05

Spammer settles suit for $1 million

Filed under: Security — bblackmoor @ 18:12

A major spammer who was accused of sending up to 25 million e-mails per day has settled a lawsuit with Microsoft and the state of Texas.

The settlement has cost Ryan Pitylak $1 million, as well as the seizure of many of the assets he accumulated during a short-lived career as one of the world’s worst spammers.

At the peak of his spamming activity, the 24-year-old Texas resident was listed as the world’s fourth most-prolific spammer by antispam group Spamhaus.

Now Pitylak is claiming something of an epiphany, saying he has seen the error of his ways and will dedicate his efforts to trying to rid the world of nuisance e-mail. He has even taken to referring to himself as an “antispam activist” in an apparent change of heart of epic proportions.

(from ZDNet, Spammer settles suit for $1 million)

Well of course he’s seen the error of his ways — his business has been shut down, and his only hope of recovering from this catastrophe is to switch gears and try to leverage his experience as a scumbag spammer into a consulting gig.

Maybe he really has learned his lesson. One million dollars is a lot of money to most individuals. But I’m still not sure that’s as good a deterrent as the alternative.

Circuit City forum hacked

Filed under: Security — bblackmoor @ 18:03

I currently work at Circuit City as a programmer/analyst. From time to time I make suggestions intended to bring my department into compliance with widely-known best practices concerning security, server administration, the development process, and so forth. Thus far, not a single one of these suggestions has been recognized as addressing a valid concern, much less implemented.

So it was with some interest that I read that Circuit City’s online forum was hacked to infect users with spam bots. To be fair to Circuit City, in this instance I do not believe they were any more irresponsible than most companies who run web sites — including my own. The patch for their forum software was released on 2006-05-17. Their forum was hacked on 2006-05-30. That’s less than two weeks.

Of greater concern to me is that the people who are the real victims of this hack, the visitors to Circuit City’s web site, would only have been affected if they were stupidly, inexplicably still using Internet Explorer as their web browser. What the hell is wrong with you people? For crying out loud, switch to Firefox already!
