

More Vulnerability Fun..  -  Categories: InfoSec  -  @ 09:36:19 am

The boys and girls at FrSIRT have done it again. Earlier this week, they published a security advisory, along with exploit code, for a vulnerability in an ActiveX(ploit) module named "msdds.dll" when it is instantiated in Internet Explorer. A number of sites in the infosec community raised the alarm, and yesterday Microsoft released a Security Advisory describing workarounds, in which they repeat their oft-heard vent that:

Microsoft is concerned that this new report of a vulnerability in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed.

Normally, I would be inclined to agree with them. However, in this case, they have already released not one, but two (MS7 and MS8) patches for essentially the same vulnerability (ActiveX objects that shouldn't be instantiatable inside of IE were; and doing so could result in remote code execution) in the past 2 months, so despite the hype this is not really a "zero-day" exploit. And, to be quite honest, after the MS8 patch (where the "kill bit" was set for a whole slew of ActiveX(ploit) objects), the bad guys were bound to run through the list, and see what other exploitable goodies MS forgot to take out.
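A kill-bit patch only covers the CLSIDs it lists, so the defender-side check is to audit which controls on your own watchlist still lack it. The following is an added example, not code from this post or from Microsoft: it parses `reg export` text for the documented "ActiveX Compatibility" key and tests the documented 0x400 flag. The CLSIDs and sample export are constructed placeholders, and the function names are hypothetical.

```python
import re

KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KILL_BIT = 0x400  # "Compatibility Flags" bit that stops IE from instantiating the control

# Constructed sample in `reg export` text form; the CLSIDs are placeholders, not real controls.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000A1}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000B2}]
"Compatibility Flags"=dword:00000020

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000C3}]
"Compatibility Flags"=dword:00800400
'''

SUBKEY_RE = re.compile(re.escape("[" + KEY + "\\") + r"(\{[0-9A-F-]{36}\})\]", re.I)
VALUE_RE = re.compile(r'"Compatibility Flags"=dword:([0-9A-F]{8})', re.I)


def parse_flags(reg_text):
    """Map each CLSID subkey of the ActiveX Compatibility key to its flags value."""
    flags, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = SUBKEY_RE.fullmatch(line)
            current = m.group(1).upper() if m else None
            if current:
                flags.setdefault(current, 0)  # subkey present, no flags value seen yet
        elif current:
            m = VALUE_RE.fullmatch(line)
            if m:
                flags[current] = int(m.group(1), 16)
    return flags


def missing_kill_bit(reg_text, watchlist):
    """Return the watchlist CLSIDs whose kill bit is not set (or that have no entry)."""
    flags = parse_flags(reg_text)
    return [c for c in watchlist if not flags.get(c.upper(), 0) & KILL_BIT]
```

Files written by `reg export` are UTF-16, so decode them before passing the text in; on 64-bit Windows the 32-bit view under `Wow6432Node` is a separate key that this sketch does not read.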

One good thing about this one is that the major anti-virus vendors appear to already protect against this exploit, since it is so similar to others they already protect against.

So, expect another IE patch from MSFT next month on "Microsoft Tuesday" for this one. And, as always, practice safe surfing, and keep your A/V signatures up to date.



MS9 Update  -  Categories: InfoSec  -  @ 10:24:51 am

This past weekend, exploits of the vulnerability in MS9 were released to the public. Microsoft has issued a Security Advisory concerning this problem, and has reiterated the need for people to apply the patch -- quickly.

Simply put, the "patch window" -- the time between the date when a vulnerability is publicly acknowledged by a vendor and a patch is made available, and the date that an exploit for said vulnerability is made available -- has effectively disappeared. "Zero-Day" exploits (which are exploits released before a patch is available) are becoming more commonplace. We can't simply rely on patching to protect us any longer, nor can we defer patching until it is convenient for us.



Microsoft Security Bulletins (and Patches) for August 2005 Released  -  Categories: InfoSec  -  @ 07:23:31 am

Yesterday, Microsoft released their August patches. You can read the bulletins and download the patches manually (if you don't use Windows Update or Microsoft Update) from the following location: Microsoft Security Bulletin Summary for August, 2005. An excellent write-up on these bulletins can be found at SANS Internet Storm Center: Handler's Diary August 9th 2005.

Pay close attention to MS8 (MS IE Cumulative Update) and MS1 (Remote Desktop Protocol vulnerability), as proof of concept (exploit) code for both of these has already been published.



It's (Almost) Patching Time (Again)!  -  Categories: InfoSec  -  @ 11:48:50 am

Well, it is semi-official. Microsoft has sent out their heads-up on next week's crop of security patches. According to their bulletin:

On 9 August 2005 Microsoft is planning to release:

Security Updates

• 6 Microsoft Security Bulletins affecting Microsoft Windows. The highest Maximum Severity rating for these is Critical. These updates will require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer (MBSA).

The full text of the announcement can be found right here.

So, folks, if you don't have Windows Update set for "automatic", remember to put on those patches next week!



Hell's Kitchen: 'And, the Winner Is...'  -  Categories: ePinions, random ramblings  -  @ 07:40:22 am

The 2-hour finale was certainly a fitting end to this show. Ralph and Michael, the two culinary gladiators left standing at the end of the last episode, got to experience what it meant to have their own restaurant -- as HK was split down the middle. The dining areas were remodelled, new plates, glasses, and silverware were brought in, they got to create their own menus and select attire for their waitstaff. All this in preparation for the final battle.

While Michael went with a modernistic theme, Ralph did his interpretation of a steak house, Italian-style. The 'street competition' had Michael soundly trouncing Ralph, as his short ribs were much better received than Ralph's porterhouse steak was (I guess that people don't want to eat porterhouse while walking down the sidewalk.) In addition, the two chefs got to get a practice run while feeding the construction crew, which allowed the element of 'strategy' to come into play when Michael sent out the 'crab risotto' without crab, something that Ralph (as head chef) didn't catch but that a construction worker (complete with hard hat) did. Oopsie... And, after being exhorted by Chef Ramsay to be more assertive, Michael did his impression of someone with Tourette's Syndrome, as he cut loose with a completely inappropriate comparison of his staff's cooking skills and the mating habits of the elderly (completely out of the blue, no less.)

Then, it was time to announce the staff. Assisting in the kitchen: Dewberry, Andrew, Jessica, Wendy, Jimmie, and Elsie came back for 15 more minutes of fame. Splitting up into three teams, they furiously prepare for the night's service, during which Andrew slices open a finger, and has to take off for the ER.

Come 7 PM, the restaurants open. On Ralph's side, Andrew has returned, but Dewberry starts feeling faint (maybe he was thinking of the squid guts he had worked with on his earlier visit?), and has to leave the kitchen for a while. On the other side, Michael's staff sent out one steak waaay undercooked, and another dish was sent out with some plastic still embedded in the food as a sort of garnish. However, in the end, everyone was served, and everyone seemed to be happy. Nobody walked out of the kitchen in a huff, and there was remarkably little use of the naughty-word filter.

In the end, there could be just one... and it was Michael, based on a 94% positive response to the question "would you come back to this restaurant?", while Ralph only got a 90% favorable response. (Wow, if I were looking to hire a chef for an Italian-style steak house in the Big Apple, guess who I would call?) As Michael proceeded to make out with his spouse (and a lot of horny males were wishing that Jessica had won, instead), Chef Ramsay offered him the choice of: his own restaurant, or the chance to apprentice under Ramsay himself, in London. Michael showed he is a true culinary artiste, by taking Ramsay up on his offer, which means some day we will be treated to a Neo-California restaurant that specializes in English food. Yumm, Yumm...

Anyway, the Kitchen is Closed... at least until next season.

