News

Outlook Calendar Printing Assistant

The Microsoft Outlook Team released a standalone tool for printing calendars from Outlook 2007: the Outlook Calendar Printing Assistant.

It has a variety of useful templates that have nice layouts. Useful for making wall calendars, or conference room schedules and much more.

Download it here

WPA Vulnerability

Numerous articles have been circulating about an announcement made by researchers claiming to be able to break WPA in 12 minutes. While the paper seems to be valid, it is not exactly as has been reported. Erik Tews and Martin Beck found a way of breaking the TKIP component of WPA, which was known to be imperfect.

  • They were able to read the traffic being sent from the router to the client, not the other direction as of yet.
  • It only affects networks using TKIP, not those using AES.
  • WPA2 is not a guaranteed fix. Many vendors implemented TKIP in WPA2, and many operated in a mixed TKIP/AES mode by default.
  • Not all WPA networks are broken. Many vendors optionally implemented AES in WPA.
  • Enterprise networks that use EAP/PEAP/LEAP are not relying on TKIP and not at risk from this vulnerability.

More in depth information from Errata Security and Schneier on Security.
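To make the TKIP/AES distinction above concrete, here is an added example (not from the original post or the researchers) that audits an access point configuration for TKIP. It assumes a hostapd-based access point and hostapd's documented defaults (`wpa_pairwise` defaults to TKIP, `rsn_pairwise` defaults to the `wpa_pairwise` value); the sample configurations are constructed.

```python
# Added example: flag hostapd configurations that still accept TKIP.
# Assumption: the AP runs hostapd; the sample configs are constructed.

SAMPLE_MIXED = """\
# constructed sample: WPA + WPA2 in mixed TKIP/AES mode
ssid=office
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
"""

SAMPLE_AES_ONLY = """\
# constructed sample: WPA2 with AES (CCMP) only
ssid=office
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
"""


def parse_conf(text):
    """Parse key=value lines, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def tkip_findings(text):
    """Return one finding per enabled protocol version that accepts TKIP."""
    conf = parse_conf(text)
    wpa = int(conf.get("wpa", "0"))  # bit 0 = WPA, bit 1 = WPA2 (RSN)
    # hostapd defaults: wpa_pairwise=TKIP, rsn_pairwise=<wpa_pairwise value>
    wpa_pairwise = conf.get("wpa_pairwise", "TKIP").split()
    rsn_pairwise = conf.get("rsn_pairwise", " ".join(wpa_pairwise)).split()
    findings = []
    if wpa & 1 and "TKIP" in wpa_pairwise:
        findings.append("WPA: TKIP accepted")
    if wpa & 2 and "TKIP" in rsn_pairwise:
        findings.append("WPA2: TKIP accepted")
    return findings


if __name__ == "__main__":
    for name, sample in (("mixed", SAMPLE_MIXED), ("aes-only", SAMPLE_AES_ONLY)):
        print(name, tkip_findings(sample) or "no TKIP")
```

A configuration with only `wpa=2` and no cipher lines is still flagged, which is the "WPA2 is not a guaranteed fix" case from the list above.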

Securing Your Web Browser

Came across an excellent article in my reading today detailing how to secure the three most common browsers in use. This is rather important reading for both individuals and IT professionals, as proper precautions are in order for anyone voyaging the tubes of the Internet.
 
 
Nowadays, simply viewing a web site is enough to have your machine compromised and enlisted for nefarious use in some miscreant's botnet. For example, the Kraken botnet is now double the size of the previous title holder, Storm, and it is believed that the method used to infect victims is by way of a false image file. Similarly, another common technique used by malware distributors is to purchase banner advertisements from brokers that sell placement on well-known, and apparently legitimate, websites. No longer is it safe to stick to reputable and well-known sites.
 
Protect your browser, practice safe computing.
 
Thanks to ts/sci security, and be sure to check out their article, as well as their previous posts on the topic.
 

Browser Color Coding For Security

The IE7 development team has introduced a new browser concept based on color coding the address bar that should enable users to better protect themselves on the net. Currently most users are used to the idea of looking for the padlock icon on the status bar to know if they have a secure connection, and some browsers out there also change the address bar to a different color (yellow in Firefox) to show SSL status. The next evolution of this idea is to have several color codes to represent different security levels (green for newer "high-assurance" SSL certificates, yellow for suspected phishing sites, red for known phishing sites). Another improvement to go along with this idea is to show the organization name alternating with the certificate authority from the certificate on the address bar at the same time. I believe that this will ultimately result in users having a much better understanding of what it means to use a secure connection, expecting this more often, and understanding the implications of different certifying authorities. IE will also always show the address bar when new windows are opened so that the user can always see this information (preventing sites from hiding their location from you with menu-less windows).

Since this was previewed on the IEBlog, there has been discussion between the various browser developers out there to coordinate and standardize this behavior - an excellent example of when competition & cooperation come together for the benefit of the consumer.

Read more at IEBlog

VMware Installation Tutorial

Network Physics has created a nice, straightforward tutorial on installing VMware Server on Windows XP. It is complete with copious screenshots, from downloading and registering for a serial number all the way through configuring networking. If you haven't used VMware Server before, or other virtualization products, some of the pieces can be a little confusing. This will get you up and running, ready for your first virtual machine.
 

Hash Function Competition

In the past couple of years a number of researchers have been slowly (but at an increasing pace) finding weaknesses in both MD5 & SHA-1 families of hash functions. While the current state of these attacks doesn't pose a major threat today, it does make it clear we need to develop new hash algorithms quickly. NIST (keepers of the FIPS) have initiated a competition for replacement (in the same fashion as the competition that resulted in the AES standard). In the meantime they have stated that the SHA-2 family (SHA-224/256/384/512) may be used by federal agencies, and that they should stop using SHA-1. After 2010, the use of SHA-2 is mandated.


License Updated

Creative Commons released a new revision of their licenses this week. Overall it is just a minor maintenance upgrade. Detail items include an explicit clarification that when you use a CC-licensed work, the attribution to the original author doesn't mean an endorsement by them. Other changes include creating a separate generic license not specifically tied to US jurisdiction and, finally, the ability to re-mix and then release CC works under a non-CC but CC-compatible license.

Users and Their Passwords

Since you have put in so much effort on protecting and securing your network, here's a quick read over at Schneier's blog on how far the users value your efforts.
 

MS Updates for December

Microsoft has released their patch bundle for December, comprised of two patches. Included in the IE patch (MS05-054) is a fix to the previously mentioned JavaScript flaw, as well as several others rated as critical. Additionally, if you have been following the Sony DRM fiasco, the fix released by Sony left a security hole behind that allows websites to install software (and is being used in the wild); the IE patch specifically addresses this issue also.

MS05-055 fixes a local kernel exploit that allowed a locally logged on user to elevate their privileges.

Zero Day IE Exploit

Sample exploit code was published that takes advantage of a known JavaScript hole in Internet Explorer. It allows for arbitrary execution on the host machine by simply viewing a webpage. It does not require any interaction from the user. The sample code demonstrates the exploit, but simply opens calc.exe. Understand that the hole allows for pretty much any code to be executed, including downloading remote control apps, keyloggers and worms. Complete compromise by viewing a web page!
