%@LANGUAGE="JAVASCRIPT" CODEPAGE="1252"%>
Security experts are monitoring widespread use of exploit code that takes advantage of a recently disclosed vulnerability in Windows.
Security experts are monitoring widespread use of exploit code that takes advantage of a recently disclosed vulnerability in Windows, but a worm, although anticipated, hasn't yet been spotted. The vulnerability, which has been known for months but only disclosed on April 13 as part of Microsoft's monthly security updates, stems from a flaw in Windows Protected Communications Technology 1.0, a packet protocol within Microsoft's SSL library. Secure Sockets Layer is an encryption technology typically used to secure communications with Web sites, such as those for processing credit-card orders, and for locking down E-mail. The April bulletin from Microsoft rated the vulnerability as critical, the highest threat warning that the company uses, for Windows NT and Windows 2000. At the time, it warned that an attacker could create a buffer overflow condition on vulnerable Windows servers, then follow by inserting its own code into the system to take control. Windows XP and Windows Server 2003 systems also are vulnerable. "We're not seeing a worm yet, but we're seeing a large, large number of exploit attempts," said Neel Mehta, a research engineer at Internet Security Systems' X-Force research team. Mehta and Mark Dowd, another member of the X-Force group, first discovered the vulnerability last September. "The exploit code is fully functional, very friendly to hackers, and can be used by script kiddies,' said Mehta, referring to the less-than-technically-astute hackers who pick up tools created by others to launch attacks. The first form of the exploit code was discovered within days of the disclosure of the SSL vulnerability, added Ken Dunham, director of malicious code research at iDefense Inc. That code was updated last week to include a "phone home" feature that allowed hackers using it to be notified when they'd compromised a server. The next step, if previous patterns prove true, is for a worm to appear. "It makes more sense that that will happen," Dunham said. "That's what we've seen with every other vulnerability in the past, where exploit code leads to a bot and that leads to a worm." Mehta has the same take. "An exploit appears, and individual attackers use that to compromise servers," he said. "Once it begins to be less useful to them, they'll turn it into a worm." Although Mehta couldn't begin to guess an exact data when such a worm might appear, he thought it could be soon. "This activity is the natural precursor to a worm," he said. Security professionals urged companies to patch their servers--the exploit primarily targets Microsoft Internet Information Server, although Exchange and Active Directory servers also can be exploited--as soon as possible to protect against the current exploit code and any possible worm. If that's not possible, workarounds are available. Microsoft has posted a document on its Knowledge Base site that outlines the steps IT staffs can take to disable PCT 1.0 or SSL 2.0, both of which must be active for the exploit to work. The Microsoft security bulletin outlining this vulnerability and pointing to the patch can be found here . In the end, said Dunham, this is but another skirmish in the battle between hackers on one side, and security pros and enterprise IT on the other. "This is just one more blip," Dunham said, in the monthly cycle of vulnerabilities and ensuing exploitation. "Next month may be the same, as cumulative patches get released that result in multiple exploits and create a flurry of activity in enterprises." Although most companies manage to patch relatively quickly, Dunham added, "and the heat turns off for a bit, in just a few weeks everyone will have to process all this information from Microsoft and decide which [vulnerability] is most important. We just have to brace ourselves again for the same next month. It's the nature of where we're at right now."
Apple refuses to PlayFair By Mike Magee : Monday 26 April 2004, 06:42 APPLE HAS SHUT down a project that can be used to enable fair use of music purchased from Apple's iTunes music service.M'learned friends from Job's mob ordered the Indian organisation Sarovar which was hosting the project called Playfair to stop doing it. Sarovar is a facility for free software creators. It was in the process of developing PlayFair which allows people to play music on non-Apple authorised hardware, provided an authorised key is available. Playfair was originally hosted at the US Sourceforge, but Apple's briefs invoked the US Digital Millennium Copyright Act (DMCA) and) and forced the takedown of the program. However, since hosting the project in India was not illegal, the creator of Playfair approached Sarovar and got backing from two Indian companies. India was not far enough away for Job's mob who have targeted the hosting ISP and sponsors of Sarovar. The organisation decided to take down PlayFair, however they issued a stinging attack on Apple saying that: "...a corporation is using legal means to shut down a free software project in India for the first time and the small project is left defenceless even though they believe that they are right. This letter from Apple will have a profound impact on freedom for Indians and people all over the world. If we do not fight back, we will be on our way on a slippery slope. If we win, it will be a momentous victory with impact all over the world." µ Commander: Space station breakdowns routineEquipment failures on the International Space Station including the loss of half of the gyroscopes stabilizing it are nothing to really worry about, the station's outgoing commander said on Friday. I don't believe there's any crisis, said British-born NASA astronaut Michael Foale, who is in the middle of turning over the station to the incoming commander, Gennady Padalka of Russia. Only two of the four control gyros work. Another failure would force the station to begin consuming precious fuel for thrusters that would take over that work. The station uses the control gyros -- essentially large flywheels -- to orient the 200-ton complex so that solar-power panels can absorb sunlight. One gyro failed last year and will be replaced after NASA's space shuttles return to flight. They have been grounded since the shuttle Columbia broke up on re-entry in February 2003. The second gyro malfunctioned on Wednesday. The problem apparently involves a power relay system outside the station. Spacewalking astronauts from the station can fix it, NASA said. There also have been failures of the oxygen generation system and an exercise treadmill used by the astronauts to ward off muscle atrophy while they are weightless. All of these things have been anticipated long ago, a series of possible failures that do in the end turn out to be real, and we have prepared for them, Foale said. Foale and his crewmate, Russian Alexander Kaleri, are ending a six-month stay on the station and will return to Earth April 29 aboard a Russian Soyuz capsule. Padalka and U.S. astronaut Michael Fincke arrived on Wednesday, the ninth crew in residence aboard the station. Copyright 2004 Reuters Limited. All rights reserved. Republication or redistribution of Reuters content is expressly prohibited without the prior written consent of Reuters. Happy 14th birthday, Hubble!
During its life in orbit, the Hubble Space Telescope has delivered transporting views of the heavens, pictures that fire the imagination of an unimaginably vast portion of the universe that we can't otherwise see. To celebrate Hubble's 14 th birthday this Saturday, mission managers have given fans and supporters a diamond ring of sorts, a star-studded galaxy in an odd configuration. And as with many Hubble pictures, this one provides plenty of cause for wonder. The unusual galaxy is made of bright blue star clusters circling a yellowish center. It was long ago victim of a violent collision, which created a sight we earthlings can only try to envision: Anyone living on a planet in the ring would see a brilliant band of blue stars arcing across their night sky, Hubble astronomers said today. Bad vision Hubble didn't work well at first. Its 8-foot (2.4-meter) mirror was less than a hair's width out of shape, and the images were blurry. Astronauts installed corrective glasses in 1993. The observatory has made 645,000 exposures of more than 20,000 targets while racking up more than 2 billion miles frequent flier miles in its 82,000 orbits around Earth. Hubble's data archive is equal in volume to all the books at the Library of Congress, officials say. Observations in visible, infrared and ultraviolet light from Hubble have generated more than 5,000 scientific papers. Among its greatest achievements is an ongoing set of observations of supernovas that shows the universe is not just expanding, but doing so at an ever-increasing pace. The blockbuster finding means something called dark energy , which scientists know almost nothing about, is working against gravity -- and winning. Hubble sees things near and far and in between. Earlier this year Hubble cranked out the Ultra Deep Field, which contains a zoo of galaxy types and, astronomers expect, the most distant objects ever photographed. The light from the young galaxies traveled for more than 13 billion years to reach Hubble's digital camera. Somewhat closer to home, Hubble in 2001 made the first direct measurements of the composition of a planet's atmosphere outside our solar system.
Sun's Java Desktop System shows promiseWhen it comes to operating systems, Microsoft, IBM and Apple aren't the only mega-companies with all the knowledge. Sun, with its Solaris OS, has years of expertise with Unix-based operating systems. But in the 21 st century, Sun has decided to add Linux to the mix. It includes full support for the company's Java system plus a suite of office software in one package.
|
|||||||||||||
It's called Sun Java Desktop System, or JDS for short. Like Solaris, it's designed for offices and businesses more than for extensive home use. But, Sun has just announced that hardware manufacturer Microtel will now make you a computer with the JDS operating system inside for $298-698 depending on the configuration. They're for sale on Wallmart.com.
JDS 1.0 is based on a well-established and popular flavor of Linux called SuSE. Sun, in its own literature has high hopes for the new offering: With the Sun Java Desktop System, Sun has delivered the first viable Microsoft Windows alternative. The Java Desktop System is a more affordable, secure desktop that is designed to thrive in a Windows-centric world. It's also the only environment with fully integrated Java technology, making this out-of-the-box desktop ready to run thousands of Java technology-based applications with a consistent look and feel. With that type of bragging I couldn't resist. I've been playing with JDS for a few weeks now and have some definite thoughts about where it stands among the modern-day operating systems. Using JDS If you intend to use JDS on a desktop computer the SuSE installation process is nearly perfect (only had to adjust the audio). All the hardware in the two desktop boxes was installed and configured properly. Surfing the Web, creating office documents, email and just about everything else that a basic office worker might need worked first time every time. The laptop installation was another story. It seems the version of SuSE that was used is old and getting older all the time. And that proved to be problematic for some simple items like a WiFi card. It would not install the first time or any time. I even had a number of Sun engineers trying to help. Nothing worked. Someone hinted that the version of SuSE Sun used had some ancient hardware drivers and that everything should be better in JDS version 2.0. Two problems with that scenario: first, since JDS was released, SuSE Linux was purchased by Novell. I'm not sure Sun will be able to persuade Novell to help. Second, I've just read a review of the brand-new SuSE 9.1 beta OS - and in addition to all the great new features the writer complained that his WiFi card wouldn't install. That doesn't bode well for JDS or SuSE especially when you consider that other Linux flavors, such as Linspire (the former Lindows) has no problem with installing my WiFi cards, or anything else I've thrown at it. All that aside, as a desktop computer operating system Sun's JDS is really nice to use. The GNOME desktop is simple and easy to master. The OS was smooth and quick on all my machines including the 4-year old box with a Celeron processor and 128MB of memory up to my 3.0GHz Pentium 4 with 512MB. Surfing the Web with Mozilla was a breeze, Evolution e-mail software is easy to figure out and the inclusion of the latest version of Suns' StarOffice software suite (a $75 option with Linspire/Lindows) makes this OS a real option for businesses and individual users alike. Sun is pricing JDS very competitively. It's $100 per user (with group discounts for enterprise customers.) Not bad when you consider that the office software is included. And, as a special promotion, individuals can purchase JDS at half price - $50 until June 2 on the Sun Website. And finally, looking ahead to JDS 2.0 and 3.0, Sun is proudly showing a future 3-D version with a very, very cool looking desktop. The next versions of JDS could be extremely interesting.
|
|||||||||||||