General discussion

NEWS - January 10, 2007

Discussion is locked

Reply to: NEWS - January 10, 2007
PLEASE NOTE: Do not post advertisements, offensive materials, profanity, or personal attacks. Please remember to be considerate of other members. If you are new to the CNET Forums, please read our CNET Forums FAQ. All submitted content is subject to our Terms of Use.
Reporting: NEWS - January 10, 2007
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
- Collapse -
Microsoft leaves Word flaws unpatched
- Collapse -
Symantec wants to lend a hand with Vista security

Symantec is thinking up ways to take the pain out of a security feature in Windows Vista.

The Cupertino, Calif., company has plans to create a technology that makes security decisions for Vista owners dealing with User Account Control. This feature in the operating system asks for permission to lift security barriers to the inner workings of a PC whenever software tries to access these. But it makes too many requests to be effective, according to Symantec.

Continue reading at

- Collapse -
Slow patching heightening security threats

IT security professionals are still struggling to keep systems patched in a timely fashion, according to a new survey.

A study by RedSeal Systems, found 63 per cent of respondents acknowledge they need at least one day, and in some cases up to one month, to implement a new patch and this is leaving systems vulnerable to attack.

Furthermore, 34 per cent of respondents said they do not use any type of proactive "vulnerability scanning", giving them no insight into the vulnerabilities on their networks.

An equal amount of respondents said that when the need for a patch is identified it takes between one day and one week to implement it, while 29 per cent of respondents need between a week and a month.

More at

- Collapse -
Microsoft To Offer Software-As-A-Service CRM This Summer

Hosted CRM already is available through Microsoft business partners, but the company plans to directly sell an offering it's calling Microsoft Dynamics CRM Live.

By Mary Hayes Weier

Jan 10, 2007 09:00 AM

Microsoft will offer its customer-relationship management product via a software-as-a-service (SaaS) model, but interested customers will have to wait until summer. The company will announce today it's starting to preview its next-generation CRM product to business partners, and expects to have it available for purchase in the third quarter.

Microsoft has been talking about Titan, which represents its first big push into SaaS, for about a year. Hosted CRM already is available through Microsoft business partners, but the company plans to directly sell an offering it's calling Microsoft Dynamics CRM Live that's based on Titan (also called Microsoft Dynamics CRM 3.0), it's next-generation product. Titan was built on what Microsoft calls a multi-tenant architecture, and is designed to work for both SaaS and on-premises deployments.

Read more:

- Collapse -
Malware: Windows is only part of the problem

On coding secure and resilient applications
By Dan Clarke

Published Wednesday 10th January 2007 15:36 GMT
We?ve all been hearing a lot about secure applications recently, or more accurately about insecure applications; specifically those that are exploited in identity theft raids or that we can be ?tricked? into running on our PCs.

Insecure applications are such a problem that Microsoft has spent the last five years and many millions of dollars re-engineering its operating system and much of its other software in order to improve the situation [and can one ever really overcome the temptation to bolt-on security to a fundamentally insecure design, in pursuit of ?backwards compatibility?, in such circumstances ? Ed].

Other software providers are doing the same thing and there has been an explosion of anti-virus and spyware removal vendors in the industry. It?s not that software has suddenly become insecure, rather with the internet there is now a viable means for criminals to exploit these insecurities to create ill-gotten gains.

Read more:

- Collapse -
Further Information on the Pocket PC MMS Exploit

Wednesday, January 10, 2007

We have done further study on the MMS exploit discovered by Collin Mulliner.

The exploit affects most Pocket PC phone edition and Windows Mobile devices that use versions of ArcSoft MMS composer predating August 2006.

Fortunately, most vendors are providing updates that patch the vulnerability, but unfortunately they don't necessarily mention this in their updates. If you are unsure whether your phone vendor is providing the update, we recommend checking the vendors support page and contacting them if they don't have information available.

We have tried the exploit with several devices, and unless the shellcode is crafted for that particular device and MMS application happens to be in correct memory slot, the only result is a crash of the MMS application.

Read more:

- Collapse -
Broken botnet cuts global spam by a third

But junk mail will still reach breaking point this year

Robert Jaques, 10 Jan 2007

New email monitoring data has revealed a "sudden" 30 per cent reduction in global spam volumes over the past week.

Security firm SoftScan believes that the drop is most likely to be the result of a major botnet temporarily losing control of its clients.

Another theory is that the reduction in spam might be attributed to the recent earthquake in Asia, preventing spamming activity from this region. However, this is considered to be less likely as the drop in spam distribution was not instant.

Read more:

- Collapse -
Adobe Patches Acrobat And Reader XSS Bug, 3 Other Flaws

The four fixed flaws include a cross-site scripting bug and three others that were patched with new versions of Acrobat and Reader.

By Gregg Keizer

Jan 10, 2007 01:43 PM

A week after acknowledging a serious flaw in older versions of its popular Acrobat and Reader software, Adobe patched multiple bugs to stop attackers from piggybacking malicious code on trusted PDF files and grabbing control of computers.

The four fixed flaws include a cross-site scripting (XSS) bug that one researcher last week said had the potential to be the "number one worst vulnerability of 2007." Three others, all which were rated as "critical" by Adobe, were also patched with new versions of Acrobat and Reader. According to Adobe, two of the three would let criminals take complete control of a victimized computer running Windows, Mac OS X, or Linux by getting its user to open a malformed PDF; the third could crash the applications in a denial-of-service attack.

Read more:

- Collapse -
Month of Apple Bugs project uncovers vulnerability in flaw-f

Month of Apple Bugs project uncovers vulnerability in flaw-fixing tool

Fiona Raisbeck Jan 10 2007 17:16
A vulnerability has been discovered in a tool used to patch bugs found in Apple software.

The flaw was disclosed earlier this week as part of the Month of Apple Bugs (MoAB) project. The two men behind the project, Kevin Finisterre and a former hacker known as LMH, aim to publicize bugs in Apple's OS X operating system throughout January and produce working code for any loopholes they find.

The latest vulnerability is in Application Enhancer (APE), used to apply run-time patches for published Apple flaws.

The bug allows local users to obtain root privileges - and possibly compromise a computer - by patching or replacing the APE binary code.

Read more:

- Collapse -
VeriSign Offers Hackers $8,000 Bounty on Vista, IE 7 Flaws

VeriSign's iDefense Labs has placed an $8,000 bounty on remote code execution holes in Windows Vista and Internet Explorer 7.

The Reston, Va., security intelligence outfit threw out the monetary reward to hackers as part of a challenge program aimed at luring researchers to its controversial pay-for-flaw VCP (Vulnerability Contributor Program).

The launch of the latest hacking challenge comes less than a month after researchers at Trend Micro discovered Vista flaws being hawked on underground sites at $50,000 a pop and illustrates the growth of the market for information on software vulnerabilities.,1759,2082014,00.asp?kc=EWRSS03129TX1K0000614

- Collapse -
RSA Catches Financial Phishing Kit

RSA, The Security Division of EMC, announced Jan. 10 that it has identified a new phishing kit that was being sold and used online by hackers to target users' personal information in real time.

The phishing kit, known as a Universal Man-in-the-Middle Phishing Kit, is meant to help online hackers create attacks involving financial organizations by enabling the hacker to create a fake URL through a user-friendly online interface. The fraudulent URL communicates with the legitimate Web site of the targeted organization in real time.

The target receives a standard phishing e-mail, and if the target clicks on the link, he or she is sent to the fake URL. The target thinks that he or she is working with content from the legitimate Web site, but in fact, the fake URL allows hackers to access the targets' personal information, RSA said.,1759,2082039,00.asp?kc=EWRSS03129TX1K0000614

CNET Forums

Forum Info