Microsoft posts work-around for IE flaw - News - ZDNet:
"Microsoft released on Friday a work-around for an Internet Explorer vulnerability that has left Windows users open to attacks for almost nine months.
The flaw, in an ActiveX scripting component, gained notoriety last month when it became the mechanism used by a network of compromised Web sites to install a malicious program on victims' computers. Microsoft has decided to plug the hole by turning off the ability for the ActiveX component to write to the operating system. The software giant published the work-around on its Web site and directed customers to use its Windows update service to download the patch. "
Though Microsoft intends the change to become a standard configuration for Windows, the software giant is working on a more comprehensive solution, said Stephen Toulouse, security program manager for Microsoft's security response center.
The change fixes a problem that allowed several compromised Web sites to infect visitors' PCs with a Trojan horse program, known as Download.Ject or JS.Scob.Trojan. The program would record the keystrokes and send them to an overseas e-mail address. That Internet Explorer security issue and several others lead some security experts to suggest that users should consider alternative browsers.
Microsoft's configuration change blocks the ability of the ADODB.screen ActiveX component to write to the PC's hard drive. ActiveX, which adds interactivity to Web sites viewed with Internet Explorer, has long been thought to have security issues.
This particular vulnerability has been known about for more than 9 months…
http://www.microsoft.com/security/incident/download_ject.mspx
http://zdnet.com.com/2100-1105_2-5256297.html
Saturday, July 03, 2004
Thursday, July 01, 2004
Web Searching Tips
Web Searching Tips:
"This section of Search Engine Watch provides tips on using search engines better, along with some fun facts such as what people search for on search engines. "
http://www.searchenginewatch.com/facts/index.php
"This section of Search Engine Watch provides tips on using search engines better, along with some fun facts such as what people search for on search engines. "
http://www.searchenginewatch.com/facts/index.php
Pop-up program reads keystrokes, steals passwords - News - ZDNet
Pop-up program reads keystrokes, steals passwords - News - ZDNet:
"A malicious program that installs itself through a pop-up can read keystrokes and steal passwords when victims visit any of nearly 50 targeted banking sites, security researchers warned on Tuesday.
The targeted sites include major financial institutions, such as Citibank, Barclays Bank and Deutsche Bank, researcher Marcus Sachs said Tuesday.
'If (the program) recognizes that you are on one of those sites, it does keystroke logging,' said Sachs, director of the Internet Storm Center, a site that monitors network threats. Even though all financial sites use encryption built into the browser to protect log-in data, the Trojan horse program can capture the information before it gets encrypted by the browser software. 'The browser does not encrypt data between your keyboard and computer. It's encrypting it (when it goes) out onto the Web.' "
Sachs said the Trojan horse was first discovered on the computer of "an employee at a major dot-com." The victim apparently picked up the program from a malicious pop-up ad that used a flaw in Internet Explorer's helper server to install itself on the user's PC. In this case, because of the computer's security settings, the installation failed. Microsoft said IE users should raise the security settings to high until the company issues a patch.
Two other IE flaws, which Microsoft has yet to fix, were used recently in two other hacking schemes, one last week that turned some Web sites into points of digital infection, and another, earlier in the month, that installed a toolbar on victims' computers that triggered pop-ups. This most recent Trojan horse differs from the attack software used in last week's Web site compromises but could be paired with that technique to spread spyware.
Researchers at the Internet Storm Center studied the Trojan horse file, called "img1big.gif," which was provided by the dot-com. Working through the weekend, the security experts reverse-engineered the program and discovered that it targeted a long list of banks and attempted to steal the account information of those institutions' customers.
The program points to a recent trend in computer viruses and remote-access Trojan horse, or RAT, programs: Attackers are increasingly after money.…
http://zdnet.com.com/2100-1105_2-5251981.html
"A malicious program that installs itself through a pop-up can read keystrokes and steal passwords when victims visit any of nearly 50 targeted banking sites, security researchers warned on Tuesday.
The targeted sites include major financial institutions, such as Citibank, Barclays Bank and Deutsche Bank, researcher Marcus Sachs said Tuesday.
'If (the program) recognizes that you are on one of those sites, it does keystroke logging,' said Sachs, director of the Internet Storm Center, a site that monitors network threats. Even though all financial sites use encryption built into the browser to protect log-in data, the Trojan horse program can capture the information before it gets encrypted by the browser software. 'The browser does not encrypt data between your keyboard and computer. It's encrypting it (when it goes) out onto the Web.' "
Sachs said the Trojan horse was first discovered on the computer of "an employee at a major dot-com." The victim apparently picked up the program from a malicious pop-up ad that used a flaw in Internet Explorer's helper server to install itself on the user's PC. In this case, because of the computer's security settings, the installation failed. Microsoft said IE users should raise the security settings to high until the company issues a patch.
Two other IE flaws, which Microsoft has yet to fix, were used recently in two other hacking schemes, one last week that turned some Web sites into points of digital infection, and another, earlier in the month, that installed a toolbar on victims' computers that triggered pop-ups. This most recent Trojan horse differs from the attack software used in last week's Web site compromises but could be paired with that technique to spread spyware.
Researchers at the Internet Storm Center studied the Trojan horse file, called "img1big.gif," which was provided by the dot-com. Working through the weekend, the security experts reverse-engineered the program and discovered that it targeted a long list of banks and attempted to steal the account information of those institutions' customers.
The program points to a recent trend in computer viruses and remote-access Trojan horse, or RAT, programs: Attackers are increasingly after money.…
http://zdnet.com.com/2100-1105_2-5251981.html
Java Technology Fundamentals Newsletter
Java Technology Fundamentals Newsletter:
"Java Developer Connection Java Technology Fundamentals Newsletter.
This monthly newsletter provides a way for you to learn the basics of the Java programming language, discover new resources, and keep up-to-date on the latest additions to Sun Developer Network's New to Java Programming Center.…"
http://java.sun.com/developer/onlineTraining/new2java/supplements/2004/june04.html
"Java Developer Connection Java Technology Fundamentals Newsletter.
This monthly newsletter provides a way for you to learn the basics of the Java programming language, discover new resources, and keep up-to-date on the latest additions to Sun Developer Network's New to Java Programming Center.…"
http://java.sun.com/developer/onlineTraining/new2java/supplements/2004/june04.html
The Java 2 Platform, Standard Edition version 1.5: new language features
J2SE 1.5 (Tiger):
"The Java 2 Platform, Standard Edition version 1.5 (J2SE 1.5) has introduced several enhancements as well as new language features that ease the development of Java applications. This major release is focused along certain key themes, such as quality, monitoring and manageability, performance and scalability, and ease of development. The codename for the J2SE 1.5 release is 'Tiger', and all the new features have been developed under the Java Community Process (JCP)."
http://java.sun.com/developer/technicalArticles/releases/j2se15langfeat/
"The Java 2 Platform, Standard Edition version 1.5 (J2SE 1.5) has introduced several enhancements as well as new language features that ease the development of Java applications. This major release is focused along certain key themes, such as quality, monitoring and manageability, performance and scalability, and ease of development. The codename for the J2SE 1.5 release is 'Tiger', and all the new features have been developed under the Java Community Process (JCP)."
http://java.sun.com/developer/technicalArticles/releases/j2se15langfeat/
Wednesday, June 30, 2004
Download details: Windows Application Compatibility Toolkit 3.0
Download details: Windows Application Compatibility Toolkit 3.0:
"The Windows Application Compatibility Toolkit (ACT) version 3.0 for Windows 2000 Service Pack 3 or later, Windows XP and Windows Server 2003 contains the tools and documentation you need to design, deploy, and support applications on these platforms. Tools include the latest versions of the Microsoft Windows Application Compatibility Analyzer that simplifies application inventory and compatibility testing, the Windows Application Verifier that assists developers and testers in locating common compatibility issues during the development cycle, and the Compatibility Administrator that provides access to the necessary compatibility fixes to support legacy applications in Windows."
http://www.microsoft.com/downloads/details.aspx?FamilyID=7fc46855-b8a4-46cd-a236-3159970fde94&displaylang=en
"The Windows Application Compatibility Toolkit (ACT) version 3.0 for Windows 2000 Service Pack 3 or later, Windows XP and Windows Server 2003 contains the tools and documentation you need to design, deploy, and support applications on these platforms. Tools include the latest versions of the Microsoft Windows Application Compatibility Analyzer that simplifies application inventory and compatibility testing, the Windows Application Verifier that assists developers and testers in locating common compatibility issues during the development cycle, and the Compatibility Administrator that provides access to the necessary compatibility fixes to support legacy applications in Windows."
http://www.microsoft.com/downloads/details.aspx?FamilyID=7fc46855-b8a4-46cd-a236-3159970fde94&displaylang=en
Microsoft Christens Cut-Rate Windows as 'XP Starter Edition'
Microsoft Christens Cut-Rate Windows as 'XP Starter Edition':
"Last summer, in response to the success that Linux was having in the Thai marketplace, Microsoft began offering Thai citizens a Thai-localized bundle of Microsoft Windows XP Home and Office XP Standard. As part of the deal, Microsoft also stripped out some unspecified features from both products and slashed the price for the pair to 1,500 Thai Baht, or about $38 U.S. Microsoft Windows XP Home sells at retail for $225; Office XP Standard retails for $499.
This past spring, Microsoft officials said they would decide whether to continue offering the combination based on customer feedback.
It's not clear if Microsoft also will use the "Windows XP Starter Edition" name in other countries. In March, Microsoft began offering a similar cut-rate Windows XP and Microsoft Works bundle customized for the Malaysian market as part of the Malaysian government's PC Gemilang Project.…"
http://www.microsoft-watch.com/article2/0,1995,1616618,00.asp
"Last summer, in response to the success that Linux was having in the Thai marketplace, Microsoft began offering Thai citizens a Thai-localized bundle of Microsoft Windows XP Home and Office XP Standard. As part of the deal, Microsoft also stripped out some unspecified features from both products and slashed the price for the pair to 1,500 Thai Baht, or about $38 U.S. Microsoft Windows XP Home sells at retail for $225; Office XP Standard retails for $499.
This past spring, Microsoft officials said they would decide whether to continue offering the combination based on customer feedback.
It's not clear if Microsoft also will use the "Windows XP Starter Edition" name in other countries. In March, Microsoft began offering a similar cut-rate Windows XP and Microsoft Works bundle customized for the Malaysian market as part of the Malaysian government's PC Gemilang Project.…"
http://www.microsoft-watch.com/article2/0,1995,1616618,00.asp
Monday, June 28, 2004
Wi-Fi security standard sealed and delivered - News - ZDNet
Wi-Fi security standard sealed and delivered - News - ZDNet:
"The 802.11i standard should give wireless networking a boost in the eyes of businesses. Previous security measures, such as Wired Equivalent Privacy, were easily broken by hackers, leaving many security-conscious IT managers wary about wireless networking. The 802.11i standard encrypts data sent along wireless networks to protect it from anyone who may intercept it.
The most significant feature of the 802.11i standard is Advanced Encryption Standard (AES), a strong encryption standard supporting 128-bit, 192-bit and 256-bit keys, said Robin Ritch, Intel's director of security industry marketing.
Ritch added that Intel's Centrino bundle of chips will begin to incorporate the 802.11i standard following interoperability certification by the Wi-Fi Alliance, expected in September. All Centrino products will be 802.11i-compliant by the end of the year, and the upgrades will be in software. "
http://zdnet.com.com/2100-1103_2-5248275.html
"The 802.11i standard should give wireless networking a boost in the eyes of businesses. Previous security measures, such as Wired Equivalent Privacy, were easily broken by hackers, leaving many security-conscious IT managers wary about wireless networking. The 802.11i standard encrypts data sent along wireless networks to protect it from anyone who may intercept it.
The most significant feature of the 802.11i standard is Advanced Encryption Standard (AES), a strong encryption standard supporting 128-bit, 192-bit and 256-bit keys, said Robin Ritch, Intel's director of security industry marketing.
Ritch added that Intel's Centrino bundle of chips will begin to incorporate the 802.11i standard following interoperability certification by the Wi-Fi Alliance, expected in September. All Centrino products will be 802.11i-compliant by the end of the year, and the upgrades will be in software. "
http://zdnet.com.com/2100-1103_2-5248275.html
ZDNet AnchorDesk: Why AOL users are saying, "I've got spam!"
ZDNet AnchorDesk: Why AOL users are saying, "I've got spam!":
"The good news is that AOL apparently segregates its data across different servers. The data that Smathers allegedly stole did not include individual passwords or credit card numbers, for instance. According to the Wall Street Journal (registration required), Smathers may have obtained the lists by searching letter by letter across nearly 30 different servers.
However, as of this writing, AOL has not offered a site where AOL members can see if their e-mail address, telephone number, and zip code was sold, nor has the ISP offered any further assistance to those affected beyond a simple apology. That's unfortunate, since the stolen lists contain enough information for direct marketers to add customers to e-mail and telemarketing lists. Affected AOL members can expect to hear their phones ringing more and see their in-boxes a little fuller in the near future. "
In addition to rogue employees, companies are also under attack from virus-infected laptops connecting inside their networks and Trojan horses installed on individual workstations that give outsiders inside access. Using that yardstick, last summer's MSBlast worm also qualifies as an inside attack. By installing personal firewalls and antivirus software on each workstation and laptop (even home computers that connect to the corporate network via VPN), companies can eliminate these dangers. Still, even these measures won't stop a determined cracker who gains employment in a company as a janitor or a temp to snoop around for vulnerable points of access.…
http://reviews-zdnet.com.com/AnchorDesk/4520-7297_16-5141384.html?tag=adss
"The good news is that AOL apparently segregates its data across different servers. The data that Smathers allegedly stole did not include individual passwords or credit card numbers, for instance. According to the Wall Street Journal (registration required), Smathers may have obtained the lists by searching letter by letter across nearly 30 different servers.
However, as of this writing, AOL has not offered a site where AOL members can see if their e-mail address, telephone number, and zip code was sold, nor has the ISP offered any further assistance to those affected beyond a simple apology. That's unfortunate, since the stolen lists contain enough information for direct marketers to add customers to e-mail and telemarketing lists. Affected AOL members can expect to hear their phones ringing more and see their in-boxes a little fuller in the near future. "
In addition to rogue employees, companies are also under attack from virus-infected laptops connecting inside their networks and Trojan horses installed on individual workstations that give outsiders inside access. Using that yardstick, last summer's MSBlast worm also qualifies as an inside attack. By installing personal firewalls and antivirus software on each workstation and laptop (even home computers that connect to the corporate network via VPN), companies can eliminate these dangers. Still, even these measures won't stop a determined cracker who gains employment in a company as a janitor or a temp to snoop around for vulnerable points of access.…
http://reviews-zdnet.com.com/AnchorDesk/4520-7297_16-5141384.html?tag=adss
Subscribe to:
Posts (Atom)
Posts
