“Full exploit code” has been published that would let attackers cut-and-paste their way to an effective assault on Internet Explorer installs, according to a report Monday from Websense Security Labs.
Microsoft reported Feb. 13 that the flaw – known since February to affect the ADODB.Connection ActiveX control in the Microsoft Data Access Components — would allow attackers to hijack targeted machines.
Security services providers and IT administrators who have not yet updated their IE installations can download the patch from Microsoft.
The flaw was discovered last July by Metasploit Framework creator H.D. Moore. Separatelym Moore announced Tuesday that version 3.0 of his popular penetration testing tool is now available.
The original version of this story appeared on TechTarget sister site SearchSecurity.com.
Protecting customers from malware can be like juggling grenades — hectic enough while things are going well, but positively frantic (for a little while) when they’re not. Whatever their positive characteristics, customers tend to get angry at VARs who did (or didn’t do) something that lets a worm, virus or Trojan into their system.
On the theory that a little help is welcome and a lot doesn’t hurt, either , check out SearchSecurityChannel.com‘s new AV resources, including the Antivirus Project Guide, then stay up-to-date on antivirus news, strategies and tips aimed at the channel on SearchSecurityChannel.com‘s Viruses, Worms, and other Malware topic center.
For the next level of support, try antivirus software vendors and information sites that offer instructor-led and online courses and training to give you and your support engineers some of the AV skills they need, not to mention help explaining to customers what the threats are and what you can do to protect them :
- Panda Software Companies’ Basic Virus Course (online, free with registration)
- Symantec Antivirus Corporate Edition Training (onsite, in metro areas, online, cost varies)
- Introduction to Computer Viruses on About.com (online tutorial, free)
- CA’s eTrust Antivirus SPT Training Course (8 hours, load on computer, $800)
- Network Associates Antivirus Software Solutions by CBT Direct (online, price available upon request)
Napoleon Bonaparte — who knew something about how to overcome a persistent threat — said “victory belongs to the most persevering.” The perseverance is up to you, but we can help with the information on tools and techniques you can use to keep up. Let us know how it’s going, and what kind of information you need — from vendors, customers or each other — and we’ll enlist all three in the initiative. Until then, keep juggling.
Blog: Exploit code is out for a critical Internet Explorer vulnerability that Microsoft reported in its MS07-009 bulletin. [eWEEK]
A new tool called Jikto can turn any PC or device with a browser into a site attacker. [eWEEK]
IT pros eye Windows Server 2003 SP2 with caution Despite its security and stability enhancements, IT pros say they are in no rush to deploy Windows Server 2003 SP2, which arrived with little warning two weeks ago. [SearchSecurity.com]
20 million copies of Vista reported sold Analysts questioned the figure and said it shed little light on the program’s popularity during its first month on the market. [NYT]
Linux kernel to add VMI The next stable update to the Linux kernel, Version 2.6.21, is slated to include a new feature submitted by VMware called Virtual Machine Interface. [eWEEK]
Next version of GPL to cover Novell-Microsoft deal The non-profit group that owns rights to much of the Linux operating system says it will seek to undermine a controversial deal between Microsoft Corp. and Novell Inc. through a new software licensing agreement to be unveiled on Wednesday. [Reuters]
Although Oracle’s lawsuit against SAP is directed against the German-based software giant, SAP’s channel partners could also be held culpable for any role they may have had for using software and documentation that turns out to have been illegally obtained, according to one lawyer specializing in intellectual property law.
Systems integrators (SIs) and consulting firms that provide support for Oracle products should prepare for any potential legal action by documenting what they did and didn’t know about the origins of materials given to them by SAP, according to Tucker Griffith, partner at McCormick, Paulding & Huber LLP.
Those partners are at risk if Oracle is “going on a theory that this was stolen material — and I’m pretty sure they are going on that theory — and if they’re going on the theory that some of the stuff was trade-secret protected,” Griffith said. “If you [the VAR] had reason to suspect it was stolen, or suspect it came from illegal means and illegal sources, then you might have some culpability.”
It would also be prudent for partners whose contracts with SAP do not include an indemnity clause to negotiate with the company to get one, he said. Indemnity clauses, in which one company insures another against lawsuits, can be written with generic language or be specific enough to, for example, specify whether the party offering indemnity will also cover court fees, he said.
Those partners who find themselves needing to negotiate for indemnity may have some leverage, though. Partners can point to the bad press the suit may generate for SAP and hint that they would consider migrating to other vendors if SAP does not earn their loyalty, Griffith said.
The lawsuit against SAP alleges that TomorrowNow, a provider of third-party Oracle support that SAP acquired in 2005, used Oracle customers’ login information to access Oracle’s support site. There, according to the 44-page complaint Oracle filed last week, TomorrowNow downloaded thousands of materials — software and documentation — which it then used to undercut Oracle’s own support.
But players at TomorrowNow, and SAP may have not thought they were doing anything wrong, Griffith said. They did not appear to try to cover up their tracks — the logins were traced back to computers in Bryan, Tex. where TomorrowNow is located — and Oracle did not take steps to prevent bulk downloads like those it accuses TomorrowNow of making.
“The defense would be well: we thought there was nothing wrong, because if we thought there was something wrong about it, we would have made it less obvious, less blatant,” Griffith said.
Oracle and SAP have continued to remain mostly silent about the suit, although SAP did issue a press release Friday saying that it will “aggressively defend against the claims made by Oracle.”
Vonage told to stop using Verizon technology A judge ordered the Internet-based telephone service to stop using technologies patented by Verizon Communications. [NYT]
SMBs face big challenges in meeting regulatory requirements Managed services and better policies can help SMBs deal with costs associated with archiving and protecting data in the name of compliance. [eWEEK]
Wireless industry gears up for WiMax Where does 3G wireless go from here? Many equipment makers and carriers are looking to the packet-based technology known as WiMax. [CNET]
Windows weakness can lead to network traffic hijacks Problem in the way Windows PCs obtain network settings could let attackers hijack traffic, researchers warn. [CNET]
The news that Oracle sued SAP shocked the IT industry yesterday, and the dust hasn’t begun to settle yet. In addition to SAP and its wholly-owned subsidiary TomorrowNow, Oracle named 50 “Doe” defendants who are still unknown but may include channel partners such as systems integrators and resellers.
TomorrowNow provides third-party support for Oracle products, especially its PeopleSoft and JD Edwards lines of applications, at half the cost Oracle charges. It also works with several consultancies and systems integrators to provide support on their behalf. About a dozen or so of these are smaller, regional-level firms, said Bob Geib, vice president of sales at TomorrowNow, in an interview with SearchITChannel.com earlier this month.
Because many of those firms fear retaliation from Oracle for providing support through TomorrowNow, Geib said, “many, many of our efforts with partners are what I would call under-the-radar opportunities.”
It is unclear whether any of those partners may be dragged into the suit. But one clause in Oracle’s filing reads:
“Oracle is currently unaware of the true names and capacities of Does 1 through 50, inclusive, whether individual, partnership, corporation, unincorporated association, or otherwise, and therefore sues these defendants by such fictitious names. Oracle will amend this Complaint to allege their true names and capacities when ascertained.”
According to the suit, TomorrowNow’s “cut rate support” was made possible, at least in part, from thousands of illegal downloads of software, patches, documentation and other information made by TomorrowNow using logins provided by Oracle customers whose service agreements were about to expire.
The nature of those service agreements does not allow Oracle’s customers to share those downloads with third parties, and many customers downloaded information they themselves were not authorized to access, Oracle chrged.
TomorrowNow was founded by former PeopleSoft employees and was acquired by SAP in January 2005, at about the same time Oracle announced it would acquire PeopleSoft. Oracle claims in the suit that the timing is not coincidental, but does not provide further evidence.
Oracle and SAP both declined to comment further on the lawsuit as of Friday evening.
Oracle sues SAP for ‘stealing software’ Oracle has filed a lawsuit against SAP, charging the German software giant with “corporate theft on a grand scale.” [SearchSAP.com]
SOA: SAP to offer standardized processes SAP has announced that it will offer standardized processes to help companies in designing business processes and implementing SOA plans.[SearchSAP.com]
Cisco slugs FTC-addled McData Cisco Systems appears to have made the most out of FTC scrutiny surrounding the union between Brocade and McData. Cisco’s share of the switch and HBA market rose 2.2%, while McData’s dropped 2.6 %.
802.11n will require upgrades 802.11n, the new Wi-Fi standard on the cusp of being ratified by the IEEE, offers greater throughput and better range than other standards but may require companies to upgrade their wireless network infrastructure.[SearchNetworking.com]
A federal appeals court (8th Circuit) has upheld the FCC’s 2004 conclusion that VoIP providers (like Vonage) provide an interstate service that frees them from state control.
This ruling confirms the FCC‘s jurisdiction over VoIP, acting as regulators over the digital communication technology in similar fashion to their authority over regular telecommunications.
Despite this case dealing mostly with the more consumer market-focused Vonage, it has overtones that will affect the channel and the businesses that look to networking consultants and VARs to provide solutions for their communications needs. In short, it’s much easier to trust and invest in a technology that has an established federal commission overseeing it.
As a result, businesses can be expected to view VoIP communications as an even more viable alternative to traditional circuit-switched telephones. For networking channel professionals looking for help and ideas for selling these systems, as well as suggestions for the actual set-up, SearchNetworkingChannel.com recently launched a VoIP Project Guide that answers many questions and offers helpful insight.
Thoughts on this ruling? Ideas on VoIP? Drop me a line!
Cisco’s Charlie Giancarlo is a pretty smart guy (he’s chief development officer, so that’s more of a job requirement than a compliment), but I’m not sure he has as tight a hold on differing forms of information as he does on different kinds of data.
In a blog yesterday, he seemed to recommend that reporters spend as much time talking online about their stories as they do researching and writing:
Some publications are even requesting (aka requiring) their reporters to blog as a part of their job. I would argue that tracking your stories in the blogosphere and participating as the bylined reporter in the conversation is more important than authoring your own blog as a reporter, but far be it from me to suggest what a major media outlet should have their employees doing…or not doing.
It’s not a bad point. News outlets typically stink at two-way conversations with readers, not least because journalists are often as thin-skinned about criticism from readers as the people they cover are about criticism from the media.
But what’s the benefit to readers of having a reporter write a story, then spend a ton of time blogging back and forth about how it should be interpreted, the research behind it, and the value of the sources or comments in it?