This is an advance notification of one out-of-band security bulletin that Microsoft is intending to release on January 21, 2010. The bulletin will be for Internet Explorer to address limited attacks against customers of Internet Explorer 6, as well as fixes for vulnerabilities rated Critical that are not currently under active attack.

This bulletin advance notification will be replaced with the January bulletin summary on January 21, 2010. For more information about the bulletin advance notification service, see Microsoft Security Bulletin Advance Notification.

To receive automatic notifications whenever Microsoft Security Bulletins are issued, subscribe to Microsoft Technical Security Notifications.

Microsoft will host a webcast to address customer questions on the out-of-band bulletin on January 21, 2010, at 1:00 PM Pacific Time (US & Canada). Register now for the January 21, 1:00 PM Webcast. Afterwards, the Webcast is available on-demand. For more information, see Microsoft Security Bulletin Summaries and Webcast.

Microsoft also provides information to help customers prioritize monthly security updates with any non-security, high-priority updates that are being released on the same day as the monthly security updates. Please see the section, Other Information.

Source

The Honker Union, China’s most famous group of Hong Ke, shows the grey area between patriotic hackers and the state. The group has denied involvement in the Google attack.

“The Honker Union … has no interest in getting involved in politics. We work only for the security of Chinese websites,” one of its core members, Lyon, said in a telephone interview. Lyon, his hacker handle, is the head of a department in a major state-owned telecommunications firm and declined to disclose his real name.

Founded in 2001, it was involved in cyber-warfare with U.S. hackers over the Hainan spy plane incident in 2001 and last week attacked Iranian websites in retaliation for the Iranian Cyber Army’s temporary takeover of Chinese search engine Baidu.

“It is pretty clear that many Chinese hackers are motivated by patriotism,” said Trevor T, the pseudonym of an American who helps run Dark Visitor, a U.S.-based blog about Chinese hackers.

“China may not be where the U.S. is militarily, but it clearly has invested a lot of brainpower in developing capabilities that can offset the U.S. advantage in force-on-force conflict,” he said.

Google announced last week that a “sophisticated” attack coming from China resulted in the theft of its intellectual property. It cited the hacking episode, as well as censorship, as reasons it may leave China.

Google did not specify how it knew the attacks came from China, or why it and an estimated 34 other companies were targeted. Cyber experts say source codes may have been the prize.

SO YOU WANT TO BE A HACKER?

The popularity of hacking in China, and hackers’ use of multiple addresses and servers, in Taiwan and elsewhere, makes it hard to prove how or by whom they are coordinated. Would-be hackers in China don’t have to look far to figure out how to do it, thanks to a healthy hacking industry.

For $150, a keen student can buy all the modules online, from programing Trojans to evading anti-virus programs. Tutors are available via instant-messaging and interactive tutorials.

The market for malware in China includes a software known as Grey Pigeon, originally designed to remotely control users’ own computers, that turned out to be an ideal tool for hacking.

Grey Pigeon’s homepage says it was discontinued in 2007, because of rampant misuse for illegal activities, but the 2010 version of Grey Pigeon is easily found for sale online in China.

That market helps hackers quickly exploit any opening.

“Malware groups out of China have been very quick to adopt zero-day exploits,” software flaws for which there is no patch, said Nart Villeneuve, chief research officer at SecDev.cyber.

“They may be operating independently but there may be some sort of market for selling the information that they get.”

Some Chinese hackers train at schools like the Communication Command Academy in Wuhan to get sensitive information, cyber expert James Mulvenon told a congressional commission in 2008.

China now may have up to 50,000 military hackers trained or in training, he said. This could not be independently confirmed.

“Who is most likely to become the leading protagonist … of the next war? The first challenger who has appeared and is the most well known is the computer ‘hacker’,” two People’s Liberation Army (PLA) colonels, Qiao Liang and Wang Xiangsui, wrote in a 1999 book, “Unrestricted Warfare.”

Developing countries can beat more developed countries with war tactics that transcend boundaries, they argued.

“We urgently need to expand our field of vision regarding forces which can be mobilized, in particular non-military forces,” they wrote.

One of the best documented, and coordinated, hacking attacks out of China was reported last year. It took place against exiled Tibetans, an attack that seemed motivated by politics, not profit.

“It’s the political connection that many use to provide the link to the Chinese government,” Villeneuve said.

Similar attacks have targeted foreign reporters in China, and individuals and groups pushing for greater human rights.

(Additional reporting by Benjamin Kang Lim; Editing by Bill Tarrant.)

Source

Technology

The patch, due out on Thursday, “addresses the vulnerability related to recent attacks against Google and a small subset of corporations,” said Jerry Bryant, senior security program manager at Microsoft. “Once applied, customers are protected against the known attacks that have been widely publicized.”

Google said last week it had been the target of sophisticated cyber-attacks in China, along with more than 20 other companies. Microsoft acknowledged that the hackers took advantage of a weakness in Internet Explorer 6 to mount the attacks.

Microsoft said it continues to see some attacks, with the only successful attacks against Internet Explorer 6. The most recent version of the software is Internet Explorer 8.

(Reporting by Bill Rigby, editing by Leslie Gevirtz)

Source

(AFP) – 1 day ago

BEIJING — Google is checking whether any of its China staff helped hackers lead a major cyberattack against the US Internet giant, which is now mulling whether to leave the country, a report said Tuesday. 

The Wall Street Journal, citing unidentified sources, said the internal network access of some of Google’s 700-odd employees in China had been cut off for the duration of the internal investigation. 

It was not immediately clear if Google had found evidence to link any of its China-based staff to either the theft of its intellectual property or alleged attempts to access Gmail accounts of Chinese dissidents. 

Google said Monday it was “business as usual” in China and its employees were at work, after local media reports that some staff had seen their access to Google’s global network cut off and could no longer work. 

The company last week announced it was considering abandoning its Chinese search engine, and could shut its China offices, over theft of its intellectual property by hackers, believed to have been based in China. 

Google says it is no longer willing to bow to Chinese Internet censors by filtering search results on google.cn, but is still seeking talks with Beijing on a solution. 

The United States has asked for an explanation from Beijing over the Google dispute. China says the row will not affect Sino-US ties, but has also insisted that Google and other foreign Internet firms must obey its laws. 

The Foreign Correspondents’ Club of China said Monday that expatriate journalists in a “few” bureaus in Beijing had discovered that their Gmail accounts had been hacked, with messages forwarded to a stranger’s account.

Source

The vulnerability could be used in malware attacks to take complete control of a Windows machine running IE 6 or IE 7, according to an advisory issued over the weekend.

Here’s the gist of the problem:

A vulnerability has been identified in Microsoft Internet Explorer, which could be exploited by attackers to compromise a vulnerable system. This issue is caused by a dangling pointer in the Microsoft HTML Viewer (mshtml.dll) when retrieving certain CSS/STYLE objects via the “getElementsByTagName()” method, which could allow attackers to crash an affected browser or execute arbitrary code by tricking a user into visiting a malicious web page.

The vulnerability was confirmed on fully patched Windows XP SP3 systems with Internet Explorer 6 and 6.

For IE users unable (or unwilling) to upgrade to IE 8, you can disable Active Scripting in the Internet and Local intranet security zones.

Security researchers at Symantec have tested the published exploit and warned that a fully-functional reliable exploit will be available in the near future.

When this happens, attackers will have the ability to insert the exploit into Web sites, infecting potential visitors. For an attacker to launch a successful attack, they must lure victims to their malicious Web page or a Web site they have compromised. In both cases, the attack requires JavaScript to exploit Internet Explorer.

Microsoft has not yet issued an advisory with mitigation guidance.

Posted by Mary Jo Foley @ 11:20 am

Categories: Corporate strategy, Development tools, Internet Explorer, PDC 2009, Silverlight (wpf/e), Windows client

Tags: Microsoft Silverlight, Microsoft Internet Explorer, Microsoft Corp., Web Browsers, Internet, Mary Jo Foley

Microsoft shared some information about what’s coming in Internet Explorer 9 and Silverlight 4 during its November 18 Professional Developers Conference (PDC) keynotes.

If you want to see a real example of the difference in disclosure policies between Microsoft’s Windows unit and its Developer Division, the level of information provided by execs with each division today made that quite clear.

As expected, Microsoft Windows President Steven Sinofsky shared a few tidbits about Internet Explorer (IE) 9. Sinofsky emphasized that Microsoft will continue to play up privacy, user choice and responsible development with the next IE release. But he offered no information on when the team is planning to release a test build or the final version of the browser.

Sinofsky said during the Wednesday morning keynote that the IE team is about three weeks into the IE 9 project. (I’ve been getting tips that there already is a build of the product out there that is being used inside Microsoft, but it’s not available to external testers yet.)

Sinofsky noted that Microsoft is fully aware that it needs to keep pushing on the standards front. He noted that IE 9 is currently passing 32 of 100 Acid3 tests (compared to Firefox at more than 70 and Opera at 100). He also made it clear that Microsoft is aware it needs to continue to do work to improve JavaScript performance with IE.

Sinofsky said IE 9 will support hardware-accelerated rendering and rounded borders, but didn’t say a whole lot more about it. There are a (very) few more specifics about IE 9 on the IE Team blog today.

Scott Guthrie, Microsoft’s Corporate Vice President for .Net, had lots more to say about Silverlight 4, the next version of Microsoft’s browser plug-in that competes with Adobe Flash.

Microsoft is making a public beta of Silverlight 4 available for download today, November 18. A single, near-final Release Candidate will follow and then the final version of Silverlight 4 will be out in the first half of 2010, according to Guthrie.

Guthrie said Silverlight 4 will be a major new release of the plug-in. He said the upcoming version will incorporate nine of the ten most requested features by developers.

Guthrie itemized and demonstrated some of the new features of Silverlight 4 — which include everything from its support for webcam and microphone access, to the ability to run Silverlight inside the Google Chrome browser. Silverlight 4 also will include full support for Visual Studio 2010, native multicast support and improved printing, networking and reporting capabilities, company officials said. Silverlight Program Manager Tim Heuer has a full list of those Silverlight 4 features on his blog.

I’m interested in hearing from anyone who manages to download Silverlight 4 (servers are crawling, I hear) about what you think of the new beta of the product. Feel free to chime in in the talkbacks….

Posted by Larry Dignan @ 6:32 am

Categories: General, Government, Hardware Infrastructure, IT Management, Telecommunications

Tags: FAA, Network, Flight Plan, Federal Aviation Authority, FTI, Networking, Larry Dignan

Updated: The Federal Aviation Authority is looking into a networking problem that threatens to delay flights across the U.S.

FAA spokesman Les Dorr said that there’s a “problem with the telecommunications network that’s affecting automated processing system” for things like flight plans.

“Anything controllers normally have done automatically have to be done manually,” said Dorr. Indeed, the FAA has a ground stop. Atlanta is the hub that appears to be most affected, reports CBS News.

According to the FAA, the problems reside in the FAA Telecommunications Infrastructure, or FTI for short. FTI provides the voice, data, and video communications that support operations and mission support functions at more than 4,000 FAA and Department of Defense (DoD) facilities. Add it up and the network provides for more than 20,000 services such as switching and routing, network monitoring and control.

The FAA is currently investigating the problem. Dorr reiterated that the FAA can track planes with radar and have communication with pilots, but there’s an efficiency issue: You can only keep tabs on so many planes manually.

The manual process for flight plans and other essential is that these documents are emailed or faxed and then entered to the processing system.

The outage started between 5:15 a.m. and 5:30 a.m. and Dorr said it’s impossible to predict the impact on delays Thursday because it’s still early in the day.

You can track the flight delays across the country at the FAA site. Here’s the snapshot as of 9:43 a.m. EST.

Update: The FAA said it fixed the issue at 9 a.m. EST. In a statement, the FAA also shot down theories that a cyberattack was to blame. The statement in full:

At approximately 5:00 am EST a router problem disrupted a number of air traffic management services including flight plan processing. The problem was resolved at approximately 9:00 am EST. Air traffic control radar and communication with aircraft were not affected during this time and critical safety systems remained up and running.

The failure was attributed to a software configuration problem within the FAA Telecommunications Infrastructure (FTI) in Salt Lake City. As a result FAA services used primarily for traffic flow and flight planning were unavailable electronically.

The National Airspace Data Interchange Network (NADIN), which processes flight planning, was affected because it relies on the FTI services. During the outage air traffic controllers managed flight plan data manually and safely according to FAA contingency plans.

There is no indication the outage occurred as a result of a cyber attack.

System wide delays and cancellations will continue to be assessed throughout the day.

A team of FAA technical and safety experts is already investigating the outage. FAA Administrator Randy Babbitt is meeting with representatives from Harris Corporation, the company that manages the FTI, to discuss system corrections to prevent similar outages in the future.

Posted by Sam Diaz @ 2:30 am

Categories: AT&T, General, Legal, Mobile, Verizon

Tags: Advertisement, Verizon Communications Inc., AT&T Corp., Marketing Research, 3G, Marketing, Cellular Phones, Consumer Electronics, Personal Technology, Sam Diaz

AT&T may have lost the legal battle with Verizon Wireless over a marketing campaign that compares the 3G coverage of both carriers. But that doesn’t mean AT&T is going away quietly.

The company is airing a commercial of its own, which features actor Luke Wilson inside what appears to be a warehouse, standing in front of an orange magnet board with a checklist that compares AT&T and Verizon. (Techmeme)

When it comes to the fastest 3G network, AT&T wins, Wilson says. If you want to talk and surf at the same time, AT&T wins. Who has the most popular smartphones? AT&T, of course, home of the iPhone. Who provides access to more than 100,000 apps? You guessed it. Then, in the category, he asks which has a name that starts with the letter V.

I’ll give AT&T credit for making the attempt to even the playing field but – and maybe this is just me – the commercial felt sort of low-budget, like something thrown together in haste. Cheap set. Cheap props. Marketing messages in place of statistics. What is it telling me that’s new? I’ve been hearing that “Nation’s fastest 3G network” for some time now. As far as that “talk and surf” feature, I’m assuming that refers to tethering – mostly because Mr. Wilson doesn’t elaborate – but last time I heard, AT&T still wasn’t offering that for the iPhone.

Why would this commercial lure a potential customer to AT&T or convince an existing customer to stick around? There’s no fine print or footnotes about what sort of data these claims are based upon. No statistics. No independent analysis. There is a disclosure about 3G coverage not being available in all areas and some details about service plans, rebates and such.

There’s also a URL for a new Web site, called TruthAbout3G.com. But the site is nothing more than a place for cutesy marketing messages and some links to AT&T products and services. No statistics or hard data to be found.

It’s fun. But am I supposed to take it serious? From where I sit, Verizon launched a marketing campaign based on factual information (which AT&T didn’t dispute) and AT&T counters with… well, this. (see YouTube clip below.) If I’m a consumer (and I am), then this 30-second clip doesn’t offer the factual information that I need to be an informed customer.

What’s unfortunate is that this doesn’t help the company’s image – not by any stretch. In fact, you may recall that hole that AT&T was digging itself into. It appears the shovel has been handed from the legal department to the marketing department.

And it appears to be getting deeper.

Posted by Sam Diaz @ 2:30 am

Categories: AT&T, General, Legal, Mobile, Verizon

Tags: Advertisement, Verizon Communications Inc., AT&T Corp., Marketing Research, 3G, Marketing, Cellular Phones, Consumer Electronics, Personal Technology, Sam Diaz

AT&T may have lost the legal battle with Verizon Wireless over a marketing campaign that compares the 3G coverage of both carriers. But that doesn’t mean AT&T is going away quietly.

The company is airing a commercial of its own, which features actor Luke Wilson inside what appears to be a warehouse, standing in front of an orange magnet board with a checklist that compares AT&T and Verizon. (Techmeme)

When it comes to the fastest 3G network, AT&T wins, Wilson says. If you want to talk and surf at the same time, AT&T wins. Who has the most popular smartphones? AT&T, of course, home of the iPhone. Who provides access to more than 100,000 apps? You guessed it. Then, in the category, he asks which has a name that starts with the letter V.

I’ll give AT&T credit for making the attempt to even the playing field but – and maybe this is just me – the commercial felt sort of low-budget, like something thrown together in haste. Cheap set. Cheap props. Marketing messages in place of statistics. What is it telling me that’s new? I’ve been hearing that “Nation’s fastest 3G network” for some time now. As far as that “talk and surf” feature, I’m assuming that refers to tethering – mostly because Mr. Wilson doesn’t elaborate – but last time I heard, AT&T still wasn’t offering that for the iPhone.

Why would this commercial lure a potential customer to AT&T or convince an existing customer to stick around? There’s no fine print or footnotes about what sort of data these claims are based upon. No statistics. No independent analysis. There is a disclosure about 3G coverage not being available in all areas and some details about service plans, rebates and such.

There’s also a URL for a new Web site, called TruthAbout3G.com. But the site is nothing more than a place for cutesy marketing messages and some links to AT&T products and services. No statistics or hard data to be found.

It’s fun. But am I supposed to take it serious? From where I sit, Verizon launched a marketing campaign based on factual information (which AT&T didn’t dispute) and AT&T counters with… well, this. (see YouTube clip below.) If I’m a consumer (and I am), then this 30-second clip doesn’t offer the factual information that I need to be an informed customer.

What’s unfortunate is that this doesn’t help the company’s image – not by any stretch. In fact, you may recall that hole that AT&T was digging itself into. It appears the shovel has been handed from the legal department to the marketing department.

And it appears to be getting deeper.