Archive for November, 2009

Exploit published for critical IE 7 zero-day flaw

Exploit code for a critical (remotely exploitable) vulnerability in Microsoft’s Internet Explorer 7 browser has been released on the Internet, prompting a new round of “upgrade now!” warnings from computer security experts.

The vulnerability could be used in malware attacks to take complete control of a Windows machine running IE 6 or IE 7, according to an advisory issued over the weekend.

Here’s the gist of the problem:

A vulnerability has been identified in Microsoft Internet Explorer, which could be exploited by attackers to compromise a vulnerable system. This issue is caused by a dangling pointer in the Microsoft HTML Viewer (mshtml.dll) when retrieving certain CSS/STYLE objects via the “getElementsByTagName()” method, which could allow attackers to crash an affected browser or execute arbitrary code by tricking a user into visiting a malicious web page.

The vulnerability was confirmed on fully patched Windows XP SP3 systems with Internet Explorer 6 and 7.

IE users unable (or unwilling) to upgrade to IE 8 can disable Active Scripting in the Internet and Local intranet security zones.
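One way to apply and verify that workaround on a single machine is through the zone settings that Internet Explorer stores in the registry. The following PowerShell is an added example, not part of the original article or of any vendor guidance quoted in it. It assumes the standard per-user zone layout (zone 1 is Local intranet, zone 3 is Internet, and URL action 1400 is Active Scripting, where 0 means Enable, 1 means Prompt and 3 means Disable); a domain Group Policy that manages zone settings would take precedence over these per-user values.

```powershell
# Added example (not from the article): disable Active Scripting in the
# Internet (zone 3) and Local intranet (zone 1) security zones for the
# current user, then read the setting back so the change can be checked.
# Registry value 1400 is the Active Scripting URL action:
# 0 = Enable, 1 = Prompt, 3 = Disable.
$zonesRoot       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$activeScripting = '1400'
$disabled        = 3

function Set-ActiveScriptingDisabled {
    param([int[]]$ZoneIds = @(1, 3))   # default: Local intranet and Internet zones
    foreach ($id in $ZoneIds) {
        $path = Join-Path $zonesRoot $id
        Set-ItemProperty -Path $path -Name $activeScripting -Value $disabled -Type DWord
    }
}

function Get-ActiveScriptingState {
    param([int[]]$ZoneIds = @(1, 3))
    foreach ($id in $ZoneIds) {
        $path  = Join-Path $zonesRoot $id
        $value = (Get-ItemProperty -Path $path -Name $activeScripting).$activeScripting
        $state = switch ($value) {
            0       { 'Enabled' }
            1       { 'Prompt' }
            3       { 'Disabled' }
            default { "Unknown ($value)" }
        }
        [pscustomobject]@{ Zone = $id; ActiveScripting = $state }
    }
}

# Apply the workaround, then show the resulting state for both zones.
Set-ActiveScriptingDisabled
Get-ActiveScriptingState | Format-Table -AutoSize
```

Run it in the affected user's session; the second command should report `Disabled` for zones 1 and 3. Sites that genuinely need script can be moved to the Trusted sites zone rather than re-enabling scripting for the whole Internet zone.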

Security researchers at Symantec have tested the published exploit and warned that a fully-functional reliable exploit will be available in the near future.

When this happens, attackers will have the ability to insert the exploit into Web sites, infecting potential visitors. For an attacker to launch a successful attack, they must lure victims to their malicious Web page or a Web site they have compromised. In both cases, the attack requires JavaScript to exploit Internet Explorer.

Microsoft has not yet issued an advisory with mitigation guidance.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.

Microsoft shares a few tidbits on IE9 and (lots) more on Silverlight 4

November 18th, 2009

Posted by Mary Jo Foley @ 11:20 am

Categories: Corporate strategy, Development tools, Internet Explorer, PDC 2009, Silverlight (wpf/e), Windows client

Tags: Microsoft Silverlight, Microsoft Internet Explorer, Microsoft Corp., Web Browsers, Internet, Mary Jo Foley

Microsoft shared some information about what’s coming in Internet Explorer 9 and Silverlight 4 during its November 18 Professional Developers Conference (PDC) keynotes.

If you want to see a real example of the difference in disclosure policies between Microsoft’s Windows unit and its Developer Division, the level of information provided by execs with each division today made that quite clear.

As expected, Microsoft Windows President Steven Sinofsky shared a few tidbits about Internet Explorer (IE) 9. Sinofsky emphasized that Microsoft will continue to play up privacy, user choice and responsible development with the next IE release. But he offered no information on when the team is planning to release a test build or the final version of the browser.

Sinofsky said during the Wednesday morning keynote that the IE team is about three weeks into the IE 9 project. (I’ve been getting tips that there already is a build of the product out there that is being used inside Microsoft, but it’s not available to external testers yet.)

Sinofsky noted that Microsoft is fully aware that it needs to keep pushing on the standards front. He noted that IE 9 is currently passing 32 of 100 Acid3 tests (compared to Firefox at more than 70 and Opera at 100). He also made it clear that Microsoft is aware it needs to continue to do work to improve JavaScript performance with IE.

Sinofsky said IE 9 will support hardware-accelerated rendering and rounded borders, but didn’t say a whole lot more about it. There are a (very) few more specifics about IE 9 on the IE Team blog today.

Scott Guthrie, Microsoft’s Corporate Vice President for .Net, had lots more to say about Silverlight 4, the next version of Microsoft’s browser plug-in that competes with Adobe Flash.

Microsoft is making a public beta of Silverlight 4 available for download today, November 18. A single, near-final Release Candidate will follow and then the final version of Silverlight 4 will be out in the first half of 2010, according to Guthrie.

Guthrie said Silverlight 4 will be a major new release of the plug-in. He said the upcoming version will incorporate nine of the ten most requested features by developers.

Guthrie itemized and demonstrated some of the new features of Silverlight 4 — which include everything from its support for webcam and microphone access, to the ability to run Silverlight inside the Google Chrome browser. Silverlight 4 also will include full support for Visual Studio 2010, native multicast support and improved printing, networking and reporting capabilities, company officials said. Silverlight Program Manager Tim Heuer has a full list of those Silverlight 4 features on his blog.

I’m interested in hearing from anyone who manages to download Silverlight 4 (servers are crawling, I hear) about what you think of the new beta of the product. Feel free to chime in in the talkbacks….

Mary Jo Foley has covered the tech industry for more than 20 years.

FAA hit with network glitch; Flight plans go manual

November 19th, 2009

Posted by Larry Dignan @ 6:32 am

Categories: General, Government, Hardware Infrastructure, IT Management, Telecommunications

Tags: FAA, Network, Flight Plan, Federal Aviation Authority, FTI, Networking, Larry Dignan

Updated: The Federal Aviation Authority is looking into a networking problem that threatens to delay flights across the U.S.

FAA spokesman Les Dorr said that there’s a “problem with the telecommunications network that’s affecting automated processing system” for things like flight plans.

“Anything controllers normally have done automatically have to be done manually,” said Dorr. Indeed, the FAA has a ground stop. Atlanta is the hub that appears to be most affected, reports CBS News.

According to the FAA, the problems reside in the FAA Telecommunications Infrastructure, or FTI for short. FTI provides the voice, data, and video communications that support operations and mission support functions at more than 4,000 FAA and Department of Defense (DoD) facilities. Add it up and the network provides for more than 20,000 services such as switching and routing, network monitoring and control.

The FAA is currently investigating the problem. Dorr reiterated that the FAA can track planes with radar and has communication with pilots, but there’s an efficiency issue: you can only keep tabs on so many planes manually.

The manual process for flight plans and other essentials is that these documents are emailed or faxed and then entered into the processing system.

The outage started between 5:15 a.m. and 5:30 a.m. and Dorr said it’s impossible to predict the impact on delays Thursday because it’s still early in the day.

You can track the flight delays across the country at the FAA site. Here’s the snapshot as of 9:43 a.m. EST.

Update: The FAA said it fixed the issue at 9 a.m. EST. In a statement, the FAA also shot down theories that a cyberattack was to blame. The statement in full:

At approximately 5:00 am EST a router problem disrupted a number of air traffic management services including flight plan processing. The problem was resolved at approximately 9:00 am EST. Air traffic control radar and communication with aircraft were not affected during this time and critical safety systems remained up and running.

The failure was attributed to a software configuration problem within the FAA Telecommunications Infrastructure (FTI) in Salt Lake City. As a result FAA services used primarily for traffic flow and flight planning were unavailable electronically.

The National Airspace Data Interchange Network (NADIN), which processes flight planning, was affected because it relies on the FTI services. During the outage air traffic controllers managed flight plan data manually and safely according to FAA contingency plans.

There is no indication the outage occurred as a result of a cyber attack.

System wide delays and cancellations will continue to be assessed throughout the day.

A team of FAA technical and safety experts is already investigating the outage. FAA Administrator Randy Babbitt is meeting with representatives from Harris Corporation, the company that manages the FTI, to discuss system corrections to prevent similar outages in the future.

Larry Dignan is Editor in Chief of ZDNet and Editorial Director of ZDNet sister site TechRepublic.

AT&T launches Verizon counter-punch ad, keeps digging that hole

November 19th, 2009

Posted by Sam Diaz @ 2:30 am

Categories: AT&T, General, Legal, Mobile, Verizon

Tags: Advertisement, Verizon Communications Inc., AT&T Corp., Marketing Research, 3G, Marketing, Cellular Phones, Consumer Electronics, Personal Technology, Sam Diaz

AT&T may have lost the legal battle with Verizon Wireless over a marketing campaign that compares the 3G coverage of both carriers. But that doesn’t mean AT&T is going away quietly.

The company is airing a commercial of its own, which features actor Luke Wilson inside what appears to be a warehouse, standing in front of an orange magnet board with a checklist that compares AT&T and Verizon. (Techmeme)

When it comes to the fastest 3G network, AT&T wins, Wilson says. If you want to talk and surf at the same time, AT&T wins. Who has the most popular smartphones? AT&T, of course, home of the iPhone. Who provides access to more than 100,000 apps? You guessed it. Then, in the category, he asks which has a name that starts with the letter V.

I’ll give AT&T credit for making the attempt to even the playing field but – and maybe this is just me – the commercial felt sort of low-budget, like something thrown together in haste. Cheap set. Cheap props. Marketing messages in place of statistics. What is it telling me that’s new? I’ve been hearing that “Nation’s fastest 3G network” for some time now. As far as that “talk and surf” feature, I’m assuming that refers to tethering – mostly because Mr. Wilson doesn’t elaborate – but last time I heard, AT&T still wasn’t offering that for the iPhone.

Why would this commercial lure a potential customer to AT&T or convince an existing customer to stick around? There’s no fine print or footnotes about what sort of data these claims are based upon. No statistics. No independent analysis. There is a disclosure about 3G coverage not being available in all areas and some details about service plans, rebates and such.

There’s also a URL for a new Web site, called TruthAbout3G.com. But the site is nothing more than a place for cutesy marketing messages and some links to AT&T products and services. No statistics or hard data to be found.

It’s fun. But am I supposed to take it seriously? From where I sit, Verizon launched a marketing campaign based on factual information (which AT&T didn’t dispute) and AT&T counters with… well, this. (see YouTube clip below.) If I’m a consumer (and I am), then this 30-second clip doesn’t offer the factual information that I need to be an informed customer.

What’s unfortunate is that this doesn’t help the company’s image – not by any stretch. In fact, you may recall that hole that AT&T was digging itself into. It appears the shovel has been handed from the legal department to the marketing department.

And it appears to be getting deeper.

Sam Diaz is a senior editor at ZDNet.


Microsoft finds security hole in Google Chrome Frame

Back in September, when Google launched the Google Chrome Frame plug-in for Internet Explorer users, Microsoft immediately warned that the move would increase the attack surface and make IE users less secure.

Now comes word that a security researcher in the Microsoft Vulnerability Research (MSVR) has discovered a “high risk” security vulnerability that could allow an attacker to bypass cross-origin protections.


  • Severity: High. An attacker could have bypassed cross-origin protections. Although important, “High” severity issues do not permit persistent malware to infect a user’s machine. We’re unaware of any exploitation of this issue.

The search technology company has shipped a new version of the Google Chrome Frame (version 4.0.245.1) with a patch for the vulnerability.

The plug-in update also fixes several bugs:

  • Network requests fail randomly (Issue 27401).
  • Fix issues with CFInstall.js to better detect compatible OS and browser versions, allow users to cancel the installation frame, and not cache the isAvailable result (Issues 22738, 23057, and 23132).
  • Don’t use Google Chrome Frame for frames or iframes (Issue 22989).
  • Follow redirects properly (Issue 25643).
  • IE8 freezing intermittently (Issue 24007).
  • Remove data directories on uninstall (Issue 27483).

“All users should be updated automatically,” said Mark Larson, a member of the Google Chrome team.

Ryan Naraine