Microsoft Releases 14,000 Pages Of Trade Secrets

April 8, 2008 – 10:48 AM

Microsoft continued to release formerly closely-held application protocol documentation Tuesday, posting 14,000 pages of information for Microsoft Office 2007, SharePoint Server 2007 and Exchange Server 2007 at MSDN, a Web site for developers.

The protocol information released includes protocols that allow Exchange Server to communicate with Outlook and those used by Office and SharePoint to communicate with one another and other Microsoft server products. Most of this information was available previously only under a Trade Secret license made available only to select partners.

“Microsoft is pleased to announce another step toward putting our interoperability principles into action,” Tom Robertson, Microsoft’s general manager of interoperability and standards, said in a statement. Microsoft announced a set of four interoperability principles in February, including the release of protocol documentation, which it says will lead to a more “open” Microsoft. In separate anti-trust cases, the United States and European Union had long sought for Microsoft to release protocol documents, but trends like Linux and Web 2.0 are increasingly forcing Microsoft’s hand.

The new protocol documentation released Tuesday is only preliminary; the company has said that more complete documentation for these products will be available by June. Between now and then, Microsoft will collect information from developers whose feedback will help determine the final shape of the documentation. Microsoft’s created a number of forums to encourage feedback.

Despite Microsoft’s pledged openness, there’s still a devil in the details with the release of this information. Microsoft’s protocol documentation, which includes 30,000 pages of Windows Server and Windows client documentation already released, is free to anyone to download, but protocols Microsoft deems covered by a patent — patent maps are being made available — can only be implemented freely by non-commercial open source developers. Commercial developers and enterprises will have to pay Microsoft royalties for their use. For that reason, Gartner has warned companies of the risks of freely implementing these protocols.

Formal terms of protocol licensing haven’t yet been made available and won’t be until June, but Microsoft has licensed Windows Server protocols for pre-paid royalties of $10,000 plus additional royalty rates of anywhere between $0.40 and $20 per unit of software sold, or between 0.10% and 0.40% of revenue made from the products in question per protocol, depending on the protocol used.

In addition to the protocol documentation already released, Microsoft has said it will release SQL Server documentation by June and other information going forward. “No one said that Microsoft’s efforts in this area would stop with the release of 30,000 pages of technical documentation,” Robertson said in a recent interview.

Source: Information Week

Browser hack renders routers insecure

April 8, 2008 – 5:00 AM

Researcher Dan Kaminsky plans to show how a web-based attack could be used to seize control of certain routers.

Kaminsky has spent the past year studying how design flaws in the way that browsers work with the Internet’s Domain Name System (DNS) can be abused in order to get attackers behind the firewall. But at the RSA Conference in San Francisco, he will demonstrate how this attack would work on widely used routers, including those made by Cisco’s Linksys division and D-Link.

The technique, called a DNS rebinding attack, would work on virtually any device, including printers, that uses a default password and a web-based administration interface, said Kaminsky, who is director of penetration testing with IOActive.

Here’s how it would work. The victim would visit a malicious web page that would use JavaScript code to trick the browser into making changes on the web-based router configuration page. The JavaScript could tell the router to let the bad guys remotely administer the device, or it could force the router to download new firmware, again putting the router under the hacker’s control.

Either way, the attacker would be able to control his victim’s Internet communications.
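An added example, not part of the original article: a defender-side check over resolver logs that flags the DNS pattern a rebinding attack depends on, namely an outside hostname being answered with an internal address. The log tuple format, the local-zone suffixes and the 300-second window are assumptions made for this sketch, and the sample records are constructed.

```python
import ipaddress

# Address ranges treated as "behind the firewall" (RFC 1918, loopback, link-local).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Assumption: names under these suffixes are local and may resolve internally.
LOCAL_SUFFIXES = (".lan", ".local", ".home.arpa")

# Constructed sample resolver log: (epoch seconds, queried name, answer IP).
SAMPLE_LOG = [
    (1000, "www.example.org", "93.184.216.34"),
    (1010, "a1.rebind.example", "203.0.113.7"),
    (1013, "a1.rebind.example", "192.168.1.1"),
    (1020, "printer.lan", "192.168.1.20"),
    (1030, "cdn.example.net", "198.51.100.9"),
    (1040, "intranet.corp.example", "10.0.0.5"),
]

def is_internal(ip):
    """True if the answer points at an internal, loopback or link-local host."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_rebinding(log, window=300):
    """Return {name: finding} for non-local names answered with internal IPs.

    "external-then-internal": the name resolved to an outside address and then,
    within `window` seconds, to an internal one (the rebinding signature).
    "internal-answer": an outside name resolved to an internal address with no
    recent outside answer; worth reviewing, often split-horizon DNS.
    """
    last_external = {}  # name -> time of most recent external answer
    findings = {}
    for ts, name, ip in sorted(log):
        name = name.lower().rstrip(".")
        if name.endswith(LOCAL_SUFFIXES):
            continue
        if not is_internal(ip):
            last_external[name] = ts
            continue
        seen = last_external.get(name)
        if seen is not None and ts - seen <= window:
            findings[name] = "external-then-internal"
        else:
            findings.setdefault(name, "internal-answer")
    return findings

if __name__ == "__main__":
    for name, kind in find_rebinding(SAMPLE_LOG).items():
        print(f"{kind}: {name}")
```

The same rule can be enforced rather than only logged by having the local resolver drop internal addresses in answers for outside names; changing the device's default password removes the other precondition the article names.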


New attack kit targets bag of ActiveX bugs

April 7, 2008 – 12:58 PM

Hackers are using a new multiple-attack package composed of seven ActiveX exploits, many of them never seen in the wild before, said a security company on Friday.

Fewer than half of the flawed ActiveX controls have been patched.

The attack framework probes Windows PCs for vulnerable ActiveX controls from software vendors Microsoft, Citrix Systems and Macrovision, as well as hardware makers D-Link Corp., Hewlett-Packard, Gateway and Sony, said a Symantec Corp. researcher.

“What’s interesting about this attack is that there are so many vulnerabilities in one attack that have not been seen in the wild previously,” said Symantec researcher Patrick Jungles, who wrote an analysis of the multistrike package for customers of the company’s DeepSight threat service.

According to Jungles, visitors to compromised Web sites are redirected by a rogue IFRAME to a malicious site serving the package. The attack pack tests the victim’s PC for each ActiveX control, detects whether a vulnerable version of a control is installed, and then launches an attack when it finds one.

Bugs in ActiveX, a Microsoft technology used most often to create add-ons for the company’s Internet Explorer browser, have always been common, but so many serious flaws have been disclosed of late that some security experts have recommended that users do without them.


Password theft via vulnerability in Google code

April 7, 2008 – 10:41 AM

Billy Rios has discovered a vulnerability in the Google Code service which could be exploited to steal passwords from developers who have registered on the site. The Google Security Team has since fixed the vulnerability.

Rios succeeded in gaining cross-domain access by uploading a crafted Java applet to a project on code.google.com as an issue. Files uploaded as issues can be accessed via the Google domain. In his blog entry, Rios notes that this type of attack is usually carried out using a crafted Flash applet, but that in this case Flash does not work, as the Flash applet is only able to gain access to subdirectories of the domain. However, the Java security model allows access to the complete domain rather than just specific subdirectories. It is thus possible for an external website to load the injected Java applet under the Google domain and still communicate with the Google server. Rios has posted a screenshot which appears to demonstrate that he was able to access another code.google.com user’s password.

According to Rios’ blog, no appliance or software application is currently able to protect against this kind of cross domain access. He also notes that the Google Security Team were very quick to plug the vulnerability.

Together with Nathan McFeters, Rios previously discovered the Windows URI vulnerability. He and McFeters also discovered vulnerabilities in Google’s Picasa.

Source: Heise Security

HP USB Keys Shipped with Malware for your Proliant Server

April 7, 2008 – 7:38 AM

A loyal ISC reader pointed us to this note from AUSCERT. The basic story is that HP has optional “floppy USB keys” for some of their Proliant servers. The 256 KB and 1 GB versions include a batch that also came with ‘W32.Fakerecy’ or ‘W32.SillyFDC’, designed to infect your machine if you insert them. The interesting note is that these keys seem to be shipped only for Proliant servers, which could indicate an attempt to “target” by the attackers, or that they just hit some factory and got lucky. Either way, with the prolific trail of stories of USB devices shipping with malware pre-installed, it is now an attack vector that we need to be concerned about. Here are some steps to protect yourself against USB-based (and FireWire, which isn’t immune from these stunts) malware:

1) Take the vendor who made the device and do a Google News search on it. Odds are you aren’t the first to buy it, and if it comes with badware it may be news. If you see a story about it, check the vendor webpage and see if you can compare serial numbers of infected/non-infected versions. If not, return it and get something similar. Additionally, you can check the vendor page; sometimes (but shamefully not often enough) they do the right thing and let their customers know what to do.

2) Every time you get a USB device, scan it for malware with your anti-virus software’s latest DATs before you use it. This includes picture frames, USB keys, SD cards, USB/FireWire hard drives, iPods, MP3 players, everything. If it can store data, you should scan it. Most (if not all) anti-virus software I’ve seen and used allows you to scan an entire drive. Every time you take a new trinket out of the box, scan it, even if the vendor is reputable, because you don’t know what factory it came from.
