Search This Blog

Monday, March 24, 2008

Microsoft has confirmed reports of vulnerability in Word that allows an attacker to exploit a system via the Microsoft Jet Database Engine


MS Word subjected to selective attacks.

Microsoft confirms Word attacks

Microsoft has confirmed reports of vulnerability in Word that allows an attacker to exploit a system via the Microsoft Jet Database Engine, which shares data with Access, Visual Basic and third party applications.

Microsoft in its advisory said the potential for attack is “very limited.” Reports of the Word flaw were highlighted by Panda and Symantec in the last two weeks. On March 3, Panda researcher Ismael Briones stumbled on the new exploit. On Thursday, Symantec also noted the Jet vulnerability. According to Symantec.

The attacker needs only to find a trick to force the MS Jet library to open the file and trigger the vulnerability that will run the malicious shellcode. Some social engineering and a little help from Office applications will work out well in this specific attack. In fact, it is possible to call MSJET40.DLL directly from MS Word, without using Access at all.

Microsoft said in its advisory:

Customers running Windows Server 2003 Service Pack 2, Windows Vista, and Windows Vista Service Pack 1 are not vulnerable to the buffer overrun being attacked, as they include a version of the Microsoft Jet Database Engine that is not vulnerable to this issue.

Customers using Microsoft Word 2000 Service Pack 3, Microsoft Word 2002 Service Pack 3, Microsoft Word 2003 Service Pack 2, Microsoft Word 2003 Service Pack 3, Microsoft Word 2007, and Microsoft Word 2007 Service Pack 1 on Microsoft Windows 2000, Windows XP, or Windows Server 2003 Service Pack 1 are vulnerable to these attacks.

Microsoft is investigating the public reports and customer impact. We are also investigating whether the vulnerability can be exploited through additional applications. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

Microsoft then reiterated that the risk is limited since a customer would have to take multiple steps to make an attack successful.

more....
Microsoft Warns of New Attack on Word
Microsoft issues warning over Word attacks.
Microsoft has issued an alert this weekend, centering on targeted attacks using vulnerabilities in the MJDE (Microsoft Jet Database Engine) that can be exploited via Microsoft Word.

The Microsoft Jet Database Engine provides data access to applications such as Microsoft Access, Microsoft Visual Basic, and many third party applications. Jet can also be used by Internet Information Services (IIS) applications that require database functionality. The reported vulnerability is a code execution vulnerability caused by a buffer overrun in msjet40.dll, the Microsoft Jet Database Engine. An attacker can exploit this vulnerability by convincing a user to open a Word file that is constructed to load the specially crafted database file using msjet40.dll.

“This advisory contains information about a very limited, targeted attack exploiting a vulnerability in Microsoft Jet Database Engine,” Bill Sisk said on the MSRC blog. He reported that the initial investigation shows that this vulnerability affects Microsoft Word 2000, Word 2002, Word 2003, Word 2003, Word 2007, and on Microsoft Windows 2000, Windows XP, or Windows Server 2003 Service Pack 1.

“Customers running Windows Server 2003 Service Pack 2, Windows Vista, and Windows Vista Service Pack 1 are not vulnerable to the buffer overrun being attacked, as they include a version of the Microsoft Jet Database Engine that is not vulnerable to this issue,” Sisk adds.

According to the warning, the attack is targeted and not widespread. In either case, the SSRIP, Software Security Incident Response Process, was tasked to follow the attacks and issue an out-of-cycle patch or add it to the regular patch cycle.

Microsoft has issued the following workarounds in the meantime.

Microsoft has issued an alert this weekend, centering on targeted attacks using vulnerabilities in the MJDE (Microsoft Jet Database Engine) that can be exploited via Microsoft Word.


The Microsoft Jet Database Engine provides data access to applications such as Microsoft Access, Microsoft Visual Basic, and many third party applications. Jet can also be used by Internet Information Services (IIS) applications that require database functionality. The reported vulnerability is a code execution vulnerability caused by a buffer overrun in msjet40.dll, the Microsoft Jet Database Engine. An attacker can exploit this vulnerability by convincing a user to open a Word file that is constructed to load the specially crafted database file using msjet40.dll.

“This advisory contains information about a very limited, targeted attack exploiting a vulnerability in Microsoft Jet Database Engine,” Bill Sisk said on the MSRC blog. He reported that the initial investigation shows that this vulnerability affects Microsoft Word 2000, Word 2002, Word 2003, Word 2003, Word 2007, and on Microsoft Windows 2000, Windows XP, or Windows Server 2003 Service Pack 1.

“Customers running Windows Server 2003 Service Pack 2, Windows Vista, and Windows Vista Service Pack 1 are not vulnerable to the buffer overrun being attacked, as they include a version of the Microsoft Jet Database Engine that is not vulnerable to this issue,” Sisk adds.

According to the warning, the attack is targeted and not widespread. In either case, the SSRIP, Software Security Incident Response Process, was tasked to follow the attacks and issue an out-of-cycle patch or add it to the regular patch cycle.

Microsoft has issued the following workarounds in the meantime.
Microsoft has issued an alert this weekend, centering on targeted attacks using vulnerabilities in the MJDE (Microsoft Jet Database Engine) that can be exploited via Microsoft Word.


The Microsoft Jet Database Engine provides data access to applications such as Microsoft Access, Microsoft Visual Basic, and many third party applications. Jet can also be used by Internet Information Services (IIS) applications that require database functionality. The reported vulnerability is a code execution vulnerability caused by a buffer overrun in msjet40.dll, the Microsoft Jet Database Engine. An attacker can exploit this vulnerability by convincing a user to open a Word file that is constructed to load the specially crafted database file using msjet40.dll.

“This advisory contains information about a very limited, targeted attack exploiting a vulnerability in Microsoft Jet Database Engine,” Bill Sisk said on the MSRC blog. He reported that the initial investigation shows that this vulnerability affects Microsoft Word 2000, Word 2002, Word 2003, Word 2003, Word 2007, and on Microsoft Windows 2000, Windows XP, or Windows Server 2003 Service Pack 1.

“Customers running Windows Server 2003 Service Pack 2, Windows Vista, and Windows Vista Service Pack 1 are not vulnerable to the buffer overrun being attacked, as they include a version of the Microsoft Jet Database Engine that is not vulnerable to this issue,” Sisk adds.

According to the warning, the attack is targeted and not widespread. In either case, the SSRIP, Software Security Incident Response Process, was tasked to follow the attacks and issue an out-of-cycle patch or add it to the regular patch cycle.

Microsoft has issued the following workarounds in the meantime.

Ubisoft Acquires Rights to Tom Clancy's Name


An Ubisoft presentation of a game developed by Ubisoft Montreal for the PC, Playstation 3 and Xbox 360. Reviewed on Xbox 360.
At its basest formulation, a videogame franchise with annual sequels is a lot like a car with a new model every fall. So it is with “Rainbow Six Vegas 2,” which takes last year’s hit squad-based shooter, makes a few minor improvements, and offers essentially a big expansion pack of what was a tightly designed game with a few notable flaws. As such, it should enjoy solid sales amongst hard core fans of the original eager for more and some new fans who want to start with the souped up version, but won’t turn as many heads as its predecessor.
Tom Clancy name belongs to Ubisoft forever


Much of Ubisoft’s core franchise games start their titles with “Tom Clancy’s,” be it Rainbow Six, Ghost Recon, or even Ubisoft Montreal’s own completely imagined Splinter Cell. Clearly with no intention to change what appears to be a winning formula, Ubisoft announced that it will acquire all intellectual property rights to the Tom Clancy name.


The value of this all-cash acquisition was not disclosed, but going forward, the Tom Clancy name will belong to Ubisoft. The company will now will have full reign over the name – royalty free – for use in books, video games and movies.

Ubisoft projects that the royalty savings generated by this acquisition are estimated at a minimum of 5 million Euros ($7.7 million) per year, based on past performance of Tom Clancy branded video games.

“The most recent example of such value creation through brand management is the EndWar book, based on the video game story, which has been in the NY Times top 10 Paperback Mass Market Fiction bestseller list for the last four weeks,” stated Yves Guillemot, CEO at Ubisoft. “Capitalizing on the strong franchises that we've built over the past 10 years, we will take the Tom Clancy game brand to the next level of the global entertainment industry.”

Other comments made by Guillemot during a conference call point to the creation of a Tom Clancy MMO game, which might previously have been cost prohibitive on a royalty-based system. Guillemot also estimated that the development of a new MMO title could cost $50 million.

"Dead Space" videogame release


Electronic Arts has teamed up with Starz Media for a Dead Space movie. The movie, along with a newly announced comic book series, will both act as prequels to the game in development for next-generation consoles such as the PS3 and Xbox 360.

EA and Starz Media made the announcement that the Dead Space franchise will expand into an automated movie.

The movie will release around the same time that the game ships to retailers in October.

The game is expected to launch on Halloween.

Electronic Arts and Starz Media are producing an animated prequel movie to the upcoming sci-fi horror video game "Dead Space."

The film, being developed by Starz subsidiary Film Roman, will pick up where the comic book series on which it is based ends and leads to the beginning of the game.

With the game, set for a Halloween launch, Film Roman president and COO Scott Greenberg said the company is looking to release the animated film between mid-September and late October, initially as a TV special in multiple markets, followed by a home video release through Starz's home entertainment company, Anchor Bay Entertainment.

"We're really looking for this to be an event," Greenberg said. "We feel we'll attract the hardcore gamer, but we'll also get sci-fi and animation fans as well."

Greenberg said there will be two versions of the film -- a softer one for TV and a harder one with more blood and coarser language for the DVD. Starz also is eyeing Web-based and wireless distribution.

Film Roman has been working for several years with Electronic Arts on projects tied to EA games. "We felt this one was the best one to launch with," noted Greenberg, whose animation company is behind "The Simpsons," "King of the Hill" and the preschool hit "Wow! Wow! Wubbzy!"

MIT aims to search for Earth-like planets with Google's help

MIT scientists are designing a satellite-based observatory that they say could for the first time provide a sensitive survey of the entire sky to search for planets outside the solar system that appear to cross in front of bright stars. The system could rapidly discover hundreds of planets similar to the Earth.

Google, the Internet search powerhouse that in recent years has expanded to include mapping of the stars as well as the surfaces of the moon and Mars and which has an ongoing collaboration with NASA's Ames Research Center, provided a small seed grant to fund development of the wide-field digital cameras needed for the satellite. Because of the huge amount of data that will be generated by the satellite, Google has an interest in working on the development of ways of sifting through that data to find useful information.

Dubbed the Transiting Exoplanet Survey Satellite (TESS), the satellite could potentially be launched in 2012. "Decades, or even centuries after the TESS survey is completed, the new planetary systems it discovers will continue to be studied because they are both nearby and bright," says George R. Ricker, senior research scientist at the Kavli Institute for Astrophysics and Space Research at MIT and leader of the project. "In fact, when starships transporting colonists first depart the solar system, they may well be headed toward a TESS-discovered planet as their new home."

Most of the more than 200 extrasolar planets discovered so far have been much larger than Earth, similar in size to the solar system's giant planets (ranging from Jupiter to Neptune), or even larger. But to search for planets where there's a possibility of finding signs of living organisms, astronomers are much more interested in those that are similar to our own world.

Most searches so far depend on the gravitational attraction that planets exert on their stars in order to detect them, and therefore are best at finding large planets that orbit close to their stars. TESS, however, would search for stars whose orbits as seen from Earth carry them directly in front of the star, obscuring a tiny amount of starlight. Some ground-based searches have used this method and found about 20 planets so far, but a space-based search could detect much smaller, Earth-sized planets, as well as those with larger orbits.

This transit-detection method, by measuring the exact amount of light obscured by the planet, can pinpoint the planet's size. When combined with spectroscopic follow-up observations, it can determine the planet's temperature, probe the chemistry of its atmosphere, and perhaps even find signs of life, such as the presence of oxygen in the air.

The satellite will be equipped with six high-resolution, wide-field digital cameras, which are now under development. Two years after launch, the cameras--which have a total resolution of 192 megapixels--will cover the whole sky, getting precise brightness measurements of about two million stars in total.

Statistically, since the orientation of orbits is random, about one star out of a thousand will have its planets' orbits oriented perpendicular to Earth so that the planets will regularly cross in front of it, which is called a planetary transit. So, out of the two million stars observed, the new observatory should be able to find more than a thousand planetary systems within two years.

In fact, if a new estimate based on recent observations of dusty disks is confirmed, there might even be up to 10 times as many such planets.

Because the satellite will be repeatedly taking detailed pictures of the entire sky, the amount of data collected will be enormous. As a result, only selected portions will actually be transmitted back to Earth. But the remaining data will be stored on the satellite for about three months, so if astronomers want to check images in response to an unexpected event, such as a gamma-ray burst or supernova explosion, "they can send us the coordinates [of that event] and we could send them the information," Ricker says.

The team is still trying to secure the full funding to build, launch and operate the satellite, once the design work is completed this year. The Harvard-Smithsonian Center for Astrophysics and the Origins of Life Initiative, NASA Goddard and NASA Ames as well as the privately funded Las Cumbres Observatory Global Telescope Network are already scientific participants with MIT on the TESS program.

The NASA Ames Research Center is a full partner in the TESS program. Their Small Spacecraft Division, formed in 2006, specializes in low-cost, rapid development of spacecraft and missions. Further, NASA Ames is partnering with universities and industry to support privately financed space missions and related activities.

Regardless of the funding for the satellite, the same wide-field cameras being developed for TESS could also be used for a planned ground-based search for dark matter in the universe--the invisible, unknown material that astronomers believe is more prevalent in space than the ordinary matter that we can see. Some of the unknown dark-matter particles must constantly be striking the Earth, and the plan is to train a bank of cameras inside tanks of fluid deep underground, to detect flashes of light produced by the impacts of these dark particles. Ricker's Kavli group is participating with MIT physics professor Peter Fisher's team in this new physics research initiative.

The electronic detectors for the new cameras are being developed in collaboration with MIT's Lincoln Laboratory. The lab's expertise in building large, highly sensitive detectors is a significant factor in making possible these unique cameras, which have no moving parts at all. If all goes well and funding is secured, the satellite could be launched in 2012 with NASA support, or even earlier with a private sponsor.

Ricker's MIT colleagues on the TESS project include Kavli Institute research scientist Roland Vanderspek, professors Sara Seager, Josh Winn, Adam Burgasser, Jim Elliot, Jacqueline Hewitt and several others

Scientists who conducted the most comprehensive survey to date of New Zealand's Antarctic waters


Giant Marine Life Found in Antarctica
Scientists who conducted the most comprehensive survey to date of New Zealand's Antarctic waters were surprised by the size of some specimens found, including jellyfish with 12-foot tentacles and 2-foot-wide starfish.

A 2,000-mile journey through the Ross Sea that ended Thursday has also potentially turned up several new species, including as many as eight new mollusks.

It's "exciting when you come across a new species," said Chris Jones, a fisheries scientist at the U.S. National Oceanic and Atmospheric Administration. "All the fish people go nuts about that - but you have to take it with a grain of salt."

The finds must still be reviewed by experts to determine if they are in fact new, said Stu Hanchet, a fisheries scientist at New Zealand's National Institute of Water and Atmospheric Research.

But beyond the discovery of new species, scientists said the survey, the most comprehensive to date in the Ross Sea, turned up other surprises.

Hanchet singled out the discovery of "fields" of sea lilies that stretched for hundreds of yards across the ocean floor.

"Some of these big meadows of sea lilies I don't think anybody has seen before," Hanchet said.

Previously only small-scale scientific samplings have been staged in the Ross Sea.

The survey was part of the International Polar Year program involving 23 countries in 11 voyages to survey marine life and habitats around Antarctica. The program hopes to set benchmarks for determining the effects of global warming on Antarctica, researchers said.

Large sea spiders, jellyfish with 12-foot tentacles, huge sea snails and starfish the size of big food platters were found during a 50-day voyage, marine scientist Don Robertson said.

Cold temperatures, a small number of predators, high levels of oxygen in the sea water and even longevity could explain the size of some specimens, said Robertson, a scientist with NIWA.

Robertson added that of the 30,000 specimens collected, hundreds might turn out to be new species.

Stefano Schiaparelli, a mollusk specialist at Italy's National Antarctic Museum in Genoa, said he thought the find would yield at least eight new mollusks.

"This is a new brick in the wall of Antarctic knowledge," Schiaparelli said.

Find here

Home II Large Hadron Cillider News