Archive for April, 2010

Although copyright may seem to be a purely legal issue, using unauthorized
files could have security implications. To avoid prosecution and minimize
the risks to your computer, make sure you have permission to use any
copyrighted information, and only download authorized files.

How does copyright infringement apply to the internet?

Copyright infringement occurs when you use or distribute information without
permission from the person or organization that owns the legal rights to the
information. Including an image or cartoon on your website or in a document,
illegally downloading music, and pirating software are all common copyright
violations. While these activities may seem harmless, they could have
serious legal and security implications.

How do you know if you have permission to use something?

If you find something on a website that you would like to use (e.g., a
document, a chart, an application), search for information about permissions
to use, download, redistribute, or reproduce. Most websites have a “terms of
use” page that explains how you are allowed to use information from the site
(see US-CERT’s terms of use for an example). You can often find a link to
this page in the site’s contact information or privacy policy, or at the
bottom of the page that contains the information you are interested in
using.

There may be restrictions based on the purpose, method, and audience. You
may also have to adhere to specific conditions about how much information
you are allowed to use or how the information is presented and attributed.
If you can’t locate the terms of use, or if it seems unclear, contact the
individual or organization that holds the copyright to ask permission.

What consequences could you face?

* Prosecution – When you illegally download, reproduce, or distribute
information, you risk legal action. Penalties may range from warnings
and mandatory removal of all references to costly fines. Depending on
the severity of the crime, jail time may also be a possibility. To
offset their own court costs and the money they feel they lose because
of pirated software, vendors may increase the prices of their products.
* Infection – Attackers could take advantage of sites or networks that
offer unauthorized downloads (music, movies, software, etc.) by
embedding code in the files that would infect your computer once it
was installed (see Understanding Hidden Threats: Corrupted Software
Files and Understanding Hidden Threats: Rootkits and Botnets for more
information). Because you wouldn’t know the source or identity of the
infection (or maybe that it was even there), you might not be able to
easily identify or remove it. Pirated software with hidden Trojan horses
is often advertised as discounted software in spam email messages (see
Why is Cyber Security a Problem? and Reducing Spam for more
information).

References

* U.S. Copyright Office – <http://www.copyright.gov/>
* Copyright on the Internet – <http://www.fplc.edu/tfield/copynet.htm>
_________________________________________________________________

Author: Mindi McDowell
_________________________________________________________________

Microsoft has re-released the security update related to Microsoft
security bulletin MS10-025. This vulnerability affects Windows Media
Services running on Windows 2000 Server. The original release of this
update had been revoked last week because it did not effectively
correct the underlying vulnerability.

Relevant Url(s):
<http://blogs.technet.com/msrc/archive/2010/04/27/ms10-025-re-release-ready.aspx>

<http://www.microsoft.com/technet/security/bulletin/ms10-025.mspx>

Reports indicate that McAfee DAT release
5958 is incorrectly identifying the valid system file,
C:\Windows\system32\svchost.exe, as containing malicious code. Reports
indicate that a false positive detection occurs on Windows XP Service
Pack 3 systems. Symptoms include a denial-of-service condition when
the McAfee software attempts to clean the file.

US-CERT encourages users and administrators to review the McAfee Virus
Profile: W32/Wecorl.a and apply the “extra.dat” and additional updates
provided by McAfee as necessary to mitigate this issue. Users should
ensure that they have installed DAT 5959 or greater before running any
on-demand scans.

Corporate users and administrators are encouraged to review the McAfee
Corporate Knowledgebase Article KB68780, while home users are
encouraged to review the McAfee FAQ Document TS100969.

Relevant Url(s):
<http://service.mcafee.com/FAQDocument.aspx?lc=&id=TS100969>

<https://kc.mcafee.com/corporate/index?page=content&id=KB68780&pmv=print>

<http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=265240#none>

VideoLAN has released a security advisory to address multiple
vulnerabilities in VLC Media Player. These vulnerabilities may allow
an attacker to execute arbitrary code or cause a denial-of-service
condition.

Relevant Url(s):
<http://www.videolan.org/security/sa1003.html>

Cisco has released a security advisory to address a vulnerability in
Cisco Secure Desktop. Cisco Secure Desktop contains a vulnerable
ActiveX control that may allow an attacker to execute arbitrary code.

US-CERT encourages users and administrators to review Cisco security
advisory cisco-sa-20100414-csd and apply any necessary updates to help
mitigate the risks. Cisco has provided a workaround for users who are
unable to apply the update. Additionally, users and administrators may
want to review and implement the best security practices described in
the Securing Your Web Browser document to help prevent future, similar
attacks.

Relevant Url(s):

<http://www.cisco.com/en/US/products/products_security_advisory09186a0080b25d01.shtml>

The Sun Java Development Toolkit plugin and ActiveX control contain a
vulnerability. This vulnerability is due to insufficient argument
validation. By convincing a user to visit a specially crafted HTML
document, an attacker may be able to exploit this vulnerability and
execute an arbitrary JAR file on the affected system.

Adobe has released a blog entry addressing a vulnerability in Acrobat
and Reader. This vulnerability exists due to the way in which Adobe
Acrobat and Adobe Reader handle launch actions embedded in PDFs. When
users open a PDF that contains a launch action, they are presented
with a dialog box warning the user that a file and its viewer
application are set to be launched by the PDF file. The dialog box
asks users if they want to continue opening the file and displays the
name of the file to be opened. An attacker may be able to manipulate
the content in the file name section of the dialog box in an attempt
to convince users to open the file. By default, the dialog is set to
select the option to continue opening the file. This default
configuration and the option to disable the warning message for future
launch actions make it very easy for users to bypass this security
mechanism. Opening a PDF containing malicious launch actions may
result in arbitrary code execution.

US-CERT encourages users and administrators to review the Adobe Reader
blog entry related to this issue and apply the guidance provided in
the entry to help mitigate some of the risks.

Relevant Url(s):
<http://blogs.adobe.com/adobereader/2010/04/didier_stevens_launch_function.html>
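
One way to triage PDF files for the launch actions described in the Adobe item above, as an added example (not code from Adobe or US-CERT). The function names and the sample bytes are constructed for illustration, and the scan only sees objects stored uncompressed, so it also reports when object streams are present.

```python
import re

# A PDF name may hex-escape any byte as #XX, so /L#61unch is the same name
# as /Launch. Names are decoded before they are compared.
NAME = re.compile(rb"/((?:#[0-9A-Fa-f]{2}|[^\x00\t\n\x0c\r ()<>\[\]{}/%#])+)")
HEX = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw):
    """Resolve #XX escapes in a PDF name token (without the leading slash)."""
    return HEX.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def triage(data):
    """Scan raw PDF bytes and summarise launch-action indicators.

    launch_offsets     byte offsets of every /Launch name found
    auto_trigger       True if /OpenAction or /AA is present, meaning an
                       action can fire when the document or a page opens
    compressed_objects True if /ObjStm is present: some objects are stored
                       compressed, so a clean result here is not conclusive
    """
    names = [(m.start(), decode_name(m.group(1))) for m in NAME.finditer(data)]
    seen = {name for _, name in names}
    return {
        "launch_offsets": [off for off, name in names if name == b"Launch"],
        "auto_trigger": bool(seen & {b"OpenAction", b"AA"}),
        "compressed_objects": b"ObjStm" in seen,
    }


# Constructed fragments (not complete PDF files), for demonstration only.
SAMPLE = (b"%PDF-1.4\n"
          b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
          b"2 0 obj << /Type /Action /S /L#61unch /F (readme.txt) >> endobj\n")
CLEAN = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE), ("clean", CLEAN)):
        print(label, triage(blob))
```

A hit is a reason to inspect the file further, not a verdict: the same byte sequence can occur inside a string or stream that is not an action dictionary.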

Oracle has released Sun Java SE 1.6.0_20 to address several
vulnerabilities. The release notes for this version of Java SE
indicate that these vulnerabilities are in Java Deployment Toolkit and
the new Java Plug-in. Exploitation of these vulnerabilities may allow
a remote, unauthenticated attacker to execute arbitrary code.

US-CERT encourages users and administrators to review the following
documents and apply any necessary updates or workarounds to help
mitigate the risks:
* Oracle security alert CVE-2010-0886
* Sun Java SE 1.6.0_20 release notes
* US-CERT Vulnerability Note VU#886582

Please note that web browsers using the plug-in version of the Java
Deployment Toolkit may not be properly updated. Users of these web
browsers should follow the workaround provided in US-CERT
Vulnerability Note VU#886582.

Relevant Url(s):
<http://java.sun.com/javase/6/webnotes/6u20.html>

<http://www.oracle.com/technology/deploy/security/alerts/alert-cve-2010-0886.html>

<http://www.kb.cert.org/vuls/id/886582>

The days of buying a pristine new hard drive with nothing but free space may be coming to an end. Seagate today has announced a plan to bundle motion pictures on new hard drives. “Some” of its 500GB FreeAgent hard drives will come preloaded with 20 recent films from Paramount. To watch them, the user will have to pay $9.99 each for the appropriate unlock code (though as part of the offering, the recent “Star Trek” feature will be unlockable for free).

Motion-picture distributors have gotten awfully clever about getting their content out in recent months. Last summer, Sonic Solutions announced it would sell movies preloaded on USB thumbdrives. Dell will now preload movies and music onto your new laptop, also.

This marks the first time a hard-drive manufacturer has bundled movies with a product.

I’m hesitant to endorse this wholeheartedly, as it pushes us ever closer to the “crapware” menace that infects virtually every new computer sold today, loaded as they are with gigabytes of unwanted programs preinstalled. But in all fairness, hard drives are far easier to reformat and wipe clean than a PC that needs Windows or another operating system and umpteen drivers to run. Still, I hope companies like Seagate will exercise restraint and not overwhelm hard drives so much that they’re virtually full right when you take them out of the box.

More telling in this announcement is how stagnant the hard-drive business has become, with manufacturers recognizing that there’s just not much excitement left in this business. “We think if we are to grow this market, we have to find new uses for hard drives,” says a Seagate VP in the story linked above, and he’s right. Bundling a bunch of movies like “GI Joe” with your drive may not exactly be the answer, but it’s probably on the right track. After all, hard drives are so cheap now that the buying decision could soon become a simple question of what media to get your movie on: Pay $25 for a Blu-ray disc of your movie or drop $50 for a hard drive with it and 19 others already installed.

— Christopher Null is a technology writer for Yahoo! News.

At last, the long-rumored revamp of Apple’s MacBook Pro notebooks has arrived, with the 15- and 17-inch models getting bleeding-edge Intel Core i5 and i7 processors while the 13-inch version sees graphics and battery-life improvements. Also new: a $100 price hike for one of the MacBook Pro configurations, plus $100 and $200 price cuts for two others.

The biggest news, of course, is the replacement of the older Intel Core 2 Duo processors on the 15- and 17-inch MacBook Pro models (starting at $1,799 for the 15-incher — a $100 price hike over last year’s model — and $2,299 for the 17-inch MBP, a $200 price drop) with Intel’s next-generation Core i5 and i7 processors, good for a performance boost of “up to 50 percent” over last year’s lineup, Apple claims.

Of the new MacBook Pros, only the high-end 15-inch MacBook Pro configuration gets the i7 processor (you can get a Core i7 processor for the 17-inch MacBook Pro as a $200 built-to-order option). The other two 15-inch configurations and the single 17-inch MBP model must settle for the i5 processor.

Meanwhile, the 13-inch MacBook Pro (starting at $1,119, same as before) is sticking with Intel’s Core 2 Duo processor for now, although it’s getting a slight speed bump (to 2.66GHz, from 2.53GHz) and — according to Apple, anyway — the “fastest integrated graphics processor on the market,” courtesy of Nvidia’s GeForce 320M graphics chipset (for a supposed 80 percent performance boost over the previous GeForce 9400M chipset).

Apple is also crowing about the 13-inch MacBook Pro’s improved battery life — up to 10 hours, although we’ll have to see how that figure holds up under testing.

The 15- and 17-inch models are getting graphic performance boosts as well thanks to the new GeForce GT 330M chipset, with either 256MB or 512MB of dedicated graphics depending on the configuration, along with “seamless” switching between speedy GeForce graphics and slower but “energy-efficient” Intel HD Graphics processors.

As for the MacBook and MacBook Air lines … no news, at least at the moment.

Anyway, on to the specs:

13-inch MacBook Pro
• 2.4GHz Intel Core 2 Duo processor, 4GB of RAM (twice as much as last year’s entry-level configuration), 250GB hard drive (was 160GB last year), Nvidia GeForce 320M graphics, $1,119
• 2.66GHz Intel Core 2 Duo processor, 4GB of RAM, 320GB hard drive (was 250GB), Nvidia GeForce 320M graphics, $1,499

15-inch MacBook Pro
• 2.4GHz Intel Core i5, 4GB of RAM, 320GB hard drive (last year’s entry-level configuration was just 250GB), Nvidia GeForce GT 330M with 256MB of dedicated memory, $1799 (a $100 price hike over last year’s entry-level 15-inch model)
• 2.53 Intel Core i5, 4GB of RAM, 500GB hard drive (was 320GB), Nvidia GeForce GT 330M with 256MB of dedicated memory, $1,999
• 2.66 Intel Core i7, 4GB of RAM, 500GB hard drive, Nvidia GeForce GT 330M with 512 of dedicated memory, $2,199 (a $100 price drop compared to last year’s high-end 15-inch configuration)

17-inch MacBook Pro
• 2.53GHz Intel Core i5, 4GB of RAM, 500GB hard drive, Nvidia GeForce GT 330M with 512 of dedicated memory, $2,229 (a $200 price drop from last year’s 17-inch MacBook Pro)

So, anyone ready to upgrade now that the i5- and i7-powered MacBook Pros are here? Wish the 13-inch MBP got the i5 upgrade along with the 15- and 17-inch models? Pleased or annoyed by the price points? Fire away below.

— Ben Patterson is a technology writer for Yahoo! News.