| Forum Home | ||||
| Press F1 | ||||
| Thread ID: 27377 | 2002-11-21 05:29:00 | thursday 21st news | tweak'e (174) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 100157 | 2002-11-21 05:29:00 | Buffer Overrun in Microsoft Data Access Components . "Buffer Overrun in Microsoft Data Access Components Could Lead to Code Execution (Q329414) Date: 20 November, 2002 Microsoft Data Access Components (MDAC) 2 . 1 Microsoft Data Access Components (MDAC) 2 . 5 Microsoft Data Access Components (MDAC) 2 . 6 Microsoft Internet Explorer 5 . 01 Microsoft Internet Explorer 5 . 5 Microsoft Internet Explorer 6 . 0 Impact: Run code of attacker?s choice Max Risk: Critical Bulletin: MS02-065 Microsoft encourages customers to review the Security Bulletins at: . microsoft . com/security/security_bulletins/ms02-065 . asp" target="_blank">www . microsoft . com . microsoft . com/technet/security/bulletin/MS02-065 . asp . " target="_blank">www . microsoft . com Issue: ====== Microsoft Data Access Components (MDAC) is a collection of components used to provide database connectivity on Windows platforms . MDAC is a ubiquitous technology, and it is likely to be present on most Windows systems: - - It is included by default as part of Windows XP, Windows 2000, and Windows Millennium . - - It is available for download as a stand-alone technology in its own right . - - It is either included in or installed by a number of other products and technologies . For instance, MDAC is included in the Windows NT 4 . 0 Option Pack, and some MDAC components are present as part of Internet Explorer even if MDAC itself is not installed . MDAC provides the underlying functionality for a number of database operations, such as connecting to remote databases and returning data to a client . One of the MDAC components, known as Remote Data Services(RDS), provides functionality that support three-tiered Architectures ? that is, architectures in which a client?s requests for service from a back-end database are intermediated through a web site that applies business logic to them . A security vulnerability is present in the RDS implementation, specifically, in a function called the RDS Data Stub, whose purpose it is to parse incoming HTTP requests and generate RDS commands . The vulnerability results because of an unchecked buffer in the Data Stub . By sending a specially malformed HTTP request to the Data Stub, an attacker could cause data of his or her choice to overrun onto the heap . Although heap overruns are typically more difficult to exploit than the more-common stack overrun, Microsoft has confirmed that in this case it would be possible to exploit the vulnerability to run code of the attacker?s choice on the user?s system . Both web servers and web clients are at risk from the vulnerability: - - Web servers are at risk if a vulnerable version of MDAC is installed and running on the server . To exploit the vulnerability against such a web server, an attacker would need to establish a connection with the server and then send a specially malformed HTTP request to it, that would have the effect of overrunning the buffer with the attacker?s chosen data . The code would run in the security context of the IIS service (which, by default, runs in the localSystem context) - - Web clients are at risk in almost every case, as the RDS Data Stub is included with all current versions of Internet Explorer and there is no option to disable it . To exploit the vulnerability against a client, an attacker would need to host a web page that, when opened, would send an HTTP reply to the user's system and overrun the buffer with the attacker's chosen data . The web page could be hosted on a web site or sent directly to users as an HTML Mail . The code would run in the security context of the user . Clearly, this vulnerability is very serious, and Microsoft recommends that all customers whose systems could be affected by them take app- ropriate action immediately . Web server administrators should either install the patch, disable MDAC and/or RDS, or upgrade to MDAC 2 . 7, which is not affected by the vulnerability . Web client users should install the patch immediately on any system that is used for web browsing . It is important to stress that the latter guidance applies to any system used for web browsing, regardless of any other protective measures that have already been taken . For instance, a web server on which RDS had been disabled would still need the patch if it was occasionally used as a web client . Mitigating Factors: ==================== Web Servers - - Web servers that are using MDAC version 2 . 7 (the version that shipped with Windows XP) or later are not affected by the vulnerability . - - Even if a vulnerable version of MDAC were installed, a web server would only be at risk if RDS were enabled . RDS is disabled by default on clean installations of Windows XP and Windows 2000, and can be disabled on other systems by following the guidance in the IIS Security Checklist . In addition, the IIS Lockdown Tool will automatically disable RDS when used in its default configuration . - - If the URLScan tool were deployed with its default ruleset (which allows only ASCII data to be present in an HTTP request), it is likely that the vulnerability could only be used for denial of service attacks . - - IIS can be configured to run with fewer than administrative privileges . If this has been done, it would likewise limit the privileges that an attacker could gain through the vulnerability . - - IP address restrictions, if applied to the RDS virtual directory, could enable the administrator to restrict access to only trusted users . This is, however, not practical for most web server scenarios . Web clients - - The HTML mail-based attack vector could not be exploited automatically on systems where Outlook 98 or Outlook 2000 were used in conjunction with the Outlook Email Security Update, or Outlook Express 6 or Outlook 2002 were used in their default configurations . - - Exploiting the vulnerability would convey to the attacker only the user?s privileges on the system . Users whose accounts are configured to have few privileges on the system would be at less risk than ones who operate with administrative privileges . Risk Rating: ============ - Internet systems: Critical - Intranet systems: Critical - Client systems: Critical Patch Availability: =================== - A patch is available to fix this vulnerability . Please read the Security Bulletin here ( . microsoft . com/technet/security/bulletin/ms02-065 . asp" target="_blank">www . microsoft . com) for information on obtaining this patch . Acknowledgment: =============== - Microsoft thanks Foundstone Research Labs (http://www . foundstone . com/) for reporting this issue to us and working with us to protect customers . Drivers: New Nforce driver 2 . 0 Released New Nforce driver 2 . 0 on Nvidia Site! Audio driver 3 . 06 WHQL Audio utilities 3 . 07 Network driver 2 . 84 WHQL GART driver 2 . 78 WHQL SMBus driver 2 . 78 WHQL Memory controller driver 2 . 78 WHQL Display Drivers 40 . 72 WHQL Download Nforce 2 . 0 Unified Driver Package for Windows 98SE/ME ( . nvidia . com/view . asp?IO=nforce_udp_winme_2 . 00" target="_blank">www . nvidia . com ) Download Nforce 2 . 0 Unified Driver Package for Windows XP ( . nvidia . com/view . asp?IO=nforce_udp_winxp_2 . 00" target="_blank">www . nvidia . com ) Download Nforce 2 . 0 Unified Driver Package for Windows 2000 ( . nvidia . com/view . asp?IO=nforce_udp_win2k_2 . 00" target="_blank">www . nvidia . com ) TRIDENT XP4™ EMBRACED BY FOUR PC GRAPHICS CARD MANUFACTURERS Trident Microsystems, Inc . (NASDAQ:TRID) today announced that a new generation of 128Mbytes and 64Mbytes graphics cards based on the XP4 will be available in production from four well-known PC card manufacturers, including Chaintech Computer Co . , Ltd . (www . chaintech . com . tw), Hightech Information Systems, Ltd . (www . hightech . com . hk), Jaton Corporation (www . jaton . com) and Jetway Information Co . , Ltd . (www . jetway . com . tw) . Graphics cards based on the XP4 T3 will deliver high-quality and performance graphics of DX8 . 1/9 . 0 with 128MBytes frame buffer memory for only $99 MSRP (Manufacturers' Suggested Retail Price) to the end-users . Graphics cards based on the XP4 T2 with 64MBytes memory will be available at an even lower price of $79 MSRP . TRIDENT XP4™ EMBRACED BY FOUR PC GRAPHICS CARD MANUFACTURERS ( . tridentmicro . com/press/ReadNews . asp?NewsID=159&BigClassName=Trident&SmallClassName=release&SpecialID=0" target="_blank">www . tridentmicro . com ) PlexTools v1 . 17 Upgrade Plextor Europe is proud to announce a new release of the PlexTools software . You can use PlexTools for instance to get more information on your drive, tweak its settings and besides that you can use it to play audio discs (with support for CD-Text) and of course you can use PlexTools to copy CD's or to make your own audio compilations with . Download PlexTools v1 . 17 Upgrade For Windows 95/98/Me/NT/2K/XP ( . plextor . be/default . asp" target="_blank">www . plextor . be ) Please Note: the server is running slow . Update: Ok Peeps that page was up now it's down! I've change the link to Plextor's Homepage were it's shows PlexTools v1 . 17! DVD-Cloner 1 . 83 Now what you will get are real DVD movies . The DVD-R/RW copied by DVD-Cloner is the same with the original DVD movie, in true DVD format and adopts MPEG2 format . You can clone your DVD entirely within 3 hours . The DVD you copied is in the same quality with the one you bought . DVD-Cloner supports most DVD-RW drive . The DVD of cloned could be played on any players which support compatible format . Download DVD-Cloner 1 . 83 ( . dvd-cloner . com/download . html" target="_blank">www . dvd-cloner . com) Hard Disk Indicator 1 . 2 Add your hard-disk's led at your system tray with this cool FREE program ! NOW you can choose between 5 led colors and also the program can monitor 5 partitions on the SAME time . . . Very good for the laptop users without leds or for people like me with a tower under the desk ;) Get it from HERE ~ 140 Kb ( . softnews . ro/public/cat/13/9/13-9-48 . shtml" target="_blank">www . softnews . ro ) AthlonXP . com 'DaBass' Casemod ( . athlonxp . com/modules . php?op=modload&name=Diner_Wrapper&file=index&req=ShowFile&file_wrap=html/reviews_BaDass . html" target="_blank">www . athlonxp . com ) Never seen such a UNIQUE casemod before . AthlonXP . com has completed a watercooling project on a double Athlon 1900MP system on an Asus A7M266-D motherboard . The mod consists of two Cooler Master 200MX cases with highend equipment . Hammer Brand Name Revealed At Comdex, AMD yesterday announced it has selected AMD Athlon 64 as the brand name for its next- generation processor for desktop and mobile PCs, formerly code named "Clawhammer" . The upcoming AMD Athlon 64 processor is expected to be the industry's first and only 64-bit, x86 PC processor for desktop and mobile computing . Desktop and mobile PCs built on the AMD Athlon 64 processor will be able to run 64- bit applications at full performance and simultaneously run 32-bit software applications with no performance penalty . AMD Opteron will be the brand name for 64bit server CPU formerly known as Sledgehammer . IBM To Build World's Fastest Supercomputers In 2003/2004 IBM has signed contracts with the U . S . Department of Energy to built two supercomputers in 2003/2004 valued at $216 to $267 million US each . The two systems will have more combined processing power than the combined power of all 500 machines on the recently announced TOP500 List of Supercomputers . The first system - called ASCI Purple - will offer the Department of Energy the world's first supercomputer capable of up to 100 teraflops, more than twice as fast as the most powerful computer in existence today . ASCI Purple will consist of a cluster of POWER-based IBM systems and IBM storage systems . It represents a fifth-generation system under the ASCI Program . ASCI Purple will serve as the primary supercomputer in the department's Advanced Simulation and Computing program, commonly known as ASCI . The DOE's National Nuclear Security Administration's (NNSA) Stockpile Stewardship Program will rely on ASCI Purple to simulate the aging and operation of U . S . nuclear weapons, helping ensure the safety and reliability of the nation's stockpile without underground testing . The second supercomputer, a research machine called Blue Gene/L, will employ advanced IBM semiconductor and system technologies based on new architectures being developed in the partnership between IBM and the DOE for the government's ASCI Program . When completed, Blue Gene/L will have a theoretical peak performance of up to 367 teraflops with 130,000 processors running Linux . It will have the capability to process data at a rate of one terabit per second, equivalent to the data transmitted by 10,000 weather satellites . The supercomputer will be used by the three NNSA laboratories (Los Alamos, Sandia and Lawrence Livermore) and the ASCI University Alliance collaborators as well as other DOE laboratories in the future . Blue Gene/L will be used to develop and run a broad suite of scientific applications including the simulation of very complex physical phenomena of national interest, such as turbulence, prediction of material properties, and the behavior of high explosives . A human brain's probable processing power is around 100 teraflops, roughly 100 trillion calculations per second, according to Hans Morvec, principal research scientist at the Robotics Institute of Carnegie Mellon University . This is based on factoring the capability of the brain's 100 billion neurons, each with over 1,000 connections to other neurons, with each connection capable of performing about 200 calculations per second . Source: IBM (http://www . ibm . com/ ) New Tribes 2 Patch New patches for Tribes2 have been released, upgrading the multiplayer first person shooter by Dynamix to version 25034 . Excerpt from changelog: Fixed AMD Win32 Dual CPU timing bug Added $pref::useHighPerformanceCounter to enable usage of the -QueryPerformanceCounter code Added gravity to demo recordings Fixed CPU control state in a couple more places for deterministic simulation Merged many script fixes And more . . . Download at 3DGamers ( . 3dgamers . com/games/tribes2/#filelist" target="_blank">www . 3dgamers . com ) MS black limited edition mouse In a continued effort to meet consumer demand for stylish computer peripherals, Microsoft Corp . today unveiled the first of several upcoming special edition hardware products . Covered in a soft black finish, Wireless Optical Mouse Special Edition Black debuts as the fashion essential of devices -- a stylish companion for any computing occasion . Designed with ambidextrous comfort, this sleek, black mouse offers freedom from wires and cable clutter . Wireless Optical Mouse Special Edition Black glows red and glides with smooth accuracy on most surfaces using signature Microsoft® Optical Technology . The new mouse is widely available for a limited time for an estimated retail price of $44 . 95 . View: Full Story ( . microsoft . com/presspass/press/2002/Nov02/11-18HolidayOpticalMousePR . asp" target="_blank">www . microsoft . com ) AMD demos 64-bit Unreal Tournament Gaming will drive the Athlon 64 Clawhammer CHIP FIRM AMD appears to be making blizzards of announcements this Comdex . The latest today is that it demonstrated a 64-bit version of Unreal Tournament 2003 on its Athlon 64 (Clawhammer) processor . As AMD says, the Unreal Engine is used for other award winning games, and Mark Rein, VP at Epic Games, said it will ship a 64-bit version of Unreal Tournament when the Athlon 64 chip "show up on retail shelves" . As for AMD itself, it says that gaming enthusiasts will be the catalyst that "bring 64-bit computing to mainstream PC users" . Intel's Itanium is not now, and quite probably never will be positioned as a games machine . The only question is when we'll see Athlon 64s show up on retail shelves . Official dates are talking about the first quarter next year . Chipset firms at Computex in Taiwan were talking about the end of Q1 next year . So will it be even later than that before we see the Clawhammer in shops? AMD has raised a heap of expectations about the Clawhammer-Athlon 64 so has to ensure that it now ships the chip in a timely fashion, and not just press releases about the microprocessor . News Source: The Inquirer (http://www . theinquirer . net/ ) AntiVir Personal Edition 6 . 16 . 13 . 66 ( . majorgeeks . com/article . php?sid=955&cat=29" target="_blank">www . majorgeeks . com) Free, effective protection against computer viruses . Thanks to MozFan [ Freeware | 3 . 4 Mb | Win All ] Detonator Destroyer 1 . 2 ( . majorgeeks . com/article . php?sid=806&cat=28" target="_blank">www . majorgeeks . com ) Remove Detonator drivers from all 6 . xx versions and up . [ Freeware | 73 Kb | Win All ] MailWasher 2 . 0 . 16 (Beta) ( . majorgeeks . com/article . php?sid=2054&cat=10" target="_blank">www . majorgeeks . com) Preview or bounce back your emails and more . [ Freeware | 1 . 3 Mb | Win All ] IE Booster 1 . 6 ( . majorgeeks . com/article . php?sid=2076&cat=5" target="_blank">www . majorgeeks . com) Extends the context menu of the MSIE (version 5 and up) [ Freeware | 408 Kb | Win All ] might be interesting . |
tweak'e (174) | ||
| 100158 | 2002-11-21 08:48:00 | tweak'e is really slow this week so aplogies if you already know about this . new java update sun java page here ( . sun . com/j2se/1 . 4 . 1/index . html" target="_blank">java . sun . com) What's new in JavaTM 2 Platform, Standard Edition, v 1 . 4 . 1! ( . sun . com/j2se/1 . 4 . 1/changes . html" target="_blank">java . sun . com) Bug Fixes As the first maintenance release to J2SE 1 . 4 . 0, over 2000 bug fixes were integrated in J2SE 1 . 4 . 1 . Additionally, changes and improvements have been made in the following areas: Compiler and Class File Format Changes . Javadoc AWT SWING Java Naming and Directory InterfaceTM API Networking RMI Internationalization Security Kerberos Service and DNS Name Lookup Developer release for 64-bit Intel Itanium processors The Windows/Linux release is intended only for developers as they begin to work with the IA-64 architecture . It is offered without support and is not for use in production systems or for redistribution with applications . Applications run only in interpreted mode . Java Plug-in and Java Web Start products are not available in the IA-64 release for Linux and Windows . Note that the 32 bit versions of J2SE 1 . 4 . 1 will not work on Itanium machines . Java Virtual Machine Two new garbage collectors have been added to improve application performance: Concurrent Mark and Sweep Collector . This collector executes mostly concurrently with the application . It trades the utilization of processing power that would otherwise be available to the application for shorter garbage collection pause times . Parallel Garbage Collector . This collector enables garbage collection to occur on multiple threads for better performance on multiprocessor machines . Java Plug-in Several significant enhancements have been made . An update panel has been added for downloading security patches, in a compact format, as they become available . The Control Panel has been updated with new documentation in the Java Plug-in Developer Guide . Applet startup performance has been improved . Many other improvements have also been made . Java Web Start 1 . 2 Version 1 . 4 . 1 of the Java 2 SDK and Java Runtime Environment include the new Java Web Start 1 . 2 product . Java Web Start technology enables deployment of full-featured applications over the net . Version 1 . 2 offers several significant enhancements requested by the growing number of Java Web Start users . To use Java Web Start on previous Java releases, download the JRE package for the Java 2 Platform, Standard Edition, version 1 . 4 . 1 . a must for opera and XP uses |
tweak'e (174) | ||
| 100159 | 2002-11-21 20:25:00 | > > AthlonXP . com 'DaBass' > Casemod ( . athlonxp . com/modules . php?op=modload" target="_blank">www . athlonxp . com > name=Diner_Wrapper&file=index&req=ShowFile&file_wrap=h > ml/reviews_BaDass . html ) > Never seen such a UNIQUE casemod before . AthlonXP . com > has completed a watercooling project on a double > Athlon 1900MP system on an Asus A7M266-D > motherboard . The mod consists of two Cooler Master > 200MX cases with highend equipment . > They need to show us how to make those in the PCW! |
Chilling_Silence (9) | ||
| 1 | |||||