Archive for November, 2010

Microsoft CREI (Cloud Research Engagement Initiative) to provide scientists access to global resources

Monday, November 22nd, 2010

Microsoft last month announced it is using the Azure platform to provide a bevy of new cloud-based research and computation tools to researchers in various fields.  First up:  bioinformatics.

The recent release of NCBI BLAST (National Center for Biotechnology Information’s Basic Local Alignment Search Tool) services will permit biotech scientists and others to take advantage of Microsoft Research Lab’s BLAST implementation whenever and wherever they require it, without the massive capital expenditure involved in building their own distributed computing infrastructure or utilizing other offsite computing clusters.

Since Microsoft’s cloud computing capacity far exceeds what most labs have in place, the service should cut processing time substantially: protein or DNA sequence searches that used to take days can now be run in hours or minutes.

According to the Research Labs whitepaper, Microsoft has signed agreements with the U.S. National Science Foundation, with Japan’s NII Info-Plosion project, and most recently with several organizations in Europe: the European Commission’s VENUS-C project, France’s INRIA and the University of Nottingham.  The objective is to provide powerful yet scalable research tools and services to researchers around the globe, controlled right from their desktop or mobile device.

Answers to most project-specific questions regarding NCBI BLAST capabilities and the Cloud Research Engagement Initiative in general can be obtained in Microsoft’s FAQ.  Questions regarding the purchase or implementation of the Azure platform can be directed to Gyver Networks.

Cisco engineers talk shop about the ASR 1000 Series routers and Quantum Flow Processor

Monday, November 22nd, 2010

Cisco recently posted a YouTube video of several of their engineers discussing the development of the Cisco ASR 1000 Series routers employing the new 40-core Quantum Flow Processor.  With four threads per core, the QFP is able to process 160 distinct packets concurrently, in their entirety – not just headers.  Other geek-friendly stats are available on the Cisco site.

As always, Gyver Networks can answer any additional questions you might have regarding procurement, deployment and administration.

Microsoft Lync 2010 improves on Office Communications Server functionality, expands feature set

Friday, November 19th, 2010

Microsoft Office Communications Server (OCS) 14, hereafter known as Lync 2010, is the next generation solution for all-in-one enterprise connectivity offered by the tech giant.  With this most recent rendition of unified communications software, Microsoft has existing telephony solutions providers squarely in their sights, and Cisco and Avaya would do well to sit up and take notice.

OCS already provided a wide range of integrated communications options, but Lync 2010 supersedes them all, with advances not only in standard IP-based media such as chat, presence and videoconferencing, but also in a much improved voice solution offering access from anywhere without VPNs or third-party applications, plus full-featured smartphone client apps.

The conferencing features are particularly advanced, allowing users to begin a meeting at their workstation, then transfer and continue on their smartphone if they have to hit the road – without ever leaving and rejoining the meeting!  Pretty cool.  Other options include the ability for anonymous users to join meetings without downloading software or, going in the opposite direction, an administrator lobby for additional meeting access controls.

Chat warriors need not fear either, as Lync chat integrates contact and presence info with many popular chat clients like Yahoo!, AOL, MSN, and others.

Of course, everything integrates with existing Microsoft application platforms and MS infrastructure.  The feature set is rich, the options are innumerable, and the price is surprisingly affordable for an all-in-one connectivity platform.  Even though Lync 2010 is billed as an “enterprise connectivity” suite, small and mid-size businesses would be well served to consider the advances in internal communications, client presentations, and overall productivity Microsoft Lync 2010 would afford their company.

Google Apps to pose serious challenge to Microsoft Cloud services? Integrating Voice into Apps for Business is another big step

Thursday, November 18th, 2010

Google’s recent announcement that their Voice service will be included in the new Apps and Apps for Business rebranding provides yet another weapon in their assault against Microsoft’s Office, Exchange Unified Communications, and Cloud offerings, in particular the Business Productivity Online Services (BPOS) suite.  With the inclusion of Voice, Google is now able to match Microsoft’s scope of services by offering a complete range of media tools, access, and storage to its Apps for Business subscribers.

While most larger companies will opt to remain with the established business services provider in Microsoft, many smaller, mid-sized, and even some larger companies are going to pull the trigger and switch to Google’s product.  Several large companies and government entities – such as salesforce.com, the City of Los Angeles and the District of Columbia – already have, no doubt lured by Google Apps for Business’ lower price tag.

Which office productivity solution is right for your business?  Contact Gyver Networks today and our consultants will help you figure it out.

Nicaragua refuses to leave invaded Costa Rican territory after Google Maps prompted invasion

Tuesday, November 16th, 2010

It seems absurd that a Google Maps error could have provoked one country to invade another country, but that’s just what happened earlier this month when a Nicaraguan military commander used a Google Maps error as an excuse to invade Costa Rican territory, rip down a Costa Rican flag and fly Nicaragua’s colors instead.

The reason it was such a strange story wasn’t just because Google Maps made a mistake, but because it’s just so hard to believe that a military commander could be unaware of the legal borders of his own country, which is what Nicaragua said had happened.

It looks like we were right to be incredulous: the plot in that story is thickening. Apparently, Costa Rica — which has no military — is instead mobilizing its police force to go to that area and potentially fight back the Nicaraguans, who still haven’t left the area, despite having acknowledged the mistake.

Clearly, there’s a lot more to this story than a Google Maps error. In fact, it seems like Nicaragua has purposefully used the error as an excuse to try to claim territory from Costa Rica, which is not in a position to defend itself.

Both sides are being urged to back down, but things for the moment look tense. Could this be the first war provoked by Web 2.0? Let’s hope not.

Source:  Geek.com

Microsoft’s IT Academy gives NC high school students a headstart

Tuesday, November 16th, 2010

Filed as the latest entry in the “Where was this when we were kids?” folder:

North Carolina recently partnered with Microsoft to offer the Microsoft IT Academy program in every high school in the state.  Students will have the opportunity not only to learn the latest software and technical skills used daily in the working world, they will also have the chance to attain MOS or MCP certifications before they even graduate!

This easily qualifies as the single coolest educational program I’ve ever heard of.  It’s the equivalent of a vocational-school student taking electrical or plumbing courses and earning a master’s license at the same time they graduate.

Finally, it’s a chance for kids unable to attend college to acquire real-world skills and the accompanying certifications that can land them a decent job right out of high school.

Five bucks says NC’s juvenile crime rate drops and their graduation and employment rates rise within five years.  Now if only Massachusetts’ Department of Education would follow suit….

Cisco boasts wireless superiority in recent test vs. competitors

Monday, November 15th, 2010

Just because you’re the toughest kid on the block doesn’t mean you don’t have to prove it every so often, and Cisco did just that recently, comparing its wireless offerings against several other industry leaders.

Throughput vs. distance testing was performed pitting the Cisco Aironet 1252 against comparable 802.11n access points from HP, Aruba, Motorola and Trapeze, measuring access for assorted 802.11a/b/g/n wireless clients at various ranges.  The Cisco AP outperformed the pack in both the 2.4GHz and 5GHz bands, by as much as 169% in the former and 64% in the latter.

The complete results of the Cisco wireless study are available on the Cisco website.

US-CERT November 2010 vulnerability assessment

Friday, November 12th, 2010

Excerpt from:  National Cyber Alert System Cyber Security Bulletin SB10-312

Vulnerability Summary for the Week of November 1, 2010

High Vulnerabilities

Each entry gives the primary vendor and product, the bulletin’s description, the publication date, the CVSS base score, the CVE identifier and the bulletin’s source and patch-information references (link labels only; the URLs are not reproduced here).

4site — 4site_cms
SQL injection vulnerability in catalog/index.shtml in 4site CMS 2.6, and possibly earlier, allows remote attackers to execute arbitrary SQL commands via the cat parameter. NOTE: the i and th vectors are already covered by CVE-2009-0646.
Published: 2010-11-03   CVSS: 7.5   CVE-2010-4152   Sources: BID, BUGTRAQ, MISC, SECUNIA

adobe — shockwave_player
dirapi.dll in Adobe Shockwave Player before 11.5.9.615 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a Director file containing a crafted pamm chunk with an invalid (1) size and (2) number of sub-chunks, a different vulnerability than CVE-2010-4084, CVE-2010-4085, CVE-2010-4086, and CVE-2010-4088.
Published: 2010-10-29   CVSS: 9.3   CVE-2010-2581   Sources: CONFIRM

adobe — shockwave_player
An unspecified function in TextXtra.x32 in Adobe Shockwave Player before 11.5.9.615 does not properly reallocate a buffer when processing a DEMX chunk in a Director file, which allows remote attackers to trigger a heap-based buffer overflow and execute arbitrary code.
Published: 2010-10-29   CVSS: 9.3   CVE-2010-2582   Sources: CONFIRM

adobe — acrobat
Adobe Flash Player 10.1.85.3 and earlier on Windows, Mac OS X, Linux, and Solaris and 10.1.95.2 and earlier on Android, and authplay.dll (aka AuthPlayLib.bundle or libauthplay.so.0.0.0) in Adobe Reader and Acrobat 9.x through 9.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via crafted SWF content, as exploited in the wild in October 2010.
Published: 2010-10-29   CVSS: 9.3   CVE-2010-3654   Sources: CERT-VN, BID, CONFIRM, SECUNIA, MISC

adobe — shockwave_player
Stack-based buffer overflow in dirapi.dll in Adobe Shockwave Player before 11.5.9.615 allows attackers to execute arbitrary code via unspecified vectors.
Published: 2010-10-29   CVSS: 9.3   CVE-2010-3655   Sources: CONFIRM

adobe — shockwave_player
dirapi.dll in Adobe Shockwave Player before 11.5.9.615 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2010-2581, CVE-2010-4085, CVE-2010-4086, and CVE-2010-4088.
Published: 2010-10-29   CVSS: 9.3   CVE-2010-4084   Sources: CONFIRM

adobe — shockwave_player
dirapi.dll in Adobe Shockwave Player before 11.5.9.615 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2010-2581, CVE-2010-4084, CVE-2010-4086, and CVE-2010-4088.
Published: 2010-10-29   CVSS: 9.3   CVE-2010-4085   Sources: CONFIRM

adobe — shockwave_player
dirapi.dll in Adobe Shockwave Player before 11.5.9.615 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Director (.dir) media file with an invalid element size, a different vulnerability than CVE-2010-2581, CVE-2010-2880, CVE-2010-4084, CVE-2010-4085, and CVE-2010-4088.
Published: 2010-10-29   CVSS: 9.3   CVE-2010-4086   Sources: CONFIRM

adobe — shockwave_player
IML32.dll in Adobe Shockwave Player before 11.5.9.615 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via a .dir file with a crafted mmap record containing an invalid length of a VSWV entry, a different vulnerability than CVE-2010-4089.
Published: 2010-10-29   CVSS: 9.3   CVE-2010-4087   Sources: CONFIRM

adobe — shockwave_player
dirapi.dll in Adobe Shockwave Player before 11.5.9.615 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2010-2581, CVE-2010-4084, CVE-2010-4085, and CVE-2010-4086.
Published: 2010-10-29   CVSS: 9.3   CVE-2010-4088   Sources: CONFIRM

adobe — shockwave_player
IML32.dll in Adobe Shockwave Player before 11.5.9.615 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2010-4087.
Published: 2010-10-29   CVSS: 9.3   CVE-2010-4089   Sources: CONFIRM

adobe — shockwave_player
Adobe Shockwave Player before 11.5.9.615 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors.
Published: 2010-10-29   CVSS: 9.3   CVE-2010-4090   Sources: CONFIRM

anyconnect — anyconnect
Directory traversal vulnerability in AnyConnect 1.2.3.0, and possibly earlier, allows remote FTP servers to write arbitrary files via a “..\” (dot dot backslash) in a filename.
Published: 2010-11-01   CVSS: 9.3   CVE-2010-4148   Sources: XF, BID, OSVDB, MISC, SECUNIA, MISC, BUGTRAQ

aspindir — kisisel_radyo_script
SQL injection vulnerability in radyo.asp in Kisisel Radyo Script allows remote attackers to execute arbitrary SQL commands via the Id parameter.
Published: 2010-11-01   CVSS: 7.5   CVE-2010-4144   Sources: XF, BID, EXPLOIT-DB, SECUNIA, MISC

avactis — avactis_shopping_cart
Multiple SQL injection vulnerabilities in Pentasoft Avactis Shopping Cart 1.9.1 build 8356 free edition and earlier allow remote attackers to execute arbitrary SQL commands via the User-Agent header to (1) index.php and (2) product-list.php.
Published: 2010-11-01   CVSS: 7.5   CVE-2010-4147   Sources: XF, CONFIRM, BID, OSVDB, OSVDB, SECUNIA, MISC

cisco — ciscoworks_common_services
Multiple buffer overflows in the authentication functionality in the web-server module in Cisco CiscoWorks Common Services before 4.0 allow remote attackers to execute arbitrary code via a session on TCP port (1) 443 or (2) 1741, aka Bug ID CSCti41352.
Published: 2010-10-29   CVSS: 10.0   CVE-2010-3036   Sources: BID, CISCO, VUPEN, SECTRACK, SECUNIA

crossftp — crossftp_pro
Directory traversal vulnerability in CrossFTP Pro 1.65a, and probably earlier, allows remote FTP servers to write arbitrary files via a “..\” (dot dot backslash) in a filename.
Published: 2010-11-03   CVSS: 9.3   CVE-2010-4153   Sources: XF, BID, OSVDB, MISC, SECUNIA

freshwebmaster — fresh_ftp
Directory traversal vulnerability in FreshWebMaster Fresh FTP 5.36, 5.37, and possibly earlier, allows remote FTP servers to write arbitrary files via a “..\” (dot dot backslash) in a filename. NOTE: some of these details are obtained from third party information.
Published: 2010-11-01   CVSS: 9.3   CVE-2010-4149   Sources: XF, BID, BUGTRAQ, OSVDB, MISC, SECUNIA, MISC

hp — insight_control_performance_management
Unspecified vulnerability in HP Insight Control Performance Management before 6.2 allows remote authenticated users to gain privileges via unknown vectors.
Published: 2010-11-01   CVSS: 8.0   CVE-2010-4031   Sources: VUPEN, HP, HP

realflex — realwin
Multiple stack-based buffer overflows in DATAC RealWin 2.0 Build 6.1.8.10 and earlier allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long (1) SCPC_INITIALIZE, (2) SCPC_INITIALIZE_RF, or (3) SCPC_TXTEVENT packet. NOTE: it was later reported that 1.06 is also affected by one of these requests.
Published: 2010-11-01   CVSS: 10.0   CVE-2010-4142   Sources: BID, EXPLOIT-DB, EXPLOIT-DB, SECUNIA, MISC

rhinosoft — ftp_voyager
Directory traversal vulnerability in Rhino Software, Inc. FTP Voyager 15.2.0.11, and possibly earlier, allows remote FTP servers to write arbitrary files via a “..\” (dot dot backslash) in a filename.
Published: 2010-11-03   CVSS: 9.3   CVE-2010-4154   Sources: XF, BID, OSVDB, MISC, SECUNIA, MISC, BUGTRAQ

sonicwall — ssl-vpn_end-point_interrogator/installer_activex_control
Stack-based buffer overflow in SonicWALL SSL-VPN End-Point Interrogator/Installer ActiveX control (Aventail.EPInstaller) before 10.5.2 and 10.0.5 hotfix 3 allows remote attackers to execute arbitrary code via long (1) CabURL and (2) Location arguments to the Install3rdPartyComponent method.
Published: 2010-11-03   CVSS: 9.3   CVE-2010-2583   Sources: XF, SECTRACK, BID, BUGTRAQ, CONFIRM, MISC, SECUNIA

vim — gvim
Untrusted search path vulnerability in VIM Development Group GVim before 7.3.034, and possibly other versions before 7.3.46, allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse User32.dll or other DLL that is located in the same folder as a .TXT file. NOTE: some of these details are obtained from third party information.
Published: 2010-11-03   CVSS: 9.3   CVE-2010-3914   Sources: JVN, CONFIRM, BID, SECUNIA, JVNDB

wsn — links
Multiple SQL injection vulnerabilities in search.php in WSN Links 5.0.x before 5.0.81, 5.1.x before 5.1.51, and 6.0.x before 6.0.1 allow remote attackers to execute arbitrary SQL commands via the (1) namecondition or (2) namesearch parameter.
Published: 2010-11-03   CVSS: 7.5   CVE-2010-4006   Sources: MISC, BID, BUGTRAQ
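Four of the high-severity entries above (AnyConnect, CrossFTP Pro, Fresh FTP and FTP Voyager) are the same bug: the client takes a filename from the server’s directory listing and joins it onto the local download folder without checking it, so a listing entry beginning with “..\” is written wherever the server chooses. The following is an added example, not code from the bulletin or from any of the affected products: a naive join beside a hardened one, exercised on a constructed hostile listing. The download directory, the listing entries and the function names are assumptions made for the illustration; Windows path rules (ntpath) are used deliberately because all four affected clients run on Windows.

```python
"""Added example: placing files named by an untrusted FTP server.

Nothing here is taken from any of the affected products; the listing and the
download directory are constructed for the demonstration.
"""
from __future__ import annotations

import ntpath


class UnsafeServerFilename(ValueError):
    """Raised when a name from an FTP listing cannot be stored safely."""


def vulnerable_target(download_dir: str, server_name: str) -> str:
    """The join the affected clients effectively performed: trust the name."""
    return ntpath.normpath(ntpath.join(download_dir, server_name))


def safe_target(download_dir: str, server_name: str) -> str:
    """Return the local path for one listing entry, or raise.

    download_dir is assumed to be an absolute, already normalised Windows path
    (an assumption of this example, not something the bulletin states).
    """
    # Rule 1: a listing entry names a single file.  Any separator, drive
    # letter or NUL means the server is trying to pick the location itself.
    if not server_name or server_name in (".", ".."):
        raise UnsafeServerFilename(server_name)
    if any(ch in server_name for ch in ("\\", "/", ":", "\x00")):
        raise UnsafeServerFilename(server_name)
    # Rule 2: containment check after normalisation, so the function stays
    # safe even if rule 1 is later relaxed (e.g. to allow sub-directories).
    base = ntpath.normpath(download_dir)
    target = ntpath.normpath(ntpath.join(base, server_name))
    try:
        inside = ntpath.commonpath([base, target]) == base
    except ValueError:  # different drives, or absolute mixed with relative
        inside = False
    if not inside:
        raise UnsafeServerFilename(server_name)
    return target


# Constructed listing, as a hostile server could return it for LIST/NLST.
SERVER_LISTING = [
    "report.pdf",
    "..\\..\\..\\Windows\\System32\\evil.dll",   # the bulletin's "..\" vector
    "/etc/passwd",                               # forward slashes also traverse
    "C:\\Windows\\System32\\drivers\\etc\\hosts",  # absolute path replaces the base
    "notes.txt\x00.exe",                         # NUL truncation in C-based clients
]
DOWNLOAD_DIR = "C:\\Users\\alice\\Downloads"   # constructed


def triage(download_dir: str, listing: list[str]) -> dict[str, tuple[str, str | None]]:
    """Map each listing name to (where a naive client writes, where the
    hardened client writes, or None when it refuses the name)."""
    result = {}
    for name in listing:
        naive = vulnerable_target(download_dir, name)
        try:
            hardened = safe_target(download_dir, name)
        except UnsafeServerFilename:
            hardened = None
        result[name] = (naive, hardened)
    return result


if __name__ == "__main__":
    for name, (naive, hardened) in triage(DOWNLOAD_DIR, SERVER_LISTING).items():
        print(f"{name!r:48} naive    -> {naive}")
        print(f"{'':48} hardened -> {hardened or 'REFUSED'}")
```

Rule 1 alone fixes every entry in the bulletin; rule 2 is there because the next feature request (recursive download, mirroring) will reintroduce directory components, and a containment check on the normalised result is the property that must survive that change.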

Medium Vulnerabilities

Same layout as the high-severity entries: vendor and product, description, publication date, CVSS base score, CVE identifier and the bulletin’s reference labels.

acegisecurity — acegi-security
VMware SpringSource Spring Security 2.x before 2.0.6 and 3.x before 3.0.4, and Acegi Security 1.0.0 through 1.0.7, as used in IBM WebSphere Application Server (WAS) 6.1 and 7.0, allows remote attackers to bypass security constraints via a path parameter.
Published: 2010-10-29   CVSS: 5.0   CVE-2010-3700   Sources: MISC, BID, BUGTRAQ

aspindir — kisisel_radyo_script
Kisisel Radyo Script stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for sevvo/eco23.mdb.
Published: 2010-11-01   CVSS: 5.0   CVE-2010-4145   Sources: EXPLOIT-DB, SECUNIA, MISC

attachmate — reflection_for_the_web
Cross-site scripting (XSS) vulnerability in Attachmate Reflection for the Web 2008 R2 (builds 10.1.569 and earlier), 2008 R1, and 9.6 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Published: 2010-11-01   CVSS: 4.3   CVE-2010-4146   Sources: XF, BID, CONFIRM, SECUNIA, OSVDB

deliciousdays — cforms
Multiple cross-site scripting (XSS) vulnerabilities in wp-content/plugins/cforms/lib_ajax.php in cforms WordPress plugin 11.5 allow remote attackers to inject arbitrary web script or HTML via the (1) rs and (2) rsargs[] parameters.
Published: 2010-11-03   CVSS: 4.3   CVE-2010-3977   Sources: BID, BUGTRAQ, MISC, SECUNIA

deluxebb — deluxebb
SQL injection vulnerability in misc.php in DeluxeBB 1.3, and possibly earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the xthedateformat parameter in a register action, a different vector than CVE-2005-2989, CVE-2006-2503, and CVE-2009-1033.
Published: 2010-11-03   CVSS: 6.8   CVE-2010-4151   Sources: XF, CONFIRM, BID, BUGTRAQ, MISC, SECUNIA, MISC

exv2 — exv2
Multiple cross-site scripting (XSS) vulnerabilities in eXV2 CMS 2.10 allow remote attackers to inject arbitrary web script or HTML via the (1) rssfeedURL parameter to manual/caferss/example.php and the sumb parameter to (2) modules/news/archive.php, (3) modules/news/topics.php, and (4) modules/contact/index.php, different vectors than CVE-2007-1965.
Published: 2010-11-03   CVSS: 4.3   CVE-2010-4155   Sources: XF, MISC, BID, MISC

hp — insight_control_performance_management
Cross-site scripting (XSS) vulnerability in HP Insight Control Performance Management before 6.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Published: 2010-11-01   CVSS: 4.3   CVE-2010-4030   Sources: VUPEN, HP, HP

hp — insight_control_performance_management
Cross-site request forgery (CSRF) vulnerability in HP Insight Control Performance Management before 6.2 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
Published: 2010-11-01   CVSS: 6.8   CVE-2010-4032   Sources: VUPEN, HP, HP

hp — insight_control_performance_management
Unspecified vulnerability in HP Insight Control Performance Management before 6.1 update 2 allows remote attackers to read arbitrary files via unknown vectors.
Published: 2010-11-01   CVSS: 5.0   CVE-2010-4100   Sources: VUPEN, HP, HP

hp — insight_recovery
Cross-site scripting (XSS) vulnerability in HP Insight Recovery before 6.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Published: 2010-11-01   CVSS: 4.3   CVE-2010-4101   Sources: VUPEN, BID, HP, HP, SECUNIA

hp — insight_recovery
Unspecified vulnerability in HP Insight Recovery before 6.2 allows remote attackers to read arbitrary files via unknown vectors.
Published: 2010-11-01   CVSS: 5.0   CVE-2010-4102   Sources: VUPEN, BID, HP, HP, SECUNIA

hp — insight_managed_system_setup_wizard
Unspecified vulnerability in HP Insight Managed System Setup Wizard before 6.2 allows remote attackers to read arbitrary files via unknown vectors.
Published: 2010-11-01   CVSS: 5.0   CVE-2010-4103   Sources: XF, VUPEN, BID, HP, HP, SECUNIA

hp — insight_orchestration
Unspecified vulnerability in HP Insight Orchestration before 6.2 allows remote attackers to read arbitrary files via unknown vectors.
Published: 2010-11-01   CVSS: 5.0   CVE-2010-4104   Sources: VUPEN, BID, HP, HP, SECUNIA

hp — insight_orchestration
Unspecified vulnerability in HP Insight Orchestration before 6.2 allows remote attackers to bypass intended access restrictions, and obtain sensitive information or modify data, via unknown vectors.
Published: 2010-11-01   CVSS: 6.4   CVE-2010-4105   Sources: VUPEN, BID, HP, HP, SECUNIA

hp — insight_control_for_linux
Cross-site request forgery (CSRF) vulnerability in HP Insight Control for Linux before 6.2 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
Published: 2010-11-01   CVSS: 6.8   CVE-2010-4106   Sources: XF, VUPEN, BID, HP, HP, SECUNIA

phpcheckz — phpcheckz
SQL injection vulnerability in chart.php in phpCheckZ 1.1.0, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the id parameter.
Published: 2010-11-01   CVSS: 6.8   CVE-2010-4143   Sources: EXPLOIT-DB
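The Spring Security / Acegi entry above says only that a “path parameter” bypasses security constraints. The general class behind that phrase is a mismatch between the string an authorization rule is matched against and the resource the container actually serves: a URL segment can carry “;name=value” (the same syntax as ;jsessionid=), and if the rule is tested against the raw text while the container strips the parameter before dispatching, a prefix rule such as /admin/** never fires. The following is an added example, not code from Spring Security, Acegi, WebSphere or the bulletin, and the URL shapes in it are constructed to illustrate the class rather than any specific product’s bypass. The rule set, the role names and the helper names are assumptions of the example.

```python
"""Added example: authorize against a canonical path, not the raw URL.

Illustrates the path-parameter bypass class in general terms.  The rules,
roles and URLs are constructed; they do not reproduce any product's bypass.
"""
import posixpath
import re
from urllib.parse import unquote


def strip_path_params(path: str) -> str:
    """Drop ;name=value (or a bare ;name) from every segment: /a;x=1/b -> /a/b."""
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def canonical_path(raw_url: str) -> str:
    """The form an authorization rule should be matched against.

    Order matters: decode, then strip path parameters, then collapse dot
    segments, so an encoded ';' or '..' cannot survive into the match.
    """
    path = raw_url.split("?", 1)[0].split("#", 1)[0]
    path = unquote(path)                 # %2e%2e -> ..
    path = strip_path_params(path)
    path = re.sub("/+", "/", path)       # posixpath keeps a leading "//", so squash first
    path = posixpath.normpath(path)      # "/a/./b/../c" -> "/a/c"; never climbs above "/"
    if not path.startswith("/"):
        path = "/" + path
    return path


def ant_pattern(pattern: str) -> "re.Pattern[str]":
    """Minimal Ant-style matcher: '/**' spans any depth, '*' stays in one segment."""
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            parts.append("(?:/.*)?")
            i += 3
        elif pattern[i] == "*":
            parts.append("[^/]*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


# Constructed rule set; first match wins, like a chain of intercept-url entries.
RULES = [
    ("/admin/**", "ROLE_ADMIN"),
    ("/**", "ROLE_USER"),
]
_COMPILED = [(ant_pattern(p), role) for p, role in RULES]


def required_role(path: str):
    """Role demanded by the first matching rule, or None (callers deny on None)."""
    for rx, role in _COMPILED:
        if rx.match(path):
            return role
    return None


def authorize_raw(raw_url: str, roles: set) -> bool:
    """Vulnerable pattern: rules are matched against the URL as received."""
    return required_role(raw_url.split("?", 1)[0]) in roles


def authorize_canonical(raw_url: str, roles: set) -> bool:
    """Hardened pattern: rules are matched against the path that will be served."""
    return required_role(canonical_path(raw_url)) in roles


if __name__ == "__main__":
    user = {"ROLE_USER"}
    for url in ("/admin/users", "/admin;x=y/users", "/public/%2e%2e/admin/users"):
        print(f"{url:32} serves {canonical_path(url):14} "
              f"raw={authorize_raw(url, user)} canonical={authorize_canonical(url, user)}")
```

The catch-all /** rule is what turns a failed match into a bypass: the request is not rejected for matching nothing, it is accepted under the weaker rule. Two lessons follow. Authorization must be evaluated on exactly the string the container dispatches on, and a deny-by-default rule (required_role returning None means deny here) limits the damage when the two ever disagree.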

There were no low vulnerabilities recorded this week.