Microsoft Releases Visual C++

In separate moves, Microsoft has released its Visual C++ 2008 Feature Pack but discontinued extended support for the Visual Basic 6.0 IDE.

The feature pack had been available in a beta release since January, said S. “Soma” Somasegar, senior vice president of the Microsoft Developer Division, in his blog this week.
“The Feature Pack provides several exciting features for C++ developers, such as a major update to MFC (Microsoft Foundation Class) and an implementation of TR1 (Technical Report 1). Using the included MFC components, developers can create applications with the ‘look & feel’ of Microsoft’s most popular products — Microsoft Office, Visual Studio, and Internet Explorer,” Somasegar said.

TR1 is a document that featured a Visual C++ implementation with extensions to the C++ ISO standard. Microsoft’s implementation of TR1 contains such features as regular expression parsing and sophisticated random number generators.

Also included in the feature pack are a component for the Office 2007 Ribbon Bar, Visual Studio docking, auto hide windows, and Windows Vista theme support.

The feature pack is downloadable by any Visual Studio 2008 Standard or above customer, Somasegar said.

Also this week, Microsoft ended extended, paid support for the Visual Basic 6.0 IDE, which is more than 10 years old.

“If you haven’t converted all your apps to .Net, shame on you, but don’t freak out. Microsoft will continue to support the VB 6.0 runtime for all existing application in all the next versions of the Windows OS, including Windows Server 2008 and Vista,” said Microsoft’s Jeff Nuckolls, a technology specialist, in a blog entry from last week. Nuckolls still advised that users devise a migration plan.

An online petition in 2005 sought to save Visual Basic 6.0 and Visual Basic for Applications. Still available, that petition has gathered 13,341 signatures as of Wednesday afternoon. A Visual Basic user who had participated in the petition drive downplayed his need for support of Visual Basic 6.0 Wednesday afternoon.

“‘Support’ is not something I need or have needed outside the peer support of other VB developers,” said Visual Basic user Don Bradner. “Now if it gets to where I can’t write a VB6 app or my VB6 apps won’t run, that’s a lot different; it is also likely to be a long way into the future.”

Sun to Tout Hosting Platform

Sun will discuss on Thursday a research and development project intended to provide a hosting platform for delivering Internet-based services.

Called Project Caroline, the technology is on the agenda of a Sun Labs Open House taking place at Sun offices in Menlo Park, California. The platform comprises a programmatically configurable pool of virtualized compute, storage, and networking resources, according to Sun.

The Project Caroline Web page states that the project is designed to serve an emerging market of small and medium-sized SaaS providers.

“Anticipating needs driven by new SaaS business models and processes, Project Caroline helps SaaS providers develop services rapidly using high-level programming languages like the Java programming language, Ruby, Python, and Perl to update in-production services frequently and to automatically flex their use of platform resources to match changing runtime demands,” the Web page states.

Services can programmatically allocate, monitor, and control virtualized compute, storage, and networking resources via Project Caroline. Interfaces are featured for managing platform resources.

Developers can build services that update and flex platform resources usage. Project Caroline resources are exposed via high-level abstractions, including virtual machines, networks, and network-accessible file systems and databases. A horizontally scaled pool of distributed resources is presented as a single system to provide developers with a unified platform for allocating and controlling resources.

Also on the Open House agenda are OMS, pertaining to a royalty-free media system; Project Live, approaching software distribution and configuration by combining the firmware model with customization; and the Lively Kernel project for Web programming.

Other agenda items include: Project Wonderland, an open-source toolkit for building 3D virtual worlds for business and education collaboration; Project Darkstar, which is a gaming server; and Project MiRTLE (Mixed Reality Teaching and Learning Environment).

Microsoft Patches Critical Bugs in Windows

Microsoft has posted eight security updates — more than half marked “critical” — that patch 10 bugs in Windows, Office and Internet Explorer.

Of the 10 vulnerabilities plugged, Microsoft labeled seven as critical, the highest rating in its four-step threat-scoring system. Of the remainder, two were pegged as “important” and one as merely “moderate.”

Analysts agreed that the most serious vulnerabilities disclosed today were the two plugged by MS08-021, a critical update for every currently supported version of Windows, including the just-released Vista Service Pack 1 (SP1) and the even newer Windows Server 2008. “That’s right across the board,” said Tyler Reguly, a security research engineer at nCircle Network Security.

“All versions of Windows are affected,” echoed Amol Sarwate, manager of Qualys’s vulnerability research lab. “You don’t need to have any special software on your PC to be vulnerable.”

The MS08-021 update, said Microsoft in the advisory accompanying the release, fixes two flaws in Windows’ GDI, or graphics device interface, one of the core components of the operating system. Attackers can use malformed WMF (Windows Metafile) or EMF (Enhanced Metafile) image files to trigger the bugs and “take complete control of an affected system,” said Microsoft.

“Users who simply view an image online or in e-mail could be compromised,” said Sarwate.

Both Sarwate and Reguly noted that there are similarities between the two new GDI vulnerabilities and ones revealed in late 2005, which were extensively used by attackers for months afterward. In fact, Microsoft patched that earlier GDI vulnerability — which was also exploited by malicious WMF and EMF files — “out-of-cycle,” or outside of its normal second-Tuesday-of-the-month update schedule.

Dlink Launches Xtreme N Router

D-Link launched its Xtreme N router DIR-655, using the latest Draft 802.11n wireless technology, in the Indian market.

The D-Link Xtreme N Gigabit Router (DIR-655) is designed for consumers, small businesses and gamers. The Xtreme N family is designed for larger homes and offices with high-speed Internet using multiple PCs, game consoles and other digital home devices such as streaming media adapters.

With faster speeds and further range than that found in 802.11g wireless products, the D-Link Xtreme N Router claims to be industry’s first Gigabit Draft N router to incorporate Intelligent Wireless Quality of Service (QoS) Technology that automatically prioritizes high-bandwidth, latency-sensitive wireless data traffic, allowing users to experience smooth streaming HD video, lag-free gaming and jitter-free voice over Internet (VoIP) calls. The D-Link XtremeN QoS is powered by StreamEngine technology from Ubicom.

The Xtreme N router also ships with Gigabit local area network (LAN) and Gigabit wide area network (WAN) ports. In addition, the Xtreme N router comes with an integrated wireless security wizard, Windows Connect Now (WCN) support for easily connecting WCN-enabled devices, Network Magic’s management features from Pure Networks, removable antennas for flexible installation, and a wall-mount option.

The D-Link DIR-655 router is available for Rs. 12,500.

Sharp Launches Mobile Phone for Bloggers

Sharp has launched a new mobile phone in Japan that features a small QWERTY keyboard and a tool allowing users to easily update their blogs.

The Sharp 922SH went on sale on Thursday and has a 3.5-inch display that folds out to the side so the phone can be used more like a miniature laptop than a traditional clamshell phone. The widescreen VGA display has a resolution of 854 pixel by 480 pixels.

The phone has an RSS reader and a PC-style web browser in addition to one more adapted to mobile use.

There’s a three-row QWERTY keyboard above which sit hot keys for functions such as digital mobile TV and the camera. There are also buttons for phone functions, navigation keys and a shortcut key to Yahoo Mobile, the mobile internet service offered by Softbank, which is the largest shareholder in Yahoo Japan.

The phone works on the WCDMA (Wideband Code Division Multiple Access) used in Japan and the GSM (Global System for Mobile Communications) networks found elsewhere. Its features include Bluetooth and a 2MP main camera and 110,000-pixel sub-camera for videoconferencing. It accepts Micro SD memory cards.

The phone measures 56mm by 116mm by 17mm and weighs 132g. Battery life is 250 minutes of talk time on WCDMA and 270 minutes on GSM with standby time at 340 hours and 310 hours respectively, said Sharp. TV viewing time is 4.5 hours.

The phone is locked to the Softbank network in Japan and there are no plans at present to launch it overseas.

Google Search Behind Most Phishing Sites

Three-quarters of phishing sites are built on hacked servers that have been tracked down using pre-programmed Google search terms, according to research from brand-protection firm MarkMonitor.

Among other activities, MarkMonitor tracks phishing attacks that target brand names.

Researchers compiled a list of 750 Google search terms that are used to track down websites likely to have easily exploitable vulnerabilities – mostly PHP-based sites.

The search terms return a list of sites likely to have particular vulnerabilities; the attackers then exploit the vulnerability, gain access to the site, and then use it to host malicious code or counterfeit web pages as part of the scam.

MarkMonitor found that 75 percent of the phishing sites it had discovered had been originally tracked down using one of the list of 750 Google search terms. The finding was based on a sample of one-quarter of the phishing sites logged by the firm.

The search terms, called “Google dorks”, are actively traded on internet forums, and are routinely scanned by IRC-based “bots”, which also scan Yahoo and AOL Search results, according to MarkMontitor.

Google has already made moves to block automated exploitation of the “dorks”, but they can still be used manually.

The websites exploited tend to be small, local PHP-based sites, which are less likely to have the latest patches installed, and are invaded via one of more than 1,800 known PHP bugs, MarkMonitor said.

In the fourth quarter of 2007, 412 organizations were targeted by phishing attacks, up 37 percent from the same period in 2006, according to the firm’s Brandjacking Index, published last month.

Auction sites were the biggest targets, accounting for 44 percent of the phishing emails in the fourth quarter, up from 36 percent in the first quarter of 2007.

Adobe Unveils Free Web-based Photoshop

The long-awaited, Web-based and free version of Adobe Photoshop is now available as a beta, Adobe announced Thursday.

Photoshop Express allows users to store up to 2GB of images, make edits to their photos, and share them, all online.

It is a way for Adobe to compete with free applications like Google’s Picasa, which have emerged over the last few years.

Since it’s to be used by consumers, the company has put a lot of effort on ease-of-use. In a few clicks, users will be able to make standard edits, such as removing blemishes and red-eye, converting to black and white, cropping and resizing. No experience is required, Adobe said.

Users will also be able to integrate with social networking sites like Facebook.

Photoshop Express works with all major browsers, including Firefox, Internet Explorer and Safari, Adobe said. It requires an Internet connection and Flash Player 9 to work.

The tool is based on Flex, Adobes cross-browser plug-in technology for multimedia.

At first, Photoshop Express is available only to U.S. residents and only in English. Users may experience slow performance if accessed outside of the US, Adobe warned. Future plans include availability in other languages and countries.

This isn’t Adobe’s first foray into Web-based services. Adobe announced the availability of Premiere Express, an online video editing available on partner sites such as MTV and Photobucket, early last year.

Symantec Suspects Bot in Attacks on D-Link Routers

Suspicious port scanning that’s been tracked back to D-Link routers may mean a worm or bot is on the loose and infiltrating the popular brand’s devices using a three-year-old vulnerability, security researchers at Symantec said.

The security company issued a warning Monday night to customers of its DeepSight threat notification service saying that there were “reliable reports” of an in-the-wild worm or bot that was attacking, then installing itself, on D-Link routers. By today, however, Symantec had taken a step back.

“After looking into it further, we decided that that was a little misleading,” said Oliver Friedrichs, a director of Symantec’s security response team. “It’s unconfirmed at this point. But we have definitely seen an increase in attack activity, and that activity appears to be coming from other D-Link devices.”

In other words, although Symantec’s researchers haven’t gotten their hands on a worm or bot sample, all the evidence points in that direction. “We suspect that it’s a bot,” he said.

According to Friedrichs, the attacks against the D-Link routers begin with hackers scanning TCP port 23 for an active SNMP (Simple Network Management Protocol) service, a flaw that first showed up in D-Link router firmware in 2005. “It looks like they’re exploiting the SNMP vulnerability to reset and reconfigure the administrative password on the routers,” said Friedrichs, perhaps to conduct “drive-by pharming” attacks that change a router’s settings so its users are unknowingly directed to bogus or malicious Web sites instead of the real URLs.

“Having port 23 open on the Internet-facing side is a bad idea in general,” said Petko Petkov, a prolific penetration tester from the U.K who, with a partner, Adrian Pastor, has published research on hacking routers. “But I guess this is due to the fact that the attacked devices have only one Ethernet port and users can unwillingly expose otherwise privileged services on the Internet.”

Router vulnerabilities are up and attacks against routers are on the upswing — especially attacks that target devices used by consumers and small businesses to create wireless networks, said Friedrichs. “Attackers are increasingly looking beyond the desktop,” he said, for new places to install — and hide — their malware.

Petkov wasn’t shocked to hear of Symantec’s warning. “We’re not surprised at all, as all embedded-device(s) we have tested so far are vulnerable to all kinds of interesting vulnerabilities,” Petkov said in an e-mail today. Nor would creating a worm or bot Trojan be tough. “Anybody can code a worm which attacks routers on a massive scale quite easily. Most of the research information is out there, so it is a matter of putting the pieces of the puzzle together.”

Friedrichs characterized the port 23 scanning activity Symantec is seeing as “moderate” and said the researchers will continue to investigate. He and his team, however, had not been able to verify that the vulnerability had been patched, and if so, when, or which specific models of D-Link’s routers might be at risk.

D-Link officials did not respond to a call for comment.

For the moment, the best advice Friedrichs had for D-Link router owners is to make sure that the SNMP service was not exposed to the Internet.