Daily Report Thursday, January 11, 2007

Daily Highlights

TechWeb reports three technology companies have developed a communications system for miners and say they have made the first wireless phone call from a thousand feet inside a coal mine; this should greatly improve safety by giving miners a way to communicate with the outside world during a disaster. (See item 2)
The National Transportation Safety Board, after reviewing the October 2004 crash of a small plane in Missouri, said the accident shows a need for regional air carriers to adopt more stringent professional standards for pilots −− as major airlines have done −− and improve training procedures for pilots flying at high altitudes. (See item 14)

Information Technology and Telecommunications Sector

27. January 10, IDG News Service — U.S. commerce secretary says China is thwarting global technology innovation by not embracing 3G standards. Secretary of the U.S. Department of Commerce Carlos M. Gutierrez Tuesday, January 9, criticized China for delaying the creation of a 3G (third generation) wireless network in that country, saying it is thwarting global technology innovation by not embracing standards. Speaking in a session at the International Consumer Electronics Show (CES) in Las Vegas, NV, Gutierrez said companies around the world must support common standards to promote a worldwide environment for technology innovation, not have their own "pockets of standards." He used China, where the government continues to hold out on granting licenses to build 3G networks, as an example of that misstep. China has delayed plans to build a 3G network for several years, he said. Many believe it is because the government wants to promote its own homegrown 3G standard, called TD−SCDMA (Time Division Synchronous Code Division Multiple Access), instead of embracing a version of CDMA (Code Division Multiple Access), on which other countries have built or are building 3G networks. To do its part to encourage competition in the technology industry, the U.S. has to revise current legislation that governs the technology industry and remain as hands−off as possible, he said.
Source: http://www.infoworld.com/article/07/01/10/HNusslapschinafor3 G_1.html

28. January 10, Network World — Adobe releases first set of patches for cross−site scripting vulnerability. Adobe late Tuesday, January 9, released the first set of security patches to address the cross−site scripting vulnerability disclosed by European researchers late last year. The flaw allows Acrobat Reader v.7.0.8 and earlier versions to be exploited by hackers. Left unpatched, the vulnerable versions of Adobe’s Reader, Acrobat Standard, Acrobat Professional and Acrobat 3D let an attacker easily include JavaScript code in a browser session so that when a user clicks on a malicious link to a PDF on the Web, the attack code is activated. There is no vulnerability associated with PDF itself. The latest version of Acrobat, v.8, released in December, isn’t vulnerable to the cross−site scripting attack. “Adobe strongly urges Adobe Reader users to update to the latest version, Reader 8. Adobe Reader 7 users who wish to stay with their current version can follow the instructions outlined in the bulletin,” Adobe advised. Adobe also issued recommendations for a server−side workaround for Website operators.
Source: http://www.networkworld.com/news/2007/011007−adobe−patches.h tml

29. January 09, US−CERT — Technical Cyber Security Alert TA07−009A: Microsoft Updates for Multiple Vulnerabilities. Microsoft has released updates to address vulnerabilities that affect Microsoft Windows, Internet Explorer, Outlook, and Excel as part of the Microsoft Security Bulletin Summary for January 2007. The most severe vulnerabilities could allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial of service on a vulnerable system. Microsoft has provided updates for these vulnerabilities in the January 2007 Security Bulletins. The Security Bulletins describe any known issues related to the updates. Note any known issues described in the Bulletins and test for any potentially adverse affects in your environment.
Microsoft Security Bulletin: http://www.microsoft.com/technet/security/bulletin/ms07−jan.mspx
Source: http://www.uscert.gov/cas/techalerts/TA07−009A.html

30. January 09, US−CERT — Technical Cyber Security Alert TA07−009B: MIT Kerberos Vulnerabilities. The MIT Kerberos administration daemon contains two vulnerabilities that may allow a remote, unauthenticated attacker to execute arbitrary code. US−CERT is are aware of two vulnerabilities that affect the Kerberos administration daemon: Kerberos administration daemon fails to properly initialize function pointers and Kerberos administration daemon may free uninitialized pointers. These vulnerabilities are addressed in MIT krb5 Security Advisory 2006−002 and MIT krb5 Security Advisory 2006−003. Patches for these issues are also included in those advisories.
Source: http://www.uscert.gov/cas/techalerts/TA07−009B.html