Monday, April 21, 2008

Daily Report

• Foster’s Daily Democrat reports the Memorial Bridge in Portsmouth, New Hampshire, will be closed from April 21 to April 26 for much needed repair work, forcing commuters to seek alternate routes across the Piscataqua River. (See item 15)

• According to the Associated Press, a homeless man has come forward with two sets of confidential blueprints for the planned New York City Freedom Tower that he says were dumped in a lower Manhattan trash can. The agency that owns the World Trade Center site calls it a serious security lapse. (See item 41)

Information Technology

36. April 18, IDG News Service – (National) Chinese blogs detail zero-day flaw in Microsoft Works. Chinese-language blogs are detailing a zero-day vulnerability in Microsoft Works, the company’s lower-end office productivity suite, according to security vendor McAfee. The vulnerability is within an ActiveX control for the Works’ Image Server, a McAfee analyst wrote. A PC would need to visit a Web site engineered to exploit the flaw. A zero-day flaw is a software vulnerability that has become public knowledge but for which no patch is available. It is particularly dangerous since users are exposed from day zero until the day a vendor prepares a patch and notifies users it is ready. Proof-of-concept code was posted on a Chinese blog showing how the problem could cause Windows to crash. Then, a few hours later, a working exploit appeared, which could allow malicious code to run on a machine. Source:

37. April 18, ITProPortal – (Oklahoma) Oklahoma State leaks tens of thousands of social security numbers. Residents of Oklahoma were told this week that tens of thousands of their names, social security numbers, and allied data were effectively available on the Web for around three years. The source of the problem, says a software security researcher with Fortify Software, is poor coding on the state’s Department of Corrections Web site. “This is a classic SQL injection vulnerability,” he said, adding that, in this case, the security lapse could easily have been caught with a simple code review. Had some form of automated analysis been part of the release procedure for this Web site, the incident could have been avoided, he said. According to newswire reports, anyone with a basic knowledge of SQL programming could interpret the URL and other data returned by the Oklahoma DoC Web site. Then, by the simple process of amending the long URLs returned by the site, they could retrieve tens of thousands of social security numbers and their allied data from the site. Source:

38. April 17, Secunia – (National) Mozilla Firefox Javascript Garbage Collector vulnerability. A vulnerability has been reported in Mozilla Firefox, which can potentially be exploited to compromise a user’s system. The vulnerability is caused due to an error in the Javascript Garbage Collector and can be exploited to cause a memory corruption via specially crafted Javascript code. Successful exploitation may allow execution of arbitrary code. The vulnerability is reported in version Prior versions may also be affected. Source:

Communications Sector

39. April 18, International Herald Tribune – (International) Era of in-flight mobile phone use begins in Europe. Relatively unobtrusive data calls, like mobile e-mail and messaging, have been available for a while on airlines including Emirates, Qantas, JetBlue, Virgin America, and Alaska Airlines. But last month, Emirates became the first airline to enable in-flight mobile voice services, on an Airbus A340 from Dubai to Casablanca. On April 2, Air France began offering voice calls on one of its jets on a trial basis, and BMI of Britain and TAP of Portugal plan to do the same. Although U.S. airlines have shunned the service, Ryanair, Europe’s largest low-cost airline, is so confident mobile phoning will prove popular that it plans to start offering it in June without even bothering with a trial. With the Air France trial, passengers only learn about the possibility of using their phone once they are on the plane. An announcement refers them to an instruction card in the seat pocket. They are told to switch off their phones during take-off and landing – and a special icon has been added next to the seatbelt sign to indicate when phones can be turned on. But there are still a number of hurdles to be overcome. The technology, which lets users make and receive calls through a satellite-linked, on-board base station, delivers a patchy quality that keeps most in-flight calls short and tinny. So far, only six passengers on any given flight can get a signal at the same time, although that is due to be expanded to 12. And then there are the roaming charges of as much as $4.80 per minute. Source:

40. April 18, Los Angeles Times – (National) EBay may consider selling Skype phone division. EBay Inc. said Thursday that it would consider selling its Skype telephone division if it could not be integrated with other units. EBay will review Skype this year, and if its chief executive officer determines the unit does not help the auction and PayPal payment system, it will be reassessed and may be sold, an EBay spokesman said. The auctioneer bought Skype, which enables users to make calls over the Internet, for $2.6 billion in 2005 with the intent of using it to facilitate the sale and purchase of goods online. The company said last year that the phone service had not lived up to those expectations. In October, EBay wrote off $1.39 billion for Skype. Skype has 309 million registered users. Source:,1,7995341.story