Dinesh's Blog


    March 16

    OpenBSD IPv6 remote vulnerability

    OpenBSD 3.9 and 4.0 have fixed an issue to correct a problem in the IPv6 stack.
    Source code patches are available at:

    As a workaround, if you do not need IPv6, you can use the following (it will block all IPv6):
    Edit the pf configuration:
    # vi /etc/pf.conf
    Add the line:
    block drop in inet6 all
    Load the new rules into the pf packet filter:
    # pfctl -f /etc/pf.conf
    Check that the rule is present in the runtime ruleset:
    # pfctl -s rules
    The workaround disables all incoming IPv6 packets on the machine.
    The patch itself is a kernel patch, so you will need to recompile a kernel, install it and reboot the affected machines.
    The 3.9 patch applies cleanly to the 3.8, 3.7 and even 3.0 trees.  No excuse not to patch older systems!

    Apple megapatch plugs 45 security holes

    The megapatch, also known as Mac OS X 10.4.9, is the seventh Apple security patch release in three months. It deals with vulnerabilities in Apple's own software, as well as third-party components such as Adobe Systems' Flash Player, OpenSSH and MySQL. Sixteen of the vulnerabilities addressed by the update were previously released as part of two high-profile bug-hunting campaigns. Several of the flaws could be exploited to gain full control over a Mac running the vulnerable component, according to Apple's advisory. Other holes are limited and could only be exploited to crash a Mac or used by somebody who already has access to a machine.
    Eight vulnerabilities are related to the way Mac OS X handles disk images; mounting a malicious image may lead to an error and could provide a means for an attacker to breach a Mac, Apple said. Nine vulnerabilities were released as part of the Month of Apple Bugs in January and seven bugs disclosed in the Month of Kernel Bugs in November. While several of the vulnerabilities repaired by Apple's updates were previously known, it doesn't appear that any attacks that exploited the flaws actually occurred. Apple also issued a second update which fixes a security bug in iPhoto that could allow an attacker to craft a malicious "photocast" which, when opened, could compromise a Mac.

    news.com article

    Mac OS X 10.4.9 Update at Apple

    What is i'm? Chat for charity initiative officially launched!

    Over the past few years, we've seen people on Messenger put emoticons or special symbols in their nicknames to mourn victims of terrorist attacks, AIDS, acts of God or evil stingrays. Sometimes these appeals create a sizeable buzz, in other cases just dozens of "colorful" contact lists. But with Microsoft now jumping on this trend for the first time you'll be able to actually make a difference without spending any money!

    On March 1st the "i'm Initiative" revealed different shortcuts that show the charity emoticon and, depending on which shortcut you use, you decide which one of the nine participating organizations benefits from your free donations. By selecting your favorite cause from the following list and putting the associated emoticon in your Display Name, you can personally help the organization attain its goals:


    *sierra - Sierra Club
    *bgca - Boys and Girls Clubs of America
    *9mil - ninemillion.org
    *komen - Susan G. Komen for the Cure
    *mssoc - National Multiple Sclerosis Society
    *red+u - American Red Cross
    *unicef - UNICEF
    *naf - National AIDS Fund
    *help - StopGlobalWarming.org


    One important detail that I would like to pay extra attention to is the campaign's restriction to users from the United States, although you can still put the emoticon in your nickname in order to raise awareness for the campaign among your U.S.-based buddies.

    Head over to im.live.com or the press release for more information.

    OneCare Eats Some Outlook E-mail

    There is an interesting post here and a detailed discussion here of a problem that has hit some users of Microsoft OneCare.  Apparently, OneCare has deleted some folks' Microsoft Outlook .PST file, destroying all of their e-mail.  There are some workarounds in the post which describe how to make OneCare stay away from your .PST file.  This is a problematic solution, because OneCare won't be able to scan for any malware in your .PST file, but it sure beats having all of your e-mail deleted!

    Time for an Xb0t 360?

    It was only a matter of time until someone discovered an interesting vulnerability in the Xbox 360.

    So, what is the cunning plan?  Well, the designers of the Xbox 360 (which is, incidentally, PowerPC-based) went to extreme lengths to try to make it "unhackable" and chose a hypervisor design in which, unlike previous generations of gaming consoles, games no longer take over the system. There is a thin "operating system" which the games communicate with using a classic syscall. Since everything goes via the syscall then, theoretically, all you need to do is armor the syscall to keep everything nice and secure.

    But it looks like the syscall implementation didn't adequately check the parameters being passed for correctness and consistency, allowing a privilege escalation attack. As a matter of fact, if you read the actual description you will notice that it is a subtle bug: one instruction in the validation path only looks at 32 bits of a 64-bit register, while a subsequent instruction acts on all 64 bits.

    However, this has been patched since January 7th 2007.
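    The bug class described above, a check that examines only the low 32 bits of a value which the following code then uses in full, as an added example in Python. This is a model written for this post, not code from the original post or from the Xbox 360 hypervisor; the table size, mask constants and sample indices are constructed, and the flawed validator is shown beside the correct one so the difference in accepted inputs is visible.

```python
# Added example: model of a validation/use width mismatch.
# Not from the original post; all constants below are constructed.

TABLE_SIZE = 0x4000                    # constructed: number of valid entries
MASK32 = 0xFFFF_FFFF
MASK64 = 0xFFFF_FFFF_FFFF_FFFF


def validate_low32(index):
    """Flawed validator: the bound check only covers the low 32 bits,
    so any index whose upper 32 bits are non-zero can still pass."""
    return (index & MASK32) < TABLE_SIZE


def validate_full64(index):
    """Correct validator: the bound check covers the whole 64-bit value."""
    return (index & MASK64) < TABLE_SIZE


def access(index, validator):
    """Model of the privileged path: run the validator first, then act on the
    full 64-bit index. Returns the index that would actually be used, or
    None when the validator rejects it."""
    if not validator(index):
        return None
    return index & MASK64              # the later step uses all 64 bits


INSIDE = 0x10                          # constructed: ordinary in-range index
OUT_OF_RANGE = (1 << 32) | 0x10        # constructed: low 32 bits look fine


def demo():
    """Summarise what each validator lets through for the two sample indices."""
    return {
        "low32_in_range": access(INSIDE, validate_low32),
        "low32_out_of_range": access(OUT_OF_RANGE, validate_low32),
        "full64_in_range": access(INSIDE, validate_full64),
        "full64_out_of_range": access(OUT_OF_RANGE, validate_full64),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

    The only difference between the two validators is the mask applied before the comparison; the fix is simply to check the value at the same width at which it is used.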

    Sri Lanka's first Internet company halts services

    Sri Lanka's first Internet service provider was set up in 1994 by a group of Sri Lankans residing in the US and Colombo-based investors. Since 1994, more than 25 Internet service providers have started operations in Sri Lanka for a combined 130,000 customers, according to official figures. The original ISP, Lanka Internet Services Limited, has halted its services after hitting financial difficulty. The senior management disappeared without paying staff or creditors. To make matters worse, thousands of customers have been left stranded without an Internet connection. "An estimated 3,000 to 4,000 of its clients have been affected with the abrupt closing of the business and were caught off guard by the loss of their services," said a privately-run Sunday Times newspaper.

    Story: Physorg

    Security update for QuickTime (7.1.5)

    Apple released a new version of QuickTime (7.1.5) which contains numerous bug fixes and a lot of important security patches. This article (http://docs.info.apple.com/article.html?artnum=305149) lists the security content of this release – you can see that it fixes 8 security vulnerabilities, all of which just require a user to click on a specially crafted file.
    If you use QuickTime I would definitely recommend that you install the update as soon as possible as some of those security vulnerabilities look nasty.
    You can find the Mac version at http://www.apple.com/quicktime/download/mac.html, while the Windows version can be downloaded from http://www.apple.com/quicktime/download/win.html.

    March 05

    New tool in the fight against malware distribution

    Niels Provos recently released a tool, SpyBye, that allows a webmaster to perform exactly such an audit. SpyBye, of which version 0.2 was released yesterday, is a proxy server that analyzes a requested URL, submits any links it finds through a rule-based engine (including a list of known malicious sites) and then sorts them into three categories: harmless, unknown or dangerous. A webmaster can install it on his local machine and then access his website to get details on what exactly is taking place during the connection. That same webmaster, having knowledge of the expected content, will also be able to easily identify content that is suspicious but would otherwise have been unreadable when obfuscated through some form of URI-encoding.

    This new version integrates with ClamAV to automatically scan downloaded files, and allows you to log all requests to syslog. Provos also provides a real-time version of the proxy so you can give it a try on-line. Note that it's still best to run any assessments of potentially dangerous content from a virtual machine, as the tool will continue to feed the results of requests classified as 'harmless' or 'unknown' to your browser.

    Monkey.org

    March 01

    Kernel malware paper from F-Secure

    Kimmo Kasslin from F-Secure has released a paper on kernel malware. The paper gives a brief overview of kernel malware followed by a detailed analysis and case studies. If you ever wonder how kernel rootkits and other kernel-level malware work, this is a good paper to read.

    Follow this link to the paper. Together with the paper, Kimmo's slides for the AVAR 2006 conference talk on the same topic are also released.

    Prepared Statements and SQL injections

    The fundamental problem in SQL injection is the concatenation of untrusted data (raw user input) to trusted data, with the whole string then sent to the backend database for execution. The moment you merge raw untrusted data with other trusted data for execution, you have a problem.

    Look at this prepared statement (Java):

    PreparedStatement Stment = con.prepareStatement("SELECT * FROM table WHERE cond = '" + UserInput + "'");
    UserInput, which is raw input from the user, is concatenated with the other string to form the SQL statement, and only then is it "prepared" for execution in the database. What's wrong here?  Untrusted data is concatenated with static strings and sent to the database for execution, with no validation whatsoever.... BOOM... SQL injection for ya.

    Let's look at another version of this statement:
    String Stment = "SELECT * FROM table WHERE cond = ?";
    PreparedStatement prepSQL = con.prepareStatement(Stment);
    prepSQL.setString(1, UserInput);
    ResultSet rs = prepSQL.executeQuery();

    See the question mark in the first line? That's the character that tells the prepared statement mechanism that more data is coming into this space. Think of a "fill in the blanks" exercise here: the question mark is an empty spot to be filled, and the setString function fills a string into that spot. When the statement is prepared, validation is performed on the user input; in the case of Java, the JDBC driver escapes the user input properly. Untrusted user input goes through validation and becomes validated input. This way of passing user input to the statement as a parameter is sometimes referred to as parameterized queries.

    One risk still remains here.... The implementation of the database driver (or data access mechanism) has to accurately escape the potentially offensive user input. So far, the track record of such mechanisms across multiple languages is pretty good.

    An extra note here about stored procedures, which are regarded as another potential mitigation for SQL injection: both prepared statements and stored procedures can be vulnerable to SQL injection if they are not done properly. Similar to prepared statements, stored procedures can be written in parameterized form to mitigate SQL injection.
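    The two versions above side by side, as an added example that is not code from the original post: it uses Python with the standard sqlite3 module rather than the post's Java/JDBC, because that runs anywhere without a database server. The users table, the benign input and the tautology input are constructed for the example; the point it shows is that the concatenated query lets a quote character in the input rewrite the WHERE clause, while the bound parameter is only ever treated as data.

```python
# Added example, not from the original post: concatenated vs parameterized
# query against a constructed in-memory SQLite table.
import sqlite3


def make_db():
    """Constructed table standing in for the post's 'table'."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return con


def lookup_concatenated(con, user_input):
    """Vulnerable pattern: raw input is spliced into the SQL text, so quote
    characters inside the input change the structure of the statement."""
    sql = "SELECT name FROM users WHERE name = '" + user_input + "'"
    return [row[0] for row in con.execute(sql)]


def lookup_parameterized(con, user_input):
    """Parameterized form: '?' marks the blank and the value is bound
    separately, so the input is never interpreted as SQL."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in con.execute(sql, (user_input,))]


BENIGN_INPUT = "bob"                   # constructed: an ordinary lookup
TAUTOLOGY_INPUT = "x' OR '1'='1"       # constructed: the textbook payload


def compare(user_input):
    """Run both lookups on the same input and return the names each yields."""
    con = make_db()
    try:
        return {
            "concatenated": lookup_concatenated(con, user_input),
            "parameterized": lookup_parameterized(con, user_input),
        }
    finally:
        con.close()


if __name__ == "__main__":
    for inp in (BENIGN_INPUT, TAUTOLOGY_INPUT):
        print(repr(inp), compare(inp))
```

    With the benign input both functions return the same single row; with the tautology input the concatenated version returns every row in the table, while the parameterized version returns nothing because no user is literally named that string.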

    Firefox 2.0.0.2 released

    The Mozilla folks have released the long-awaited version 2.0.0.2 of Firefox.  The second link below shows that 7 security issues were fixed.  One is rated critical.  Bugs fixed appear to include CVE-2007-1004, CVE-2007-0995, CVE-2007-0981, CVE-2007-0800, CVE-2007-0780, CVE-2007-0779, CVE-2007-0778, CVE-2007-0777, CVE-2007-0776, CVE-2007-0775, CVE-2007-0008, and CVE-2007-0009, among others.  This also fixes the issue with the password manager that was exploited late last year, CVE-2006-6077.  The bookmarklet vulnerability CVE-2007-1084 does NOT appear to have been addressed.

    Release Notes: http://www.mozilla.com/en-US/firefox/2.0.0.2/releasenotes/
    Security Issues: http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.2


    The Mozilla folks have also released Firefox 1.5.0.10 and SeaMonkey 1.0.8, and a number of the fixes mentioned above apply to these as well.
    SeaMonkey security notes: http://www.mozilla.org/projects/security/known-vulnerabilities.html#seamonkey1.0.8
    FF-1.5.0.10 security notes: http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox1.5.0.10