Monday, 26 May 2008

Server 3.5 / 3i - New Patches Available

VMware ESX Server 3.5 Patch Download Page [http://app.connect.vmware.com/e/er.aspx?s=524&lid=2398&elq=0BCF9A5B79414AFDB4C359866EB56DF7]

ESX350-200804401-BG (Critical): Prevent DHCP from resetting the IP address and netmask when trying to acquire or renew a lease. Change the default multipath policy for all HDS modular storage arrays such as AMS, SMS, WMS, 9500V to "fixed".

ESX350-200804402-BG (Critical): Prevent the guest from stalling for a long time during snapshot operations. Prevent the ESX Server host from crashing during snapshot consolidation. Prevent the ESX Server host from rebooting while powering on a vSMP virtual machine on a Unisys ES7000/one with eight or fewer logical CPUs. Fix emulation of instructions that access I/O ports. Fix emulation of string instructions on 64-bit guest operating systems.

ESX350-200804403-BG (Critical): Prevent hostd from crashing due to incompatible entries in /etc/vmware/hostd/authorization.xml. Allow spaces in a password while creating and editing local ESX Server users through the VI Client. Set the executable bit for .vmx configuration files. Fix a vmware-vpxa crash caused by invalid UTF-8.

ESX350-200804404-BG (General): Allow Windows virtual machines to boot when DataDigest is enabled in software iSCSI.

ESX350-200804405-BG (General): Include a megaraid2 driver fix for UNISYS platforms.

ESX350-200804406-BG (General): Add support for the Intel PRO/1000 PF Quad Port Server Adapter.

ESX350-200804407-BG (Critical): Add support for the Broadcom HT-1100 SATA/IDE controller. Prevent path thrashing during an Invista all paths down condition.

VMware ESX Server 3i Patch Download Page [http://app.connect.vmware.com/e/er.aspx?s=524&lid=2398&elq=0BCF9A5B79414AFDB4C359866EB56DF7]

ESXe350-200804401-I-BG (Critical): Fix typographic errors in the message strings of storage controller battery status, which is displayed in the VI Client. Include fixes for issues addressed by the following 3.5 patch bundles: ESX350-200804401-BG, ESX350-200804405-BG, ESX350-200804405-BG, ESX350-200804403-BG, and ESX350-200804407-BG.

Launch of the Halo 3 Legendary Map Pack

Get ready for even more intense multiplayer action in Halo 3, because the “Legendary Map Pack” has arrived! This collection of three incredible new maps from Bungie will be available for 800 Microsoft Points on Xbox LIVE Marketplace starting 15 April.

Xbox LIVE, Halo 3, Legendary, Heroic

Let's look at the maps in alphabetical order, because it is practically impossible to rank them by preference. “Avalanche” gives you an excuse to get behind the wheel of the many vehicles made famous by the Halo series, with a return to the snowy battlefield. Avalanche is a tribute to the “Sidewinder” map from Halo: Combat Evolved, extensively reworked for Xbox 360.

Next (if our knowledge of the alphabet serves us right!) is “Blackout”, based on “Lockout”, the fan-favourite map from Halo 2. The basic layout is fundamentally the same as Lockout's, but with heavily updated graphics. Sometimes we forget the changes Xbox 360 has brought in terms of graphics, even though classic gameplay modes never go out of style.

Finally there is “Ghost Town”, a completely new map for the series. This medium-sized map was built for Team Slayer matches, so don't be surprised if it keeps you rather busy. Don't be amazed if your heart rate shoots up as you try to cross terrain infested with rabbits or when you find yourself on a rooftop high above the ground.

With all these new features, not to mention the new Forge customization options, you won't be able to do without the Legendary Map Pack, especially at a cost of just 800 Microsoft Points. In the meantime, you may be interested to know that the Heroic Map Pack can now be downloaded from Xbox LIVE Marketplace completely FREE.

What are you waiting for? Go! Get ready to discover what's new in Halo!

TOP SPIN 3 (PEGI 3+)

Top Spin 3, the most realistic tennis video game available today, offers countless new features on Xbox 360. The revolutionary control system gives players a wider range of options right from the first serve. Timing and positioning also count, so besides learning to hit the ball with spin, practice will also improve your power and game strategy.

The players' appearance and movements are extremely realistic. They constantly adjust their position to return every ball, but they do not automatically dive for shots (only to find themselves in trouble on the next shot) when simply reaching out with the racket is enough. In addition, weather conditions and the court surface affect grip.

It may seem insignificant, but the difference is enormous.

Wednesday, 7 May 2008

The hour of vengeance has come

The journey along the path of vengeance has begun. Ready your arsenal and prepare for the carnage of Release Your Wrath, the online minigame for Ninja Gaiden II, created exclusively for the Xbox 360 console.

The rules are simple: win the duel and your opponent's sword is yours. Lose, and your clan will be sent to recover what is left of you. You can accept an enemy's challenge or issue one yourself, but remember that victory smiles only on those with the agility and cunning of a ninja master.

Sunday, 4 May 2008

Head To Head: GTA IV Launch

LINK

The Need for Web Application Scanning

Any application developed by a human is very likely (if not certain) to have some type of vulnerability in it. This becomes even more of an issue when the software being developed has no IT or security functionality at all, because the developers assigned to the project typically do not have deep experience in secure coding practices. Although this issue occurs in any application, from the lowest embedded assembly code to the highest-level .NET interpreted code, one location seems to combine the least secure coding practice with the largest exposed surface: web applications.

There are numerous examples of web applications causing untold damage to companies. SQL injections reveal customer information; XSS breaks down customers' trust in the vendor; remote file include vulnerabilities allow attackers to take over the web server. It would only take a few minutes on any news website searching for web breaches to realize that this new “frontier” may actually be the most dangerous frontier thus far in our computer evolution.

With the rise of “Web 2.0” applications, we are seeing a large trend towards EaaS (Everything as a Service). Every major software company right now likely has a project to give applications that were previously console-based some sort of web-based front-end. Customers are driving this evolution, wanting fewer applications installed on their desktops and more hosted by the vendor in a “secure” and stable offsite location. Although we cannot disagree that this is a very cool evolution of software, we are again seeing the rapid advancement of technology move a bit quicker than the security practices surrounding it.

Web developers are often focused on providing a very interactive experience to the end user. Especially in the “Web 2.0” world, many of the applications being developed have their content developed purely by end users. As was the case with all of the different vulnerabilities seen within desktop and server applications, user input is typically the entry point through which an attacker delivers an exploit for a vulnerability. Modern-day web developers typically do not understand vulnerabilities, security issues, or the attackers that are trying to exploit their applications. Instead, they consistently focus on ensuring that (1) the product is very powerful, cool, or innovative; and (2) the product works. Rarely do you see the mandatory third step recently adopted by so many large desktop/server developers: (3) is the product secure?

VERSA articles are commonly meant to show the InfoSec warriors how to protect themselves. However, in this case, many of the VERSA readers are unlikely to be the main developers of web applications. Therefore, the call to action will shift from a “protect” to an “evangelize” need. Those that know security must drive the protection of web applications until the web developer community commonly adopts secure coding practices.

There are a few processes and tools that can help security evangelists and web application developers ensure that their applications are properly secured from the most common vulnerabilities.

Knowledge
As was the case with standard memory-based vulnerabilities a decade ago, developers are not privy to all of the different types of vulnerabilities that are exposed within web applications, or to how to ensure that their code does not allow them to be exploited. This knowledge can be derived from many resources, including books on secure web application development, security conference briefings, and the tools being deployed by attackers. One notable place to learn a great deal is the OWASP initiative, a collection of web application security tools and documentation.

Testing
Perhaps the most powerful way to get the implications of a vulnerability through to a developer is to show them a demonstration attack. There are many different web application scanning tools on the market (some, of course, better and more robust than others) that can scan a web application for vulnerabilities and actually demonstrate the vulnerability at the end. For large web application testing, there are secure exploit toolkits available as well that can help to identify the potential result of an attack, such as the data that might have been revealed during a SQL injection attack. If testing for vulnerabilities is done during the development lifecycle, developers will become much more familiar with what web application vulnerabilities have the potential to do, while also learning better practices for future development projects.
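
A development-time check of the kind described above, shown as an added example that is not part of the original article: the same customer lookup written with string concatenation and with a bound parameter, plus a test that reports whether a lookup for one name returns other customers' rows. The table, function names and probe string are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data: a tiny in-memory customer table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO customers (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"),
         ("bob", "bob@example.test"),
         ("carol", "carol@example.test")],
    )
    return db

def lookup_concatenated(db, name):
    # Weak form: user input is pasted into the SQL text, so quote
    # characters in `name` change the structure of the query.
    query = "SELECT name, email FROM customers WHERE name = '" + name + "'"
    return db.execute(query).fetchall()

def lookup_parameterized(db, name):
    # Hardened form: the driver binds `name` as data, so it can never
    # become part of the SQL statement itself.
    return db.execute(
        "SELECT name, email FROM customers WHERE name = ?", (name,)
    ).fetchall()

def leaks_other_rows(lookup, db, probe):
    # A lookup for one name must never return rows for other customers.
    return any(row[0] != probe for row in lookup(db, probe))

# Constructed probe: an input containing a quote, as a scanner would send.
PROBE = "nobody' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    for fn in (lookup_concatenated, lookup_parameterized):
        status = "LEAKS" if leaks_other_rows(fn, db, PROBE) else "ok"
        print(f"{fn.__name__}: {status}")
```

Run in a build pipeline, a check like this fails as soon as a query is assembled from user input, which is the point in the lifecycle where the fix is cheapest.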

Constant Verification
The web application vulnerability realm is a rather young one, and new types of vulnerabilities and exploits are discovered often. Because some legacy web applications might not have been scanned for the latest vulnerabilities, it is very important that security teams regularly test web applications from the outside point of view (similar to a penetration test) with a cutting-edge web application scanner, to verify that no newly discovered threats already exist in their applications. Some companies, of course, offer this as a service to keep the weight off the internal security teams as well.

Web applications are rapidly becoming the most powerful delivery method of content for the future. Unfortunately, many security vulnerabilities are being discovered that could cause issues for developers if they do not ensure that they understand and test for vulnerabilities within their web applications. This is a quickly emerging issue that will gain even more importance as the emergence of web applications continues.

Source: Andre Derek Protas, Director of Research and Preview Services