
Pc News


  • New AIM Worm a Stubborn Foe

    A sophisticated computer worm spreading via AOL Instant Messenger (AIM) is setting up a botnet that may be difficult to combat, security researchers said.

    The worm, known as W32.pipeline, propagates when AIM users click on a Web link that appears to have been sent to them by someone on their buddy list. They receive a message along the lines of, "Hey, would it be okay if I upload this picture of you to my blog?" If the recipient clicks on the link, an executable file that looks like a JPEG will download into a Windows folder, according to researchers at security company FaceTime Communications.

    The file can then execute a number of different attacks, said Chris Boyd, security research manager for FaceTime Security Labs and the researcher who discovered the worm. It can open up the e-mail port on the PC and send out spam messages. It can also install a variant of the "hacker defender" rootkit, which is widely deployed and difficult to remove.

    This Worm Is Different
    One of the most dangerous aspects of the worm is that it can also connect to remote file upload sites, which Boyd believes the worm authors use as sort of staging sites where they can continuously download new infections. Once a computer is infected, the program will propagate using the same instant messaging method.

    The worm is unique because the program seems to be able to contact a number of different sites around the globe randomly. FaceTime researchers had different results when running the same file. "Previously, where we've seen something similar to this attempted, if one file is pulled offline or removed by an ISP, the whole chain goes down," Boyd said. "But this one, if one file goes missing or gets pulled down, it will potentially make a call to another file. It has quite a random aspect to it."

    Take Defensive Measures
    So far, he estimates that the botnet--a group of similarly infected computers that are remotely controlled--has 1000 to 2000 members. More computers may have been infected but not made part of the botnet.

    The best defense is for AIM users to be wary of clicking on links. If a user receives an unexpected link from a buddy, the user can always reply to ask if they have sent the link, to make sure it is legitimate.

    FaceTime has updated its virus protection software to prevent users from infection, and other antivirus vendors may do the same. AIM users that get infected can try to remove the worm but may have to wipe and reformat their drives to get rid of it.



    • Tweaked Firefox Lets You Surf Internet Without a Trace

      A tweaked version of Firefox that makes Web browsing anonymous has been released by a group of privacy-minded coders.

      Every few minutes, the Torpark browser causes a computer's IP address to appear to change. IP addresses are numeric identifiers given to computers on the Internet. The number can be used along with other data to potentially track down a user, as many Web sites keep track of IP addresses.

      Hackers Promote Privacy
      Torpark's creators, a group of computer security gurus and privacy experts named Hacktivismo, said they want to expand privacy rights on the Internet as new technologies increasingly collect online data.

      The browser is free to download at torpark.nfshost.com. It's a modified version of Portable Firefox, an optimized version of the browser that can be run off a USB memory stick on a computer.

      The Torpark browser uses encryption to send data over The Onion Router, a worldwide network of servers nicknamed "Tor" set up to transfer data to one another in a random, obscure fashion.

      Internet traffic, such as Web site requests, carries information on where it came from and where it's going. But that's muddled using Tor, which has been endorsed by the Electronic Frontier Foundation, and is hard to trace back to a source.

      Encryption Still Important
      One minor downside is that surfing with Torpark is slower than with a typical browser over the same connection.

      Torpark cautions that data sent from the last Tor server to the Web site is encrypted. Since only the user's connection is anonymous, Torpark advises that sensitive data such as usernames and passwords should only be used when the browser displays a golden padlock, a sign that a Web site is using encryption.

      Torpark's user interface appears similar to Firefox with a few changes. It shows the current IP address that would be seen by Web sites in the lower right hand corner, and features a special "Flush Tor" button to reset a new, random server connection.

      A test of Torpark using a computer in London employed IP addresses of servers registered in Berlin and Madison, Wisconsin.



      • Digital Gear: Recharge and Go

        As mobile devices get hungrier for power, innovative gadgets are stepping in to recharge the demanding hardware. Xantrex Technology's PowerSource Mobile 100 portable battery recharges laptops, music players, and handheld devices on the run. One recent device that uses a lot of juice is Archos's Archos 604 portable media player, which displays DVD-quality video on its small screen and doubles as a digital video recorder. Meanwhile, multimedia mavens could save time with Primera Technology's Bravo SE Disc Publisher, which automatically burns and prints labels for up to 20 CDs or DVDs at once.

        Keep the Juice Flowing While the Charging's Going
        Xantrex's PowerSource Mobile 100 combines an AC power outlet and Universal Serial Bus ports in one device so you can recharge batteries in laptops, portable music players, and handheld devices. Simply plug the device's AC adapter or USB cable into the 1-pound battery, and Xantrex says it will run a laptop for 2 hours, a portable DVD player for 3 hours, or an iPod Nano for 72 hours.

        In its tests, Xantrex says, a Dell Latitude D610 notebook ran for about 2 hours while the PowerSource Mobile recharged the laptop's internal battery. During this time, the laptop was performing minimal functions at low screen brightness, the company reports; undoubtedly, notebooks with greater power requirements will use up PowerSource's reserves more quickly. When PowerSource's own internal battery drops to 10 percent of full power, the device beeps to alert the user.

        The charger has redundant safety features, including a thermal fuse to ensure that it will shut down if it overheats, according to Grant Dunbar, manager of product marketing at Xantrex.

        Depending on voltage, about two-thirds of laptops in the market are compatible with PowerSource Mobile 100, Dunbar said. Nevertheless, I urge you to check with the company for compatibility with your particular laptop.

        This $129 portable power source is available at Xantrex's Web site and from other online stores.

        It Burns, It Labels, It Handles Multiple CDs or DVDs
        Primera's new Bravo SE Disc Publisher lets you automatically burn and label multiple CDs or DVDs, for the relatively affordable price of $1495. The product is designed to duplicate up to 20 discs at a time, and then print professional-looking direct-to-disc labels in color at up to 4800 dots per inch on inkjet-printable media.

        The Disc Publisher doesn't burn Blu-ray or HD DVD discs, and Primera has no immediate plans to manufacture a version that does, according to spokesperson Amie Hoffner. Hoffner says that the system is intended for "anyone who has limited disc production"--for example, individuals who want to label CDs or DVDs with photos or videos they took while on vacation, or small or medium-sized businesses that want to produce a small number of music or video disks.

        The Bravo SE Disc Publisher comes with PTPublisher SE CD burning software and SureThing CD Labeler Primera Edition for designing labels. The software, with its typical interactive Windows interface, is easy to use.

        The Disc Publisher uses a $38 printer cartridge sold by Primera and other distributors. A single cartridge can print only 114 discs at the printer's highest resolution, but it can produce thousands of discs at medium or low print resolution settings, Hoffner says.

        Portable Video Players: Archos's Next Generation
        Models in Archos's new Generation 4 line of portable media players take mobile video to a new level. The recently announced Archos 604, 504, and 404 portable media players can record and display DVD-quality digital video.

        "Consumers can enjoy hundreds of hours of their favorite TV programs in DVD quality," with these portable video players, says Henri Crohas, founder and CEO of Archos.

        The $350 Archos 604 has a 4.3-inch TFT wide-screen (16:9 aspect ratio, 480-by-272-pixel resolution) LCD. It measures 5.1 by 3.0 by 0.65 inches and plays MPEG-4, WMV, and MPEG-2 video files stored on its 30GB hard drive. Control buttons for managing programs and tracks are located on the right side of the player. The 604 weighs 9 ounces and doubles as a photo viewer and MP3 player.

        The Archos 604 can play video continuously for 4.5 hours at low brightness or music continuously for 17.5 hours on one full battery charge, says Samantha Steinwinder, an Archos spokesperson.

        An optional 'DVR Station' digital video recorder attachment lets the device record TV programs in MPEG-4 format. DVR Station will transfer content onto the hard drive of the Archos 404 or 604. And because Archos supports the Macrovision DRM found on DVDs, a user can record and play back a program on the Archos itself (but not on an attached TV or another device). This feature allows users to watch TV while on the move.

        Archos also plans to announce a Wi-Fi-enabled version of the 604, with a touch screen and wireless networking capabilities for Web browsing, media sharing, and e-mail. An optional camcorder accessory will allow the video player to store extreme sports filmed from a perch at the top of a helmet. The specs otherwise resemble those for the Archos 604.

        Preliminary prices for the 604 fluctuate between $400 and $450 on retail Web sites.

        The Archos 504 differs from the 604 only in its storage capacity, says yet another Archos spokesperson, Jennifer Roberts. The 504 will come in 40GB ($350), 80GB ($400), and 160GB ($600) versions. The greater storage capacity will, however, make these devices heavier than the 604. Archos's Web site pegs the 40GB 504's weight at 11.2 ounces.

        The $300 Archos 404 portable video player has similar features to the Archos 604 but its smaller (3.5-inch) TFT LCD displays video at 320 by 240 resolution and with a 4:3 aspect ratio. Archos plans to ship the 404 in October.



        • House Panel Widens HP Probe

          A U.S. government panel has asked a corporate ethics lawyer from Hewlett-Packard to testify in its Sept. 28 hearing on the company's use of "pretexting" to spy on journalists, board members and other employees.

          The investigative unit of the U.S. House Energy and Commerce Committee announced today that it has asked HP Senior Counsel Kevin Hunsaker and Fred Adler, a company computer security investigator, to join a growing list of witnesses.

          The subcommittee had also previously requested testimony from outgoing HP Chairman Patricia Dunn, HP General Counsel Ann Baskins, HP Global Security Manager Anthony Gentilucci, outside attorney Larry Sonsini as well as outside investigators.

          Investigation Broadens
          The practice of "pretexting" usually involves pretending to be a person, in order to obtain that person's personal information. An HP spokesman declined to comment.

          Up until now, Dunn has insisted she merely initiated the probe of boardroom leaks, and was ignorant of specific techniques used by investigators.

          "Unfortunately, the investigation, which was conducted with third parties, included certain inappropriate techniques. These went beyond what we understood them to be, and I apologize that they were employed," Dunn said in a recent statement.

          But e-mail correspondence examined by newspapers including The Wall Street Journal and The New York Times indicates that top HP officials solicited Dunn's opinion and questioned investigation techniques throughout the course of the leak probe.

          More Background
          As early as Aug. 6, 2005, HP's Gentilucci asked for Dunn's advice about using "internal and external sources" to gather intelligence on "interested parties," according to company e-mail seen by The Wall Street Journal. Gentilucci offered to brief HP management on more details of "Project Kona" in a proposed meeting on Aug. 31. It is still unknown if that meeting took place, but Dunn replied to the e-mail, promising to respond.

          By Jan. 28, 2006, e-mail from Hunsaker to Adler shows that HP's own lawyers were closely questioning investigation techniques, according to The Wall Street Journal. Asked whether HP could legally spy on board members' cell-phone text messages, Adler replied: "Even if we could legally obtain the records, which we can't unless we pay the bill or get consent, I would highly suspect text-messaging records are not kept due to volume and expense."

          It is unclear if HP obtained text messages. But in an April 28 e-mail to Gentilucci and an outside investigator, Ron DeLia of Security Outsourcing Solutions, in Boston, Hunsaker said he was writing at General Counsel Baskins' request to confirm the details of how the investigation team obtained phone records, according to The Wall Street Journal. In the e-mail, Hunsaker described how investigators were making "pretext calls."

          Hunsaker also said in the e-mail that his legal research confirmed that pretexting is legal. However, California Attorney General Bill Lockyer has said that using fraudulent means to obtain personal information is not legal in the state. Lockyer has said he has evidence to charge people outside and inside HP.

          House investigators have also asked for testimony from DeLia and private investigator Joe Depante, owner of Action Research Group, which was reportedly hired by HP to help in the investigation.

          Dunn agreed on Sept. 12 to resign her own position, and will be replaced in January by current chief executive Mark Hurd.



          • Nokia Adds Mobile Printing Service

            Software in four of Nokia's Nseries camera phones will enable users to order prints of their pictures for store pick-up or home delivery from services such as Hewlett-Packard's Snapfish. The new software will add to the printing capabilities of the phones, which can already connect to certain printers over USB or a Bluetooth wireless connection.

            Nokia's software will allow Snapfish users in the U.S. to order prints from their online photo gallery directly from an N80 Internet Edition camera phone. They can already upload pictures to their gallery from a variety of camera phones, but so far prints can only be ordered over the Web from a PC.

            The N80 will ship in the U.S. before year-end, Nokia said, but users elsewhere will have to wait a little longer.

            Availability Abroad
            HP operates online photo storage and printing services under the Snapfish or Pixaco brands in 14 European countries, including France, Germany, Italy, the U.K., Sweden and Norway.

            In the Nordic countries, Nokia will also work with software and service developer Sapio to establish links with online photo printing services, Sapio chief executive officer David Hunter said Tuesday. By the end of this year, new phones will contain configuration files for the printing services, allowing users to send a picture for printing as soon as they have taken it, Hunter said.

            International Pricing Undecided
            The printing services will use Sapio's software to transmit details of the features they offer, and set their prices, Hunter said. Network operators may add on charges to transmit the data making up the digital picture, however. For Nokia's latest 2M-pixel or 3M-pixel camera phones, that can amount to 700K bytes or more per image, Roine said.



            • Vista Disc Will Contain All Versions

              In an effort to simplify the distribution of Windows Vista and make it easier for customers to upgrade, Microsoft will include the various retail versions of the operating system on one DVD instead of having separate discs for each Vista edition.

              In the past, Microsoft distributed each version of the Windows client OS on its own disc. However, in a move it is calling "Windows Anytime Upgrade"--which cuts costs for Microsoft as well as making it easier for customers to upgrade--the version of Windows Vista that a customer buys will be activated by his or her product key and will be on a disk with the other editions of the OS.

              For example, if a customer buys Windows Vista Home Premium from a retail store, he or she will get a DVD that also includes Windows Vista Ultimate, but the product key for the purchase will only activate Home Premium and its features and functionality, said Mike Burk, a Microsoft spokesperson.

              "With Windows Anytime Upgrade, the idea is to provide customers with the most convenient user experience possible by enabling them to more easily and directly upgrade to a higher edition of Windows Vista from within their current edition," he said.

              Choice of Versions
              Consumers will have their choice of several versions of Windows Vista when it becomes available, which is scheduled for January 2007. Microsoft plans to release Windows Vista Ultimate, which will cost $399; Windows Vista Business, which will cost $299; Windows Vista Home Premium, which will cost $239; and Windows Vista Home Basic, which will cost $199.

              Microsoft has said it plans to urge customers to purchase premium versions of Vista in favor of Windows Vista Home Basic, the entry-level version for U.S. consumers.



              • Security Expert Predicts VoIP Hack Attacks

                KUALA LUMPUR, MALAYSIA -- Banks and other companies switching their phone systems to Voice Over Internet Protocol (VoIP) are making themselves vulnerable to phishing attacks for which there are currently no effective detection or prevention tools, a security researcher warns.

                "People will be able to penetrate bank networks and hijack their phone lines," said an independent security researcher, known by his pseudonym The Grugq, in an interview Wednesday. VoIP is becoming increasingly common as companies and operators look to the technology to help cut costs, which makes them more vulnerable to attack, he said.

                The Grugq, who spoke here this week at the Hack In The Box Security Conference (HITB), said VoIP phishing attacks will emerge by the end of this year. The attacks will allow hackers to steal personal data, including credit card numbers and bank account information, and there is little security managers can do to stop them.

                "Theoretically, you phone up your bank and the customer service line has been taken over by hackers," The Grugq said.

                Digital Eavesdroppers
                In this scenario, the customer would be asked by the hacker to enter personal banking information before being passed on to an actual bank customer-service representative.

                "There's no security technology out there that companies can deploy to fix this," The Grugq said, noting that existing intrusion detection systems are not capable of detecting when a VoIP attack takes place.

                During his presentation at HITB, The Grugq announced the release of alpha code for SIPhallis, a tool he wrote that allows security managers to manage Session Initiation Protocol (SIP) VoIP packets on their networks.

                "It gives you an interface to create and send VoIP packets; it also allows monitoring of VoIP packets," he said, adding the application can also be used to inject packets into a VoIP stream.

                Existing softphone or PBX software is all that is required for hackers to launch a VoIP attack, The Grugq said.

                HITB runs through Thursday, September 21.



                • Xbox 360 to Get HD DVD Soon

                  TOKYO -- Microsoft will launch an HD DVD drive add-on for its Xbox 360 console in November, a company executive said Wednesday.

                  The drive will be available in Japan from November 22 and will cost $168, according to Takashi Sensui, general manager of the Xbox division of Microsoft's Japanese subsidiary. Sensui made the announcement at a news conference here.

                  Microsoft had previously said it would provide an HD DVD drive peripheral for Xbox 360, but was not specific about its release.

                  Movies Via Xbox
                  The drive will allow Xbox 360 owners to watch high-definition HD DVD video content on a suitable television. The system will allow viewing at up to 1080p (1080 lines and progressive scanning), which is the highest of several picture levels judged to be high-definition.

                  The drive is due for release in other markets as well. However, Microsoft did not announce pricing or availability.

                  It is expected to appeal to both existing and new Xbox 360 owners, said Sensui.

                  "For those who already own the Xbox 360 system it'll cost only [$168] to enjoy HD DVD. That's by far the most affordable solution for those people," he said.

                  Rival Formats
                  HD DVD is one of two formats competing to become the de facto replacement for today's DVD standard. The format is backed by Toshiba and a number of other companies including Microsoft and Intel.

                  Its rival, Blu-ray Disc, is backed by Matsushita (Panasonic) and a number of other big-name electronics companies. Sony has said it will build a Blu-ray Disc drive into the PlayStation 3.

                  With the launch of the HD DVD drive for the Xbox 360 and the PlayStation 3 console, the high-definition video disc battle will have reached the gaming space.



                  • New Business: Real-life Dollars Buy In-game Gold?

                    Will people pay real dollars for in-game virtual money to help their virtual characters buy in-game goods?

                    One gamer, who goes by the screen name Haylo, said he spent $10 to $20 real dollars a month on in-game platinum (all nonexistent, of course) to buy weapons and other goods in Dark Age of Camelot (DAOC), but would spend more if he could afford it.

                    Most video games have some form of currency. In many ways, the in-game economy is similar to a real world economy - goods and services are traded to mutual advantage and are mediated in currency (platinum, gold, credit, etc.). "With all the things you can buy in game," a gamer said, "it's hard not to want them, just like real-life stuff."

                    The average Massively Multiplayer Online Role Playing Game (MMORPG) player is 27 years old -- a demographic drooled over by marketers. Plus, nearly half of all players have jobs, which often means they have more money than time and are the perfect consumers of virtual assets. On the Internet, many gamers now buy virtual money that only exists as data files stored in a server run by a game company with real-world dollars, and the buying and selling of virtual currencies may be off most people's radar, but it is truly big business.

                    An online broker, who goes by the screen name Rolala, was not a fan of online games until his 15-year-old son became interested in Final Fantasy XI. He then noticed that a large number of gils, which are the currencies used in FFXI, were for sale on eBay.

                    "I started hearing about players leaving the game who were selling their assets at cheap prices," he said, "so I figured, buy low, sell high."

                    But Rolala found his moneymaking options in FFXI "very limited". He switched to World of Warcraft. There, he has leveraged his real-life experience into an online business. He converts his game profits into real money on sites like eBay and Cheap WOW Gold, etc. Earnings can be considerable. He said he was on track to earn about $120,000 in real money in his first year in this business.

                    Rolala's business is just one example of how increasingly popular online role-playing games have created a shadow economy in which the lines between the real world and the virtual world are getting blurred.

                    "World of Warcraft", the world's largest MMORPG, boasts more than 1 million paying users in North America. There are many sites like wow gold free strategics, teaching gamers how to earn wow gold in game for free, however many players are still willing to buy gold and weapons to help their virtual characters get a higher virtual status more rapidly. Some virtual goods in World of Warcraft have been sold for thousands of dollars. It obviously creates a large real world market.


                    Edward Castronova, an economics professor at Indiana University who has written a book on the subject, calculated that if you took the real dollars spent within "EverQuest" as an index, its game world, called Norrath, would be the 77th richest nation on the planet, while annual player earnings surpass those of citizens of Bulgaria, India or China.

                    Go to GameUSD, an exchange-rate calculator for the virtual worlds, and do a search for the latest rates of virtual currencies against the U.S. dollar, and let your jaw drop open. The rates of some virtual world currencies are even better than that of the Iraqi Dinar! For instance, here is the recent exchange rate of several popular virtual currencies: Everquest Plat ($0.54/1K), EQ2 Gold ($0.17/gold), WOW Gold (World of Warcraft Gold) ($0.098/gold), SWG Credit ($4.40/1M), Lineage 2 adena ($2.80/1M), Guild Wars Gold ($0.12/1K), FFXI Gil ($17.89/1M), etc.

                    Right now, this business is one of the most hotly debated issues on the internet. Many game companies such as Blizzard who run World of Warcraft discourage profit from in-game properties, though none have found a way to stop it.

                    Sony Online Entertainment, on the other hand, encourages the practice (albeit within the confines of their own "Station Exchange", their own forum for the sale of in-game properties). It recently announced the first month's figures from "Station Exchange". According to SOE, over 45,000 characters from "EverQuest 2" have been active on the exchange and have spent over $180,000 USD in one month, half of which have been spent on in-game gold and platinum.

                    Despite different attitudes towards virtual currency trade, the number of people who are getting into such business is rising, and the size of the market has been expanding very rapidly. The market also creates a competitive environment. We could refer to sites like Cheap World of Warcraft Gold, a price comparison site, to see the fierce price competition between different exchange sites.

                    For some ordinary gamers, however, such a capitalist approach spoils the experience. Nick Yee, a psychology researcher from Stanford University, believes many players dislike virtual currency traders because, by using real wealth to buy virtual power, "they're breaking the fantasy-reality bubble, getting an advantage in a way that other players can't".

                    According to a recent survey by IGN, an internet media focused on the videogame markets, most gamers say they dislike and avoid this business, believing that it gives players with more discretionary income an unfair advantage.

                    But such attitudes are called into question by size estimates for the virtual asset trading market, which is seen having a value of $200 million to nearly $900 million in 2005.

                    One potential explanation for the disconnection between attitudes and money spent may be that gamers are unwilling to admit they use the services, IGN said.

                    In terms of the law's concern, another issue is, who owns the virtual money? Many virtual world designers maintain that anything created in the world belongs to the company. They refuse to recognise the rights of their players in the virtual property for fear of attracting liability for its maintenance or security.

                    But will this work in the long term? Players spend considerable time and/or money acquiring such assets. In many cases they are the creation of the player and even the intellectual property ownership is questionable. "As we spend more time in these worlds, it's not enough for companies to say that 'we own everything and we can turn it off at any time,'" said a gamer. "The question may soon be should we have recourse against a game company for obliterating virtual assets?"

                    With the rapid growth of virtual currency exchange market, should people accord virtual property the same protection as property in the real world?



                    • Yet Another Antitrust Challenge for Microsoft?

                      Two engineers at the computer security firm Symantec are coming to Brussels next week to discuss the antitrust threat posed to their company by the upcoming version of Microsoft's Windows, dubbed Vista, a Symantec spokesperson said Thursday.

                      Vice President for Consumer Engineering Rowan Trollope and a senior engineer in the technology strategy office, Bruce McCorkendale, will press their case to the European antitrust regulator, the European Commission.

                      Vista is due to launch at the beginning of next year.

                      Microsoft Has Been Warned
                      The Commission has warned Microsoft about the possible impact on competition of Vista's built-in security software. The regulator fears that by including a sophisticated antivirus program in Vista, this could have a similar effect to the bundling of Media Player with Windows XP.

                      Two and a half years ago the Commission ruled that the bundling of Media Player into Windows was anticompetitive and ordered Microsoft to launch a second version of Windows without Media Player. It also fined the company nearly $634 million.

                      Meanwhile, Adobe Systems has told European Union regulators that Microsoft should be banned from bundling in free competing software for reading and writing electronic documents into Vista, according to a report in The Wall Street Journal Europe.

                      The paper cites unnamed people familiar with the situation.

                      Security Issue or Non-Issue?
                      Adobe's and Symantec's lobbying moves will come as no surprise to the Commission. Competition Commissioner Neelie Kroes wrote to Microsoft in March expressing concern about Vista's impact on competition, and cited the computer security and document reader and writer sectors as examples of where Microsoft's bundling strategy might pose competition problems.

                      However, earlier this week Kroes insisted she wasn't calling for Microsoft to launch Vista without any security system.

                      "I have seen it suggested that the Commission may seek to prevent Microsoft from improving the security of its operating system. This is categorically not the case," she wrote in a letter to the Financial Times newspaper.



                      • Microsoft Outlook 2003 Vulnerable to Critical IE Bug

                        A critical bug in the Internet Explorer (IE) browser also affects users of the Outlook 2003 e-mail client, making it much more serious than previously thought.

                        The vulnerability can be triggered when IE or Outlook 2003 processes Web-based graphics code written in the Vector Markup Language (VML). It was first reported Monday by researchers at Sunbelt Software.

                        Sunbelt posted a workaround for the vulnerability.

                        Attackers have not yet begun exploiting the e-mail attack, but a handful of Web sites now serve the code, and hackers have publicly posted software that exploits the vulnerability.

                        Only IE Thought Affected At First
                        Initially, researchers thought that only Internet Explorer was vulnerable to attacks that exploited this flaw, but Sunbelt has now concluded that Outlook 2003 users are also at risk.

                        That's because researchers have discovered a way to execute malicious code without using scripting code, which would normally be blocked by Outlook. By embedding a machine-language "shellcode" program in the VML tags, researchers have been able to run unauthorized software on systems running the latest version of Outlook 2003.

                        This has raised concerns because it means that some victims could have their PCs compromised with little or no user action.

                        Easier to Target Victims with Outlook
                        To attack Internet Explorer, criminals would first need to trick users into visiting a malicious Web site. But with an Outlook attack, it becomes much easier to target a victim.

                        "All you have to do is send an HTML e-mail, and the user is hosed," said Eric Sites, Sunbelt's vice president of research and development.

                        Microsoft plans to patch the VML problem as part of its next set of security patches, due Oct. 10, but Sites believes that hackers may force the software vendor to rush out an early fix. "I think it will get bad enough that they will have to," he said.

                        Researchers at VeriSign's iDefense unit have also confirmed that some configurations of Outlook will launch the code with no user action, said Ken Dunham, the director of the iDefense Rapid Response Team.

                        Users who have Outlook's Reading Pane enabled to read messages in HTML are particularly vulnerable to this attack, Dunham said.

                        Microsoft advises users who want to protect themselves to set Outlook to read e-mail messages in plain text format. The Microsoft advisory describes the problem in greater detail.

                        According to one researcher, Outlook 2003 should not be rendering VML code automatically, but the product appears to be vulnerable due to a second bug in Microsoft's software. "Some versions of Outlook will render VML despite the fact that they shouldn't," said Russ Cooper, a senior information security analyst with Cybertrust. "We should be raking Microsoft over the coals for this."

                        Sites agreed that "there seems to be a bug in the latest version of Outlook."

                        Microsoft executives were not immediately available to comment for this story.



                        • Mobile Industry Aims for Greener Phones

                          If just a small portion of the world's mobile phone users unplugged their charger when the battery is full, it could save enough electricity to power thousands of homes. So said Nokia on Thursday, as it unveiled a new industry group that aims to make mobile phones more environmentally friendly.

                          The group also includes Motorola, France Telecom, Vodafone Group, TeliaSonera, and others. It was created as part of a European Commission project aimed at uniting members of different industries to work on reducing the environmental impact of their products.

                          Consumer Education, Greener Components
                          Members of the new group will try to educate people more about how they can reduce the environmental impact of using their cell phones. For example, manufacturers will start displaying a reminder on phones to unplug chargers once the battery is charged. If only 10 percent of phone users did that, they would save enough energy to power 60,000 European homes each year, Nokia estimates.

                          The companies will also reduce the hazardous materials they use beyond what current legislation requires. One example is Nokia's decision to stop using any components in its phones that contain a certain type of environmentally harmful chemical flame retardant.

                          The operators will also increase the number of used phones that are returned for recycling. They'll examine existing recycling schemes around the world and identify successful ones. They also plan to try out incentive initiatives to determine if they might improve recycling rates.

                          Environmental organizations including World Wildlife Fund, the Finnish Environmental Institute, the European Consumers' Organization and the U.K.'s Department of Environment, Food and Rural Affairs are also part of the new initiative.

                          The European Union recently instituted new regulations on the types of hazardous materials that can be included in electronic devices. Most manufacturers were able to alter their products to comply with the new laws but Palm in July stopped shipping what was its latest smart phone, the Treo 650, to Europe because it didn't meet the regulations.



                          • Skype Phones Set You Free From Your PC

                            A Web-based phone service can certainly save you money, and Skype, perhaps, can save you more than most. This software-based phone service allows you to make PC-to-PC calls for free, though you are charged for calls placed to and received from landlines and cell phones. Till now, though, it has come with a trade-off: You've needed to use the service with a PC headset. So to make a call, you've been attached to your PC, quite literally.

                            But not any more. With Skype's blessing, more and more third-party vendors are offering Skype-compatible phones that allow you to roam around your house--or in some cases, even further--while still talking up a storm. Skype-compatible products are available via Skype's online store.

                            "Skype has been doing a great job, actually, of making sure that the experience you get on Skype is compatible with the hardware they're offering," says William Stofega, research manager of VoIP services with research firm IDC.

                            Cutting the Cord

                            In order to connect to Skype, all of these third-party handsets must somehow connect to your PC; most do so via USB. The recently announced USR9630 Cordless Phone for Skype from US Robotics is one such phone. The phone's base station connects to an available USB port on your PC, allowing you to access your Skype account. The handset's LCD shows your Skype contacts, allowing you to see who is online and available to talk.

                            You can also use the handset to use the SkypeIn and SkypeOut services. SkypeIn provides you with a phone number so you can receive calls from non-Skype users. A one-year subscription to SkypeIn costs about $38. SkypeOut lets you call landlines and mobile phones from Skype. For the rest of 2006, users in the U.S. can make free calls to landlines and mobile phones in those countries. Typically, rates start around 2 cents per minute.

                            US Robotics' dual-mode phone also can be connected to your landline telephone jack, so you can use it with your regular phone line service when you prefer. The USR9630 will be available this month for $120, the company says. Similar phones, like the Cordless DUALphone, are already available from Skype's store.

                            Skype on Speakerphone

                            Another option for Skype users is the Polycom Communicator, a $130 speakerphone that also connects to your PC via USB. While you do need to be near your PC to use it, the Communicator is designed to offer better sound quality than your average PC headset. IDC's Stofega is impressed: "I've used Skype with just the PC speakers and microphone in my laptop, and the quality is 100 times better with Polycom device," he says.


                            If you're interested in using Skype, but not at all interested in using a PC, you may want to consider the NetGear WiFi Phone for Skype. This handset, which was announced earlier this year and began shipping last week, is available for $250. The Skype client is preloaded on the phone, so you don't need to access the application from a PC. The phone can connect to Skype from any 802.11b/g Wi-Fi hotspot that does not require browser-based authentication. It allows you to make and receive calls to and from Skype users, and to make outgoing calls to non-Skype users via the SkypeOut service. You cannot, however, receive incoming calls from non-Skype users via the SkypeIn Service.

                            It may seem counterintuitive to pay for a device when Skype was designed as a free service. But these products can make your Skype experience a better one.

                            "If you're going to be using the Skype service, having a product that works with Skype and is certified by Skype, will help you get a better experience," says Stofega.



                            • New Security Group Patches Latest IE Flaw

                              Microsoft may be waiting until next month to patch a nasty bug in Outlook and Internet Explorer, but security researchers are offering users a more immediate option.

                              A loose affiliation of security researchers going by the name of ZERT (Zeroday Emergency Response Team) has released a patch for the VML (Vector Markup Language) vulnerability, which increasingly is being exploited by criminals in malware attacks.

                              Microsoft is scheduled to fix the bug on October 10, the date it has set to release its monthly batch of security updates, but the company is under increasing pressure to release an earlier, "out-of-cycle" patch. The SANS Internet Storm Center today raised its alert level from green to yellow, an indication that attacks are becoming more widespread.

                              Microsoft's Solutions
                              Microsoft has suggested a number of workarounds to the problem, and the software vendor does not recommend that users install the new ZERT patch.

                              "We think it's great that there are people out there working to help protect our customers. But as we've always said, we cannot endorse third party updates," wrote Microsoft Security Response Center operations manager Scott Deacon in a blog posting today.

                              Microsoft rigorously tests its patches to try to cut off any problems that the new software might introduce. The ZERT patch has not been widely tested and could introduce new problems when installed, security experts warn.

                              ZERT's Actions
                              ZERT plans to continue to release its own patches when particularly critical unpatched flaws begin to pose a "serious risk to the public, the infrastructure of the Internet or both," the group claims in a manifesto, published on its Web site.

                              "The purpose of ZERT is not to 'crack' products, but rather to 'uncrack' them by averting security vulnerabilities in them before they can be widely exploited," the group says.

                              ZERT sprang out of discussions on e-mail lists set up a few years ago by security researcher Gadi Evron, said ZERT member Randy Abrams, director of technical education with Eset in San Diego.

                              "Microsoft wants to assign a monthly patch and we understand that," said ZERT member Roger Thompson, who is chief technology officer with Atlanta's Exploit Prevention Labs. "There's a certain benefit of staying on the monthly patch, but when things start to pop, as we think this VML thing is, there's a need to do something."

                              The group's formation was spurred by Microsoft's WMF (Windows Metafile) vulnerability, which emerged in late 2005. Tens of thousands of Microsoft users downloaded third-party patches to fix that bug and Microsoft was eventually forced to release an out-of-cycle patch to address the problem.

                              "This has been the first real vulnerability [since then] that the members have felt can be patched fairly quickly," Abrams said.

                              Microsoft clearly does not want its users to get into the habit of installing third-party security patches, so if the ZERT software is widely downloaded, Microsoft may move more quickly with its own VML patch, Abrams said.



                              • First Impressions of Sony's PlayStation 3

                                CHIBA, JAPAN -- Although Sony's PlayStation 3 has already been shown in prototype form at various trade events for more than a year now, most sightings have been of development kits only. We finally got a look at the console in action at the Tokyo Game Show today.

                                In Sony's own booth, about a dozen home-spun games were playable, with several more on display for eye-candy value alone. The standout titles drawing most attention from the huge first-day crowds of journalists, exhibitors, and assorted hangers-on were "Gran Turismo HD"--a racing game being demoed in mock-ups of sports-car cockpits--and "Minna No Golf 5" (Everybody's Golf 5), a fun golfing game that looked remarkably similar to the versions already available for other platforms.

                                The game console is due to go on sale in the U.S. on November 17, but Sony has already announced that it expects to ship far fewer PS3s than originally announced due to component shortages.

                                High-Definition Gaming
                                Away from the games at the Sony booth, it appears that Sega has the best lineup of PS3 games. The outstanding title there was clearly "Power Smash 3," a tennis game that is presented in full 1080p high-definition resolution, which makes it appear closer to a simulation than a traditional game.

                                Hi-def gaming may take some getting used to, however. For example, close-ups of tennis star James Blake's shaven head that were shown between points were more than a little off-putting. Scratch beneath the glossy hi-def surface, though, and actual game play was surprisingly simple and easy to grasp. That caused a traffic jam of players so engaged that they had to be ushered along to keep the line moving and allow someone else a turn.

                                Other Sega standards were also out in impressive force. These included "Virtua Fighter 5" and "Sega Golf Club." The former game could hardly fail to impress, with detailed renditions of blizzards of sakura cherry blossoms falling from background trees and realistic-looking Japanese temples. Sega's golf title, on the other hand, looked slightly dated, especially when compared with the Sony golf offering.

                                Finally, not all PS3 games on show were complete. One of the most interesting games still on the drawing board, but available to lust over, was previewed under the working title of "Lair" and is surely the first high-definition fire-breathing dragon-riding game for any console.

                                List of PS3 Games
                                The software title line-up that will be available on November 11 when the PlayStation 3 console launches in Japan became clearer today.

                                At least six games are expected to be available on the PlayStation 3's launch day. Two games each will come from Sony and Bandai Namco and a title each from Konami and Sega.

                                One game was also given a price: "Konami's Mahjong Fight Club Online" will cost $43.

                                Demonstration versions of many of the games are on display at the show, which continues through Sunday.

                                PlayStation 3 Games List
                                Here are upcoming PlayStation 3 titles, publishers, and genres, grouped by the date they are projected to launch in Japan.

                                November 11:

                                "Resistance: Fall of Man" (SCEI) / First person shooter
                                "Genji: Days of the Blade" (SCEI) / Action
                                "Ridge Racer 7" (Namco Bandai) / Racing
                                "Mobile Suit Gundam: Target In Sight" (Namco Bandai) / 3D action shooting
                                "MahJong Fight Club Online" (Konami) / Mahjong
                                "Sega Golf Club featuring Miyazato Family" (Sega) / Golf

                                November 2006:

                                "Mahjong Taikai IV" (Koei) / Mahjong

                                December 2006:

                                "Gran Turismo HD" (working title) (SCEI) / Real driving simulator
                                "Armored Core 4" (FromSoftware) / High-speed mech-action
                                "MotorStorm" (SCEI) / Race
                                "Formula One Championship" (working title) (SCEI) / F1 simulator

                                2006:

                                "Fatal Inertia" (Koei) / Flying combat racing
                                "Sonic the Hedgehog" (Sega) / Action adventure
                                "Railfan" (Ongakukan) / Variety
                                "Need for Speed Carbon" (Electronic Arts) / Street race
                                "NBA Live 07" (Electronic Arts) / Basketball
                                "Enchant Arm" (FromSoftware) / Role playing game

                                Early 2007:

                                "Heavenly Sword" (SCEI) / Action adventure
                                "The Eye of Judgment" (SCEI) / 3D card battle
                                "Virtua Fighter 5" (Sega) / 3D CG battle
                                "Ninja Gaiden Sigma" (Tecmo) / Action adventure
                                "Monster Kingdom: Unknown Realms" (working title) (SCEI) / Action adventure
                                "Lair" (tentative name for Japan) (SCEI) / Flight action adventure
                                "Virtua Tennis 3" (Sega) / Tennis
                                "Wangan Midnight" (Genki) / Race game

                                Midyear 2007:

                                "Warhawk" (SCEI) / Flight action adventure
                                "Everybody's Golf 5" (working title) (SCEI) / Golf

                                Third quarter 2007:

                                "Dark Sector" (D3 Publisher) / Combat action

                                2007:

                                "Afrika" (working title) (SCEI) / no genre given
                                "Metal Gear Solid 4: Guns of the Patriots" (Konami Digital Entertainment) / Tactical espionage action

                                No date given:

                                "Shirokishi Monogatari" (SCEI) / Role-playing game
                                "Devil May Cry 4" (Capcom) / Stylish action
                                "Final Fantasy XIII" (Square Enix) / Role playing game
                                "Bladestorm: The Hundred Years' War" (Koei) / Action
                                "Coded Arms: Assault" (Konami Digital Entertainment) / First person shooter
                                "fl0w" (working title) (SCEI) / no genre given
