A new Hack Code can steal CPU time without being noticed!

Three scientists have developed a new kind of attack against Linux, Windows and Unix.

Prior to an international IT security convention in Boston this Agust – Usenix Security ’07 – three of the presenters published the following publication: Secretly Monopolizing the CPU Without Superuser Privileges.

The trio, Dan Tsafrir, Yoav Etsion and Dror G. Feitelson, are all working at School of Computer Science and Engineering at Hebrew University in Jerusalem. One of them, Tsafrir, is also connected to IBMs Watson Research Center in New York.

The publication shows how you can build a program that uses the CPU in a way the OS can’t monitor. The process is completely invisible as the impact caused by the program is added to the other “normal” processes run at the same time, thus bypassing the security and monitoring systems in the OS. The program can be executed without superuser privileges (admin).

A vulnerability in Firefox 2 announced this week could allow remote command execution. Only Window versions prior to Vista (XP ->) are affected.

The problem, according to Secunia, is that Firefox registers the “firefoxurl://” URI handler and allows invoking Firefox with arbitrary command line arguments. Using e.g. the “-chrome” parameter it is possible to execute arbitrary JavaScript in chrome context.

This can be exploited to execute arbitrary commands e.g. when a user visits a malicious web site using Microsoft Internet Explorer. The site xs-sniper.com shows examples of how to do this.

The vulnerability was first made known by Thor Larholm. However he believes the problem is related to Internet Explorer as it doesn’t escape the “ sign when passing data through to the command line.

Solution

Do not browse untrusted sites and disable the “Firefox URL” URI handler OR install the Firefox extension NoScript.

MIT researchers are designing a “Digital Water Pavillion” for next year’s Expo Zaragoza in Spain. The walls of the structure are sheets of water sprayed from suspended pipes. Software-controlled valves enable the valves to be opened and closed with high accuracy to create gaps at very specific locations, forming something like liquid pixels.

More info and an intro video available at www.digitalwaterpavilion.com.

Fujitsus mini server, “Tower Server Primergy TX120″, received the Innovation Award at Intel’s developer forum in Bejing this spring. It’s been a huge success on the Asian market and are now available in Europe.

The TX 120 is targeted towards businesses and companies that doesn’t have a separate server room available (can’t afford/don’t need). The manufacturer uses the following 3 as main sales arguments:

See how gobsmacked Simon Cowell and the other judges are when this guy starts to sing.