Wireshark 1.0.4 released

October 21, 2008 06:22 by hirantha

Wireshark released a new version (1.0.4). The new version includes a number of security fixes. For details, see http://www.wireshark.org/news/20081020.html.

Because it includes a large number of protocol parsers, Wireshark is by nature a somewhat risky program. To mitigate the risk, collect traffic using a simpler program like tcpdump, and later analyze the traffic in Wireshark using a low-privilege account.


Adobe Flash 10 Released

October 15, 2008 20:35 by hirantha

As for the security features, Adobe discusses them on one of its dev pages.

Some of the security changes require action on your part. Adobe says: "Some of these changes may require existing content to be updated to comply with stricter security rules. Other changes introduce new abilities that were previously unavailable or restricted by security rules."

You can get the download for version 10.0.12.36 here.


Microsoft PC Advisor

October 12, 2008 20:10 by hirantha

Last week I received an invitation to participate in the (free) preview of the new Microsoft PC Advisor program. We’re “not allowed” to share the initial survey and download link. The invitation to try out the PC Advisor made some intriguing promises: the app will monitor our PC for problems and give solutions in real time, and it will monitor system settings for potential pitfalls. The survey that preceded our download was even more interesting: it hinted that Microsoft's ultimate goal for the new app is complete Apple domination.

On to the software. The invitation email we received said that the Microsoft PC Advisor will:

  • Monitor your PC for problems and give you solutions in real-time to fix them.
  • Keep your PC running smoothly with important software and driver updates
  • Optimize your Windows experience with useful tips and tutorials
  • Optimize your PC by monitoring and updating settings


Critical vulnerabilities in Adobe Flash Player

April 10, 2008 08:59 by hirantha

Adobe has released a security bulletin today, APSB08-11, to address multiple vulnerabilities in Adobe Flash Player 9.0.115.0 and earlier, and 8.0.39.0 and earlier, that could lead to the potential execution of arbitrary code remotely. Additionally, the update includes DNS rebinding attack and cross-domain policy countermeasures.

It is strongly recommended to update to the newest Adobe Flash Player version, 9.0.124.0!


Google App Engine

April 9, 2008 07:58 by hirantha

Google isn’t just talking about hosting applications in the cloud any more. They’ve launched Google App Engine, an ambitious new project that offers a full-stack, hosted, automatically scalable web application platform. It consists of Python application servers, BigTable database access and GFS data store services.

At first blush this is a full-on competitor to the suite of web services offered by Amazon, including S3 (storage), EC2 (virtual servers) and SimpleDB (database).

However, unlike Amazon Web Services’ loosely coupled architecture, which consists of several essentially independent services that can optionally be tied together by developers, Google’s architecture is more unified but less flexible. For example, with Amazon it is possible to use the S3 storage service independently of any other service, while with Google, using the BigTable service requires writing and deploying a Python script to their app servers, one that creates a web-accessible interface to BigTable.

The service is completely free during the beta period, but there are ceilings on usage. Applications cannot use more than 500 MB of total storage, 200 million megacycles/day CPU time, and 10 GB bandwidth (both ways) per day.

One current limitation is a requirement that applications be written in Python, a popular scripting language for building modern web apps (Ruby and PHP are among others widely used). Google says that Python is just the first supported language, and that the entire infrastructure is designed to be language neutral. Google’s initial focus on Python makes sense because they use Python internally as their scripting language.


Google - April 1, 2008

April 1, 2008 05:51 by hirantha

Virgle

Google announces a joint project with the Virgin Group that aims to establish a permanent human settlement on Mars (http://www.google.com/virgle/index.html). This operation has been named Project Virgle. It also includes videos of Richard Branson as well as Larry Page & Sergey Brin on YouTube, talking about Virgle.

Dajare

Google launches Dajare in Japan (google.co.jp), with the mission of "organizing the world’s laughter."

gDay

Google announces gDay in Australia (http://www.google.com.au/intl/en/gday/press.html), a new beta search technology that will search web pages 24 hours before they are created.

Google Dialect Translation

Google announces Google 사투리 번역 (Google dialect translation) for translating regional dialects of Korean to and from Standard Korean.

Gmail Custom Time

Around 11:00 p.m. EST March 31, 2008, on the newer and older versions of Gmail, but not in the basic HTML version, a link labeled "New! Gmail Custom Time" appeared in the upper right corner, next to Settings. The link led to a 404 error before April 1st CST. It now leads to their latest hoax, Gmail Custom Time. The page claimed a new Gmail feature had been added that would allow people to date stamp their emails in the past, allowing for all sorts of mischief. Users would be limited to 10 Custom Times a year to minimize the number of fraudulent emails. Clicking any of the three links at the bottom of the page brought the user to a page indicating that Gmail Custom Time was, in fact, their April Fools prank for 2008.

Google Calendar is Feeling Lucky

Google added the "I'm Feeling Lucky" button to its calendar feature. When you tried to create a new event, you were given the regular option of entering the correct details and hitting "Create Event," and also the new option of "I'm Feeling Lucky" which would set you up with an evening date with, among others, Matt Damon, Eric Cartman, or Angelina Jolie.

Google Wake Up Kit

Google launched their "Wake Up Kit" as a calendar notification option. The option sends a series of increasingly aggressive alerts, starting with an SMS message to your cellphone, and ending with a bucket of water dumped into your bed, which would then flip over, tossing you out (all using apparently free equipment).

Google Docs

A little easter egg was added: a user can click the File menu, and directly under New Document is "New Airplane", which immediately opens a copy of a Google-branded paper airplane.


IE8 Readiness Toolkit

March 6, 2008 22:11 by Hirantha

With IE8 coming in the not so distant future, Microsoft describes what's new for developers in this Readiness page.

http://www.microsoft.com/windows/products/winfamily/ie/ie8/readiness/DevelopersNew.htm


Google Toolbar crashes IE 8

March 5, 2008 21:19 by hirantha

Google Toolbar crashes IE 8 when the user goes to certain web sites. It crashed for me when I visited http://my.ebay.ca and http://www.google.com/ig.

Way to reproduce:

  • Install Google Toolbar; in my case the toolbar was installed when I upgraded.
  • Go to http://www.google.com/ig. Google Toolbar gives you a crash warning and takes IE with it.

Severity can be high if you had already set http://www.google.com/ig as your home page because you are stuck in an endless loop that can only be fixed if you uninstall the toolbar. Note that the crash doesn't occur if you are in Emulate IE7 mode.


Hotmail suffers worldwide outage

February 26, 2008 12:08 by hirantha

Hotmail users around the world are having trouble gaining access to their e-mail accounts as Microsoft Corp. wrestles with technical difficulties.

More info:

http://www.theglobeandmail.com/servlet/story/RTGAM.20080226.wgthotmail0226/BNStory/Technology/home

http://www.rte.ie/business/2008/0226/hotmail.html

http://www.huliq.com/51700/hotmail-down-east-coast


Critical VMware security alert for Windows-hosted VMware client versions

February 24, 2008 12:34 by Hirantha

During the last couple of years, intensive security research has been performed on virtualization environments such as VMware, Virtual PC and Xen. It has mainly focused on finding new ways to detect whether you are running inside a virtual machine (vs. a native host), and on finding ways to escape from a virtual machine to the host (or to another virtual machine).

This new VMware vulnerability discovered by Core means a full escape from the guest virtual machine to the host is possible: "On Windows hosts, if you have configured a VMware host-to-guest shared folder, it is possible for a program running in the guest to gain access to the host's complete file system and create or modify executable files in sensitive locations."

It has been rated as critical by VMware and it affects all VMware client products on Windows, that is:

  • VMware Workstation 6.0.2 and earlier, AND 5.5.4 and earlier

  • VMware Player 2.0.2 and earlier, AND 1.0.4 and earlier

  • VMware ACE 2.0.2 and earlier, AND 1.0.2 and earlier

VMware on Mac OS (Fusion) and Linux are not affected by it.

By default, the shared folders feature is disabled in Workstation 6, Player 2, and ACE 2. Workstation 5, Player 1, and ACE 1 enable the shared folders feature by default, but exploiting this vulnerability still requires at least one folder to be configured as shared between the host and guest.

The impact on production environments is supposed to be limited, as they tend to use the server versions. However, security professionals make extensive use of virtualization technologies for multiple purposes (malware analysis, incident response, forensics, security testing, training, etc.), and we typically use the client versions of the products, so it is time to disable the shared folder capabilities, as no update or patch is available yet:

Workaround (from the VMware advisory)

Until VMware releases a patch to fix this issue, users of affected Windows-hosted VMware products should disable shared folders.
To disable shared folders in the Global settings:

  1. From the VMware product's menu, choose Edit > Preferences.

  2. In the Workspace tab, under Virtual Machines, deselect the checkbox for Enable all shared folders by default.

To disable shared folders for the individual virtual machine settings:

  1. From the VMware product's menu, choose VM > Settings.

  2. In the Options tab, select Shared Folders and Disable.
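
One way to check that the workaround above has actually been applied to every virtual machine, as an added example that is not part of the original post or the VMware advisory: it reads a VM's .vmx configuration text and lists the shared folders that are still active. The `sharedFolderN.*` key names are an assumption about the .vmx format and the sample configuration is constructed; confirm the keys against a .vmx file from your own product version.

```python
import re
import sys

# A .vmx file is a list of lines shaped like: key = "value"
# (key names below are assumed from the .vmx format, not from the advisory)
_SETTING = re.compile(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$')
_SHARE_KEY = re.compile(r"^sharedfolder(\d+)\.")

# Constructed sample, not taken from a real VM.
SAMPLE_VMX = r'''
displayName = "malware-lab"
sharedFolder0.present = "TRUE"
sharedFolder0.enabled = "TRUE"
sharedFolder0.writeAccess = "TRUE"
sharedFolder0.hostPath = "C:\samples"
sharedFolder0.guestName = "samples"
sharedFolder1.present = "TRUE"
sharedFolder1.enabled = "FALSE"
sharedFolder1.hostPath = "C:\tools"
sharedFolder1.guestName = "tools"
sharedFolder.maxNum = "2"
'''

def parse_vmx(text):
    """Return {lower-cased key: value}; comment and malformed lines do not match."""
    settings = {}
    for line in text.splitlines():
        match = _SETTING.match(line)
        if match:
            settings[match.group(1).lower()] = match.group(2)
    return settings

def enabled_shared_folders(text):
    """Return (index, guest_name, host_path, writable) for each active share."""
    s = parse_vmx(text)
    flag = lambda key: s.get(key, "").strip().upper()
    indexes = sorted({int(m.group(1)) for m in map(_SHARE_KEY.match, s) if m})
    # Conservative: a share that is present counts as active unless it is
    # explicitly disabled, so a missing "enabled" key is still reported.
    return [(i, s.get(f"sharedfolder{i}.guestname", ""),
             s.get(f"sharedfolder{i}.hostpath", ""),
             flag(f"sharedfolder{i}.writeaccess") == "TRUE")
            for i in indexes
            if flag(f"sharedfolder{i}.present") == "TRUE"
            and flag(f"sharedfolder{i}.enabled") != "FALSE"]

if __name__ == "__main__":
    # Usage: python audit_vmx.py path\to\vm1.vmx path\to\vm2.vmx
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for share in enabled_shared_folders(fh.read()):
                print(f"{path}: shared folder still enabled: {share}")
```

An empty result for every .vmx file on the host means no guest currently has a host folder mapped; any reported entry should be disabled through the VM settings steps above.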
