21 अगस्त से बुक कीजिए हिंदी में डोमेन नेम...

नई दिल्ली। सरकार वेबसाइट्स के देवनागरी लिपि में डोमेन नेम बुकिंग 21 अगस्त से शुरू करेगी। पहले इसे 15 अगस्त से शुरू किया जाना था।

देवनागरी लिपि का इस्तेमाल हिंदी, मराठी, डोगरी के अलावा आठ अन्य आधिकारिक भाषाओं में लिखने के लिए किया जाता है। इसमें एक्सटेंशन 'डॉट भारत' होगा। वेबसाइट के लिए डोमेन नेम की बुकिंग 350 रुपये में और सब-डोमेन नेम की बुकिंग 250 रुपये में होगी।

पहले दो महीने ट्रेडमार्क या कॉपीराइट वाली कंपनियां ही बुकिंग करवा सकेंगी।

Oracle issues fix for Java update that crippled some Web apps : A work-around is available for users who are unable to apply Java upgrades, Oracle says

There's relief available for users who applied a recent Java update that stopped some Web applications from being able to launch.

Oracle has issued Java 7 Update 67 which contains a fix for the problem that cropped up in Java 7 Update 65, according to an official blog post.

The issue only involves a number of Web Start and Applet applications, and not any client or server-side software, according to the blog. The new Java update "is not a security fix or Critical Patch," the blog states.

Administrators should direct their users to download and install the update, Oracle added. The blog also describes a manual work-around users can take if they're unable to upgrade Java.

Those in such a bind should open their Java control panel, select the Java tab, then click "view." Once there, they should enter the number 7 in the area marked "runtime parameters," and then backspace over it, according to the blog.

While the issue resolved by Java Update 67 doesn't involve security, Oracle has faced pressure from community members following the discovery of high-profile vulnerabilities in the widely used programming language, which it gained control of through the acquisition of Sun Microsystems in 2010.

Last year, Oracle's head of Java security promised the company would fix Java's issues and step up its community outreach efforts.

Oracle's most recent quarterly Java security update, issued in July, contained 20 fixes. That total was down significantly from the 37 Java fixes shipped in the April update and 36 issued in January.

5 reasons Internet crime is worse than ever : Why does Internet crime remain a menace? These five reasons have enabled us to accept it -- but that complacency may not last

I've been fighting Internet crime for more than 20 years. In the old days, the daily malware hot sheet was known as the Dirty Dozen -- because it listed only a dozen malware programs. Today we have literally hundreds of millions of malware programs, thousands of professional hacking organizations, and tens of thousands bit players who steal hundreds of millions (if not billions) of dollars via the Internet every year.

Though we have smarter online users, better detection tools, and a host of legal tools at our disposal, Internet crime is worse than ever. It's been a long time since I've run into someone who hasn't had his or her life impacted by Internet crime.

How did we ever let Internet crime get so big? Why do we let Internet criminals get away with so much that it impacts and threatens nearly every transaction we commit over the Internet? Read on:

1. Internet criminals almost never get caught

The world is full of malicious individuals who have no problem skirting rules and laws, as well as taking property that belongs to other people. Bad people exist -- and the Internet is a very low-risk neighborood in which they can run amok.

There are tens of thousands of Internet criminals, almost none of whom get caught or prosecuted. If you're an Internet criminal, you have to be especially brazen for a long time -- and make mistakes -- before you get caught.

You don't have to be a mastermind or uber hacker. One of the most popular misconceptions is that you have to be hyperintelligent to get away with cyber crime. The exact opposite is true. Most Internet criminals I've met (and chatted with online) are not particularly smart. They couldn't program a simple notepad application, and they certainly don't have to be as smart as the average defender.

They simply lack morals, buy programs from other, smarter programmers, and want to roll the dice and take the risk. But they aren't taking any real risk, and that's the central problem: You can get rich without much risk of getting caught. Until this equation changes, we will never see a significant decrease in Internet crime.

2. Indefinite legal jurisdiction

Most Internet crime takes place across international borders. Law enforcement agencies are always limited to jurisdictional boundaries. For instance, a city police officer in Billings, Mont., can't easily arrest someone in Miami, Fla. We have federal law enforcement agencies, which reach across city and state boundaries, but they can't easily traverse international boundaries.

The FBI can't go to China and arrest someone just because they have legal evidence a crime being committed by a person there. They have to submit a request, which will likely be ignored, to Chinese authorities. But let's not pick on the Chinese. It's not like we're going to arrest an American citizen and ship him off to Beijing anytime soon, either, regardless of the evidence.

Sometimes law enforcement agencies of one nation work with another nation's law enforcement, but these occasions are rare. Plus, the really big ones involved with the majority of the Internet crime, like Russia, China, and the United States, certainly don't cooperate with each other.

3. Lack of legal evidence

Another huge impediment to successful convictions is the lack of official, legal evidence. Most courts accept "the best representation" of evidence recorded during the commission of a crime. But most computer systems -- and many networks in totality -- don't collect any evidence at all, much less evidence that might stand a chance of holding up in court. I'm still surprised by the number of computers I investigate that don't, at a minimum, have event logging turned on.

Even if more evidence was collected, most of it wouldn't stand up to a decent lawyer, assuming it would even be allowed in court. Collecting and preparing good legal evidence takes planning and commitment. Few organizations have the dedication or expertise.

4. Lack of resources

Few victims or victim advocacy groups have the resources, technology, or funding to pursue Internet criminals. I know many people who have lost tens of thousands of dollars to fraudulent transactions, including car sales, stock trades, bank transfers, and so on. Unfortunately, the amount lost usually pales compared to the cost of the resources that would be needed to recover the funds.

Many victims are too ashamed of their own gullibility to report the crime. If they do, a report will be taken -- and that's that. Your local enforcement agency isn't about to cross international boundaries to try and to recover your personal money. You can report it to the proper authorities, but rarely will they do anything to recover the damages or prosecute.

5. Cyber crime isn't hurting the economy enough (yet)

Lastly, the amount of Internet crime isn't hurting economies enough to raise a global red alert. Sure, Internet crime probably results in the loss of hundreds of millions -- or perhaps several billion -- dollars each year, but that amount of crime has persisted for a long time, well before the Internet.

Most of today's Internet crimes are newer versions of crimes and scams that have been occurring for decades before the Internet was around. Take credit card fraud: Retail stores would once look up known fraudulent credit card numbers in little paper books that the credit card vendors handed out. Nigerian scams have been around, via paper letters, phone calls, or faxes, at least since the 1990s.

Unfortunately, most Internet crime is seen as a necessary cost of doing business. As long as the majority of transactions are legitimate, the noise will be acceptable.

The solution is right in front of us

I've often wondered what it would take for our world to decide to diminish Internet crime substantially. We've had the means and technology to do so for a long time. We are not waiting for some fantastic new technology. Everything we need we already have, except for global consensus on how to do it and actually enabling the new features.

Personally, I think it's going to take a huge disaster. A digital catastrophe will happen eventually and bring down much of the Internet for a few days -- or shut down financial markets for a few hours or more. Passive acceptance of Internet crime will no longer be tolerated. We'll finally have to do something about it.

SAP ties up with Apigee for API management : Apigee's platform will serve as a middleman between SAP systems and mobile apps

SAP will resell software from Apigee in a move to help customers and partners build mobile applications, products and services that securely tap data from SAP systems.

The deal will result in a product called SAP API Management, a rebadged version of Apigee's Edge platform, which will be available in both on-premises form and on SAP's Hana Cloud Platform, according to an announcement Thursday.

The Apigee product's approach should calm the nerves of conservative SAP system administrators, who may be resistant to allowing external applications to call into critical back-end systems directly, said Joav Bally, chief product manager for Gateway and SAP API Management.

He compared Apigee's platform to a bouncer at a nightclub. "It decides who gets into the club or not," he said.

Apigee stands between back-end systems and applications running on mobile devices, websites, POS (point of sale) systems and other places, according to the company's website.

The applications interact with a proxy API (application programming interface) sitting on Apigee's platform, which relays calls to the back end. Apigee provides a framework for security and authorization, as well as the ability to throttle the amount of traffic moving through an API in order to avoid overloading back-end systems.

The proxy approach means SAP customers will have the ability to make changes to their systems as long as they maintain the API on Apigee. In turn, developers don't have to rewrite anything in order to handle such changes, since their applications talk only to the API.

Apigee also provides customers with analytics showing how their APIs are being used, as well as various ways to charge third-party developers for access to APIs.

With the Apigee deal, SAP is signaling a desire to keep pace with rivals such as Salesforce.com when it comes to opening up its software to the world in a secure way. In November, Salesforce.com introduced a new version of its platform that features 10 times as many APIs as before, allowing for a much wider array of integration scenarios.

"APIs are hot, and not just for digital businesses," said IDC analyst Al Hilwa, via email. "In a way, all companies are finding ways to connect with customers and partners through digital means, no matter the product. This is driving a huge wave of architecting systems for external use through APIs."

With Apigee, SAP is partnering with a company that has a wealth of experience in API management, Hilwa added: "SAP is wise to accelerate its investment in this area and support its large contingency of customers with their API efforts."

SAP is also trying to attract partners, particularly startups, to build software for its Hana cloud platform and marketplace, hoping to repeat the success Salesforce.com has had with its own AppExchange. The addition of Apigee's technology to the mix is clearly aimed at making it easier for those companies to interact with SAP systems.

Google makes Hangouts more enterprise friendly : Hangouts and Chromebox for Meetings get a business-focused update

Google is looking to make your work day a bit more social and is taking its Google Hangouts into the business arena.

The company is trying to make it easier for enterprises to use Hangouts for face-to-face, if not in-person, meetings, according to Clay Bavor, vice president of product management for Google Apps.
The Hangouts feature, which was first introduced as part of Google+, comes to the enterprise as part of a slew of new features for Google Apps for Business customers.

Starting today, even non-Google+ users can use Hangouts at work. Any Google Apps customer can start or join a high-definition video meeting that connects up to 15 participants -- from a computer or Chromebox for Meetings device. Google noted that the same ability will "soon" be available on smartphones and tablets.

"Hangouts is now covered under the same Terms of Service that support our other Google Apps for Business products, like Gmail and Drive," wrote Bayor, in a blog post. "That means we've got your back with 24x7 phone support and a 99.9% guaranteed uptime, as well as ISO27001, SSAE 16/ISAE 4302 and SOC 2 certification. Additional enterprise integration with Google Apps Vault is coming by the end of the year."

Taking Hangouts to the business community is another way for Google to get its foot in the door with enterprises. However, it's also part of the company's effort to push out Chromebox, Google's Chrome OS-based corporate meeting device, to a bigger, and more business-minded, audience.

"In the coming months, we'll be making Chromebox for Meetings work better in rooms of all shapes and sizes," Bayor wrote. "In larger conference rooms, you can connect two displays to one Chromebox for meetings device to see your audience and project a presentation at the same time. And if you've ever wanted a dedicated setup for video meetings for your home, new personal calendar integration means you will be able to easily set up Chromebox for meetings outside the office."

He added that IT administrators can better manage meetings directly from the Google Apps Admin Console, giving them options like remote starting, muting and ending a meeting.

"Google is moving into the enterprise, or at least trying to," said Ezra Gottheil, an analyst with Technology Business Research. "I know Hangouts was introduced with Google+, but Hangouts is cleaner, more understandable, and more business-friendly, as a stand-alone chat, video-chat, video-conferencing application."

Google is scheduled to hold a Hangout on Aug. 19 to go over the new features.

Google used this video to introduce its update to Chromebox for meetings, while making Hangouts easier to use in the enterprise.

Judge rules against Microsoft in email privacy case : The company is compelled to comply with a U.S. warrant for emails held on a server in Ireland, a judge rules

A U.S. district court judge has ruled against Microsoft in the company's effort to oppose a U.S. government search warrant for emails stored in Ireland.

On Thursday, Judge Loretta Preska of the U.S. District Court for the Southern District of New York rejected the company's appeal of an earlier ruling requiring it to turn over emails stored in the company's facility in Dublin. Preska ruled that Microsoft will not have to turn over the emails while it files an appeal.

Preska, in an oral ruling from the bench, sided with a magistrate judge's April ruling quashing Microsoft's opposition to the warrant, related to a criminal case, from the U.S. Department of Justice.
Microsoft will appeal Preska's ruling to the U.S. Court of Appeals for the 2nd Circuit, the company said. Microsoft has argued that the DOJ has no authority to issue warrants related to emails stored outside the U.S.

"The only issue that was certain this morning was that the district court's decision would not represent the final step in this process," Microsoft general counsel Brad Smith said in a statement. "We will appeal promptly and continue to advocate that people's email deserves strong privacy protection in the U.S. and around the world."

U.S. law has long required search warrants to name the specific location of the information they seek, instead of requiring a company receiving the warrant to search multiple locations for the information, as has happened in the Ireland case, Microsoft has argued. U.S. search warrants also haven't been able to reach overseas, just as U.S. residents wouldn't want foreign courts to be able to search domestic locations, Smith has said.

U.S. Attorney Preet Bharara of the Southern District of New York has opposed Microsoft's attempts to invalidate the warrant. If Microsoft's interpretation of the law is upheld, Web services providers could move content around the world in an effort to avoid law enforcement requests, Bharara wrote in a brief to the court.

Microsoft EMET 5.0 security tool puts a leash on plug-ins : Latest version of the free toolkit allows administrators to block third-party plug-ins -- a favored route for attackers

The latest release of a Microsoft security tool that's designed to stop exploits lets administrators control when third-party plugins are launched, a long favored route for attackers.

Microsoft has been steadily improving and adding more capabilities to the Enhanced Mitigation Experience Toolkit (EMET), a free tool that strengthens the security of non-Microsoft applications by using defenses built within Windows, such as ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention).

The latest 5.0 iteration, released Thursday, includes something called "Attack Surface Reduction," which can block some of an application's modules or plugins that might be abused, wrote Chris Betz, senior director of the Microsoft Security Response Center.

He wrote that Microsoft Word, for example, can be prevented from loading an Adobe Flash Player plugin or allow Java plugins to only run from intranet-zone sites rather than outside ones.

Third-party software is often favored by hackers as finding vulnerabilities in the Windows operating system has become more difficult. Java, an application framework for running applications, is often targeted, as well as applications from Adobe Systems.

EMET has been configured by default to block Adobe's Flash plugin from being loaded by Word, Excel and PowerPoint.

Another improvement to EMET deals with digital certificates, which are used to secure a SSL (Secure Socket Layer) connection, Betz wrote. EMET now has a blocking mode that will tell Internet Explorer to halt an SSL connection if an untrusted certificate is detected without sending session data.

Microsoft also hardened EMET in light of successful efforts at bypassing mitigations in its 4.0 version. Earlier this year, researchers from Bromium, which develops security technologies based on micro-virtualization, found that more technical hackers could bypass all of EMET's protections.

The company worked on hardening EMET against bypass techniques, which are possible "when a memory corruption within an EMET-protected application can be abused to overwrite selected memory areas and corrupt data belonging to EMET itself," according to a technical writeup.

Microsoft sues Samsung, says it stopped paying for patents : Samsung is requires it to pay licensing fees to Microsoft for the Android phones it sells

Microsoft filed suit against Samsung on Friday, claiming the device maker has backed out of an agreement that requires it to pay licensing fees to Microsoft for the Android phones it sells.
Samsung has not honored the agreement since at least last September, when Microsoft announced it was acquiring Nokia's devices and services business from Google, Microsoft alleged in the complaint.

"Samsung breached the license agreement last fall by refusing to make its Fiscal Year 2 royalty payment on time and then refusing to pay interest on its late payment, and is threatening to breach the License Agreement again with respect to its ongoing royalty payment obligations," says the complaint, which was filed Friday in federal court in New York.

Microsoft and Samsung have been meeting for months to resolve a disagreement over the contract, to no avail, Microsoft said Friday in an accompanying blog post.

"We don't take lightly filing a legal action, especially against a company with which we've enjoyed a long and productive partnership," wrote Microsoft corporate vice president and deputy general counsel David Howard.

"Unfortunately, even partners sometimes disagree," he wrote.

The companies entered into a patent cross-licensing agreement in 2011 under which Samsung would pay Microsoft to use its technology in the Android phones and tablets it sells.

But after Microsoft's Nokia acquisition was announced, Samsung decided to stop complying, Microsoft said Friday.

"Samsung began using the acquisition as an excuse to breach its contract," Microsoft's Howard wrote. Samsung did not ask the court whether the Nokia acquisition invalidated the contract, he wrote.
A Samsung spokeswoman said via email that the company would review the complaint in detail "and determine appropriate measures in response."

Since 2011, sales of Samsung-made smartphones running Google's Android operating system have grown substantially, according to industry research firm IDC. Samsung's smartphones, which include the Galaxy S5 and S4, now have a roughly 30 percent share of the global market, according to IDC.

How to protect personal, corporate information when you travel : Today's hotels are unfortunately vulnerable to types of attempted fraud. Here's how to keep data safe

Before flying from Rome to Philadelphia earlier this summer, I stopped in the hotel lobby to print my boarding pass. The hotel had one computer dedicated solely to this task. It was the only public computer available to guests. I could access only airline websites and input my name and confirmation number for the ticket. That was it.

I thought this was the hotel's way of trying to squeeze a few more Euros out of me -- but this setup may also stop fraud. It prevents someone from stealing whatever other information I could have typed into the computer, such as an email login and password.

In July, the U.S. Secret Service and Department of Homeland Security released an alert to the hospitality industry, warning it that business center computers had become a hacker target.
According to Kregs on Security, which posted the nonpublic advisory, the warning came from a task force in Texas that arrested individuals who allegedly targeted computers at hotel business centers in the Dallas/Forth Worth area.

This kind of fraud could be more than just about trying to steal a road tripper's credit card information, said Patrick Peterson, CEO of cybersecurity company Agari. If the hotel in question is near a major corporate headquarters -- where contractors, consultants and employees from other offices stay when visiting -- criminals could target them to steal and then sell company login information. Credit card theft thus becomes possible corporate espionage.

The hotels involved in this case haven't been revealed, but Peterson points out that they could be near the Dallas/Fort Worth-area headquarters for AT&T, Energy Transfer Equity, Southwest Airlines, Texas Instrument and Neiman Marcus.

"If you're in Russia, if you're in China, and you're about to bid on a multibillion-dollar oil field, knowing what your competing bidders know about that oil field is very valuable," he says. It's much easier to steal someone's login through an unsecured business center computer than to infiltrate a heavily protected company.

Travel industry security lags -- and hackers know it

The travel industry lags in its security efforts, Peterson says. Agari's TrustIndex report found a 400 percent increase in the level of threat to the travel industry in the past quarter. Out of 14 companies that Agari studied, only three hit acceptable security marks.

A large part of that threat came from email phishing scams that would either install malware on the victim's computer or let criminals encrypt a hard drive and then demand a ransom to unlock that hard drive, Peterson says.

Attacking business center computers is a different kind of scam. "It's low-tech, and there are so many different ways it can be done," says Bill Hargenrader, cyber security solutions architect at Booz Allen Hamilton, a strategy and technology consulting firm. It's also cheap, he adds: "I can go online right now and, for $60, get a USB keylogger and put it into someone's computer and record all those keystrokes."

On a business center computer, a keylogger stuck into the back of a machine can go undetected for months -- and that's assuming the person who finds it knows it shouldn't be there.

Another attack method: Installing software directly onto the machine, using general-purpose Trojan malware such as Zeus, which will "sit around and look for user names and passwords for people browsing online," Hargenrader says. The Trojan will also look to steal credentials, banking login, credit card information and company logins.

In the Dallas/Forth Worth case, the suspects allegedly used stolen credit cards to register as hotel guests, then logged on to install keylogging software onto those machines.

Security cameras, touchscreens can help hotels prevent data fraud.

Hotels have a few options on how to prevent this kind of theft. One low-tech but effective tactic is installing video surveillance, says Chris Poulin, IBM security strategist. "Cameras can be a pretty good deterrent." Just knowing that they're being recorded can stop hackers from trying to insert a USB keylogger -- not to mention identify perpetrators if they still try.

Hotels can also swap out standard screens with touchscreens and activate Windows 7 Touch features that come with the device, says Hargenrader. If there are no keys, there are no keystrokes to record.
Going a step further, hotels could replace PCs with tablets, says Poulin, especially as the demand for doing much more than printing boarding passes declines as travelers bring their own devices.

Hotels could also arrange for their computers to set up virtual desktop for every visitor, requiring a login to get into the system. "They get a fresh copy of a known operating system and operating system. When they logoff, it wipes everything out," Poulin says.

More immediately, though, Hargenrader says hotels should remind visitors that lobby and business center computers are public and that they shouldn't put their information at risk.

Another option: They can do what my hotel in Rome did and limit what kind of information customers can enter into the system. "When you put your boarding pass information in, you put in the flight locator code. It's limited information that's not personally identifiable but still gives you access," said Hargenrader. If malware captured that information, it would give criminals nothing in return.

Many antivirus products are riddled with security flaws : Antivirus products increase a computer's attack surface and may even lower an operating system's protections, a security researcher claims

It's generally accepted that antivirus programs provide a necessary protection layer, but organizations should audit such products before deploying them on their systems because many of them contain serious vulnerabilities, a researcher warned.

According to Joxean Koret, a researcher at Singapore security firm Coseinc, antivirus programs are as vulnerable to attacks as the applications they're trying to protect and expose a large attack surface that can make computers even more vulnerable.

Koret spent the last year analyzing antivirus products and their engines in his spare time and claims to have found dozens of remotely and locally exploitable vulnerabilities in 14 of them. The vulnerabilities ranged from denial-of-service issues to flaws that allow potential attackers to elevate their privileges on systems or to execute arbitrary code. Some bugs were located in antivirus engines -- the core parts of antivirus products -- and some in various other components.

Koret presented his findings at the SysScan 360 security conference earlier this month.
"Exploiting AV engines is not different to exploiting other client-side applications," the researcher said in his presentation slides. They don't use any special self-protections and rely on anti-exploitation technologies in the OS like ASLR (address space layout randomization) and DEP (data execution prevention); and sometimes they even disable those features, he said.

Because antivirus engines typically run with the highest system privileges possible, exploiting vulnerabilities in them will provide attackers with root or system access, Koret said. Their attack surface is very large, because they must support a long list of file formats and file format parsers typically have bugs, he said.

According to the researcher, another issue is that some antivirus products don't digitally sign their updates and don't use encrypted HTTPS connections to download them, which allows man-in-the-middle attackers to inject their own malicious files into the traffic that would get executed.

During his SysScan talk, Koret disclosed vulnerabilities and some other security issues, like the lack of ASLR protection for some components, in antivirus products from Panda Security, Bitdefender, Kaspersky Lab, Eset, Sophos, Comodo, AVG, Ikarus Security Software, Doctor Web, MicroWorld Technologies, BKAV, Fortinet and ClamAV. However, he also claimed to have found vulnerabilities in the Avira, Avast, F-Prot and F-Secure antivirus products.

Koret did not report the issues he found to all affected vendors, because he thinks that vendors should audit their own products and run bug bounty programs to attract independent research. Some of his other recommendations for vendors include using programming languages "safer" than C and C++, not using the highest privileges possible when parsing network packets and files because "file parsers written in C/C++ code are very dangerous," running potentially dangerous code in emulators or sandboxes, using SSL and digital signatures for updates and removing code for old very threats that hasn't been touched in years.

Independent of Koret's analysis, researchers from Offensive Security recently found three privilege escalation vulnerabilities in Symantec's Endpoint Protection product. The flaws can be exploited by a local user with limited privileges to gain full system access. Symantec is currently investigating the flaws.

"I won't go to the extent to say that AV software is pointless, since we do know that users still love clicking and installing stuff, and many networks are compromised this way," said Carsten Eiram, the chief research officer at security intelligence firm Risk Based Security and a long-time vulnerability researcher. "However, system administrators should carefully select which security products they buy as well as which features are enabled -- especially when it comes to content inspection. All those file format parsers have proven again and again over the years to be treasure troves to attackers."
Eiram said that while he didn't attend Koret's talk, he looked over the slides and the research appears to be solid.

"Adding a huge attack surface, which often happens when installing AV software or other security software, in an attempt to make systems/networks more secure does not increase overall security," Eiram said. "I agree that it often decreases it."

The fact that antivirus products have vulnerabilities might not be surprising to security researchers, but many regular users likely assume that security products are inherently secure. After all, it would be fair to expect good coding practices and solid secure development lifecycles from companies that are clearly familiar with the risks of vulnerable code and sell protection against attacks that exploit vulnerabilities in other software.

This problem, however, extends beyond antivirus programs. Ben Williams, a penetration tester with NCC Group, analyzed security appliances, including email and Web security gateways, firewalls, remote access servers and UTM (united threat management) systems, from leading vendors in 2012 and concluded that most of them are poorly maintained Linux systems running insecure Web applications.

"While we do everything possible to ensure that products are fault free, sadly no software is perfect," an Eset representative said via email in response to an inquiry about Koret's research. The company contacted Koret after the researcher tweeted some of his findings on March 1 and fixed the problem he identified in less than three days, the representative said. "Eset always welcomes researchers who follow responsible disclosure procedures of bugs and issues."

A Bitdefender representative said via email that the company also fixed the problems disclosed in Koret's presentation slides within days of their release. However, the company is not in possession of the entire list of bugs that the researcher claims to have found and can't be sure that it has fixed all of them, or if they're even reproducible.

"Since the announcement, we have also conducted an internal code audit, fixed a number of other bugs and made changes to our build and QA [quality assurance] processes which should result in far sturdier code and prevent similar situations in the future," the Bitdefender representative said.
The issues in Kaspersky Lab's antivirus products that were outlined in Koret's presentation, namely the absence of ASLR in some components and a potential denial-of-service issue when scanning nested archives, are not critical to the security protection of the company's customers, a Kaspersky representative said via email. Software that is written without ASLR is not implicitly more vulnerable to exploits, but Kaspersky Lab added ASLR to the product components that were lacking it -- vlns.kdl and avzkrnl.dll -- after Koret's presentation, he said.

The archive issue where scanning of a 3MB 7-Zip file can allegedly produce a 32GB dump file could not be verified or refuted because the company has not received a detailed description of the methodology used by the researcher.

The researcher confirmed in his presentation slides that some of the vulnerabilities he found had been fixed.