Comcast Sees VoIP, ISP Growth

July 30, 2008

Comcast, the largest U.S. cable service provider, posted a higher quarterly profit as it gained market share in Voice over IP (VoIP) phone and ISP customers while controlling expenses, sending shares up 6 percent.

The company said free cash flow rose 216 percent to $1.163 billion — an increase largely due to lower spending on expanding its cable systems to new communities, a development prompted by a slowdown in U.S. homebuilding.

While that slowdown contributed to weaker video subscriber growth, analysts said Comcast’s (NASDAQ: CMCSA) VoIP service was winning market share from phone competitors including AT&T (NYSE: T) and Verizon Communications (NYSE: VZ).

“Free cash flow was better than we expected and that was partly due to the fewer customer adds, so they didn’t incur costs of adding new subscribers,” said Tom Eagan, an analyst at Collins Stewart.

Comcast said it added 278,000 high-speed Internet subscribers and 500,000 VoIP subscribers during the second quarter. Seven analysts polled by Reuters had on average expected Comcast to add 327,000 new Internet subscribers and 579,000 new phone subs.

Steve Burke, Comcast’s chief operating officer, told analysts on a conference call that the company’s faster Internet access speeds are helping to win over phone company DSL customers as they want to watch more online video.

Burke said the company is also on target to add more than 2 million phone subscribers by the end of the year. It currently has 5.6 million, making it the fourth-largest U.S. phone provider. The Philadelphia-based company has 24.6 million customers for all of its services.

Compared to its growth in IP-based services, Comcast gained 320,000 digital video subscribers during the quarter — analysts had expected Comcast to add around 450,000 — while it lost 138,000 basic video subscribers. Analysts on average had been expecting the company to lose 129,000 such users.

Net profit in the second quarter rose to $632 million, or $0.21 per share, from $588 million, or $0.19 per share a year earlier, Comcast said on Wednesday. Revenue rose 11 percent to $8.553 billion. Wall Street had expected Comcast to post revenue of $8.574 billion and per-share profit of $0.22, according to Reuters Estimates.

The company also spent less on buying new digital TV set top boxes than a year ago, when it bought a significant number of new boxes ahead of a U.S. regulatory deadline to adopt a different set-top box.

That deadline came as a result of a government mandate to switch from analog to digital broadcasts, freeing up highly sought-after spectrum sold in a multibillion-dollar auction earlier this year.

Shares in Comcast rose $1.08 to $20.26. Shares of rival Time Warner Cable (NYSE: TWC) also rose 4 percent, while Cablevision (NYSE: CVC) shares rose 4.8 percent.

The company is also facing scrutiny over its network management policies for high-bandwidth ISP customers, particularly those using BitTorrent. The Federal Communications Commission, for instance, is looking into allegations that the cable provider arbitrarily blocked certain Internet traffic without warning subscribers.

Comcast has maintained that the charges against it are overstated, and that the policies it imposes on traffic aim only to ensure the smooth operation of its network.


NVIDIA: Announcing Two New Additions To The GeForce 9 Series Family

July 30, 2008

With the introduction of the NVIDIA GeForce 9500 GT and GeForce 9800 GT GPUs, you now have two new options to ensure your customers get the best visual computing value and the best performance for the price. Whether your customer wants an ideal blend of graphics power and video performance without a hefty price tag, or is a hard-core gamer who wants to play all the latest games at high resolutions, the SLI-Ready GeForce 9500 GT and 9800 GT GPUs deliver a winning product at each price point.

NVIDIA® GeForce® 9500 GT – An ideal blend of graphics power and video performance without a hefty price tag:

  • The most gaming horsepower ever released in a graphics card under $100*
  • Up to 3X performance increase over comparable previous generation GPUs
  • Improved 3D experience with Microsoft Windows Vista
  • Spectacular picture clarity and vibrant color with PureVideo® HD advanced video processing technology
  • Up to 2X the performance of a single card set-up when paired with an identical 9500 GT-based card and NVIDIA SLI® technology
  • PCI Express 2.0 Compatibility

NVIDIA® GeForce® 9800 GT – The perfect combination of price and performance:

  • 112 processor cores and 256-bit frame buffer interface running at 900MHz
  • Ultra-realistic physical worlds with NVIDIA PhysX technology**
  • Offload of the most intensive processing tasks from the CPU to GPU with NVIDIA CUDA technology.
  • Industry leading features like dynamic cloth, live debris and next generation volumetric effects, optimized for the hottest game titles of 2008
  • Optimal power management with NVIDIA HybridPower technology***
  • Second generation PureVideo HD for unsurpassed Blu-ray movie picture quality and dual-stream picture-in-picture content
  • PCI Express 2.0 Compatibility

NVIDIA® GeForce® 9500 GT and 9800 GT GPUs are available now from your NVIDIA Authorized Board Partners at your preferred NVIDIA Authorized Distributor.


Comcast Offers Wii™ Systems To New Triple Play Customers

July 30, 2008

Comcast’s Super-Fast Internet Speeds Let Wii Players Enjoy Online Games, Entertainment and Fun

Philadelphia, PA  -  July 28, 2008

Comcast, the nation’s leading residential broadband Internet provider, and video game pioneer, Nintendo, have teamed up to offer an exclusive deal available to new Comcast Triple Play customers. From today until August 17, 2008, those who sign up for Comcast Preferred Plus or Premier Triple Play package* will receive a complimentary Wii™ system, merging together the joy of a super-fun video gaming experience with the power of super-fast Internet speed.

The partnership between Comcast and Nintendo will give new qualifying Triple Play customers a free Wii system and it will also allow them to hook up their Wii to Comcast High-Speed Internet for great online experiences:

  • Play friends over Nintendo® Wi-Fi Connection in games like Mario Kart Wii, Super Smash Bros. Brawl and more
  • Surf the Internet on a bigger screen by downloading the Wii Internet Channel from the Wii Shop Channel using Wii Points™
  • Visit the Wii Shop Channel to download classic Nintendo games or discover new exciting titles made for Wii

“By connecting to our high-speed Internet, it will be easy for our customers to access all the fun content and features their Wii has to offer online,” said Greg Butz, Senior Vice President of Marketing & Product Development. “The Wii offers something for everyone, so pairing the Comcast Triple Play with the Wii system provides great entertainment value for the entire family.”

“Comcast’s high-speed Internet connects Wii owners with their friends all over the world,” said Cammie Dunaway, Nintendo of America’s executive vice president of Sales & Marketing. “In addition to playing video games, people can surf the Internet, share family photos, and check the news or weather. The Wii is home to a multitude of fun Internet based entertainment and informational options.”

Comcast Preferred Plus and Premier Triple Play packages* include: Comcast Digital Cable with On Demand and premium channels; Comcast Digital Voice®, offering unlimited local and domestic long-distance calling and 12 popular calling features plus enhanced voicemail, and; Comcast High-Speed Internet with PowerBoost®, providing some of the fastest download speeds available today.

To be eligible for a complimentary Wii system, a two-year contract is required. Customers can sign up for the Triple Play by calling 1-800-COMCAST.

*Triple Play package availability and offers vary by market. Total number of Wii systems is limited.

About Comcast Corporation
Comcast Corporation (Nasdaq: CMCSA, CMCSK) (http://www.comcast.com) is the nation’s leading provider of entertainment, information and communications products and services. With 24.7 million cable customers, 14.1 million high-speed Internet customers, and 5.2 million voice customers, Comcast is principally involved in the development, management and operation of broadband cable systems and in the delivery of programming content.

Comcast’s content networks and investments include E! Entertainment Television, Style Network, The Golf Channel, VERSUS, G4, PBS KIDS Sprout, TV One, ten Comcast SportsNet networks and Comcast Interactive Media, which develops and operates Comcast’s Internet business. Comcast also has a majority ownership in Comcast-Spectacor, whose major holdings include the Philadelphia Flyers NHL hockey team, the Philadelphia 76ers NBA basketball team and two large multipurpose arenas in Philadelphia.

About Nintendo
The worldwide innovator in the creation of interactive entertainment, Nintendo Co., Ltd., of Kyoto, Japan, manufactures and markets hardware and software for its Wii™ and Nintendo DS™ systems. Since 1983, Nintendo has sold more than 2.7 billion video games and more than 460 million hardware units globally, and has created industry icons like Mario™, Donkey Kong®, Metroid®, Zelda™ and Pokémon®. A wholly owned subsidiary, Nintendo of America Inc., based in Redmond, Wash., serves as headquarters for Nintendo’s operations in the Western Hemisphere. For more information about Nintendo, visit the company’s Web site at www.nintendo.com.


WatchGuard Live Security: Trio of New Vulnerabilities for Firefox 3

July 21, 2008

Severity: Medium

17 July, 2008


Summary:

§  This vulnerability affects: Firefox 2.0.0.15 and 3.0 for Windows, Linux, and Macintosh

§  How an attacker exploits it: Multiple vectors of attack, including enticing one of your users to visit a malicious web page

§  Impact: Various results; in the worst case, attacker executes code on your user’s computer, gaining complete control of it

§  What to do: Upgrade to Firefox 2.0.0.16 or 3.0.1

Exposure:

Late yesterday, the Mozilla Foundation released Firefox 3.0.1 and Firefox 2.0.0.16, fixing three security vulnerabilities (based on CVE-IDs) in the popular web browser. We summarize the vulnerabilities below:

§  CSS Reference Counter overflow vulnerability (2008-034). Firefox suffers from a vulnerability in one of its internal data structures (CSSValue Array). Specifically, Mozilla did not use a sufficient size for the variable used as a reference counter for CSS objects. By enticing one of your users to a web page that makes a large number of references to a CSS object, an attacker could exploit this vulnerability to overflow that particular variable and corrupt the memory. The attacker could then leverage this memory corruption either to crash Firefox or to execute code on your user’s machine, with your user’s privileges. Depending upon your user’s level of privilege, an attacker could potentially exploit this flaw to gain complete control of that user’s computer.
Mozilla Impact rating: Critical

§  Internet-connected application can launch Firefox with multiple tabs (2008-035). In their alert, Mozilla describes a very convoluted Firefox vulnerability that attackers will probably find difficult to exploit in the real world. In a nutshell, attackers can force other Internet-connected applications to launch Firefox and open multiple tabs. Firefox is supposed to prevent external applications from loading certain types of URIs. However, an attacker could exploit this vulnerability to force Firefox to handle URIs it otherwise wouldn’t. By enticing one of your users into clicking a specially crafted link in some other web browser, an attacker might exploit this flaw either to read data on that user’s disk or even to execute code on that user’s computer. If your user has local administrative privileges, an attacker could exploit this flaw to gain complete control of that user’s machine. Keep in mind, however, that an attacker can only leverage this flaw if your user has Firefox installed but doesn’t have it running, and he visits the malicious link or web page in some other web browser, or Internet-connected application. For more details about this convoluted vulnerability, see Mozilla’s advisory.
Mozilla Impact rating: Critical

§  GIF image handling vulnerabilities (2008-036). Firefox suffers from a vulnerability involving the way it parses specially malformed GIF images. By enticing one of your users into visiting a web page containing a malicious GIF image, an attacker could exploit this flaw to execute code on that user’s machine, with that user’s privileges. This flaw only affects Firefox 3 running on OS X computers. Since OS X separates administrator privileges from typical user privileges, an attacker could not gain full control of OS X computers by leveraging this vulnerability alone.
Mozilla Impact rating: Critical

Solution Path:

Mozilla has updated Firefox 2 and 3, correcting these security vulnerabilities. If you use Firefox in your network, we recommend that you download and deploy version 3.0.1 as soon as possible. Mozilla no longer supports the 1.5.x branch of Firefox; we recommend that 1.5.x users migrate to 3.0.1 now.

§  Windows

§  Linux

§  Mac OS X

If you prefer to stick with Firefox 2, you can get the fixed version here (2.0.0.16).

Note: The latest versions of Firefox 3.0 automatically inform you when a Firefox update is available. We highly recommend you keep this feature enabled so that Firefox receives its updates as soon as Mozilla releases them. To verify that you have Firefox configured to automatically check for updates, click Tools => Options => Advanced tab => Update tab. Make sure that “Firefox” is checked under “Automatically check for updates.” In this menu, you can configure Firefox to always download and install any update, or if you prefer, only to inform the user that the update exists.

For All WatchGuard Users:

Some of these attacks arrive as normal-looking HTTP traffic, which you must allow through your firewall if your network users need to access the World Wide Web. Therefore, the patches above are your best solution.

Status:

The Mozilla Foundation has released Firefox 3.0.1 and 2.0.0.16, fixing these security issues.

References:

§  Firefox 3.0.1 Release Notes

§  Vulnerabilities Fixed in Firefox 3.0.1

§  Firefox 2.0.0.16 Release Notes

§  Vulnerabilities Fixed in Firefox 2.0.0.16


WatchGuard Releases Version 10.2.1 for WSM, Edge, Fireware, and Fireware Pro

July 21, 2008

WatchGuard is pleased to announce the availability of version 10.2.1 of WatchGuard System Manager, Edge, Fireware, and Fireware Pro. This update is a maintenance release and contains a number of enhancements and fixes for critical issues as reported by WatchGuard customers.

Contained in this release are improvements to:

§  Fireware’s support for Vasco authentication systems

§  Email attachment handling in the proxies

§  More accurate mapping of Mobile VPN users to groups

§  Numerous improvements to logging and the log server, resulting in greater ease of installation, management, and reliability

For full details on these and other resolved issues, as well as a list of known issues with this release, please consult the Release Notes posted on the Software Downloads page for your Firebox.

Does This Release Pertain to Me?

10.2.1 is a regularly scheduled maintenance release. If you are impacted by any of the issues listed above or those contained in the Release Notes, you should consider upgrading to version 10.2.1. Please read the Release Notes before you upgrade, to understand what’s involved.

How Do I Get the Release?

Firebox X, Edge, Peak and Core owners who have a current LiveSecurity Service subscription can obtain this update without additional charge by downloading the applicable packages from the Software Downloads web page, which also includes clear installation instructions. As always, if you need support, please enter a support incident online or call our support staff directly. (When you contact Technical Support, please have your registered Product Serial Number, LiveSecurity Key, or Partner ID available.)


WatchGuard LiveSecurity | Urgent: Update – All DNS Servers Suffer From Common DNS Protocol Vulns

July 21, 2008

DNS Proxy Helps; NAT/PAT Devices Exacerbate Issue

Severity: Medium

18 July, 2008


Update:

Last week, we published an alert about some DNS protocol vulnerabilities that could affect any software or networking devices that run DNS servers, and to a lesser extent, DNS clients. By sending your DNS server (or client) a series of specially crafted DNS queries and/or responses, an attacker could poison your DNS server’s cache with arbitrary IP addresses, thus potentially forcing your users to visit arbitrary, malicious web sites.

This alert adds one new wrinkle pertaining to this issue, then explains a DNS proxy configuration that may help mitigate the risk of DNS cache poisoning attacks in general. First, the new wrinkle:

Possible Negative Impact of NAT

The DNS vulnerability relies in part upon the lack of randomization in the source port used in DNS queries. The patch released by DNS vendors last week forces DNS applications and devices to use random source ports (among other things), which should help make it harder for attackers to impersonate legitimate DNS traffic.

However, in a post to the Full-Disclosure mailing list, security researchers pointed out that network address translation (NAT) or port address translation (PAT) applications and devices could potentially undo one of the benefits provided by your vendor’s DNS fixes. When a NAT/PAT device receives a packet, such as a DNS request, it resends that packet using source ports of its choice. If your NAT/PAT device doesn’t select the source port randomly, attackers could predict the source port necessary to send a response that would trick the NAT device. The NAT device would then format the attacker’s response properly to send to your DNS server, regardless of whether the server was patched.

Many NAT/PAT devices, including WatchGuard’s Firebox models, select source ports incrementally rather than randomly. While incremental source ports aren’t as bad as static source ports, they are still predictable. As a result of these DNS protocol flaws, many NAT/PAT vendors have realized that they need to update their products to select random source ports. WatchGuard plans to add randomization of source ports to its Firebox UTM devices as soon as possible; our engineers are currently investigating the feasibility of providing this fix in an upcoming release. (You should also contact the vendors of any other NAT/PAT devices in your network, to see how they are affected.)

Note that non-random source ports make up just one aspect of this DNS flaw. Attackers must also predict DNS transaction IDs in order to poison your DNS cache. So even if your NAT/PAT device reverses one aspect of the DNS fix, the rest of the fixes will still mitigate the risk of this DNS attack.
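The sketch below is an added example, not WatchGuard's code: it sends simulated DNS lookups through two hypothetical NAT/PAT models and scores how predictable the resulting external source ports are. The port range, class names, background traffic and the 64-port step threshold are assumptions, and the entropy figure is a sample-limited estimate.

```python
import math
import secrets
from collections import Counter

TXID_BITS = 16                   # width of the DNS transaction ID field
PORT_LO, PORT_HI = 1024, 65536   # assumed ephemeral port range (half-open)
PORT_SPAN = PORT_HI - PORT_LO


def random_port():
    """A source port as a patched resolver would pick it."""
    return PORT_LO + secrets.randbelow(PORT_SPAN)


class IncrementalNat:
    """Hypothetical NAT/PAT: each new flow gets the previous external port + 1."""

    def __init__(self, first_port=20000):
        self.next_port = first_port

    def translate(self, inside_port):
        # The resolver's randomized inside_port is discarded at this point.
        port = self.next_port
        self.next_port = PORT_LO + (self.next_port + 1 - PORT_LO) % PORT_SPAN
        return port


class RandomNat:
    """Hypothetical NAT/PAT that picks every external port at random."""

    def translate(self, inside_port):
        return random_port()


def observe(nat, queries, max_other_flows=5):
    """External source ports of `queries` DNS lookups sent through `nat`.

    Between lookups, 0..max_other_flows unrelated flows also take NAT ports,
    as they would on a busy network (constructed traffic).
    """
    seen = []
    for _ in range(queries):
        for _ in range(secrets.randbelow(max_other_flows + 1)):
            nat.translate(random_port())
        seen.append(nat.translate(random_port()))
    return seen


def deltas(ports):
    """Step from each observed port to the next, modulo the port range."""
    return [(b - a) % PORT_SPAN for a, b in zip(ports, ports[1:])]


def delta_entropy_bits(ports):
    """Shannon entropy of the steps: bits needed to guess the next port from
    the previous one. The sample size caps it at log2(len(ports) - 1)."""
    counts = Counter(deltas(ports))
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def verdict(ports, max_step=64, threshold=0.9):
    """Classify observed ports as 'static', 'sequential' or 'random-looking'."""
    steps = deltas(ports)
    if all(s == 0 for s in steps):
        return "static"
    small = sum(1 for s in steps if s <= max_step)
    return "sequential" if small / len(steps) >= threshold else "random-looking"


def guess_space_bits(ports):
    """Bits an off-path sender must guess per reply: transaction ID plus port."""
    return TXID_BITS + delta_entropy_bits(ports)


if __name__ == "__main__":
    for name, nat in (("incremental NAT", IncrementalNat()),
                      ("random NAT", RandomNat())):
        ports = observe(nat, 500)
        print(f"{name:16} {verdict(ports):15} ~{guess_space_bits(ports):.1f} bits")
```

The same `verdict` function can be fed source ports captured on the outside interface of a real NAT/PAT device to see whether it undoes the resolver's randomization.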

Now for the good news: WatchGuard’s DNS proxy can reduce the risks of Internet-based DNS cache poisoning attacks.

How the Firebox DNS Proxy Helps

An attacker can only poison your DNS cache if you have configured your DNS server for recursion. Recursive DNS servers answer DNS queries for ANY domain. If they don’t know the answer to a particular DNS request, they send their own DNS queries to other authoritative DNS servers in order to find the answers. Because recursive DNS servers launch their own DNS queries, attackers have an opportunity to send spoofed replies that poison those servers’ DNS caches. However, if your server doesn’t allow for recursive DNS queries — rather, it answers queries about your domain only — then attackers have much less opportunity to lie to your server.

As a security measure, most DNS administrators configure their DNS servers not to use recursion when receiving DNS queries from the Internet. They may allow recursive requests from internal users, but not from external users. We highly recommend that you configure your DNS server in this way.

WatchGuard’s DNS proxy can help you set this up for all devices running WatchGuard System Manager (WSM) and Fireware, as follows:

§  In Policy Manager, click Setup => Actions => Proxies… Double-click the DNS-Incoming proxy action, and highlight Query Names under the Categories section. Here, you can control which domain name queries your DNS server will accept.

§  By default, the DNS-Incoming proxy action contains an asterisk wildcard under Query Names, which means it accepts queries for all domains. You want it to accept queries only for your domain. So highlight the asterisk and press Remove.

§  Now you simply need to add your domain or domains to the list of Query Names the DNS-Incoming proxy action accepts. Enter these domains in the Pattern dialog and press Add. Then press OK and then Close (you may be asked to rename this new DNS-Incoming proxy action).

§  Now you can add this new action to a DNS-Proxy policy. Set the policy as Allowed from Any-External to the IP address of your DNS server, and make sure to apply your new DNS-Incoming action to your DNS-Proxy policy.

Now, Internet-based users will only be able to make DNS requests that have to do with your domain name. Meanwhile, your internal users will still be able to make recursive DNS requests. This simple proxy setting should prevent external attackers from exploiting most DNS cache poisoning attacks against your DNS server.
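The check that the four steps above configure, written out as an added Python example rather than the Firebox proxy's own logic: parse the question from an incoming DNS query and allow it only when the name lies inside your zones. The zone names, function names and whole-label suffix matching are assumptions, and the sample packets are constructed.

```python
import struct

ALLOWED_ZONES = ("example.com", "example.net")  # constructed stand-ins for your domains


class BadQuery(ValueError):
    """Packet is not a single, well-formed DNS question."""


def build_query(*labels, txid=0x1234, flags=0x0100):
    """Encode a minimal query; used only to construct sample input."""
    header = struct.pack("!6H", txid, flags, 1, 0, 0, 0)
    name = b"".join(bytes([len(part)]) + part.encode("ascii") for part in labels)
    return header + name + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_question(packet):
    """Return (labels, qtype, qclass); labels is a tuple of lower-cased strings."""
    if len(packet) < 12:
        raise BadQuery("short header")
    _txid, flags, qdcount = struct.unpack("!3H", packet[:6])
    if flags & 0x8000:
        raise BadQuery("QR bit set: a response, not a query")
    if qdcount != 1:
        raise BadQuery("expected exactly one question")
    labels, pos, name_len = [], 12, 1
    while True:
        if pos >= len(packet):
            raise BadQuery("name runs past end of packet")
        length = packet[pos]
        pos += 1
        if length == 0:                      # root label ends the name
            break
        if length & 0xC0:
            raise BadQuery("compression pointer or reserved label type")
        if pos + length > len(packet):
            raise BadQuery("label runs past end of packet")
        name_len += length + 1
        if name_len > 255:
            raise BadQuery("name longer than 255 octets")
        labels.append(packet[pos:pos + length].decode("latin-1").lower())
        pos += length
    if pos + 4 > len(packet):
        raise BadQuery("missing QTYPE/QCLASS")
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return tuple(labels), qtype, qclass


def query_allowed(packet, zones=ALLOWED_ZONES):
    """True only when the query name is inside one of `zones`."""
    try:
        labels, _qtype, _qclass = parse_question(packet)
    except BadQuery:
        return False                         # fail closed on malformed input
    for zone in zones:
        want = tuple(zone.lower().rstrip(".").split("."))
        # Compare whole labels, not the dotted string: a single label that
        # contains a literal "." must not pass as two labels.
        if labels[-len(want):] == want:
            return True
    return False


if __name__ == "__main__":
    samples = {
        "www.example.com": build_query("www", "example", "com"),
        "badexample.com": build_query("badexample", "com"),
        "example.com.attacker.test": build_query("example", "com", "attacker", "test"),
        "label with embedded dot": build_query("attacker", "example.com"),
        "truncated packet": build_query("www", "example", "com")[:20],
    }
    for name, packet in samples.items():
        print(f"{name:28} {'allow' if query_allowed(packet) else 'deny'}")
```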

In the latest episode of Radio Free Security: Firebox Special, the LiveSecurity content team goes over the latest DNS cache poisoning attack, and this proxy workaround, in greater detail. If you have further questions pertaining to this issue, we highly recommend listening to this episode.

Finally, as a convenient reference, our original DNS alert from last week is reprinted below. You can also find it in the LiveSecurity Latest Broadcasts archive.



Summary:

§  This vulnerability affects: All software and networking devices that run DNS servers; to a lesser extent, software or devices with DNS clients

§  How an attacker exploits it: By sending your DNS server (or client) a series of specially crafted DNS queries and/or responses

§  Impact: The attacker could poison your DNS server’s cache with arbitrary IP addresses, thus forcing your users to visit arbitrary, malicious web sites

§  What to do: Deploy the appropriate updates from your DNS vendors as quickly as possible

Exposure:

The Domain Name Service (DNS) is a standard protocol used to translate IP addresses into human readable names. For instance, when you visit www.watchguard.com in your web browser, your DNS server translates that name into an Internet routable IP address registered to our company.

In a coordinated effort launched yesterday, CERT released an advisory warning of some overarching design flaws in the way many products implement the DNS protocol. These flaws could lead to a significant security vulnerability called DNS cache poisoning. Since the design flaws lie within the DNS protocol itself, the vulnerabilities can affect any software or networking device that runs a DNS server. They could even affect, to a lesser extent, software and devices that have a DNS client. Here’s a short list of the more common vendors and products affected by these DNS flaws:

§  Microsoft Windows (both its DNS Server and Client components, as described in yesterday’s alert)

§  Cisco IOS products

§  ISC’s Bind

§  Red Hat Linux

§  Sun Microsystems SunOS

For a complete list of affected vendors, see the Systems Affected section of CERT’s advisory.

Dan Kaminsky, a well-known DNS security researcher, discovered a way to exploit three DNS protocol design flaws. In order to give the world time to patch, Kaminsky and the vendors involved have not released any significant technical details describing how an attacker might exploit these vulnerabilities. They only generally outline the three design flaws as follows:

§  Insufficient randomization of a DNS query’s transaction ID field — When making DNS queries, DNS Servers and clients should use a strong random number (one that’s not easy to predict) for a field in the query called the transaction ID. Otherwise, an attacker might guess the transaction ID and can use that information to help falsify a DNS response in lieu of a legitimate response.

§  Multiple outstanding Resource Record requests — If your DNS server gets multiple requests to look up the same Resource Record (RR) (domain name data) at the same time, it should only generate one RR request and then share that result with all the requestors. However, many DNS implementations will generate multiple identical requests for the same RR. This condition leads to the possibility of something known as a birthday attack, which greatly increases the probability of successful DNS spoofing attacks.

§  Fixed source port in DNS queries — Many DNS implementations use the same source port for their DNS queries. The lack of source port randomization can make it easier for attackers to spoof DNS replies.
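An added example (not code from CERT, Kaminsky or any vendor) that sets the three weak behaviours listed above beside a pending-query table that coalesces duplicate questions, draws the transaction ID and source port from a CSPRNG, and accepts a reply only when every field matches. The class names, addresses, port range and the fixed port 53000 are constructed.

```python
import secrets
from dataclasses import dataclass, field

PORT_LO, PORT_SPAN = 1024, 65536 - 1024   # assumed ephemeral port range


@dataclass
class Upstream:
    """One query sent from the resolver to an authoritative server."""
    qname: str
    qtype: int
    server: str
    txid: int
    sport: int
    waiters: list = field(default_factory=list)


def norm(qname):
    """Case-fold and strip the trailing dot so equal names compare equal."""
    return qname.lower().rstrip(".")


class NaiveResolver:
    """The weak behaviour: counter-based transaction ID, one upstream query
    per client request, and a single fixed source port."""

    def __init__(self):
        self.pending = []
        self._txid = 0

    def ask(self, qname, qtype, server, client):
        self._txid = (self._txid + 1) & 0xFFFF
        query = Upstream(norm(qname), qtype, server, self._txid, 53000, [client])
        self.pending.append(query)        # duplicates pile up in flight
        return query


class HardenedResolver:
    """One upstream query per question, with unpredictable ID and port."""

    def __init__(self):
        self.pending = {}                 # (qname, qtype) -> Upstream in flight

    def ask(self, qname, qtype, server, client):
        key = (norm(qname), qtype)
        query = self.pending.get(key)
        if query is not None:             # same question already in flight
            query.waiters.append(client)
            return None                   # nothing new goes on the wire
        query = Upstream(key[0], qtype, server,
                         txid=secrets.randbelow(1 << 16),
                         sport=PORT_LO + secrets.randbelow(PORT_SPAN),
                         waiters=[client])
        self.pending[key] = query
        return query

    def accept_reply(self, qname, qtype, txid, dport, src):
        """Return the waiting clients if question, transaction ID, destination
        port and source address all match; otherwise None and keep waiting."""
        key = (norm(qname), qtype)
        query = self.pending.get(key)
        if query is None or (txid, dport, src) != (query.txid, query.sport, query.server):
            return None
        del self.pending[key]
        return query.waiters


if __name__ == "__main__":
    server = "192.0.2.53"                 # documentation address (constructed)
    naive, hard = NaiveResolver(), HardenedResolver()
    for i in range(50):                   # 50 clients ask the same question
        naive.ask("www.example.com", 1, server, f"client{i}")
        hard.ask("www.example.com", 1, server, f"client{i}")
    print("naive outstanding queries:   ", len(naive.pending))
    print("hardened outstanding queries:", len(hard.pending))
```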

By combining these three vulnerabilities in some manner which Kaminsky hasn’t yet explained in detail, an attacker can launch successful DNS cache poisoning attacks against your DNS server (and in some classes, specific DNS clients). This means an attacker can arbitrarily make any domain name point to any IP address he wants to. He could, for example, make www.bankofamerica.com point to the IP address of a malicious phishing site in an attempt to steal your banking credentials. Or he might redirect the domain name for any popular web site to point to a malicious drive-by download site that forces arbitrary malware onto your computer. In short, if an attacker can poison your DNS, you’ll never know if you’re seeing the correct version of the site you want to visit.

While Internet-wide DNS cache poisoning poses a very critical and sobering threat, the lack of technical details in CERT and Kaminsky’s alert has led many security experts to question the true severity of these DNS flaws. In general, vulnerabilities that rely on lack of randomization of certain elements often take significant effort for attackers to exploit. While some vulnerabilities can make it easier for attackers to predict random elements, just how predictable those elements are depends greatly on the technical details of the flaws. Without knowing how Kaminsky combined these flaws in his attack, we can’t say exactly how severe a risk they pose. However, since these vulnerabilities could potentially pose a very serious risk, and do affect so many products and devices, we highly recommend you patch all your affected DNS software and hardware as soon as you can.

Solution Path:

Many of the vendors affected by these vulnerabilities have released updates to mitigate the risk of these DNS protocol design issues. For a complete list of affected vendors, and links to those vendors’ updates, visit the Systems Affected section of CERT’s advisory. When you click the vendors’ links, you’ll get directed to another page that supplies you with the link to that vendor’s update. Keep in mind that at the time of this writing, many vendors have not yet responded to CERT’s coordinated release effort. CERT lists these vendors with the status of “Unknown.” You may want to occasionally revisit the Systems Affected section of CERT’s advisory to see if any vendors are changed to “Vulnerable.”

Also, if you are curious about whether or not your DNS servers are affected by this flaw, visit Dan Kaminsky’s DoxPara Research page. In the top-right corner of the main page, Kaminsky has provided an automated DNS Checker tool that will test whether or not these vulnerabilities affect the DNS servers assigned to your computer. The tool requires JavaScript to work, so be sure to enable it for DoxPara if you’ve used tools to block it.

Note: If you applied the patches from yesterday’s consolidated Windows alert, you have already applied Microsoft’s fix for this DNS issue.

For All WatchGuard Users:

As far as we can tell, these attacks travel as normal-looking DNS traffic, which you must allow if you want your users to access the Internet. Therefore, the vendor’s patches are your best solution.

Status:

Many vendors have released patches to fix these vulnerabilities.

References:

§  CERT’s DNS advisory

§  Microsoft’s DNS advisory

§  Cisco’s DNS advisory

§  Bind’s DNS advisory

§  Dan Kaminsky’s DoxPara Research Page


AltiGen Communications and SYNNEX Corporation to Offer a Complete Microsoft-based Unified Communications Solution

July 12, 2008

Houston, TX – July 9, 2008 – AltiGen® Communications, Inc. (NASDAQ: ATGN), a leading provider of VoIP business telephone systems and unified communications solutions for small-to-medium businesses (SMBs), including companies with multiple distributed locations, and SYNNEX Corporation (NYSE: SNX), a leading business process services company announce their intent to offer a complete Microsoft-based unified communications solution.

Through new product bundles, AltiGen and SYNNEX will offer a complete Microsoft-based unified communications solution consisting of AltiGen’s recently announced next generation unified communications solution MAX Communications Server 6.0 (MAXCS 6.0), Microsoft’s Exchange Server 2007, and Microsoft Windows Server running on Intel® based servers.

“Through AltiGen’s recently announced MAXCS 6.0, SYNNEX can now offer a complete Microsoft-based  unified communications solution to our SMB partners,” said Bob Stegner, Senior Vice President, Marketing, North America at SYNNEX Corporation. “With integration services available through SYNNEX, we provide convenient one stop shopping for preconfigured unified communications solutions and a compelling reason for companies to upgrade to Exchange Server 2007.”

Some of the key benefits of this complete Microsoft-based unified messaging solution include:

  • Microsoft Windows Server-based IP PBX running on Intel based servers
  • Exchange Server 2007 Unified Messaging Native Integration
    • Voicemail delivery/management via Outlook 2007
    • Voice access to your Exchange calendar, contacts, and notes
  • Automatic Call Distribution with Robust Call Center features
  • .NET based Windows Telephony Client
  • Simple Windows-based Administration  

“By offering a complete Microsoft-based unified communications solution with SYNNEX, AltiGen will gain access to a large base of Microsoft software resellers and customers that are looking for an all-in-one unified communications solution,” said Jeff Kays, Vice President of Business Development at AltiGen Communications. “This initiative plays a vital role in furthering AltiGen’s growth by driving new system sales while expanding our reseller channel.”

Availability
General availability and pricing of the new Microsoft-based unified communications bundle featuring MAX Communications Server 6.0 and Exchange Server 2007 is expected to be released calendar third quarter of 2008.

About AltiGen Communications
AltiGen Communications, Inc. (NASDAQ: ATGN) is a leading provider of VoIP business phone systems and Microsoft-based Unified Communications solutions for small-to-medium businesses (SMBs), including companies with multiple distributed locations, branch offices and call centers. AltiGen’s scalable, integrated, and easy to manage all-in-one unified communications solutions enable an array of applications like standards based SIP VoIP phones and servers, unified messaging, voicemail, call recording, conferencing, call activity reporting and mobility solutions that leverage both the Internet and the public telephone network to take advantage of the convergence of voice and data communications. AltiGen’s systems are designed with an open architecture and are built on an industry standard platform. This adherence to widely used standards allows products to integrate with and leverage the existing technology investment of partners and customers. For more information, call 1-888-ALTIGEN or visit the web site at www.altigen.com.

Safe Harbor Statement

This press release contains forward-looking statements within the meaning of Section 21E of the Securities Exchange Act of 1934, including, without limitation, statements regarding the continued market acceptance of our voice-over-IP telephone systems and call-center solutions, our successful introduction of the MAX Communications Server 6.0 as a part of the complete Microsoft-based unified communications solution offered by SYNNEX Corporation, and our expectation for SYNNEX Corporation to contribute to expanding our reseller channel and contributing to our revenue growth. These statements reflect management’s current expectation. However, actual results could differ materially as a result of unknown risks and uncertainties, including but not limited to, risks related to AltiGen’s limited operating history. For a more detailed description of these and other risks and uncertainties affecting AltiGen’s performance, please refer to AltiGen’s Annual Report on Form 10-K for the fiscal year ended September 30, 2007, and all subsequent current reports on Form 8-K and quarterly reports on Form 10-Q. All forward-looking statements in this press release are based on information available to AltiGen as of the date hereof, and AltiGen assumes no obligation to update these forward-looking statements.

Houston, TX – July 9, 2008 – AltiGen® Communications, Inc. (NASDAQ: ATGN), a leading provider of VoIP business telephone systems and unified communications solutions for small-to-medium businesses (SMBs), including companies with multiple distributed locations, and SYNNEX Corporation (NYSE: SNX), a leading business process services company announce their intent to offer a complete Microsoft-based unified communications solution.


WatchGuard: All DNS Servers Suffer From Common DNS Protocol Vulnerabilities

July 10, 2008

Severity: Medium

9 July, 2008


Summary:

§  This vulnerability affects: All software and networking devices that run DNS servers; to a lesser extent, software or devices with DNS clients

§  How an attacker exploits it: By sending your DNS server (or client) a series of specially crafted DNS queries and/or responses

§  Impact: The attacker could poison your DNS server’s cache with arbitrary IP addresses, thus forcing your users to visit arbitrary, malicious web sites

§  What to do: Deploy the appropriate updates from your DNS vendors as quickly as possible

Exposure:

The Domain Name Service (DNS) is a standard protocol used to translate IP addresses into human readable names. For instance, when you visit www.watchguard.com in your web browser, your DNS server translates that name into an Internet routable IP address registered to our company.

In a coordinated effort launched yesterday, CERT released an advisory warning of some overarching design flaws in the way many products implement the DNS protocol. These flaws could lead to a significant security vulnerability called DNS cache poisoning. Since the design flaws lie within the DNS protocol itself, the vulnerabilities can affect any software or networking device that runs a DNS server. They could even affect, to a lesser extent, software and devices that have a DNS client. Here’s a short list of the more common vendors and products affected by these DNS flaws:

§  Microsoft Windows (both its DNS Server and Client components, as described in yesterday’s alert)

§  Cisco IOS products

§  ISC’s Bind

§  Red Hat Linux

§  Sun Microsystems SunOS

For a complete list of affected vendors, see the Systems Affected section of CERT’s advisory.

Dan Kaminsky, a well-known DNS security researcher, discovered a way to exploit three DNS protocol design flaws. In order to give the world time to patch, Kaminsky and the vendors involved have not released any significant technical details describing how an attacker might exploit these vulnerabilities. They only generally outline the three design flaws as follows:

§  Insufficient randomization of a DNS query’s transaction ID field — When making DNS queries, DNS Servers and clients should use a strong random number (one that’s not easy to predict) for a field in the query called the transaction ID. Otherwise, an attacker might guess the transaction ID and can use that information to help falsify a DNS response in lieu of a legitimate response.

§  Multiple outstanding Resource Record requests — If your DNS server gets multiple requests to look up the same Resource Record (RR) (domain name data) at the same time, it should only generate one RR request and then share that result with all the requestors. However, many DNS implementations will generate multiple identical requests for the same RR. This condition leads to the possibility of something known as a birthday attack, which greatly increases the probability of successful DNS spoofing attacks.

§  Fixed source port in DNS queries — Many DNS implementations use the same source port for their DNS queries. The lack of source port randomization can make it easier for attackers to spoof DNS replies.
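An added example (not from WatchGuard, CERT or Kaminsky) of how a defender could check a batch of a resolver's outbound queries for the three weaknesses listed above and see how much an off-path forger would still have to guess. The function names, the `port_pool` value and the sample queries are assumptions constructed for illustration.

```python
import math
import struct

def make_query(txid, name, qtype=1):
    # Build a raw DNS query (12-byte header + one question) for the samples below.
    qname = b"".join(bytes([len(part)]) + part.encode() for part in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def parse_query(msg):
    """Return (transaction ID, lower-cased question name, qtype) of a raw DNS query."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, _flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated question name")
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length > 63 or pos + length > len(msg):
            raise ValueError("bad label in question name")
        labels.append(msg[pos:pos + length].decode("ascii", "replace").lower())
        pos += length
    if pos + 4 > len(msg):
        raise ValueError("truncated question")
    (qtype,) = struct.unpack("!H", msg[pos:pos + 2])
    return txid, ".".join(labels), qtype

def audit(samples, port_pool=64512):
    """samples: (source_port, raw_query) pairs a resolver had in flight at one time.
    Returns (findings, bits left to guess); port_pool assumes ports 1024-65535."""
    parsed = [(port,) + parse_query(msg) for port, msg in samples]
    ports = [p[0] for p in parsed]
    txids = [p[1] for p in parsed]
    questions = [(p[2], p[3]) for p in parsed]
    findings = []
    if len(set(ports)) == 1:
        findings.append("fixed source port")
    steps = {(b - a) % 65536 for a, b in zip(txids, txids[1:])}
    if len(txids) > 2 and len(steps) == 1:  # constant stride, e.g. a counter
        findings.append("predictable transaction ID")
    if len(set(questions)) < len(questions):  # same RR requested more than once
        findings.append("duplicate outstanding queries")
    bits = 0.0 if "predictable transaction ID" in findings else 16.0  # TXID is 16 bits
    if "fixed source port" not in findings:
        bits += math.log2(port_pool)
    return findings, bits

# Constructed samples, not captured traffic.
WEAK = [(32768, make_query(100 + i, n)) for i, n in enumerate(
    ["www.example.com", "mail.example.com", "www.example.com", "ns.example.com"])]
HARDENED = [(49211, make_query(0x9C1E, "www.example.com")), (20017, make_query(0x03A7, "mail.example.com")),
            (61532, make_query(0xE45B, "ns.example.com")), (35104, make_query(0x5D90, "ftp.example.com"))]
```

A short sample can only flag the obvious cases (one port, a counting transaction ID); passing this check does not prove the values are unpredictable.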

By combining these three vulnerabilities in some manner which Kaminsky hasn’t yet explained in detail, an attacker can launch successful DNS cache poisoning attacks against your DNS server (and in some classes, specific DNS clients). This means an attacker can arbitrarily make any domain name point to any IP address he wants to. He could, for example, make www.bankofamerica.com point to the IP address of a malicious phishing site in an attempt to steal your banking credentials. Or he might redirect the domain name for any popular web site to point to a malicious drive-by download site that forces arbitrary malware onto your computer. In short, if an attacker can poison your DNS, you’ll never know if you’re seeing the correct version of the site you want to visit.

While Internet-wide DNS cache poisoning poses a very critical and sobering threat, the lack of technical details in CERT and Kaminsky’s alert has led many security experts to question the true severity of these DNS flaws. In general, vulnerabilities that rely on lack of randomization of certain elements often take significant effort for attackers to exploit. While some vulnerabilities can make it easier for attackers to predict random elements, just how predictable those elements are depends greatly on the technical details of the flaws. Without knowing how Kaminsky combined these flaws in his attack, we can’t say exactly how severe a risk they pose. However, since these vulnerabilities could potentially pose a very serious risk, and do affect so many products and devices, we highly recommend you patch all your affected DNS software and hardware as soon as you can.

Solution Path:

Many of the vendors affected by these vulnerabilities have released updates to mitigate the risk of these DNS protocol design issues. For a complete list of affected vendors, and links to those vendors’ updates, visit the Systems Affected section of CERT’s advisory. When you click the vendors’ links, you’ll get directed to another page that supplies you with the link to that vendor’s update. Keep in mind that at the time of this writing, many vendors have not yet responded to CERT’s coordinated release effort. CERT lists these vendors with the status of “Unknown.” You may want to occasionally revisit the Systems Affected section of CERT’s advisory to see if any vendors are changed to “Vulnerable.”

Also, if you are curious about whether or not your DNS servers are affected by this flaw, visit Dan Kaminsky’s DoxPara Research page. In the top-right corner of the main page, Kaminsky has provided an automated DNS Checker tool that will test whether or not these vulnerabilities affect the DNS servers assigned to your computer. The tool requires JavaScript to work, so be sure to enable it for DoxPara if you’ve used tools to block it.

Note: If you applied the patches from yesterday’s consolidated Windows alert, you have already applied Microsoft’s fix for this DNS issue.

For All WatchGuard Users:

As far as we can tell, these attacks travel as normal-looking DNS traffic, which you must allow if you want your users to access the Internet. Therefore, the vendor’s patches are your best solution.

Status:

Many vendors have released patches to fix these vulnerabilities.

References:

§  CERT’s DNS advisory

§  Microsoft’s DNS advisory

§  Cisco’s DNS advisory

§  Bind’s DNS advisory

§  Dan Kaminsky’s DoxPara Research Page


WatchGuard: Attackers Exploiting Zero Day Microsoft Word 2002 Flaw

July 10, 2008

Severity: Medium

9 July, 2008


Summary:

§  These vulnerabilities affect: Microsoft Word 2002 w/SP3. Doesn’t affect any other versions of Word.

§  How an attacker exploits them: By enticing one of your users into downloading and opening a malicious Word document

§  Impact: An attacker can execute code, potentially gaining complete control of your user’s computer

§  What to do: Implement workarounds found in the “Solution Path” section below

Exposure:

In a security advisory quietly released during Patch Day, Microsoft warns of a serious unpatched vulnerability in Word 2002 with Service Pack 3 (SP3) that attackers have begun exploiting on the Internet. Since they just discovered this vulnerability in the wild, Microsoft doesn’t describe it in any technical detail. However, they do describe how an attacker might leverage the new vulnerability: By enticing one of your users into opening a maliciously crafted Word document, an attacker could exploit this flaw to execute code on that user’s machine, with that user’s privileges. If the user has local administrator rights, the attacker would gain full control of the user’s machine.

Since attackers have already begun leveraging this flaw in the wild (in what Microsoft describes as targeted attacks), we highly recommend you implement one of the workarounds suggested below.

Solution Path:

Microsoft has not had time to release a patch yet for this vulnerability. We will update this alert as soon as they do. Until that time, you can mitigate the risk of this vulnerability in the following ways:

§  Inform your users of this breaking vulnerability. Warn your users of this new flaw and remind them to avoid saving or opening unsolicited Word documents, whether or not they trust the source of the document. If they receive an unsolicited document from someone they trust, they should contact that source first, to ensure that the document is indeed legitimate.

§  Keep your antivirus (AV) software up-to-date. Many AV products will eventually release signatures for this new threat, if they haven’t done so already. Be sure to set your AV software to update automatically, so you’ll get those updates as soon as possible.

§  Block Word documents at your perimeter. Some perimeter security devices, including WatchGuard’s Firebox line, are able to block certain types of content at your gateway. If you like, you can set these devices to block all Word files that arrive via HTTP, SMTP, or FTP. (Of course, some businesses need to receive Word files on a daily basis; in that case, you can either skip this workaround, or have legitimate senders zip their Word files before sending them.)

For All WatchGuard Users:

Many of WatchGuard’s Firebox models allow you to prevent your users from accessing Word (.doc) files via the web (HTTP) or email (SMTP, POP3). So, you can temporarily mitigate the risk of this vulnerability by blocking .doc files using your Firebox’s proxy services (video instructions below). Again, if blocking Word documents will disrupt your business, you can skip this workaround or ask legitimate senders to zip their Word files.

If you choose to block Word documents, follow the links below for video instructions on using your Firebox proxy’s content blocking features to block .doc files by their file extensions:

§  Firebox X Edge running 10.x

§  How do I block files with the FTP proxy? (Video, 2:30)
Windows Media, 17.4MB   /    QuickTime, 11.8MB

§  How do I block files with the HTTP proxy? (Video, 2:52)
Windows Media, 32MB   /    QuickTime, 28.6MB

§  How do I block files with the POP3 proxy? (Video, 2:35)
Windows Media, 17.6MB   /    QuickTime, 16.5MB

§  How do I block files with the SMTP proxy? (Video, 2:18)
Windows Media, 12.2MB   /    QuickTime, 9.1MB

§  Firebox X Core and X Peak running Fireware 10.x

§  How do I block files with the FTP proxy? (Video, 2:30)
Windows Media, 25.2MB   /    QuickTime, 9.1MB

§  How do I block files with the HTTP proxy? (Video, 2:52)
Windows Media, 38.2MB   /    QuickTime, 10.7MB

§  How do I block files with the POP3 proxy? (Video, 2:35)
Windows Media, 23.2MB   /    QuickTime, 10.1MB

§  How do I block files with the SMTP proxy? (Video, 2:18)
Windows Media, 25.6MB   /    QuickTime, 9.0MB

Status:

Microsoft hasn’t had time to release a patch for this zero day vulnerability. We will inform you when they do.

References:

Microsoft Word 2002 Security Advisory 07-08


Comcast and Vonage Form Collaboration to Address Network Management and Better Meet Customer Needs

July 10, 2008
PHILADELPHIA & HOLMDEL, N.J., Jul 09, 2008 (BUSINESS WIRE) — Comcast Corporation and Vonage Holdings Corporation announced today a collaborative agreement to address the reasonable network management of Internet services. Comcast committed to work together with Vonage to ensure that network management techniques are chosen that effectively balance the need to avoid network congestion with the need to ensure that over-the-top VoIP services like Vonage work well for consumers.
“This agreement helps Vonage to ensure that customers have the best possible Internet experience,” said Louis Mamakos, Vonage Chief Technology Officer. “Although we’re competitors with Comcast, this understanding helps our two companies work together to balance the needs of network management with consumers’ ability to freely access the services, applications and content of their choice.”
“This collaboration with Vonage, and our outreach to many key participants in the Internet community, demonstrate that we are committed to provide network management solutions that benefit consumers and competition,” said Tony Werner, Comcast Chief Technology Officer.
This is the latest in a series of announcements related to Comcast’s network management practices that demonstrate the company’s commitment to ensuring its customers’ ability to use any application or access any content they choose while avoiding network congestion situations that could affect the consumer experience. In March, Comcast announced it would move to a protocol-agnostic network management approach by the end of 2008, and tests on this approach have already begun. Comcast has announced other collaborations with BitTorrent, Inc. and Pando Networks, as well as participation in the P4P Working Group organized by the Distributed Computing Industry Association (DCIA). Comcast has also participated in the IETF Workshop on P2P Infrastructure, and will continue to collaborate in the IETF with other ISPs, P2P providers, and others on technologies related to network management and P2P application development.
About Comcast Corporation
Comcast Corporation is the nation’s leading provider of entertainment, information and communications products and services. With 24.7 million cable customers, 14.1 million high-speed Internet customers, and 5.2 million voice customers, Comcast is principally involved in the development, management and operation of broadband cable systems and in the delivery of programming content.

Comcast’s content networks and investments include E! Entertainment Television, Style Network, The Golf Channel, VERSUS, G4, PBS KIDS Sprout, TV One, ten Comcast SportsNet networks and Comcast Interactive Media, which develops and operates Comcast’s Internet business. Comcast also has a majority ownership in Comcast-Spectacor, whose major holdings include the Philadelphia Flyers NHL hockey team, the Philadelphia 76ers NBA basketball team and two large multipurpose arenas in Philadelphia.
About Vonage
Vonage is a leading provider of broadband telephone services with 2.6 million subscriber lines. Our award-winning technology enables anyone to make and receive phone calls with a touch tone telephone almost anywhere a broadband Internet connection is available. We offer feature-rich and cost-effective communication services that offer users an experience similar to traditional telephone services.

Our Residential Premium Unlimited and Small Business Unlimited calling plans offer consumers unlimited local and long distance calling, and popular features like call waiting, call forwarding and voicemail – for one low, flat monthly rate.
Vonage’s service is sold on the web and through national retailers including Best Buy, Circuit City, Wal-Mart Stores Inc. and Target and is available to customers in the U.S., Canada and the United Kingdom. For more information about Vonage’s products and services, please visit http://www.vonage.com.
Vonage Holdings Corp. is headquartered in Holmdel, New Jersey. Vonage(R) is a registered trademark of Vonage Marketing Inc., a subsidiary of Vonage Holdings Corp.
SOURCE: Comcast Corporation
Sena Fitzmaurice
Comcast
202-379-7107
sena_fitzmaurice@comcast.com
or
Michael Zema
Vonage
732-528-2677
michael.zema@vonage.com