Further to the security alert A11-04-01 and further update A11-04-01a issued on 12.04.2011 and 18.04.2011 respectively, we would like to draw your attention that Adobe has released updated versions of Adobe Reader/Acrobat to address the issue. It will also fix another memory corruption vulnerability in the "CoolType" library found in Adobe Reader/Acrobat products. The respective versions can be updated by "Check for Updates" mechanism in Adobe Reader/Acrobat or can be downloaded at the following URLs:
- Adobe Reader version 9.4.4
* http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows (for Windows)
* http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh (for Macintosh)
- Adobe Reader version 10.0.3 for Macintosh
* http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh
- Adobe Acrobat Professional/Standard versions 9.4.4 and 10.0.3
* http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows (for Windows)
* http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh (for Macintosh)
- Adobe Acrobat Professional Extended version 9.4.4 for Windows
* http://www.adobe.com/support/downloads/product.jsp?product=158&platform=Windows
Users of affected systems should follow the recommendations provided by the product vendor and take immediate actions to mitigate the risk.
DITSOs (or your delegates) are also requested to inform the relevant system administrators and end users as appropriate about this issue.
More Information:
More information about this update is available at:
* http://www.adobe.com/support/security/bulletins/apsb11-07.html
* http://www.adobe.com/support/security/bulletins/apsb11-08.html
* http://www.adobe.com/support/security/advisories/apsa11-02.html
* http://www.us-cert.gov/current/index.html#adobe_releases_security_updates_for8
* http://www.kb.cert.org/vuls/id/230057
* http://secunia.com/advisories/44149/
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0610
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0611
星期二, 4月 26, 2011
星期一, 4月 25, 2011
Review Assessment: Test 8 Topic 9
COMPUTER CONTROL AUDITING AND SECURITY
Question 1
Which of the following has a security classification? (10.1)
A. a subject
B. an object
C. All of the above
D. None of the above
Correct answer is B.
In most security models, each subject and each object is assigned a security class. In the simplest formulation, security classes form a strict hierarchy and are referred to as security levels. A subject is said to have a security clearance of a given level; an object is said to have a security classification of a given level.
Question 2
What are the three rules specified by the BLP model? (10.2)
A. no read down, no write up and no property
B. ds-property, no read up and no write down
C. *-propety, no write up and security authorisation to a higher level object
D. none of the above
Correct answer is B.
no read up: A subject can only read an object of less or equal security level. This is referred to in the literature as the simple security property (ss-property).
no write down: A subject can only write into an object of greater or equal security level. This is referred to in the literature as the *-property.
ds-property: An individual (or role) may grant to another individual (or role) access to a document based on the owner's discretion, constrained by the MAC rules. Thus, a subject can exercise only accesses for which it has the necessary authorization and which satisfy the MAC rules.
Question 3
What does the Biba model deal with? (10.4)
A. unauthorised disclosure of information
B. integrity
C. confidentiality
D. unauthorised modification of information
E. Both B and D
F. Both A and C
G. None of the above
Correct answer is E.
The BLP model deals with confidentiality and is concerned with unauthorized disclosure of information. The Biba model deals with integrity and is concerned with the unauthorized modification of data.
Question 4
1 points Save
Which of the following are degrees of granularity that are possible with am MLS database? (10.11)
A. Entire database
B. Individual columns
C. Individual elements
D. Individual tables
E. Only B, C and D above
F. All of the above
Correct answer is F.
Refering to page 327 of the text, Stallings & Brown (2008), note the following:
Entire database: This simple approach is easily accomplished on an MLS platform. An entire database, such as a financial or personnel database, could be classified as confidential or restricted and maintained on a server with other files.
Individual tables (relations): For some applications, it is appropriate to assign classification at the table level. In the example of Figure 10.10a, two levels of classification are defined: unrestricted (U) and restricted (R). The Employee table contains sensitive salary information and is classified restricted, while the Department table is unrestricted. This level of granularity is relatively easy to implement and enforce.
Individual columns (attributes): A security administrator may choose to determine classification on the basis of attributes, so that selected columns are classified. In the example of Figure 10.10b, the administrator determines that salary information and the identity of department managers is restricted information.
Individual rows (tuples): In other circumstances, it may make sense to assign classification levels on the basis of individual rows that match certain properties. In the example of Figure 10.10c, all rows in the Department table that contain information relating to the Accounts Department (Dept. ID = 4), and all rows in the Employee Table for which the Salary is greater than 50K are restricted.
Individual elements: The most difficult scheme to implement and manage is one in which individual elements may be selectively classified. In the example of Figure 10.10d, salary information and the identity of the manager of the Accounts Department are restricted.
Question 5
What are the three basic services of the TPM? (10.13)
A. Microsoft firewall, anti virus software and encryption service
B. anti virus software, Microsoft Windows Malicious Software Removal Tool and SSL certification
C. authenticated boot service, certification service and encryption service
D. none of the above
Correct answer is C.
Authenticated boot service: The authenticated boot service is responsible for booting the entire operating system in stages and assuring that each portion of the OS, as it is loaded, is a version that is approved for use.
Certification service: Once a configuration is achieved and logged by the TPM, the TPM can certify the configuration to other parties. The TPM can produce a digital certificate by signing a formatted description of the configuration information using the TPM's private key. Thus, another user, either a local user or a remote system, can have confidence that an unaltered configuration is in use.
Encryption service: The encryption service enables the encryption of data in such a way that the data can be decrypted only by a certain machine and only if that machine is in a certain configuration.
Further details are provided on page 330 of the text, Stallings & Brown (2008).
Question 6
Under the Common Criteria Evaluation Assurance Levels, what is the highest level of assessment a product can be rated? (10.17)
A. EAL7
B. E1
C. EAL1
D. A1
Correct answer is A.
The highest Evaluation Assurance Level is EAL7.
Refer to your text, page 342 and 243, Computer Security Principles and Practice, Stalling & Brown, 2008.
Question 1
Which of the following has a security classification? (10.1)
A. a subject
B. an object
C. All of the above
D. None of the above
Correct answer is B.
In most security models, each subject and each object is assigned a security class. In the simplest formulation, security classes form a strict hierarchy and are referred to as security levels. A subject is said to have a security clearance of a given level; an object is said to have a security classification of a given level.
Question 2
What are the three rules specified by the BLP model? (10.2)
A. no read down, no write up and no property
B. ds-property, no read up and no write down
C. *-propety, no write up and security authorisation to a higher level object
D. none of the above
Correct answer is B.
no read up: A subject can only read an object of less or equal security level. This is referred to in the literature as the simple security property (ss-property).
no write down: A subject can only write into an object of greater or equal security level. This is referred to in the literature as the *-property.
ds-property: An individual (or role) may grant to another individual (or role) access to a document based on the owner's discretion, constrained by the MAC rules. Thus, a subject can exercise only accesses for which it has the necessary authorization and which satisfy the MAC rules.
Question 3
What does the Biba model deal with? (10.4)
A. unauthorised disclosure of information
B. integrity
C. confidentiality
D. unauthorised modification of information
E. Both B and D
F. Both A and C
G. None of the above
Correct answer is E.
The BLP model deals with confidentiality and is concerned with unauthorized disclosure of information. The Biba model deals with integrity and is concerned with the unauthorized modification of data.
Question 4
1 points Save
Which of the following are degrees of granularity that are possible with am MLS database? (10.11)
A. Entire database
B. Individual columns
C. Individual elements
D. Individual tables
E. Only B, C and D above
F. All of the above
Correct answer is F.
Refering to page 327 of the text, Stallings & Brown (2008), note the following:
Entire database: This simple approach is easily accomplished on an MLS platform. An entire database, such as a financial or personnel database, could be classified as confidential or restricted and maintained on a server with other files.
Individual tables (relations): For some applications, it is appropriate to assign classification at the table level. In the example of Figure 10.10a, two levels of classification are defined: unrestricted (U) and restricted (R). The Employee table contains sensitive salary information and is classified restricted, while the Department table is unrestricted. This level of granularity is relatively easy to implement and enforce.
Individual columns (attributes): A security administrator may choose to determine classification on the basis of attributes, so that selected columns are classified. In the example of Figure 10.10b, the administrator determines that salary information and the identity of department managers is restricted information.
Individual rows (tuples): In other circumstances, it may make sense to assign classification levels on the basis of individual rows that match certain properties. In the example of Figure 10.10c, all rows in the Department table that contain information relating to the Accounts Department (Dept. ID = 4), and all rows in the Employee Table for which the Salary is greater than 50K are restricted.
Individual elements: The most difficult scheme to implement and manage is one in which individual elements may be selectively classified. In the example of Figure 10.10d, salary information and the identity of the manager of the Accounts Department are restricted.
Question 5
What are the three basic services of the TPM? (10.13)
A. Microsoft firewall, anti virus software and encryption service
B. anti virus software, Microsoft Windows Malicious Software Removal Tool and SSL certification
C. authenticated boot service, certification service and encryption service
D. none of the above
Correct answer is C.
Authenticated boot service: The authenticated boot service is responsible for booting the entire operating system in stages and assuring that each portion of the OS, as it is loaded, is a version that is approved for use.
Certification service: Once a configuration is achieved and logged by the TPM, the TPM can certify the configuration to other parties. The TPM can produce a digital certificate by signing a formatted description of the configuration information using the TPM's private key. Thus, another user, either a local user or a remote system, can have confidence that an unaltered configuration is in use.
Encryption service: The encryption service enables the encryption of data in such a way that the data can be decrypted only by a certain machine and only if that machine is in a certain configuration.
Further details are provided on page 330 of the text, Stallings & Brown (2008).
Question 6
Under the Common Criteria Evaluation Assurance Levels, what is the highest level of assessment a product can be rated? (10.17)
A. EAL7
B. E1
C. EAL1
D. A1
Correct answer is A.
The highest Evaluation Assurance Level is EAL7.
Refer to your text, page 342 and 243, Computer Security Principles and Practice, Stalling & Brown, 2008.
星期日, 4月 24, 2011
開機時顯示 "please wait for IDE scan"
問:
電腦啟動時顯示「please wait for IDE scan」,如何取消?
答:
可以在BIOS頁面將RAID關掉,但可能會有部份硬盤不能使用。
例如 GIGABYTE 中 Socket 775 - 945P 的 GA-8I945P-G,有一個紅色的IDE port及兩個綠色的IDE port。關掉RAID後兩個綠色的IDE 接口便不能使用了。
電腦啟動時顯示「please wait for IDE scan」,如何取消?
答:
可以在BIOS頁面將RAID關掉,但可能會有部份硬盤不能使用。
例如 GIGABYTE 中 Socket 775 - 945P 的 GA-8I945P-G,有一個紅色的IDE port及兩個綠色的IDE port。關掉RAID後兩個綠色的IDE 接口便不能使用了。
星期四, 4月 21, 2011
有關excel if 問題
Q: 我想整一條if
F4=44
我想整 F4 細過或等於40時 就出現個 差 字 F4係40-50個數值內就出現 一般 字 F4係 50或者以上既數值就出現 好 字
想問點整?
我想問如果"差" 果個字要紅色
同埋要計差同一般加埋係有幾多個,用邊個函數去計??有冇得比式/_\'..thankyou
A:
G4 =IF(F4<=40,"差",IF(F4>=50,"好","一般"))
G11 =COUNTIF(G4:G8, "差")
F4=44
我想整 F4 細過或等於40時 就出現個 差 字 F4係40-50個數值內就出現 一般 字 F4係 50或者以上既數值就出現 好 字
想問點整?
我想問如果"差" 果個字要紅色
同埋要計差同一般加埋係有幾多個,用邊個函數去計??有冇得比式/_\'..thankyou
A:
G4 =IF(F4<=40,"差",IF(F4>=50,"好","一般"))
G11 =COUNTIF(G4:G8, "差")
44.The sum of 3 consecutive EVEN number is 90. Find the smallest one.
Let x be the smallest consecutive EVEN number.
x + (x + 2) + (x + 4) = 90
=> 3x + 6 = 90
=> x + 2 = 30
=> x = 28
45.The sum of two numbers is 84 . If the large number exceed 3 times the smaller by 4 ,what is the larger number?
Let x be the smaller number and y be the larger number.
x + y = 84 --- (1)
3x + 4 = y --- (2)
Put (2) into (1):
x + (3x + 4) = 84
4x + 4 = 84
x = 20 --- (3)
Put (3) back into (2):
3(20) + 4 = y
y = 64
i.e. The larger number is 64.
46. Betty is 5kg lighter than twice the weight of Jane. Their total weight is 94kg. Find the weight of Betty.
Let x be the weight of Betty and y be the weight of Jane.
x + y = 94 --(1)
x + 5 = 2y --(2)
(1)-(2):
x + y - x - 5 = 94 - 2y
y - 5 = 94 - 2y
3y = 99
y = 33 --(3)
Put (3) back into (1):
x + 33 = 94
x = 61
i.e. the weight of Betty is 61 kg
47. There are some $2 coins and some $5 coins. The total value is $78 and the total number of coins is 21 . Find the number of $5 coins.
Let b be number of $2 coins and e be number of $5 coins.
2b + 5e = 78 --(1)
b + e = 21 --(2)
(1) - 2 x (2):
2b + 5e - 2b - 2e = 78 - 2 x 21
3e = 36
e = 12
i.e. the number of $5 coins is 12.
48. There are some $2 coins and some $5 coins. The total value is $169 and the total number of coins is 50 . Find the number of $2 coins
Let b be number of $2 coins and e be number of $5 coins.
2b + 5e = 169 --(1)
b + e = 50 --(2)
(1)- 5 x (2):
2b + 5e - 5b - 5e = 169 - 250
81 = 3b
b = 27
i.e. the number of $2 coins is 27
Let x be the smallest consecutive EVEN number.
x + (x + 2) + (x + 4) = 90
=> 3x + 6 = 90
=> x + 2 = 30
=> x = 28
45.The sum of two numbers is 84 . If the large number exceed 3 times the smaller by 4 ,what is the larger number?
Let x be the smaller number and y be the larger number.
x + y = 84 --- (1)
3x + 4 = y --- (2)
Put (2) into (1):
x + (3x + 4) = 84
4x + 4 = 84
x = 20 --- (3)
Put (3) back into (2):
3(20) + 4 = y
y = 64
i.e. The larger number is 64.
46. Betty is 5kg lighter than twice the weight of Jane. Their total weight is 94kg. Find the weight of Betty.
Let x be the weight of Betty and y be the weight of Jane.
x + y = 94 --(1)
x + 5 = 2y --(2)
(1)-(2):
x + y - x - 5 = 94 - 2y
y - 5 = 94 - 2y
3y = 99
y = 33 --(3)
Put (3) back into (1):
x + 33 = 94
x = 61
i.e. the weight of Betty is 61 kg
47. There are some $2 coins and some $5 coins. The total value is $78 and the total number of coins is 21 . Find the number of $5 coins.
Let b be number of $2 coins and e be number of $5 coins.
2b + 5e = 78 --(1)
b + e = 21 --(2)
(1) - 2 x (2):
2b + 5e - 2b - 2e = 78 - 2 x 21
3e = 36
e = 12
i.e. the number of $5 coins is 12.
48. There are some $2 coins and some $5 coins. The total value is $169 and the total number of coins is 50 . Find the number of $2 coins
Let b be number of $2 coins and e be number of $5 coins.
2b + 5e = 169 --(1)
b + e = 50 --(2)
(1)- 5 x (2):
2b + 5e - 5b - 5e = 169 - 250
81 = 3b
b = 27
i.e. the number of $2 coins is 27
星期三, 4月 20, 2011
Security Alert (A11-04-04): Multiple Vulnerabilities in Oracle Products (April 2011)
Affected Systems:
Oracle has released Critical Patch Updates with collections of patches for 73 security vulnerabilities found in various Oracle products and Oracle Sun products.
Patches for Oracle Database, Oracle Fusion Middleware, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite Applications, JD Edwards EnterpriseOne, JD Edwards OneWorld Tools, PeopleSoft Enterprise Portal Applications, PeopleSoft Enterprise PeopleTools, Siebel Enterprise, Oracle Industry Applications and Oracle VM are cumulative.
Impact:
Depending on the vulnerability exploited, a successful attack could lead to denial of service, access to sensitive information, or taking complete control of an affected system.
Recommendation:
Patches for affected systems are available. Users of the affected systems should follow the recommendations provided by the product vendor and take immediate actions to mitigate the risk. For detailed information of the patches, please refer to the section "Patch Availability Table and Risk Matrices" of corresponding security advisory at the vendor's website:
DITSOs (or your delegates) are also requested to inform the relevant system administrators and end users as appropriate about this issue.
More Information:
More information about the vulnerabilities is available at:
Database
- Oracle Database 11g Release 2, versions 11.2.0.1, 11.2.0.2
- Oracle Database 11g Release 1, version 11.1.0.7
- Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4, 10.2.0.5
- Oracle Database 10g Release 1, version 10.1.0.5
Fusion Middleware
- Oracle Fusion Middleware 11g Release 1, versions 11.1.1.2.0, 11.1.1.3.0, 11.1.1.4.0
- Oracle Application Server 10g Release 2, version 10.1.2.3.0
- Oracle Application Server 10g Release 3, version 10.1.3.5.0
- Oracle Identity Management 10g, versions 10.1.4.0.1, 10.1.4.3
- Oracle JRockit, versions R27.6.8 and earlier (JDK/JRE 1.4.2, 5, 6), R28.1.1 and earlier (JDK/JRE 5, 6)
- Oracle Outside In Technology, versions 8.3.2.0, 8.3.5.0
- Oracle WebLogic Server, versions 8.1.6, 9.2.3, 9.2.4, 10.0.2, 11gR1(10.3.2, 10.3.3, 10.3.4)
E-Business Suite
- Oracle E-Business Suite Release 12, versions 12.0.6, 12.1.1, 12.1.2, 12.1.3
- Oracle E-Business Suite Release 11i, version 11.5.10.2
Oracle Supply Chain
- Oracle Agile Technology Platform, versions 9.3.0.2, 9.3.1
PeopleSoft
- Oracle PeopleSoft Enterprise CRM, version 8.9
- Oracle PeopleSoft Enterprise ELS, versions 9.0, 9.1
- Oracle PeopleSoft Enterprise HRMS, versions 9.0, 9.1
- Oracle PeopleSoft Enterprise Portal, versions 8.8, 8.9, 9.0, 9.1
- Oracle PeopleSoft Enterprise People Tools, versions 8.49, 8.50, 8.51
JD Edwards
- Oracle JD Edwards OneWorld Tools, version 24.1.x
- Oracle JD Edwards EnterpriseOne Tools, version 8.98.x
Siebel
- Oracle Siebel CRM Core, versions 7.8.2, 8.0.0, 8.1.1
Health Sciences Applications
- Oracle InForm, versions 4.5, 4.6, 5.0
Oracle Sun Product Suite
- Oracle Sun Product Suite
- Oracle Open Office, version 3 and StarOffice/StarSuite, versions 7, 8
Oracle has released Critical Patch Updates with collections of patches for 73 security vulnerabilities found in various Oracle products and Oracle Sun products.
Patches for Oracle Database, Oracle Fusion Middleware, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite Applications, JD Edwards EnterpriseOne, JD Edwards OneWorld Tools, PeopleSoft Enterprise Portal Applications, PeopleSoft Enterprise PeopleTools, Siebel Enterprise, Oracle Industry Applications and Oracle VM are cumulative.
Impact:
Depending on the vulnerability exploited, a successful attack could lead to denial of service, access to sensitive information, or taking complete control of an affected system.
Recommendation:
Patches for affected systems are available. Users of the affected systems should follow the recommendations provided by the product vendor and take immediate actions to mitigate the risk. For detailed information of the patches, please refer to the section "Patch Availability Table and Risk Matrices" of corresponding security advisory at the vendor's website:
- http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html
DITSOs (or your delegates) are also requested to inform the relevant system administrators and end users as appropriate about this issue.
More Information:
More information about the vulnerabilities is available at:
- http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html
- http://www.us-cert.gov/current/index.html#oracle_critical_patch_update_pre1
- http://www.kb.cert.org/vuls/id/520721
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3450
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3451
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3452
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3453
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3454
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3689
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4253
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4452
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4476
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4643
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0411
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0412
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0785
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0787
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0789
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0790
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0791
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0792
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0793
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0794
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0795
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0796
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0797
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0798
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0799
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0800
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0801
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0803
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0804
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0805
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0806
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0807
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0808
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0809
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0810
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0812
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0813
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0818
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0819
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0820
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0821
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0823
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0824
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0825
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0826
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0827
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0828
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0829
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0833
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0834
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0836
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0837
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0839
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0840
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0841
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0843
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0844
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0846
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0847
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0849
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0850
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0851
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0853
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0854
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0855
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0856
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0857
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0858
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0859
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0860
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0861
星期二, 4月 19, 2011
MC_topic10.pdf
MULTIPLE CHOICE. Choose the one alternative that best completes the statement or answers the question.
1) Which statement below regarding the development of an AIS is false?
A) A newly designed AIS always meets user needs for a time period.
B) Changes to the AIS are often difficult to make after requirements have been frozen into specifications.
C) Users are unable to specify their needs adequately.
D) The development process can take so long that the system no longer meets company needs.
2) In which approach to systems acquisition is "inexpensive updates" considered an advantage?
A) turnkey software and systems
B) custom software
C) canned software
D) modified software
3) When canned software is used for systems acquisition, the conceptual design phase of the SDLC
A) is the same.
B) involves a make-or-buy decision.
C) is combined with the physical design phase.
D) is eliminated.
4) When canned software is used for systems acquisition, the physical design phase of the SDLC
A) is the same.
B) is eliminated.
C) is combined with the conceptual design phase.
D) does not involve designing and coding although modifications may be made.
5) When canned software is used for systems acquisition, the implementation and conversion phase of the SDLC
A) does not involve the documentation step.
B) does not require the develop and test software step.
C) does not require the company to have trained IS personnel.
D) both A and C above
6) When canned software is used for systems acquisition, the maintenance aspect of the operations and maintenance phase of the SDLC
A) is not necessary and is eliminated.
B) is usually the responsibility of the vendor.
C) is more costly.
D) requires trained personnel.
7) Software development companies write commercial software that can be used by a variety of organizations. Sometimes these companies combine both software and hardware together to sell as one package. Such a package is commonly referred to as
A) an application service package.
B) canned software.
C) a value-added system.
D) a turnkey system.
8) What is a major problem with "canned software"?
A) Canned software is sold on the open market to a broad range of users with similar requirements.
B) Canned software may not meet all of a company's information or data processing needs.
C) Canned software may offer easy availability and lower costs.
D) A commercial software development company has developed it.
9) Which statement is true regarding canned software and the SDLC?
A) Canned software cannot be modified to meet unique user needs.
B) The SDLC process does not apply to canned software.
C) Most canned software meets all of a company's information or data processing needs.
D) Companies that buy rather than develop AIS software can still follow the SDLC process.
10) The reasons for ________ are to simplify the decision-making process, reduce errors, provide timesavings, and avoid potential disagreements.
A) leasing
B) outsourcing
C) sending out a request for a proposal
D) prototyping
11) Total costs are usually lower and less time is required for vendor preparation and company evaluation when requests for proposal are solicited based on
A) generalized software needs.
B) specific hardware and software specifications.
C) exact equipment needs.
D) None of the above are correct.
12) Information given to vendors should include
A) timeframe required for completion of the project.
B) detailed specifications for the AIS.
C) a budget for software and hardware.
D) None of the above are correct.
13) The approach that evaluates vendors' systems based on the weighted score of criteria and points totaled is called
A) requirements costing.
B) prototyping.
C) benchmark problem.
D) point scoring.
14) The approaches to evaluating proposals that do not incorporate dollar estimates of costs and benefits is known as
A) requirement costing and point scoring.
B) benchmark problem and point scoring.
C) All methods mentioned above include dollar estimates.
D) point scoring and requirement costing.
15) It is important for a company to be selective in choosing a software vendor. When a company buys a large or complex system, it may request that a software vendor submit a specific proposal for a system by a specified date. What acronym is used to identify such a request?
A) EIS
B) ISP
C) ASP
D) RFP
16) A request for proposal sent to software vendors is an important tool since it can reduce errors.
Which statement below supports this reason?
A) All responses are in the same format and based on the same information.
B) The same information is provided to all vendors.
C) The chances of overlooking important factors are reduced.
D) Both parties possess the same expectations and pertinent information is captured in writing.
17) A company should carefully evaluate proposals submitted by software vendors. What is the first step a company should take in the proposal evaluation process?
A) Carefully compare proposals against the proposed AIS requirements.
B) Invite vendors to demonstrate their systems.
C) Eliminate proposals that are missing important information or fail to meet minimum requirements.
D) Determine how much of a given proposal meets the desired AIS requirements.
18) Among the methods a company can use to help it evaluate software and hardware systems from vendors, one way is to calculate and compare the processing times of different AIS to compare system performance. This is the ________ method.
A) mandatory requirements
B) requirements costing
C) benchmark problem
D) point scoring
19) What is a drawback to using the requirements costing method of software and hardware evaluation?
A) The weights and points used are assigned subjectively.
B) Intangible factors such as reliability and vendor support are overlooked.
C) There is no drawback to using the requirements costing method.
D) Dollar estimates of costs and benefits are not included.
20) The costly and labor-intensive approach to systems acquisition is
A) modified software.
B) custom software.
C) canned software.
D) turnkey software.
Answer Key
1) A
2) C
3) B
4) D
5) D
6) B
7) D
8) B
9) D
10) C
11) B
12) B
13) D
14) D
15) D
16) C
17) C
18) C
19) B
20) B
1) Which statement below regarding the development of an AIS is false?
A) A newly designed AIS always meets user needs for a time period.
B) Changes to the AIS are often difficult to make after requirements have been frozen into specifications.
C) Users are unable to specify their needs adequately.
D) The development process can take so long that the system no longer meets company needs.
2) In which approach to systems acquisition is "inexpensive updates" considered an advantage?
A) turnkey software and systems
B) custom software
C) canned software
D) modified software
3) When canned software is used for systems acquisition, the conceptual design phase of the SDLC
A) is the same.
B) involves a make-or-buy decision.
C) is combined with the physical design phase.
D) is eliminated.
4) When canned software is used for systems acquisition, the physical design phase of the SDLC
A) is the same.
B) is eliminated.
C) is combined with the conceptual design phase.
D) does not involve designing and coding although modifications may be made.
5) When canned software is used for systems acquisition, the implementation and conversion phase of the SDLC
A) does not involve the documentation step.
B) does not require the develop and test software step.
C) does not require the company to have trained IS personnel.
D) both A and C above
6) When canned software is used for systems acquisition, the maintenance aspect of the operations and maintenance phase of the SDLC
A) is not necessary and is eliminated.
B) is usually the responsibility of the vendor.
C) is more costly.
D) requires trained personnel.
7) Software development companies write commercial software that can be used by a variety of organizations. Sometimes these companies combine both software and hardware together to sell as one package. Such a package is commonly referred to as
A) an application service package.
B) canned software.
C) a value-added system.
D) a turnkey system.
8) What is a major problem with "canned software"?
A) Canned software is sold on the open market to a broad range of users with similar requirements.
B) Canned software may not meet all of a company's information or data processing needs.
C) Canned software may offer easy availability and lower costs.
D) A commercial software development company has developed it.
9) Which statement is true regarding canned software and the SDLC?
A) Canned software cannot be modified to meet unique user needs.
B) The SDLC process does not apply to canned software.
C) Most canned software meets all of a company's information or data processing needs.
D) Companies that buy rather than develop AIS software can still follow the SDLC process.
10) The reasons for ________ are to simplify the decision-making process, reduce errors, provide timesavings, and avoid potential disagreements.
A) leasing
B) outsourcing
C) sending out a request for a proposal
D) prototyping
11) Total costs are usually lower and less time is required for vendor preparation and company evaluation when requests for proposal are solicited based on
A) generalized software needs.
B) specific hardware and software specifications.
C) exact equipment needs.
D) None of the above are correct.
12) Information given to vendors should include
A) timeframe required for completion of the project.
B) detailed specifications for the AIS.
C) a budget for software and hardware.
D) None of the above are correct.
13) The approach that evaluates vendors' systems based on the weighted score of criteria and points totaled is called
A) requirements costing.
B) prototyping.
C) benchmark problem.
D) point scoring.
14) The approaches to evaluating proposals that do not incorporate dollar estimates of costs and benefits is known as
A) requirement costing and point scoring.
B) benchmark problem and point scoring.
C) All methods mentioned above include dollar estimates.
D) point scoring and requirement costing.
15) It is important for a company to be selective in choosing a software vendor. When a company buys a large or complex system, it may request that a software vendor submit a specific proposal for a system by a specified date. What acronym is used to identify such a request?
A) EIS
B) ISP
C) ASP
D) RFP
16) A request for proposal sent to software vendors is an important tool since it can reduce errors.
Which statement below supports this reason?
A) All responses are in the same format and based on the same information.
B) The same information is provided to all vendors.
C) The chances of overlooking important factors are reduced.
D) Both parties possess the same expectations and pertinent information is captured in writing.
17) A company should carefully evaluate proposals submitted by software vendors. What is the first step a company should take in the proposal evaluation process?
A) Carefully compare proposals against the proposed AIS requirements.
B) Invite vendors to demonstrate their systems.
C) Eliminate proposals that are missing important information or fail to meet minimum requirements.
D) Determine how much of a given proposal meets the desired AIS requirements.
18) Among the methods a company can use to help it evaluate software and hardware systems from vendors, one way is to calculate and compare the processing times of different AIS to compare system performance. This is the ________ method.
A) mandatory requirements
B) requirements costing
C) benchmark problem
D) point scoring
19) What is a drawback to using the requirements costing method of software and hardware evaluation?
A) The weights and points used are assigned subjectively.
B) Intangible factors such as reliability and vendor support are overlooked.
C) There is no drawback to using the requirements costing method.
D) Dollar estimates of costs and benefits are not included.
20) The costly and labor-intensive approach to systems acquisition is
A) modified software.
B) custom software.
C) canned software.
D) turnkey software.
Answer Key
1) A
2) C
3) B
4) D
5) D
6) B
7) D
8) B
9) D
10) C
11) B
12) B
13) D
14) D
15) D
16) C
17) C
18) C
19) B
20) B
星期一, 4月 18, 2011
Further Update (A11-04-01a): Vulnerability in Adobe Flash Player and Adobe Reader/Acrobat
Further to the security alert A11-04-01 issued on 12.04.2011, we would like to draw your attention that Adobe has released updated versions of Adobe Flash Player for the platforms below to address the issue. However, related patches for Adobe Reader and Adobe Acrobat are still pending. The respective updates are available at:
- Flash Player 10.2.159.1 for Windows, Macintosh, Linux and Solaris
To verify the Flash player version installed, you may visit the following URL:
Users of affected systems should follow the recommendations provided by the product vendor and take immediate actions to mitigate the risk.
DITSOs (or your delegates) are also requested to inform the relevant system administrators and end users as appropriate about this issue.
More Information:
More information about this update is available at:
- Flash Player 10.2.159.1 for Windows, Macintosh, Linux and Solaris
- http://www.adobe.com/go/getflash
- http://www.adobe.com/licensing/distribution
- http://googlechromereleases.blogspot.com/2011/04/stable-channel-update.html
To verify the Flash player version installed, you may visit the following URL:
- http://www.adobe.com/products/flash/about/
Users of affected systems should follow the recommendations provided by the product vendor and take immediate actions to mitigate the risk.
DITSOs (or your delegates) are also requested to inform the relevant system administrators and end users as appropriate about this issue.
More Information:
More information about this update is available at:
- http://www.adobe.com/support/security/advisories/apsa11-02.html
- http://www.adobe.com/support/security/bulletins/apsb11-07.html
- http://www.us-cert.gov/current/index.html#adobe_releases_security_advisory_for7
- http://www.kb.cert.org/vuls/id/230057
- http://secunia.com/advisories/44119/
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0611
星期四, 4月 14, 2011
Microsoft Windows XP 變數
有時編寫執行檔時,可能會因為使用者名稱不同而不能執行成功。
假若遇到這個情況,系統變數便可以簡化問題了。
以下是 Ms Windows XP 及 Windows 7 的例子:
變數 | Win XP 例子 | Win 7例子 |
%LOGONSERVER% | \\127.0.0.1 | \\127.0.0.1 |
%HOMEDRIVE% | C:\ | C:\ |
%SystemDrive% | C:\ | C:\ |
%AllUsersProfile% | C:\Documents and Settings\All Users | C:\ProgramData |
%HOMEPATH% | C:\Documents and Settings\wfh | C:\Users\wfh |
%USERPROFILE% | C:\Documents and Settings\wfh | C:\Users\wfh |
%APPDATA% | C:\Documents and Settings\wfh\Application Data | C:\Users\wfh\AppData\Roaming |
%Temp% | C:\Documents and Settings\wfh\Local Settings\Temp | C:\Users\Ben\AppData\Local\Temp |
%Tmp% | C:\Documents and Settings\wfh\Local Settings\Temp | C:\Users\Ben\AppData\Local\Temp |
%USERPROFILE%\My Documents\ | C:\Documents and Settings\wfh\My Documents\ | |
%ProgramFiles% | C:\Program Files | C:\Program Files |
%commonprogramfiles% | C:\Program Files\Common Files | C:\Program Files\Common Files |
%SystemRoot% | C:\WINDOWS | C:\Windows |
%windir% | C:\WINDOWS | C:\Windows |
%ComSpec% | C:\WINDOWS\system32\cmd.exe | C:\WINDOWS\system32\cmd.exe |
%PSModulePath% | C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules | C:\Windows\system32\WindowsPowerShell\v1.0\Modules |
===========================
batch file 應用例子:
@echo off
:: 設定變數 drive 為 G:\Backup
set drive=G:\Backup
:: 設定變數 backupcmd 為 xcopy /s /c /d /e /h /i /r /y
set backupcmd=xcopy /s /c /d /e /h /i /r /y
echo 備份我的文件至 G:\Backup\My Documents ...
%backupcmd% "%USERPROFILE%\My Documents" "%drive%\My Documents"
echo 備份我的最愛至 G:\Backup\Favorites...
%backupcmd% "%USERPROFILE%\Favorites" "%drive%\Favorites"
echo 備份 Outlook Express...
%backupcmd% "%USERPROFILE%\Application Data\Microsoft\Address Book" "%drive%\Address Book"
%backupcmd% "%USERPROFILE%\Local Settings\Application Data\Identities" "%drive%\Outlook Express"
echo 備份 Ms Outlook...
%backupcmd% "%USERPROFILE%\Local Settings\Application Data\Microsoft\Outlook" "%drive%\Outlook"
echo 備份登錄檔...
if not exist "%drive%\Registry" mkdir "%drive%\Registry"
if exist "%drive%\Registry\regbackup.reg" del "%drive%\Registry\regbackup.reg"
regedit /e "%drive%\Registry\regbackup.reg"
:: use below syntax to backup other directories...
:: %backupcmd% "...source directory..." "%drive%\...destination dir..."
echo 備份完成
pause
試想像,假若目標使用者的視窗安裝在 D:\ ,而且你不知道對方的使用者名稱,在不使用變數的情況下便十分麻煩了。
===========================
如果希望新增 / 修改 Win xp 的變數,你可以:
2. 在「系統內容」的「進階」分頁,點選「環境變數」
3. 在下方的「系統變數」,你可以找到 「TMP」 等大部份變數了
===========================
如果希望新增 / 修改 Win 7 的變數,你可以:
1. 在「我的電腦」的空白位置單擊右鍵,然後點選「內容」
2. 點選「進階系統設定」
3. 在「系統內容」的「進階」分頁,點選「環境變數」
4. 在下方的「系統變數」,你可以找到 「TMP」 等大部份變數了
訂閱:
文章 (Atom)