[ISN] Security UPDATE -- Netscape 8.0 Security -- May 25, 2005
InfoSec News
isn at c4i.org
Fri May 27 03:26:30 EDT 2005
====================
This email newsletter comes to you free and is supported by the
following advertisers, which offer products and services in which
you might be interested. Please take a moment to visit these
advertisers' Web sites and show your support for Security UPDATE.
Reduce Costs with Cyclades AlterPath OnSite
http://list.windowsitpro.com/t?ctl=AB2B:4FB69
Anti-Spam product not working? What more companies are switching to...
and why.
http://list.windowsitpro.com/t?ctl=AB14:4FB69
====================
1. In Focus: Netscape 8.0 Security
2. Security News and Features
- Recent Security Vulnerabilities
- Windows TCP/IP Woes
- NT OBJECTives Offers Two Free Security Tools
3. Security Toolkit
- Security Matters Blog
- FAQ
- Security Forum Featured Thread
4. New and Improved
- Control Your Network Traffic
====================
==== Sponsor: Cyclades ====
Reduce Costs with Cyclades AlterPath OnSite
Reduce operational costs by eliminating the need for most remote
site visits with the AlterPath OnSite, Cyclades newest out-of-band
infrastructure (OOBI) appliance specifically designed for small, remote
branch office management. The AlterPath OnSite combines the
functionality of Cyclades ACS (advanced console server) and Cyclades
KVM/net (KVM over IP) to deliver serial console control, KVM control
and power control (through the AlterPath PM power control unit) – in a
single, easy-to-use appliance. Visit Cyclades at Microsoft Tech Ed in
Orlando, Florida, June 6-9, Booth #228 and #230.
http://list.windowsitpro.com/t?ctl=AB2B:4FB69
====================
==== 1. In Focus: Netscape 8.0 Security ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net
Netscape Communications' Netscape Browser 8.0 was released last week. I
downloaded a copy and found that it has some impressive features, two
of which are great innovations that I think are worth a close look.
First, Netscape 8.0 can use both the Mozilla Firefox and Microsoft
Internet Explorer (IE) rendering engines, which means that if you use
it, you no longer have to open two browsers to get maximum
functionality while surfing the Web. The IE engine is enabled by
default for "trusted sites," and you can change that setting so that
the Firefox engine is used by default instead. A menu option (Tools,
Rendering Engine) lets you switch back and forth between the engines on
the fly.
Second, configuring Netscape 8.0 is fairly simple, especially if you're
familiar with Firefox. The Options dialog boxes are nearly identical in
both browsers. However, one Netscape 8.0 feature that you won't find in
Firefox is the Site Controls, which are similar to IE's security zones.
With Site Controls, you can define master settings that determine how
the browser will behave for each site you visit. There are four master
settings: "I Trust This Site," "I'm Not Sure," "I Don't Trust This
Site," and "Local Files." These are equivalent to IE's Trusted Sites,
Internet, Restricted Sites, and Local Intranet zones, respectively. For
each zone in Netscape 8.0, you can enable or disable various Web
features, such as Java, JavaScript, cookies, pop-up windows, and
ActiveX controls. You read that last item right--Netscape 8.0 supports
ActiveX!
You can customize the master settings on a per-site basis for any sites
you've added to any of the zones. Adding sites to a zone is simple.
After you have a site open in the browser, right-click its tab and
select Site Controls. Doing so presents a dialog box in which you can
specify the zone the site should belong to and customize individual
settings. You can also define a default rendering engine on a per-zone
or per-site basis.
A third new security feature (also part of Site Controls) is Trust
Ratings. If you enable this feature, you're relying on a third party to
determine whether you should trust a Web site's content and whether
it's OK to enter sensitive information at that Web site. The third
party maintains catalogs of trusted and untrusted sites. The catalogs
are automatically downloaded to the browser based on a schedule you
define. For example, you can refresh the catalogs hourly, daily, or
weekly. What Trust Ratings lacks is any information about who creates
the catalogs, what classification criteria is used, and a way to view
the catalogs. The feature requires that you trust it blindly to decide
on your behalf. Thus, I think this feature is less useful than it could
be.
Netscape 8.0 has other security-related features, some of which are
similar to ones in Firefox. For example, Datacard Manager helps store
information you might enter in Web forms. Passcard Manager helps you
store frequently used passwords. Netscape 8.0 also supports themes and
extensions. All those features are found in Firefox. Netscape 8.0 also
has a handy toolbar button that erases the browser history and a Web
mail manager that lets you configure account information for commonly
used services such as MSN Hotmail, Yahoo!, Google's Gmail, America
Online (AOL), and others. Those features don't come as standard
components of Firefox, but extensions that offer such functionality are
probably available.
Another feature not found in Firefox is statistics gathering. Netscape
8.0 can gather numbers about customers' browser feature usage, send
them back to developers (while preserving customers' anonymity, of
course), and use these statistics to improve future versions of the
browser. As you would expect, when you install Netscape 8.0, you can
import settings (such as preferences, cookies, browsing history) from
other installed browsers, including Firefox, IE, and Opera. Although
the installation routine did import all my settings, it didn't import
all my search engine plug-ins, so that's one area that needs some
improvement.
One thing I'm not clear about yet is how Netscape 8.0 actually uses the
IE rendering engine and ActiveX controls. Does Netscape 8.0 respect the
security zone settings as defined in IE? When I configure Netscape 8.0
to use the IE rendering engine, does it somehow map its own zones to IE
zones to use the IE zone settings in the registry? Does it respect my
IE zone settings for ActiveX behavior, such as disabling the download
of unsigned controls? I did some basic testing to try to determine the
functionality, and Netscape 8.0 didn't appear to use IE zone settings,
but I could be wrong. If you have any information to help explain what
goes on under the hood, please send me an email message with the
details.
Overall, Netscape 8.0 seems like an excellent solution, particularly
because of the new Site Controls and its use of both the IE and Firefox
rendering engines. You can download a copy at the URL below and take it
for a test drive. Note that Netscape 8.0 is based on Firefox 1.0.3
code. As such it inherited the same security problems that were present
in that Firefox version. Netscape 8.0.1 has been released to correct
those problems.
http://list.windowsitpro.com/t?ctl=AB29:4FB69
====================
==== Sponsor: Postini ====
Anti-Spam product not working? What more companies are switching to...
and why.
Many email administrators are experiencing increased frustration
with their legacy anti-spam products as they battle new and more
dangerous email threats. In-house software, appliances and even some
services may no longer work effectively, require too much IT staff time
to update and maintain, or satisfy the email security needs of
different users. In this free white paper learn why many companies are
switching to a managed service solution. You'll find out how to get
better accuracy and effectiveness, lower overhead and administrative
costs, get more flexible end user controls, improve service and support
and more. Download your free copy now!
http://list.windowsitpro.com/t?ctl=AB14:4FB69
====================
==== 2. Security News and Features ====
Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security
Alerts, which inform you about recently discovered security
vulnerabilities. You can also find information about these
discoveries at
http://list.windowsitpro.com/t?ctl=AB1B:4FB69
Windows TCP/IP Woes
The Land attack method has been known to the public at least since
November 1997. When a Windows system receives a SYN packet that
contains the same source and destination address, the packet could
cause a minor Denial of Service (DoS). Microsoft issued a patch to fix
the problem in IPv4, but the company's IPv6 implementation is still
vulnerable.
http://list.windowsitpro.com/t?ctl=AB1E:4FB69
NT OBJECTives Offers Two Free Security Tools
NT OBJECTives announced that it has made its ntoinsight 2.0 Web site
analysis tool and ntoweb vulnerability assessment tool available as
freeware. Ntoinsight catalogs a Web site's content, architecture, and
dependencies, and can identify areas that might be used as attack
points by intruders. Ntoweb is a plug-in that lets ntoinsight use the
Nikto vulnerability database.
http://list.windowsitpro.com/t?ctl=AB20:4FB69
====================
==== Resources and Events ====
Safeguard Your Exchange Servers--Plus Receive a Free eBook
Managing storage growth, providing application resiliency, and
handling small errors and problems before they grow are all important
aspects of boosting your Exchange Server uptime. In this free Web
seminar, discover how storage and application management techniques for
Exchange can be used to improve the resiliency and performance of your
Exchange infrastructure. Register now and get a free eBook!
http://list.windowsitpro.com/t?ctl=AB11:4FB69
Streamline Desktop Deployments
Managing desktop software configurations doesn't have to be a manual
process, resulting in unplanned costs, deployment delays, and client
confusion. In this free Web seminar, find out how to manage the
software package preparation process and increase your desktop
reliability, user satisfaction, and IT cost effectiveness. You'll learn
how to simplify the deployment and configuration process, starting with
the new-application request, review, and approval process and
progressing through software packaging and deployment.
http://list.windowsitpro.com/t?ctl=AB16:4FB69
Here's Your Chance To Earn $100
If you're going to TechEd 2005, we want you! Now's the time to tell
us what you think--click here to see if you qualify to participate in
this exclusive focus group opportunity.
http://list.windowsitpro.com/t?ctl=AB1D:4FB69
Get Ready for SQL Server 2005 Roadshow in Europe
Get the facts about migrating to SQL Server 2005. SQL Server experts
will present real-world information about administration, development,
and business intelligence to help you implement a best-practices
migration to SQL Server 2005 and improve your database computing
environment. Receive a 1-year membership to PASS and 1-year
subscription to SQL Server Magazine. Register now!
http://list.windowsitpro.com/t?ctl=AB17:4FB69
Get on the 64-Bit Bandwagon
In this free, on-demand Web seminar, you'll learn the most important
factors and best uses of 64-bit technology. Join industry expert Mike
Otey as he compares 32-bit and 64-bit technology and reveals the best
platform for high performance. You'll also learn how to successfully
migrate and manage the two. Register now!
http://list.windowsitpro.com/t?ctl=AB18:4FB69
====================
==== Featured White Paper ====
Test Your Security Configuration
Today, vulnerability-scanning hackers, Internet-traveling worms, and
roving bots are common. You should conduct regular vulnerability and
penetration testing audits to validate your security policy. In this
free white paper, learn how to identify and fix vulnerabilities,
discover and use vulnerability assessment tools, evaluate your security
investment, and more. Download your free copy now!
http://list.windowsitpro.com/t?ctl=AB10:4FB69
====================
==== Hot Release ====
Saving Time and Money with Network Faxing
Despite the rise of e-mail and the Internet, fax continues to be an
important means of business communication. Organizations can save
significantly on long distance costs, increase worker productivity, and
streamline their business processes simply by connecting a fax server
to their local area network. Get this white paper now!
http://list.windowsitpro.com/t?ctl=AB15:4FB69
====================
==== 3. Security Toolkit ====
Security Matters Blog: Hack IIS 6.0
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=AB25:4FB69
Feel like testing your hacking skills against IIS? If you can break
into the test server, you'll win an Xbox. Head over to
http://list.windowsitpro.com/t?ctl=AB2C:4FB69 and read the rules of engagement. The contest
ends June 8.
http://list.windowsitpro.com/t?ctl=AB21:4FB69
FAQ
by John Savill, http://list.windowsitpro.com/t?ctl=AB23:4FB69
Q: How can I restrict the application of Group Policy Object (GPOs)
depending on the client machine's OS?
Find the answer at
http://list.windowsitpro.com/t?ctl=AB1F:4FB69
Security Forum Featured Thread: Accessing the Security Log on a DC
A forum participant writes that he has a third-party audit tool
running in Active Directory on Windows Server 2003. The configuring
administrators of the audit tool aren't domain administrators, but they
must have access to the Security log of the DCs to get the needed
events. Is it possible to give access to the Security log on a DC
without a membership in Domain Admins? Join the discussion at
http://list.windowsitpro.com/t?ctl=AB12:4FB69
====================
==== Announcements ====
(from Windows IT Pro and its partners)
Why Do You Need the Windows IT Pro Master CD?
There are three good reasons to order our latest Windows IT Pro
Master CD. One, because it's a lightning-fast, portable tool that lets
you search for solutions by topic, author, or issue. Two, because it
includes our Top 100 Windows IT Pro Tips. Three, because you'll also
receive exclusive, subscriber-only access to our entire online article
database. Click here to discover even more reasons:
http://list.windowsitpro.com/t?ctl=AB22:4FB69
Nominate Yourself or a Friend for the MCP Hall of Fame
Are you a top-notch MCP who deserves to be a part of the first-ever
MCP Hall of Fame? Get the fame you deserve by nominating yourself or a
peer to become a part of this influential community of certified
professionals. You could win a VIP trip to Microsoft and other valuable
prizes. Enter now--it's easy:
http://list.windowsitpro.com/t?ctl=AB19:4FB69
====================
==== 4. New and Improved ====
by Renee Munshi, products at windowsitpro.com
Control Your Network Traffic
Lightspeed Systems offers Total Traffic Control (TTC) 5.03 for
schools, government departments, and businesses. TTC 5.03 performs
content filtering, spam blocking, bandwidth management, and reporting.
TTC 5.03 incorporates a Security Agent, which augments virus signature
matching with behavior analysis to identify and prevent malicious
threats. The Security Agent enables administrators to quickly classify
any undesirable application as a known malicious program and distribute
that information to systems on the network. TTC 5.03 also has new spam-
blocking techniques and can block Web searches on words that you
specify. For more information, go to
http://list.windowsitpro.com/t?ctl=AB28:4FB69
Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Tell us about the product, and
we'll send you a T-shirt if we write about the product in a future
Windows IT Pro What's Hot column. Send your product suggestions with
information about how the product has helped you to
whatshot at windowsitpro.com.
Editor's note: Share Your Security Discoveries and Get $100
Share your security-related discoveries, comments, or problems and
solutions in the Windows IT Security print newsletter's Reader to
Reader column. Email your contributions (500 words or less) to
r2rwinitsec at windowsitpro.com. If we print your submission, you'll
get $100. We edit submissions for style, grammar, and length.
====================
==== Sponsored Links ====
Symantec and Gartner Present Client Resilience
Symantec Webcasts: Ensure devices are available and compliant.
http://list.windowsitpro.com/t?ctl=AB2D:4FB69
Converting a Microsoft Access Application to Oracle HTML DB
Convert MS Access into a Web application for multiple users.
Download now!
http://list.windowsitpro.com/t?ctl=AB2E:4FB69
Protecting Your Company by Managing Your Users' Internet Access
Internet access within an organization can represent a legal &
security risk
http://list.windowsitpro.com/t?ctl=AB13:4FB69
====================
==== Contact Us ====
About the newsletter -- letters at windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=AB27:4FB69
About product news -- products at windowsitpro.com
About your subscription -- windowsitproupdate at windowsitpro.com
About sponsoring Security UPDATE -- emedia_opps at windowsitpro.com
====================
This email newsletter is brought to you by Windows IT Security,
the leading publication for IT professionals securing the Windows
enterprise from external intruders and controlling access for
internal users. Subscribe today.
http://list.windowsitpro.com/t?ctl=AB1C:4FB69
View the Windows IT Pro privacy policy at
http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy
Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department
Copyright 2005, Penton Media, Inc. All rights reserved.
More information about the ISN
mailing list