[ISN] Microsoft Catches Flak for Lack of Vulnerability Disclosure
InfoSec News
isn at c4i.org
Thu Apr 27 01:42:24 EDT 2006
====================
1. In Focus: Microsoft Catches Flak for Lack of Vulnerability
Disclosure
2. Security News and Features
- Recent Security Vulnerabilities
- Novell Acquires e-Security
- GRISOFT Boosts Its Security Offerings with Acquisition of Ewido
- New Antiphishing Toolbar Takes an Obvious Approach
3. Security Toolkit
- Security Matters Blog
- FAQ
- Security Forum Featured Thread
- Share Your Security Tips
4. New and Improved
- Bring Systems Back in Line
====================
==== 1. In Focus: Microsoft Catches Flak for Lack of Vulnerability Disclosure ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net
News stories last week discussed a blog entry (at the URL below) by
Matthew Murphy of SecuriTeam that hammered Microsoft for what Murphy
considers a lack of adequate vulnerability disclosure. Murphy's beef
with Microsoft relates to Microsoft Security Bulletin MS06-015,
Vulnerability in Windows Explorer Could Allow Remote Code Execution. In
a nutshell, Murphy wants Microsoft to offer more details about the
vulnerabilities it patches. (MS06-015 also happens to be the bulletin
whose update proved to be buggy; a revised update was due to be
released yesterday.)
http://list.windowsitpro.com/t?ctl=282CD:4FB69
Many think that Microsoft's disclosure practices border on the silent
fixing of security issues. It's no secret that in the past Microsoft
has silently fixed security problems and sometimes has misinformed the
public about the ramifications of security problems. Microsoft and many
other companies don't like the publicity related to security problems,
so they try to keep matters as quiet and calm as possible.
Granted, each company is free to establish its own policies about
disclosure and few are forthcoming with complete details in any given
instance of vulnerability discovery. For example, Apple silently fixes
security problems and rarely if ever releases any substantial details
about them. But then people interested in security don't place Apple
under the same microscope as Microsoft.
When Microsoft releases a security-related patch, numerous independent
researchers go to work comparing the patched files against the
originals to find everything that's changed. If they detect a change
that isn't documented, the researchers either call Microsoft on the
carpet or keep their mouths shut for any of several reasons, including
the ability to exploit the undocumented bugs on systems that don't have
the patch installed. A silent fix therefore cuts both ways: the patched
binary reveals the bug to anyone who diffs it, while administrators who
were never told about it have no reason to hurry the patch onto their
remaining unpatched systems. In that way the patch could actually aid
in the proliferation of malware and increase the overall risk of
security breaches.
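The first step of the patch analysis described above is mechanical:
snapshot the files before and after the update, find which ones
changed and where, and check the result against the file list the
bulletin publishes. The Python script below is an added example
written for this column; it is not code from the newsletter or from
any of the researchers it mentions. The file names, their contents and
the "documented" list are all constructed. Real analysis runs over
the actual files from a patched and an unpatched system and then
disassembles the regions this script points at.

```python
"""Find which files an update changed and flag changes a bulletin
doesn't mention.  Added example; every file below is constructed,
not taken from any Microsoft update."""
import hashlib
from typing import Any, Dict, List, Set, Tuple

BLOCK = 16  # tiny block size so the constructed sample shows distinct regions


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def changed_blocks(old: bytes, new: bytes, block: int = BLOCK) -> List[Tuple[int, int]]:
    """Return (offset, length) for each block-aligned region that differs.
    Adjacent differing blocks are merged into one region; a trailing
    partial block is reported with its real length."""
    regions: List[Tuple[int, int]] = []
    longest = max(len(old), len(new))
    for off in range(0, longest, block):
        if old[off:off + block] == new[off:off + block]:
            continue
        length = min(block, longest - off)
        if regions and regions[-1][0] + regions[-1][1] == off:
            start, prev_len = regions[-1]
            regions[-1] = (start, prev_len + length)   # extend the previous region
        else:
            regions.append((off, length))
    return regions


def diff_trees(before: Dict[str, bytes], after: Dict[str, bytes]) -> Dict[str, Any]:
    """Compare two snapshots (path -> file contents) taken before and after
    an update.  Returns added and removed paths plus, for each modified
    file, the regions that changed."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed: Dict[str, List[Tuple[int, int]]] = {}
    for path in sorted(set(before) & set(after)):
        if sha256(before[path]) != sha256(after[path]):
            changed[path] = changed_blocks(before[path], after[path])
    return {"added": added, "removed": removed, "changed": changed}


def undocumented_changes(diff: Dict[str, Any], documented: Set[str]) -> List[str]:
    """Paths the update touched that the bulletin's file list doesn't cover."""
    touched = set(diff["added"]) | set(diff["removed"]) | set(diff["changed"])
    return sorted(touched - documented)


# Constructed snapshots: three files before the update, two modified afterwards.
BEFORE = {
    "sample/patched.dll": b"A" * 64,
    "sample/helper.dll": b"B" * 64,
    "sample/untouched.dll": b"C" * 64,
}
AFTER = dict(BEFORE)
AFTER["sample/patched.dll"] = b"A" * 16 + b"X" * 16 + b"A" * 32  # the fix the bulletin describes
AFTER["sample/helper.dll"] = b"B" * 48 + b"Y" * 16              # a change the bulletin never mentions
DOCUMENTED = {"sample/patched.dll"}  # constructed "files in this update" list

if __name__ == "__main__":
    result = diff_trees(BEFORE, AFTER)
    for path, regions in result["changed"].items():
        print(f"{path}: changed regions {regions}")
    print("undocumented:", undocumented_changes(result, DOCUMENTED))
```

Block-level comparison only localizes a change. A rebuilt or rebased
binary differs in nearly every block, so the published patch-diffing
tools match functions between the two disassemblies rather than
comparing raw bytes; the region list above is just the place to start
looking.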
Of course, Microsoft's disclosure practices have improved over the
years, but there's still room for improvement, particularly if the
company expects the masses to more fully buy into the Trustworthy
Computing ideology.
Again, we're back to the same old issue of disclosure being a
double-edged sword. Many businesses and researchers have adopted some
form of responsible disclosure that governs when vulnerability details
are released, but another important point of contention remains: how
much to release. Microsoft and other companies argue that too much
disclosure creates a more dangerous network environment. Many security
researchers contend that too little disclosure creates a more dangerous
network environment. Obviously, the situation calls for balance, and I
think there is balance today. However, when the balance tips too far
toward either perspective, risk levels increase.
Here's an interesting thought, even if it's only tangentially related:
What if software as a service or applications on demand become
commonplace? Think of a scenario in which you no longer have an OS and
sundry applications installed on your desktops and servers, but instead
a hardware-based client loads everything from a remote location that
you don't control. That would just about put an end to many aspects of
security research, security administration, and the disclosure debate,
wouldn't it?
====================
==== 2. Security News and Features ====
Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security
Alerts, which inform you about recently discovered security
vulnerabilities. You can also find information about these
discoveries at
http://list.windowsitpro.com/t?ctl=282C2:4FB69
Novell Acquires e-Security
With e-Security's Sentinel solution under its wing, Novell says its
customers will enjoy a more comprehensive view of user, network, and
application events that will help streamline processes, augment
compliance monitoring, and cut costs.
http://list.windowsitpro.com/t?ctl=282CC:4FB69
GRISOFT Boosts Its Security Offerings with Acquisition of Ewido
GRISOFT aims to bolster its cross-platform antivirus and firewall
solutions by adding Ewido Networks' award-winning anti-malware
protection to its suite of offerings.
http://list.windowsitpro.com/t?ctl=282CA:4FB69
New Antiphishing Toolbar Takes an Obvious Approach
TraceSecurity developed a different and rather obvious approach to
an antiphishing toolbar. Instead of looking for known phishing sites,
the free TraceAssure Toolbar searches for legitimate Web sites by
matching domain names to IP addresses.
http://list.windowsitpro.com/t?ctl=282CB:4FB69
====================
==== Resources and Events ====
How do you ensure that your email system isn't vulnerable to a
messaging meltdown? In this Web seminar, Exchange guru Paul Robichaux
tells you what you should do before you have an outage to increase your
chances of coming out of it smelling like roses.
http://list.windowsitpro.com/t?ctl=282C1:4FB69
Learn the best ways to manage your email security (and fight spam)
using a variety of solutions and tips.
http://list.windowsitpro.com/t?ctl=282BD:4FB69
Expert Ben Smith describes the benefits of using server virtualization
to make computers more efficient. Download this exclusive podcast
today!
http://list.windowsitpro.com/t?ctl=282C0:4FB69
Make sure that your DR systems are up to the challenge of a real
natural disaster by learning from messaging survivors of Hurricanes
Katrina and Rita. Live Event: Tuesday, May 2
http://list.windowsitpro.com/t?ctl=282BC:4FB69
Ensure that you're being effective with your internal network security.
Are your DIY options protecting you against worms, BotNets, Trojans,
and hackers? Make sure! Live Event: Tuesday, May 23
http://list.windowsitpro.com/t?ctl=282BB:4FB69
====================
==== Featured White Paper ====
Examine the risks of allowing unwanted or offensive content into your
network and learn about the technologies and methodologies to defend
against inappropriate content, spyware, IM, and P2P.
http://list.windowsitpro.com/t?ctl=282BA:4FB69
====================
==== 3. Security Toolkit ====
Security Matters Blog: Rubberhose: A Useful Form of Data Encryption?
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=282CF:4FB69
Instead of making it glaringly obvious that data is encrypted,
Rubberhose makes encryption deniable--i.e., supposedly it can't be
proven that the data is encrypted. This technique might be useful for
people who, for whatever reasons, can't use other forms of data
encryption. Learn a bit more about it in this blog article.
http://list.windowsitpro.com/t?ctl=282C9:4FB69
FAQ
by John Savill, http://list.windowsitpro.com/t?ctl=282CE:4FB69
Q: Does Microsoft provide a different level of support for applications
and services running under a VMware virtualization host rather than
under a Microsoft Virtual Server 2005 virtualization host?
Find the answer at http://list.windowsitpro.com/t?ctl=282C8:4FB69
Security Forum Featured Thread: Is Someone Trying To Hack Our System?
A forum participant runs Windows 2000 Advanced Server with Terminal
Services enabled. In the Security event log, he noticed many instances
of a logon event that names a system called GARY-HOME. He has no system
with that name, so he wonders whether someone is trying to hack into
his network. Look at the event log entry he posted and join the
discussion at
http://list.windowsitpro.com/t?ctl=282B9:4FB69
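A quick way to answer the forum question is to pull every logon-failure
event from the Security log, group the events by the workstation name
they record, and compare those names with the hosts you actually own.
The Python below is an added example, not something posted in the
thread. Its event text is constructed to mimic the field layout of the
Windows 2000 "Logon Failure" (event 529) description, the host
inventory is invented, and it assumes that GARY-HOME appears in the
Workstation Name field of the entry the participant posted.

```python
"""Group Windows logon-failure events by the workstation name they
record and flag names that aren't in the host inventory.  Added
example; the event text is constructed in the field layout of the
Windows 2000 'Logon Failure' (event 529) description, and the
inventory is invented."""
import re
from collections import defaultdict
from typing import Any, Dict, List, Set

# "    Key Name:   value" lines of an event description
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*?)\s*$")


def parse_event(description: str) -> Dict[str, str]:
    """Turn a multi-line event description into a field -> value dict."""
    fields: Dict[str, str] = {}
    for line in description.strip().splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("key")] = m.group("val")
    return fields


def triage(descriptions: List[str], inventory: Set[str], threshold: int = 3) -> List[Dict[str, Any]]:
    """Count failures per workstation name and report every name that is
    not in the inventory, plus known hosts that reach `threshold` failures."""
    failures: Dict[str, int] = defaultdict(int)
    users: Dict[str, Set[str]] = defaultdict(set)
    for text in descriptions:
        ev = parse_event(text)
        # The Workstation Name field is filled in by the client, so treat it as a lead, not proof.
        host = (ev.get("Workstation Name") or "<none>").upper()
        failures[host] += 1
        users[host].add(ev.get("User Name", ""))
    findings: List[Dict[str, Any]] = []
    for host in sorted(failures):
        unknown = host not in inventory
        if unknown or failures[host] >= threshold:
            findings.append({"host": host, "unknown_host": unknown,
                             "failures": failures[host],
                             "users": sorted(users[host])})
    return findings


def _event(user: str, domain: str, workstation: str, logon_type: str = "2") -> str:
    """Constructed description text in the layout Event Viewer shows for event 529."""
    return (
        "Logon Failure:\n"
        "    Reason:         Unknown user name or bad password\n"
        f"    User Name:      {user}\n"
        f"    Domain:         {domain}\n"
        f"    Logon Type:     {logon_type}\n"
        "    Logon Process:  User32\n"
        "    Authentication Package: Negotiate\n"
        f"    Workstation Name: {workstation}\n"
    )


# Constructed sample: four failures from an unknown host, one from a known one.
SAMPLE_EVENTS = [
    _event("administrator", "GARY-HOME", "GARY-HOME"),
    _event("administrator", "GARY-HOME", "GARY-HOME"),
    _event("guest", "GARY-HOME", "GARY-HOME"),
    _event("gary", "GARY-HOME", "GARY-HOME"),
    _event("jsmith", "CORP", "WS-FINANCE-02"),  # a real user mistyping a password
]
INVENTORY = {"TS-SRV01", "WS-FINANCE-02"}  # constructed list of hosts you actually own

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS, INVENTORY):
        print(finding)
```

Two caveats a practitioner would add. The Workstation Name field is
supplied by the client, so an unfamiliar name tells you someone outside
your inventory is knocking but not reliably who. And a server that
exposes Terminal Services to the Internet collects failures like these
routinely; the fix is to restrict who can reach the service and to lock
accounts after repeated failures, not only to investigate one name.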
Share Your Security Tips and Get $100
Share your security-related tips, comments, or problems and
solutions in the Windows IT Security print newsletter's
Reader to Reader column. Email your contributions to
r2rwinitsec at windowsitpro.com. If we print your submission, you'll
get $100. We edit submissions for style, grammar, and length.
====================
==== 4. New and Improved ====
by Renee Munshi, products at windowsitpro.com
Bring Systems Back in Line
NetPro Computing describes SecurityManager 2.0 as "a significant
upgrade." SecurityManager 2.0 centralizes policy management and
enforcement for Active Directory (AD) and file servers. It includes new
policies for object locking, group membership, separation of duties,
and external trusts. SecurityManager 2.0 constantly monitors the
network, so when systems become noncompliant with company standards,
the software immediately sends an alert and helps remediate the
problem.
For more information about SecurityManager 2.0, go to
http://list.windowsitpro.com/t?ctl=282C7:4FB69
Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Tell us about the product, and
we'll send you a T-shirt if we write about the product in a future
Windows IT Pro What's Hot column. Send your product suggestions with
information about how the product has helped you to
whatshot at windowsitpro.com.
====================
==== Contact Us ====
About the newsletter -- letters at windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=282D1:4FB69
About product news -- products at windowsitpro.com
About your subscription -- windowsitproupdate at windowsitpro.com
About sponsoring Security UPDATE -- salesopps at windowsitpro.com
====================
This email newsletter is brought to you by Windows IT Security,
the leading publication for IT professionals securing the Windows
enterprise from external intruders and controlling access for
internal users. Subscribe today.
http://list.windowsitpro.com/t?ctl=282C6:4FB69
View the Windows IT Pro privacy policy at
http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy
Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department
Copyright 2006, Penton Media, Inc. All rights reserved.