Forwarded from: Security UPDATE <Security_UPDATE (at) list.windowsitpro.com>

PLEASE VISIT OUR SPONSORS, WHO BRING YOU SECURITY UPDATE FOR FREE:

Give viruses admin rights to your computer
http://list.windowsitpro.com/t?ctl=4603A:7EB890

Black Hat security event
http://list.windowsitpro.com/t?ctl=46056:7EB890

esxRanger Professional: Hot Backups for VI3
http://list.windowsitpro.com/t?ctl=46051:7EB890

=== CONTENTS ===================================================

IN FOCUS: Month of Apple Patches

NEWS AND FEATURES
- Attacking Vista: From Proof of Concept to Actual Exploit
- Cisco Strengthens Mail Offering with IronPort
- Backup and Recovery Basics
- Recent Security Vulnerabilities

GIVE AND TAKE
- Security Matters Blog: At Least 11 Unpatched Vulnerabilities in Microsoft Products
- FAQ: Start a Program with Elevated Permissions
- From the Forum: Information Quality During Security Incidents
- Share Your Security Tips

PRODUCTS
- Secure Remote Access from Handhelds
- Wanted: Your Reviews of Products

RESOURCES AND EVENTS

FEATURED WHITE PAPER

ANNOUNCEMENTS

=== SPONSOR: Byte Crusher ======================================

Give viruses admin rights to your computer

Sounds crazy, doesn't it? But if you run Windows XP as an Administrator, this is exactly what you are doing every time you touch the Internet. You locked the door but forgot to close it. WindowZones can dynamically remove Administrator rights from Internet applications such as web browsers and email clients. Say "Access Denied!" to Internet threats with WindowZones.
http://list.windowsitpro.com/t?ctl=4603A:7EB890

=== IN FOCUS: Month of Apple Patches ===========================
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Recently, someone announced that a new Apple-related security bug would be posted every day for the month of January (see the URL below). The stunt comes on the heels of other such projects, dubbed Month of Kernel Bugs and Month of Browser Bugs.
There was also a proposed Month of Oracle Database Bugs, but that stunt never came to fruition.
http://list.windowsitpro.com/t?ctl=46055:7EB890

You might have read my recent Security Matters blog article in which I questioned whether this relatively new "month of bugs" trend is stupendous or just plain stupid. If you missed it, you can read it at the URL below.
http://list.windowsitpro.com/t?ctl=46046:7EB890

The problem I see with these events is that they place millions of computer users at severe risk. The alleged motives for launching these events vary, but it seems to me that they're primarily publicity stunts designed to draw attention to the operators of the events. If that weren't the case, then the bug publicists would at least post their bugs anonymously. Furthermore, if they really cared about the overall effects of their bug reports, they'd be more responsible with their disclosure methods instead of leaving people vulnerable while vendors scramble to fix the bugs.

At least some people out there have a conscience. In response to the recent launch of the Month of Apple Bugs (MOAB) comes the cavalry riding to the rescue, led by Landon Fuller, former Apple engineer. Fuller found out about MOAB and decided that it would be a good exercise and public service to fix the bugs while waiting for official fixes from Apple. So day by day, as the new bugs are posted, Fuller works to find ways to fix them and subsequently releases patches.
http://list.windowsitpro.com/t?ctl=4604F:7EB890

In addition to Fuller's work, William Carrel stepped in to set up a MOAB Fixes group at Google where MOAB patch coordination is taking place. There you can find open discussion along with the patches released so far. The group is accessible at the URL below.
http://list.windowsitpro.com/t?ctl=46047:7EB890

Apple will undoubtedly release its own patches for the bugs in the near future. However, so far the company hasn't said anything publicly about possible patches or the MOAB project.
Although Fuller formerly worked at Apple and is helping to fix the bugs on his own, he stated that he hasn't heard anything from Apple regarding MOAB or his patching efforts.

I think that the work of the people who are now involved in patching the issues made known by the MOAB project is admirable. The people who launch these "month of bugs" stunts could take a lesson in public service from the example being set. But will they? I doubt it.

=== SPONSOR: Black Hat =========================================

Black Hat security event

Black Hat DC, February 26-March 1 in Washington, DC, is the DC version of Black Hat, the world's premier technical event for IT security experts. Featuring 10 hands-on training courses and 30 Briefings presentations with lots of new content--the best of Black Hat. Network with 300 delegates and see solutions from 10 major sponsors.
http://list.windowsitpro.com/t?ctl=46056:7EB890

=== SECURITY NEWS AND FEATURES =================================

Attacking Vista: From Proof of Concept to Actual Exploit
During the final week of December, a vulnerability was discovered in Windows platforms that affects the Client-Server Runtime Subsystem (CSRSS) service. Then, on the final day of 2006, just in time to ring in the new year, an anonymous person posted a working exploit to the Full Disclosure mailing list.
http://list.windowsitpro.com/t?ctl=46048:7EB890

Cisco Strengthens Mail Offering with IronPort
Cisco will acquire IronPort Systems, which makes a range of appliances that help companies defend themselves against email- and Web-based attacks.
http://list.windowsitpro.com/t?ctl=46049:7EB890

Backup and Recovery Basics
Every business needs a comprehensive data protection plan. David Chernicoff shows you how to begin creating one for your company.
http://list.windowsitpro.com/t?ctl=46044:7EB890

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://list.windowsitpro.com/t?ctl=46040:7EB890

=== SPONSOR: Vizioncore ========================================

esxRanger Professional: Hot Backups for VI3

Still don't have a reliable disaster recovery plan in place? Vizioncore's esxRanger Professional supports a sophisticated, yet cost effective DR strategy for your VMware Infrastructure 3 environment. Restoring entire virtual machine images--or just files--is smooth & seamless. Visit http://list.windowsitpro.com/t?ctl=46051:7EB890 for a trial download today.

=== GIVE AND TAKE ==============================================

SECURITY MATTERS BLOG: At Least 11 Unpatched Vulnerabilities in Microsoft Products
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=4604E:7EB890

Are you aware of the known vulnerabilities for which no patch is available? There are at least 11, and the list is growing. Learn more about them in this blog article.
http://list.windowsitpro.com/t?ctl=4604A:7EB890

FAQ: Start a Program with Elevated Permissions
by John Savill, http://list.windowsitpro.com/t?ctl=4604C:7EB890

Q: How can I easily start a program in elevated permission mode?
Find the answer at http://list.windowsitpro.com/t?ctl=46045:7EB890

FROM THE FORUM: Information Quality During Security Incidents
A forum participant writes that he's seen discrepancies in data collected during various incidents, which can lead to wrong actions being taken. He's curious to hear stories from others about such incidents as well as suggestions about how people handle information quality issues during incidents.
http://list.windowsitpro.com/t?ctl=4603B:7EB890

SHARE YOUR SECURITY TIPS AND GET $100
Share your security-related tips, comments, or problems and solutions in Security Pro VIP's Reader to Reader column. Email your contributions to r2r@private If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

=== PRODUCTS ===================================================
by Renee Munshi, products@private

Secure Remote Access from Handhelds
Positive Networks announced PositivePRO 3.5, the newest version of its secure remote access service, which offers several major improvements, including automatic device detection for easier provisioning, the ability to work on handheld devices such as BlackBerries and phones with a Web browser, and Windows Vista support. The PositivePRO remote access service combines a client-based VPN, a clientless, Web-based Secure Sockets Layer (SSL) VPN, and remote desktop control. PositivePRO supports multiple antivirus products on the client and can prevent a client's access to the network if PositivePRO detects a virus on the client. PositivePRO can also install up-to-date antivirus software on a client that doesn't have it.
For more information, go to http://list.windowsitpro.com/t?ctl=46053:7EB890

WANTED: your reviews of products you've tested and used in production. Send your experiences and ratings of products to whatshot@private and get a Best Buy gift certificate.

=== RESOURCES AND EVENTS =======================================

For more security-related resources, visit http://list.windowsitpro.com/t?ctl=4604B:7EB890

How do you manage security vulnerabilities? If you depend on vulnerability assessments to determine the state of your IT security systems, you can't miss this Web seminar. Special research from Gartner indicates that deeper penetration is needed to augment your existing vulnerability management processes. Learn more today!
http://list.windowsitpro.com/t?ctl=4603D:7EB890

Total Cost of Ownership--TCO--is every executive's favorite buzzword, but what does it really mean and how does it affect you? In this podcast, Ben Smith explains how your organization can use virtualization technology to measurably improve the TCO for servers and clients.
http://list.windowsitpro.com/t?ctl=4603F:7EB890

Protect your users and your network from email-borne threats. This free eBook gives you the knowledge required to understand the real threat that email-borne attacks pose and how to address those attacks in a way that reduces risk while ensuring users aren't impacted. Download it today!
http://list.windowsitpro.com/t?ctl=4603E:7EB890

=== FEATURED WHITE PAPER =======================================

Are you familiar with new government regulations affecting email? Learn about the dozens of issues surrounding the security of email in business today and make sure that your company is in compliance. Download your copy of this must-have white paper today!
http://list.windowsitpro.com/t?ctl=4603C:7EB890

=== ANNOUNCEMENTS ==============================================

Ring in the New Year with SQL Server Magazine
Don't miss SQL Server Magazine in 2007! As a subscriber, you'll have full access to must-have coverage of high availability, SQL Server & Office integration, business intelligence, clustering, reporting services, and much more. Order now and save 58% off the cover price:
http://list.windowsitpro.com/t?ctl=46041:7EB890

Vote for the Next IT Pro of the Month!
Your vote counts! Take the time to reward excellence in a deserving IT pro. The first 100 readers to cast a vote will receive a one-year subscription to Windows IT Pro, compliments of Microsoft. Voting takes only a few seconds, so don't miss out.
Cast your vote now at http://list.windowsitpro.com/t?ctl=46050:7EB890

================================================================

Security UPDATE is brought to you by the Windows IT Pro Web site's Security page (first URL below) and Security Pro VIP (second URL below).
http://list.windowsitpro.com/t?ctl=4604D:7EB890
http://list.windowsitpro.com/t?ctl=46054:7EB890

Subscribe to Security UPDATE at http://list.windowsitpro.com/t?ctl=46043:7EB890

Be sure to add Security_UPDATE@private to your antispam software's list of allowed senders.

To contact us:
About Security UPDATE content -- letters@private
About technical questions -- http://list.windowsitpro.com/t?ctl=46052:7EB890
About your product news -- products@private
About your subscription -- windowsitproupdate@private
About sponsoring Security UPDATE -- salesopps@private

View the Windows IT Pro privacy policy at http://list.windowsitpro.com/t?ctl=46042:7EB890

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2007, Penton Media, Inc. All rights reserved.

_____________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn
This archive was generated by hypermail 2.1.3 : Wed Jan 10 2007 - 22:43:20 PST