[ISN] Month of Apple Patches

From: InfoSec News (alerts@private)
Date: Wed Jan 10 2007 - 22:35:05 PST

Forwarded from: Security UPDATE <Security_UPDATE (at) list.windowsitpro.com>


Give viruses admin rights to your computer 

Black Hat security event

esxRanger Professional: Hot Backups for VI3

=== CONTENTS ===================================================

IN FOCUS: Month of Apple Patches

   - Attacking Vista: From Proof of Concept to Actual Exploit
   - Cisco Strengthens Mail Offering with IronPort
   - Backup and Recovery Basics
   - Recent Security Vulnerabilities

   - Security Matters Blog: At Least 11 Unpatched Vulnerabilities in 
Microsoft Products
   - FAQ: Start a Program with Elevated Permissions
   - From the Forum: Information Quality During Security Incidents
   - Share Your Security Tips

   - Secure Remote Access from Handhelds
   - Wanted: Your Reviews of Products 

=== SPONSOR: Byte Crusher ======================================

Give viruses admin rights to your computer 
   Sounds crazy, doesn't it? But if you run Windows XP as an 
Administrator, this is exactly what you are doing every time you touch 
the Internet. You locked the door but forgot to close it. WindowZones 
can dynamically remove Administrator rights from Internet applications 
such as web browsers and email clients. Say "Access Denied!" to 
Internet threats with WindowZones. 

=== IN FOCUS: Month of Apple Patches ===========================
   by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Recently, someone announced that a new Apple-related security bug would 
be posted every day for the month of January (see the URL below). The 
stunt comes on the heels of other such projects, dubbed Month of Kernel 
Bugs and Month of Browser Bugs. There was also a proposed Month of 
Oracle Database Bugs, but that stunt never came to fruition. 

You might have read my recent Security Matters blog article in which I 
questioned whether this relatively new "month of bugs" trend is 
stupendous or just plain stupid. If you missed it, you can read it at 
the URL below.

The problem I see with these events is that they place millions of 
computer users at severe risk. The alleged motives for launching these 
events vary, but it seems to me that they're primarily publicity stunts 
designed to draw attention to the operators of the events. If that 
weren't the case, then the bug publicists would at least post their 
bugs anonymously. Furthermore, if they really cared about the overall 
effects of their bug reports, they'd be more responsible with their 
disclosure methods instead of leaving people vulnerable while vendors 
scramble to fix the bugs. 

At least some people out there have a conscience. In response to the 
recent launch of the Month of Apple Bugs (MOAB) comes the cavalry 
riding to the rescue, led by Landon Fuller, former Apple engineer.

Fuller found out about MOAB and decided that it would be a good 
exercise and public service to fix the bugs while waiting for official 
fixes from Apple. So day by day, as the new bugs are posted, Fuller 
works to find ways to fix them and subsequently releases patches. 

In addition to Fuller's work, William Carrel stepped in to set up a 
MOAB Fixes group at Google where MOAB patch coordination is taking 
place. There you can find open discussion along with the patches 
released so far. The group is accessible at the URL below.

Apple will undoubtedly release its own patches for the bugs in the near 
future. However, so far the company hasn't said anything publicly about 
possible patches or the MOAB project. Although Fuller formerly worked 
at Apple and is helping to fix the bugs on his own, he stated that he 
hasn't heard anything from Apple regarding MOAB or his patching 

I think that the work of the people who are now involved in patching 
the issues made known by the MOAB project is admirable. The people who 
launch these "month of bugs" stunts could take a lesson in public 
service from the example being set. But will they? I doubt it. 

=== SPONSOR: Black Hat =========================================

Black Hat security event
   Black Hat DC, February 26-March 1 in Washington, DC, is the DC 
version of Black Hat, the world's premier technical event for IT 
security experts. Featuring 10 hands-on training courses and 30 
Briefings presentations with lots of new content--the best of Black 
Hat. Network with 300 delegates and see solutions from 10 major 

=== SECURITY NEWS AND FEATURES =================================

Attacking Vista: From Proof of Concept to Actual Exploit
   During the final week of December, a vulnerability was discovered in 
Windows platforms that affects the Client-Server Runtime Subsystem 
(CSRSS) service. Then, on the final day of 2006, just in time to ring 
in the new year, an anonymous person posted a working exploit to the 
Full Disclosure mailing list.

Cisco Strengthens Mail Offering with IronPort
   Cisco will acquire IronPort Systems, which makes a range of 
appliances that help companies defend themselves against email- and 
Web-based attacks. 

Backup and Recovery Basics
   Every business needs a comprehensive data protection plan. David 
Chernicoff shows you how to begin creating one for your company.

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security 
Alerts, which inform you about recently discovered security 
vulnerabilities. You can also find information about these 
discoveries at

=== SPONSOR: Vizioncore ========================================

esxRanger Professional: Hot Backups for VI3
   Still don't have a reliable disaster recovery plan in place?
   Vizioncore's esxRanger Professional supports a sophisticated, yet 
cost effective DR strategy for your VMware Infrastructure 3 
environment. Restoring entire virtual machine images--or just files--is 
smooth & seamless. Visit http://list.windowsitpro.com/t?ctl=46051:7EB890
for a trial download today.

=== GIVE AND TAKE ==============================================

SECURITY MATTERS BLOG: At Least 11 Unpatched Vulnerabilities in 
Microsoft Products 
   by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=4604E:7EB890

Are you aware of the known vulnerabilities for which no patch is 
available? There are at least 11, and the list is growing. Learn more 
about them in this blog article. 

FAQ: Start a Program with Elevated Permissions
   by John Savill, http://list.windowsitpro.com/t?ctl=4604C:7EB890 

Q: How can I easily start a program in elevated permission mode?

Find the answer at

FROM THE FORUM: Information Quality During Security Incidents
   A forum participant writes that he's seen discrepancies in data 
collected during various incidents, which can lead to wrong actions 
being taken. He's curious to hear stories from others about such 
incidents as well as suggestions about how people handle information 
quality issues during incidents.

SHARE YOUR SECURITY TIPS
   Share your security-related tips, comments, or problems and 
solutions in Security Pro VIP's Reader to Reader column. Email your 
contributions to r2r@private. If we print your submission, 
you'll get $100. We edit submissions for style, grammar, and length.

=== PRODUCTS ===================================================
   by Renee Munshi, products@private

Secure Remote Access from Handhelds
   Positive Networks announced PositivePRO 3.5, the newest version of 
the secure remote access service, which offers several major 
improvements, including automatic device detection for easier 
provisioning, the ability to work on handheld devices such as 
BlackBerries and phones with a Web browser, and Windows Vista support. 
The PositivePRO remote access service combines a client-based VPN, a 
clientless, Web-based Secure Sockets Layer (SSL) VPN, and remote 
desktop control. PositivePRO supports multiple antivirus products on 
the client and can prevent a client's access to the network if 
PositivePRO detects a virus on the client. PositivePRO can also install 
up-to-date antivirus software on a client that doesn't have it. For 
more information, go to

WANTED: your reviews of products you've tested and used in 
production. Send your experiences and ratings of products to 
whatshot@private and get a Best Buy gift certificate.

=== RESOURCES AND EVENTS =======================================
   For more security-related resources, visit

How do you manage security vulnerabilities? If you depend on 
vulnerability assessments to determine the state of your IT security 
systems, you can't miss this Web seminar. Special research from Gartner 
indicates that deeper penetration is needed to augment your existing 
vulnerability management processes. Learn more today! 

Total Cost of Ownership--TCO--is every executive's favorite buzzword, 
but what does it really mean and how does it affect you? In this 
podcast, Ben Smith explains how your organization can use 
virtualization technology to measurably improve the TCO for servers and 

Protect your users and your network from email-borne threats. This free 
eBook gives you the knowledge required to understand the real threat 
that email-borne attacks pose and how to address those attacks in a way 
that reduces risk while ensuring users aren't impacted. Download it 

=== FEATURED WHITE PAPER =======================================

Are you familiar with new government regulations affecting email? Learn 
about the dozens of issues surrounding the security of email in 
business today and make sure that your company is in compliance. 
Download your copy of this must-have white paper today! 

=== ANNOUNCEMENTS ==============================================

Ring in the New Year with SQL Server Magazine 
   Don't miss SQL Server Magazine in 2007! As a subscriber, you'll have 
full access to must-have coverage of high availability, SQL Server & 
Office integration, business intelligence, clustering, reporting 
services, and much more. Order now and save 58% off the cover price:  

Vote for the Next IT Pro of the Month! 
   Your vote counts! Take the time to reward excellence in a deserving 
IT pro. The first 100 readers to cast a vote will receive a one-year 
subscription to Windows IT Pro, compliments of Microsoft. Voting takes 
only a few seconds, so don't miss out. Cast your vote now at 


Security UPDATE is brought to you by the Windows IT Pro Web site's 
Security page (first URL below) and Security Pro VIP (second URL 

Subscribe to Security UPDATE at

Be sure to add Security_UPDATE@private 
to your antispam software's list of allowed senders.

To contact us: 
   About Security UPDATE content -- letters@private
   About technical questions -- http://list.windowsitpro.com/t?ctl=46052:7EB890
   About your product news -- products@private
   About your subscription -- windowsitproupdate@private
   About sponsoring Security UPDATE -- salesopps@private

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2007, Penton Media, Inc. All rights reserved.

This archive was generated by hypermail 2.1.3 : Wed Jan 10 2007 - 22:43:20 PST