Forwarded with permission from: Security UPDATE <Security_UPDATE (at) list.windowsitpro.com>

PLEASE VISIT OUR SPONSORS, WHO BRING YOU SECURITY UPDATE FOR FREE:

ALERT: "How A Hacker Launches A Cross-Site Scripting Attack" White Paper
http://list.windowsitpro.com/t?ctl=5AE11:57B62BBB09A69279F588102EB0E41E1B

Replication in the VMware Environment
http://list.windowsitpro.com/t?ctl=5AE0D:57B62BBB09A69279F588102EB0E41E1B

Automated GLBA Security Compliance: Free Report
http://list.windowsitpro.com/t?ctl=5AE23:57B62BBB09A69279F588102EB0E41E1B

=== CONTENTS ===================================================

IN FOCUS: Numerous Bugs in Safari 3.0 for Windows Beta

NEWS AND FEATURES
- Three Botnet Operators Arrested
- SonicWALL to Expand Offerings with Aventail Acquisition
- Recent Security Vulnerabilities

GIVE AND TAKE
- Security Matters Blog: Phishers Using Wildcard DNS
- FAQ: Mapping Accounts to Services
- Share Your Security Tips

PRODUCTS
- A Managed Service for Security and Systems Management
- Product Evaluations from the Real World

RESOURCES AND EVENTS

FEATURED WHITE PAPER

ANNOUNCEMENTS

=== SPONSOR: SPI Dynamics ======================================

ALERT: "How A Hacker Launches A Cross-Site Scripting Attack" White Paper
Cross-site scripting vulnerabilities in web apps allow hackers to compromise confidential information, steal cookies, and create requests that can be mistaken for those of a valid user! Download this *FREE* white paper from SPI Dynamics for a complete guide to protection!
http://list.windowsitpro.com/t?ctl=5AE11:57B62BBB09A69279F588102EB0E41E1B

=== IN FOCUS: Numerous Bugs in Safari 3.0 for Windows Beta =====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Browser vulnerabilities are serious business.
Windows administrators already have to contend with Microsoft Internet Explorer (IE) bugs flying out of the woodwork nearly faster than Microsoft can fix them, Mozilla Firefox bugs appearing at a lesser rate, and of course bugs in the Opera browser. If that isn't enough to keep up with, we're about to see another browser and its inevitable security vulnerabilities added to the mix.

Apple recently released a beta version of Safari 3.0.1 for Windows (see the first URL below). Security researchers immediately began banging away at it looking for vulnerabilities, and they've already struck pay dirt. A torrent of newfound vulnerabilities is now raining down upon Safari.
http://list.windowsitpro.com/t?ctl=5AE22:57B62BBB09A69279F588102EB0E41E1B

Writing in his company blog (at the URL below), Dave Maynor of Errata Security said, "We found a total of six bugs in an afternoon, 4 [of which lead to] denial of service and two [that allow] remote code execution." Maynor added that while he did test the beta for Windows, the bugs also exist in a production version of Safari for OS X. Maynor also said that he has "weaponized" one of the bugs into a working exploit.
http://list.windowsitpro.com/t?ctl=5AE1C:57B62BBB09A69279F588102EB0E41E1B

Maynor isn't alone in his discoveries. Aviv Raff also put Safari through a hammering. Raff said that "I wasn't surprised to get a nice crash a few minutes later." What Raff discovered was a memory corruption problem, which can often lead to remote exploits. See the URL below for details.
http://list.windowsitpro.com/t?ctl=5AE28:57B62BBB09A69279F588102EB0E41E1B

Two more researchers, "jsz" and "Trancer," discovered a Denial of Service (DoS) exploit, which you can read about at the first URL below. Tom Ferris said he found 10 vulnerabilities (at the second URL below) but didn't elaborate. He's holding them until the browser is released.
http://list.windowsitpro.com/t?ctl=5AE0E:57B62BBB09A69279F588102EB0E41E1B
http://list.windowsitpro.com/t?ctl=5AE10:57B62BBB09A69279F588102EB0E41E1B

Robert Swiecki discovered a spoofing vulnerability in the first beta release (see the first URL below) that has been fixed in the Safari 3.0.1 beta. And Thor Larholm discovered "a fully functional command execution vulnerability, triggered without user interaction simply by visiting a web site." See the second URL for information on that problem. I'm sure there are other Safari 3.0.1 vulnerabilities that I haven't learned about yet.
http://list.windowsitpro.com/t?ctl=5AE21:57B62BBB09A69279F588102EB0E41E1B
http://list.windowsitpro.com/t?ctl=5AE12:57B62BBB09A69279F588102EB0E41E1B

Like Microsoft, which attempts to write applications that are "secure by design," Apple boasts that it "designed Safari to be secure from day one." But as the flurry of vulnerabilities shows, Apple's contention doesn't hold water. Because Apple has reacted rather harshly (and sometimes with media spin) to a few previous incidents of reported security problems, some researchers, such as Maynor and Ferris, have little if any intention of notifying Apple up front about the details of their discoveries. Although Apple has already plugged a few of the holes mentioned in this article, I'm still almost certain that we're going to see a lot of zero-day exploits against Safari. As is often said in the security industry, "You've been warned."

=== SPONSOR: Double-Take Software ==============================

Replication in the VMware Environment
When recoverability matters, ensure you can protect and recover business-critical data and applications. This document describes how VMware software can be used to provide solutions for challenging high availability and disaster recovery problems by leveraging real-time data replication and virtualization technologies to create cost-effective, simplified disaster recovery architectures.
http://list.windowsitpro.com/t?ctl=5AE0D:57B62BBB09A69279F588102EB0E41E1B

=== SECURITY NEWS AND FEATURES =================================

Three Botnet Operators Arrested
The FBI revealed that it has arrested three people who allegedly built and managed botnets.
http://list.windowsitpro.com/t?ctl=5AE1A:57B62BBB09A69279F588102EB0E41E1B

SonicWALL to Expand Offerings with Aventail Acquisition
SonicWALL will gain new SSL VPN features and functionality through its planned acquisition of Aventail.
http://list.windowsitpro.com/t?ctl=5AE1B:57B62BBB09A69279F588102EB0E41E1B

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://list.windowsitpro.com/t?ctl=5AE13:57B62BBB09A69279F588102EB0E41E1B

=== SPONSOR: Qualys ============================================

Automated GLBA Security Compliance: Free Report
Compliance and knowledge of every aspect of the GLBA is mandatory. Through web services, on-demand security is automated and immediate compliance to the GLBA safeguard guidelines is achieved. Learn how comprehensive GLBA compliance is managed through internal and external audits.
http://list.windowsitpro.com/t?ctl=5AE23:57B62BBB09A69279F588102EB0E41E1B

=== GIVE AND TAKE ==============================================

SECURITY MATTERS BLOG: Phishers Using Wildcard DNS
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=5AE20:57B62BBB09A69279F588102EB0E41E1B

Wildcard DNS is a handy feature, and phishers are apparently using it to bypass filtering.
http://list.windowsitpro.com/t?ctl=5AE0F:57B62BBB09A69279F588102EB0E41E1B

FAQ: Mapping Accounts to Services
by John Savill, http://list.windowsitpro.com/t?ctl=5AE1E:57B62BBB09A69279F588102EB0E41E1B

Q: What is a Service Principal Name (SPN) mapping?
Find the answer at http://list.windowsitpro.com/t?ctl=5AE19:57B62BBB09A69279F588102EB0E41E1B

SHARE YOUR SECURITY TIPS AND GET $100
Share your security-related tips, comments, or problems and solutions in Security Pro VIP's Reader to Reader column. Email your contributions to r2r@private. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

=== PRODUCTS ===================================================
by Renee Munshi, products@private

A Managed Service for Security and Systems Management
Vigilar announced the availability of ATLAS, a managed service for security and systems management. ATLAS offers five modules, which can be purchased separately or as a group. The Log Management Service Module audits all system and application components for compliance with regulations. The Authentication Management Module administers "various authentication platforms, implementing and managing customer's user accounts for various applications." The System Maintenance Module provides automated patch management and health checks. The Asset and License Management Module tracks IT asset and license data, and the Technical Support Concierge Module provides help desk functions. For more information, go to
http://list.windowsitpro.com/t?ctl=5AE27:57B62BBB09A69279F588102EB0E41E1B

PRODUCT EVALUATIONS FROM THE REAL WORLD
Share your product experience with your peers. Have you discovered a great product that saves you time and money? Do you use something you wouldn't wish on anyone? Tell the world! If we publish your opinion, we'll send you a Best Buy gift card! Send information about a product you use and whether it helps or hinders you to whatshot@private

=== RESOURCES AND EVENTS =======================================
For more security-related resources, visit http://list.windowsitpro.com/t?ctl=5AE1D:57B62BBB09A69279F588102EB0E41E1B

Discover a wealth of information about how to protect and secure your data in the event of a disaster.
You might not be able to predict what kind of disaster you will face, but you can be prepared with a solid response when one strikes. Disaster can strike anywhere, so make sure you're ready when it does.
http://list.windowsitpro.com/t?ctl=5AE14:57B62BBB09A69279F588102EB0E41E1B

Having customers depend on your IT services in order to communicate, purchase, or manage orders is great for your business. But what happens when your applications or Web sites become unavailable? Download this free white paper and learn how to eliminate application downtime and ensure the continuity of your business.
http://list.windowsitpro.com/t?ctl=5AE0A:57B62BBB09A69279F588102EB0E41E1B

This Web seminar explains how to ensure that your organization gets the most out of its log management investment, the key requirements and architectural differences to consider, and the caveats and risks to watch for as you spec out your requirements and design.
http://list.windowsitpro.com/t?ctl=5AE0B:57B62BBB09A69279F588102EB0E41E1B

=== FEATURED WHITE PAPER =======================================
Learn how Symantec and IBM deliver a comprehensive archiving solution for email, files, instant messages, databases, and VoIP, as well as many other document formats, while helping you reduce storage costs and simplify management. Understand the challenges surrounding an Exchange environment and the Symantec and IBM capabilities to solve them.
http://list.windowsitpro.com/t?ctl=5AE0C:57B62BBB09A69279F588102EB0E41E1B

=== ANNOUNCEMENTS ==============================================

Scripting Pro VIP--Just Download and Run
Scripting Pro VIP is an online resource that delivers in-depth articles (and downloadable code) every week on topics such as ADSI and ADO. Subscribers also receive tips, cautionary advice, direct access to our editors, and a host of other unique benefits! Order now at an exclusive charter rate and save up to $50!
http://list.windowsitpro.com/t?ctl=5AE16:57B62BBB09A69279F588102EB0E41E1B

Special Invitation for VIP Access
Become a VIP subscriber and get continuous, inside access to all the content published in Windows IT Pro, SQL Server Magazine, Exchange & Outlook Pro VIP, Scripting Pro VIP, and Security Pro VIP. Subscribe now at:
http://list.windowsitpro.com/t?ctl=5AE15:57B62BBB09A69279F588102EB0E41E1B

================================================================

Security UPDATE is brought to you by the Windows IT Pro Web site's Security page (first URL below) and Security Pro VIP (second URL below).
http://list.windowsitpro.com/t?ctl=5AE1F:57B62BBB09A69279F588102EB0E41E1B
http://list.windowsitpro.com/t?ctl=5AE26:57B62BBB09A69279F588102EB0E41E1B

Subscribe to Security UPDATE at
http://list.windowsitpro.com/t?ctl=5AE18:57B62BBB09A69279F588102EB0E41E1B

Be sure to add Security_UPDATE@private to your antispam software's list of allowed senders.

To contact us:
About Security UPDATE content -- letters@private
About technical questions -- http://list.windowsitpro.com/t?ctl=5AE24:57B62BBB09A69279F588102EB0E41E1B
About your product news -- products@private
About your subscription -- windowsitproupdate@private
About sponsoring Security UPDATE -- salesopps@private

View the Windows IT Pro privacy policy at
http://list.windowsitpro.com/t?ctl=5AE17:57B62BBB09A69279F588102EB0E41E1B

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2007, Penton Media, Inc. All rights reserved.

_____________________________________________________
Attend Black Hat USA, July 28-August 2 in Las Vegas, the world's premier technical event for ICT security experts. Featuring 30 hands-on training courses and 90 Briefings presentations with lots of new content and new tools. Network with 4,000 delegates from 70 nations. Visit product displays by 30 top sponsors in a relaxed setting. Rates increase on June 1 so register today.
http://www.blackhat.com
This archive was generated by hypermail 2.1.3 : Thu Jun 21 2007 - 00:19:33 PDT