SANS Internet Storm Center logs a chilling tale of a new piece of maliciousness out there infecting Windows, not yet detected by any virus detectors: A malware jungle, (Tue, Jun 6th). “Detection We got an interesting piece of malware from one of our readers, Robert. Robert detected one …”
Archive | Security
Security is not a feature; it’s a process. Notes on issues, patches and essays on security.
Skype hole discovered and patched
Computerworld Breaking News reports Aussie firm finds hole in Skype client install. “Australian security firm Security-Assessment.com Ltd. has discovered a flaw in the install of the Windows-based Skype Ltd. client.”
Skype has issued an update they claim patches the problem. Get patching!
Symantec patches AntiVirus Corporate Edition
SANS Internet Storm Center posts Symantec Patch Posted, (Sat, May 27th). “Symantec has just posted patches for the Security Advisory SYM06-010.” Note that these patches seem to be for the Corporate Edition of Symantec’s anti-virus tool. Get patching!
Problematic PostgreSQL patch
Computerworld Breaking News notes PostgreSQL fix could break applications. “PostgreSQL users have been put in a potentially sticky situation by a security flaw made public this week. The hole allows for SQL injection attacks, and affects all unpatched versions of PostgreSQL. The fix breaks many users' applications.” Ouch. A cure worse than the disease?
AT&T shares their secrets with the world
Slashdot post AT&T Accidentally Leaks NSA Suit Information. op12 writes “CNET has an article describing how AT&T accidentally leaked sensitive information involving the NSA lawsuit. From the article: 'AT&T's attorneys this week filed a 25-page legal brief striped with thick black lines that were intended to obscure portions of three pages and render them unreadable. But the obscured text nevertheless can be copied and pasted inside some PDF readers, including Preview under Apple's OS X and the xpdf utility used with X11.'”
Boy, I'm sure glad AT&T isn't protecting any of my private information, like the Veteran's Administration or Acxiom or CardSystems.
The article goes on to say, “The deleted portions of the legal brief seek to offer benign reasons why AT&T would allegedly have a secret room at its downtown San Francisco switching center that would be designed to monitor Internet and telephone traffic. The Electronic Frontier Foundation, which filed the class action lawsuit in January, alleges that room is used by an unlawful National Security Agency surveillance program.”
Here's the Wired article on the “secret room.”
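The failure above is a cosmetic redaction: a black rectangle is painted over the text, but the text stays in the page's content stream. As an added example (not from the Slashdot or CNET pieces), the script below builds a tiny single-page PDF with a constructed sample phrase, "redacts" it the cosmetic way, and runs the check a reviewer should run before filing: extract the strings from the content streams and confirm the sensitive phrase is gone. The extractor is deliberately minimal (uncompressed streams, `Tj` operands only) and is an assumption for illustration, not a full PDF parser.

```python
import re

# Constructed sample phrase; not text from the actual brief.
SECRET = "sample sensitive sentence"


def build_pdf(text: str, cover: bool) -> bytes:
    """Build a minimal single-page PDF that draws `text`.
    With cover=True a filled black rectangle is painted over it,
    mimicking a cosmetic redaction that leaves the text in the stream."""
    content = f"BT /F1 12 Tf 72 700 Td ({text}) Tj ET\n"
    if cover:
        content += "0 g 70 695 260 16 re f\n"   # black box over the text
    objs = [
        "<< /Type /Catalog /Pages 2 0 R >>",
        "<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        "<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        "/Contents 4 0 R /Resources << /Font << /F1 5 0 R >> >> >>",
        f"<< /Length {len(content)} >>\nstream\n{content}endstream",
        "<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    out, offsets = "%PDF-1.4\n", []
    for num, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += f"{num} 0 obj\n{body}\nendobj\n"
    xref = len(out)
    out += f"xref\n0 {len(objs) + 1}\n0000000000 65535 f \n"
    out += "".join(f"{o:010d} 00000 n \n" for o in offsets)
    out += (f"trailer\n<< /Size {len(objs) + 1} /Root 1 0 R >>\n"
            f"startxref\n{xref}\n%%EOF\n")
    return out.encode("latin-1")


def extract_strings(pdf: bytes) -> list[str]:
    """Return the string operands of every Tj in uncompressed content streams.
    Assumption: a real checker would also inflate /FlateDecode streams and
    handle TJ arrays, but this is enough to show the leak."""
    found = []
    for stream in re.findall(rb"stream\n(.*?)endstream", pdf, re.S):
        found += [s.decode("latin-1")
                  for s in re.findall(rb"\((.*?)\)\s*Tj", stream)]
    return found


def redaction_leaks(pdf: bytes, secret: str) -> bool:
    """True if the supposedly redacted phrase is still recoverable as text."""
    return any(secret in s for s in extract_strings(pdf))
```

The same check applied to a document where the text was actually removed (replaced before rendering rather than painted over) comes back clean, which is the only outcome that should pass review.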
GROKLAW
GROKLAW quoting a source at Stanford Law, reports: “The Court also held that the website editors were journalists entitled to claim California’s Journalist Shield…” Yes! Freedom of the Press belongs to WordPress, too!
Microsoft Patches 3 vulnerabilities: Flash (!), Exchange, DTS
InfoWorld reports “Microsoft released one critical security update for its Exchange messaging server and two security updates for Windows on Tuesday, one of which was critical… In Microsoft’s rating system, a critical vulnerability means it could allow unauthorized software to be installed without user action… The third patch released Tuesday fixes two vulnerabilities in Windows rated as “moderate,” Microsoft said… More information and Microsoft’s monthly security bulletin can be found at its Web site.”
Funny, I would not have thought that Adobe Flash was a product MSFT would be responsible for patching, but it appears they shipped it in some of their components. Watch out for the Exchange patch – SANS Internet Storm Center is reporting it cripples Blackberries using the Blackberry Enterprise Server.
MS06-018, 019 and 020 ship this week. It’s the 19th week of the year.
Limited User Access bugs
Garrett Fitzgerald blogs: “I noticed that Aaron Margosis had stopped blogging, but I missed that he had started back up. He has a list of ways to fix or work around bugs involving not running as Admin starting here and going forward for a couple of posts. Aaron is the creator of MakeMeAdmin, which is a little script that makes it easier to run with limited access.”
With the rampant security problems Windows has been experiencing, I reconfigured my development machine into a Least Privileged User configuration over a year ago. It’s a pain, and some applications just fall apart, especially with installing modules or updates. “Run As…” solves the problem in some cases, but others are a lot more difficult. The Linux/Unix/OSX model of security rights seems to map more easily into these situations than the “only one user is logged on” mentality of Windows. I’ll have to check out Aaron’s utilities to see if they can help bridge the gap.
Vista loses another feature
OSNews reports RSA: Microsoft To Shelve Token Support in Vista. “Microsoft has shelved plans to include built-in support for RSA Security’s tokens in Windows Vista, even though the company has been testing out the authentication technology for almost two years. In February 2004, Microsoft Chairman Bill Gates said that Windows would be able to support easy integration with RSA’s popular SecurID tokens. That meant businesses would find it far easier to deploy a two-factor authentication system for logging on to networks and applications. However, almost two years after the SecurID beta-testing program kicked off, RSA’s chief executive, Art Coviello, disclosed that Windows Vista will not natively support the technology.”
So, there were features left in Vista! Good thing Microsoft found them and removed them before shipping!
A sign of changing times
Netcraft notes that “Apache has overtaken Microsoft as the leading developer of secure web servers. Apache now runs on 44.0% of secure web sites, compared to 43.8% for Microsoft.” Yet another sign of the tide turning. Interesting article with several trends explaining the shift, and a great graph. Read the entire article here.