AOH :: ISN-2366.HTM

Microsoft Catches Flak for Lack of Vulnerability Disclosure

Microsoft Catches Flak for Lack of Vulnerability Disclosure
Microsoft Catches Flak for Lack of Vulnerability Disclosure

This email newsletter comes to you free and is supported by the 
following advertisers, which offer products and services in which 
you might be interested. Please take a moment to visit these 
advertisers' Web sites and show your support for Security UPDATE. 

Esker Software 


1. In Focus: Microsoft Catches Flak for Lack of Vulnerability 

2. Security News and Features
   - Recent Security Vulnerabilities
   - Novell Acquires e-Security
   - GRISOFT Boosts Its Security Offerings with Acquisition of Ewido
   - New Antiphishing Toolbar Takes an Obvious Approach

3. Security Toolkit
   - Security Matters Blog
   - FAQ
   - Security Forum Featured Thread
   - Share Your Security Tips

4. New and Improved
   - Bring Systems Back in Line

==== Sponsor: Esker Software ===
Align compliance with business efficiency, and learn how fax-document 
management plays a role in your strategy. 

==== 1. In Focus: Microsoft Catches Flak for Lack of Vulnerability Disclosure ===   by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

News stories last week discussed a blog entry (at the URL below) by 
Matthew Murphy of SecuriTeam that hammered Microsoft for what Murphy 
thinks is a lack of adequate vulnerability disclosure. Murphy's beef 
with Microsoft relates to Microsoft Security Bulletin MS06-015--
Vulnerability in Windows Explorer Could Allow Remote Code Execution. In 
a nutshell, Murphy wants Microsoft to offer more details about 
vulnerabilities. (MS06-015 also happens to be the security bulletin 
that proved to be buggy--an update was due to be released yesterday.) 

Many think that Microsoft's disclosure practices border on the silent 
fixing of security issues. It's no secret that in the past Microsoft 
has silently fixed security problems and sometimes has misinformed the 
public about the ramifications of security problems. Microsoft and many 
other companies don't like the publicity related to security problems, 
so they try to keep matters as quiet and calm as possible. 

Granted, each company is free to establish its own policies about 
disclosure and few are forthcoming with complete details in any given 
instance of vulnerability discovery. For example, Apple silently fixes 
security problems and rarely if ever releases any substantial details 
about them. But then people interested in security don't place Apple 
under the same microscope as Microsoft. 

When Microsoft releases a security-related patch, numerous independent 
researchers go to work to analyze the patch to find everything that's 
changed in the related files. If they detect anything that isn't 
documented, the researchers either call Microsoft on the carpet or they 
keep their mouths shut for any of several reasons, including the 
ability to exploit the undocumented bugs in systems that don't have the 
patch installed. Thus the patch could actually aid in the proliferation 
of malware and increase the overall risk of security breaches. 

Of course, Microsoft's disclosure practices have improved over the 
years, but there's still room for improvement, particularly if the 
company expects the masses to more fully buy into the Trustworthy 
Computing ideology. 

Again, we're back to the same old issue of disclosure being a double-
edged sword. While many businesses and researchers have seen fit to 
adopt some form of responsible disclosure in terms of timing the 
release of vulnerability details, another important point of contention 
remains. Microsoft and other companies argue that too much disclosure 
creates a more dangerous network environment. But many security 
researchers contend that not enough disclosure creates a more dangerous 
network environment. Obviously, the situation calls for balance, and I 
think there is balance. However, when the balance tips too far toward 
either perspective, then risk levels increase. 

Here's an interesting thought, even if it's only tangentially related: 
What if software as a service or applications on demand become 
commonplace? Think of a scenario in which you no longer have an OS and 
sundry applications installed on your desktops and servers, but instead 
everything is driven by some hardware-based technology that loads 
everything from a remote location that you don't control. That would 
just about put an end to many aspects of security research, security 
administration, and the disclosure debate, wouldn't it? 

==== Sponsor: Availl ===
Ensure instant access to files at remote servers/offices.
Confused by WAFS, Wide Area Mirroring, DFS, WAN acceleration, or 
Replication technologies? Do you have remote sites with common data or 
file needs? Get a free software trial, and register for the free 

==== 2. Security News and Features ===
Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security 
Alerts, which inform you about recently discovered security 
vulnerabilities. You can also find information about these 
discoveries at 

Novell Acquires e-Security
   With e-Security's Sentinel solution under its wing, Novell says its 
customers will enjoy a more comprehensive view of user, network, and 
application events that will help streamline processes, augment 
compliance monitoring, and cut costs. 

GRISOFT Boosts Its Security Offerings with Acquisition of Ewido
   GRISOFT aims to bolsters its cross-platform antivirus and firewall 
solutions by adding Ewido Networks' award-winning anti-malware 
protection to its suite of offerings. 

New Antiphishing Toolbar Takes an Obvious Approach
   TraceSecurity developed a different and rather obvious approach to 
an antiphishing toolbar. Instead of looking for known phishing sites, 
the free TraceAssure Toolbar searches for legitimate Web sites by 
matching domain names to IP addresses. 

==== Resources and Events ===
How do you ensure that your email system isn't vulnerable to a 
messaging meltdown? In this Web seminar, Exchange guru Paul Robichaux 
tells you what you should do before you have an outage to increase your 
chances of coming out of it smelling like roses. 

Learn the best ways to manage your email security (and fight spam) 
using a variety of solutions and tips. 

Expert Ben Smith describes the benefits of using server virtualization 
to make computers more efficient. Download this exclusive podcast 

Make sure that your DR systems are up to the challenge of a real 
natural disaster by learning from messaging survivors of Hurricanes 
Katrina and Rita. Live Event: Tuesday, May 2 

Ensure that you're being effective with your internal network security. 
Are your DIY options protecting you against worms, BotNets, Trojans, 
and hackers? Make sure! Live Event: Tuesday, May 23 

==== Featured White Paper ===
Examine the risks of allowing unwanted or offensive content into your 
network and learn about the technologies and methodologies to defend 
against inappropriate content, spyware, IM, and P2P. 

==== Hot Spot ===
Try it Free: Access & Control PCs from your USB
   NetOp Remote Control provides the most complete, scalable, and 
secure remote control software available. Access PCs from your desktop, 
PocketPC or USB! NEW On Demand option provides tiny, temporary, 
download with no user installation or firewall configuration and NO per 
session charges. Free evaluation & support. 

==== 3. Security Toolkit ==== 

Security Matters Blog: Rubberhose: A Useful Form of Data Encryption?
by Mark Joseph Edwards, 

Instead of making it glaringly obvious that data is encrypted, 
Rubberhose makes encryption deniable--i.e., supposedly it can't be 
proven that the data is encrypted. This technique might be useful for 
people who, for whatever reasons, can't use other forms of data 
encryption. Learn a bit more about it in this blog article. 

by John Savill, 

Q: Does Microsoft provide a different level of support for applications 
and services running under a VMware virtualization host rather than 
under a Microsoft Virtual Server 2005 virtualization host?

Find the answer at 

Security Forum Featured Thread: Is Someone Trying To Hack Our System?
   A forum participant has Windows 2000 Advanced Server with Terminal 
Services running. In the Security event log, he noticed many instances 
of an event in which someone tries to log on to a system named GARY-
HOME. He has no system with that name, so he wonders whether someone is 
trying to hack into his network. Look at the event log entry he posted 
and join the discussion at 

Share Your Security Tips and Get $100
   Share your security-related tips, comments, or problems and 
solutions in the Windows IT Security print newsletter's 
Reader to Reader column. Email your contributions to If we print your submission, you'll 
get $100. We edit submissions for style, grammar, and length.

==== Announcements ===   (from Windows IT Pro and its partners)

Exclusive Spring Savings
   Subscribe to Windows IT Pro and SAVE 58%! Along with your 12 issues, 
you'll get FREE access to the entire Windows IT Pro online article 
archive, which houses more than 9,000 helpful articles. This is a 
limited-time offer, so order now: 

Save 44% off Windows Scripting Solutions
   For a limited time, order the Windows Scripting Solutions newsletter 
and SAVE up to $80. You'll get 12 helpful issues loaded with expert-
reviewed downloadable code and scripting techniques, as well as 
hundreds of tips on automating repetitive tasks. You'll also get FREE, 
unlimited access to the full online scripting article library (more 
than 500 articles). Subscribe now: 

==== 4. New and Improved === by Renee Munshi, 

Bring Systems Back in Line
   NetPro Computing describes SecurityManager 2.0 as "a significant 
upgrade." SecurityManager 2.0 centralizes policy management and 
enforcement for Active Directory (AD) and file servers. It includes new 
policies for object locking, group membership, separation of duties, 
and external trusts. SecurityManager 2.0 constantly monitors the 
network, so when systems become uncompliant with company standards, the 
software immediately sends an alert and helps remediate the problem. 
For more information about SecurityManager 2.0, go to 

Tell Us About a Hot Product and Get a T-Shirt!
   Have you used a product that changed your IT experience by saving 
you time or easing your daily burden? Tell us about the product, and 
we'll send you a T-shirt if we write about the product in a future 
Windows IT Pro What's Hot column. Send your product suggestions with 
information about how the product has helped you to 

==== Contact Us ==== 

About the newsletter -- 
About technical questions -- 
About product news -- 
About your subscription -- 
About sponsoring Security UPDATE -- 

This email newsletter is brought to you by Windows IT Security, 
the leading publication for IT professionals securing the Windows 
enterprise from external intruders and controlling access for 
internal users. Subscribe today. 

View the Windows IT Pro privacy policy at 

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2006, Penton Media, Inc. All rights reserved.

InfoSec News v2.0 - Coming Soon! 

Site design & layout copyright © 1986-2014 CodeGods