Microsoft Patch Tuesday: Expect 7 Bulletins, 4 Critical

Microsoft plans to release seven security bulletins next week, including patches for critical bugs in Windows, Internet Explorer and Office.

Four of the bulletins address critical vulnerabilities, which is Microsoft’s highest security threat classification.

The other three, according to Microsoft, are rated important, which is the second-highest rating.

While Microsoft said in its Security Bulletin Advance Notification that there will be seven bulletins, there’s no word on how many actual vulnerabilities will be fixed.

This month’s Patch Tuesday comes on October 9, 2007.

Three of the bulletins address flaws in Windows Vista; two of them are critical.

The online advisory also noted that the four critical bulletins all address remote execution problems.

The critical bulletins cover flaws in Office, Windows, the Internet Explorer browser, Outlook Express, and Windows Mail.

One important bulletin deals with a denial-of-service problem in Windows, while another one addresses a Windows flaw that enables spoofing.

The third important bulletin handles an elevation of privileges bug in Windows and Office.

Microsoft Releases SP1 For .Net Micro

Today at the Embedded Systems Conference (ESC) Boston, Microsoft released an update to its .Net Micro Framework 2.0 development platform for embedded systems.

The software features a number of new enhancements to help users build secure and widely compatible applications for resource-constrained environments.

Service Pack 1 includes a utility that facilitates the automated provisioning of mobile devices.

Among other things, Microsoft expects it to be used by equipment makers that want to create customized deployment software for their products.

It also allows them to prevent unsigned firmware or application code from being installed on their devices.

Another new tool in SP1 is built to help generate bitmap fonts for applications, allowing greater flexibility in interface design, Microsoft said.

Microsoft said a number of embedded systems providers have recently announced support for .Net Micro, including:

  • ESC Boston
  • NXP Semiconductors
  • SJJ Embedded Micro Solutions
  • EmbeddedFusion
  • Atmel Corp.

Atmel is porting the .Net Micro Framework onto its ARM9-based microcontroller.

Earlier this year, Microsoft introduced a software development kit for the .Net Micro Framework.

Mobile Security 101

Everyone knows that mobile workers can fall victim to hackers or simple absentmindedness and expose enterprise networks. Security can be a complex subject, but it doesn’t have to be.

Here are a few quick tips with some simple measures you should take to protect your enterprise:

1. Use VPNs: One potential weak link in remote employee communication with back-end systems is the method they use to connect.

Hopping onto the Wi-Fi hotspot at Starbucks or another open public network is asking for trouble.

Using VPNs that require users to authenticate and connect through secure tunnels protects data in transit.

2. Use Strong Passwords: I know, typing in passwords to access your PC or email or files is a pain in the neck, but it’s an easy way to prevent people from breaking in… unless you use “password” as your password.

Be sure to mix up the capital letters and make it mandatory to include a number in there. Another idea is to follow the “something you know, and something you have” mantra.

Require not only a password to log in, but also something like a USB thumb drive with the appropriate software.

This two-step authentication process ensures that even if someone steals your laptop and guesses your password, they won’t be able to log in.

3. Encrypt, encrypt, encrypt: Hard drive encryption is easy with tools such as PointSec, Safeguard, and Safeboot. You can also choose to encrypt individual files to make it even harder for people to break in.

4. Protect Against Removable Storage: Whether it be a thumb drive, MP3 player, or smartphone, mass storage is cheap and easy to carry in and out of any enterprise.

Software is available that prevents even authorized users from downloading files to removable storage.

You can also choose to enforce encryption on removable storage if it is necessary that employees be able to transfer files back and forth.

This way, only approved corporate computers can decrypt the information and access the files downloaded.

5. Beware of Your Neighbors: In confined spaces, such as airplanes, it is often easy to view what people are doing on their laptops.

Since you never know who you’re sitting next to or in front of on an airplane, watch out. Buy a filter or screen protector that prevents others from seeing what you’re doing.

All too often I’ve seen people fire up company spreadsheets that may or may not have contained sensitive data and leave their laptop where others could see it.

Yahoo Issues Messenger Security Fix

Yahoo has issued a patch for its instant messaging client, Yahoo Messenger.

The patch issued Wednesday addresses a buffer overflow vulnerability in an ActiveX control. Users who installed Yahoo Messenger before August 29, 2007 should install the update.

Microsoft’s ActiveX controls can interact with the full Windows operating system, unlike Java applets. This gives them a lot of power and also makes them potentially risky.

iDefense Labs identified the Yahoo Messenger vulnerability:

Exploitation allows attackers to execute arbitrary code with the privileges of the currently logged in user. Users would be required to have a vulnerable version of the target software installed and be lured to a malicious site.

Yahoo issued another security patch for Yahoo Messenger on August 21.

That patch addressed two security issues with the way the software’s Webcam functions work: susceptibility to a denial-of-service attack following a malicious Webcam invitation and a buffer overflow that could lead to the introduction of executable code by an attacker.

Apple’s Brand-New iMacs Get Quick Security Update

One day after Steve Jobs unveiled a redesigned iMac, Apple released a security update for it.

Apple released very little information about the 5.1 MB release, saying only that the security update “provides important bug fixes.”

The company also noted in a short advisory that the fixes are recommended for 20-inch and 24-inch iMac models with 2.0 GHz, 2.4 GHz or 2.8 GHz processors.

Apple did not supply any information on what bugs are being fixed. Hopefully more information will be released. If you have anything to add, let me know in the comments.

The company also issued a new version of its software that is designed to enable Intel-based Macs to run Windows XP.

Still in beta, Boot Camp is billed as letting users install Windows XP or 32-bit Windows Vista without moving their Mac data.

An Apple advisory noted that Boot Camp V1.4 adds updated graphics drivers, an improved driver installer, improved international keyboard support, updated Windows Help and Apple remote pairing.

Information Technology Security 101 Resources

I receive a lot of requests from Geek With Laptop readers, some of my friends and also co-workers for resources that I use in my various talks and presentations on Information Technology Security.

So with that in mind, I figured with the amount of requests I’ve received recently, why not do a post on it?

Below are many books, websites and other resources that will help you get started in IT security:

Recommended Reading

Recommended Tools

  • WireShark – Examine packets (use with “TCP/IP Illustrated”, above)
  • Superscan – Powerful TCP port scanner, pinger, resolver.
  • Nessus and/or Nmap – Vulnerability scanners

Additional Tools

  • Sysinternals – Variety of utilities
  • PGP – Encryption; the documentation is highly recommended and is basically a primer on encryption.

Regulations and Standards

Vulnerability Lists

Local Chapter Organizations

Training Organizations

Some of you might be thinking to yourself “Good grief Sean! That’s a huge list of resources and information!” and yes, you’d be correct.

I thought you might want a little light reading for the weekend.

While the above list is by no means comprehensive, it should serve to give you some idea of the sorts of things involved with Information Technology Security.

Constructive comments, suggestions and additions are always welcome.
