ALERT: How Hackers Use SQL Injection to Steal Your Data
It's as simple as placing additional SQL commands into a Web Form
input box giving hackers complete access to all your backend systems!
Firewalls and IDS will not stop such attacks because SQL Injections are
NOT seen as intruders. Download this *FREE* guide from SPI Dynamics to
check for SQL Injection vulnerabilities.
http://list.windowsitpro.com/t?ctl=43443:886699
=== SECURITY ALERT =============================================
7 Microsoft Security Bulletins for December 2006
by Orin Thomas, orin@windowsitpro.com
Microsoft released seven security updates, three rated critical. Here's
a brief description of each update; for more information, go to
http://list.windowsitpro.com/t?ctl=43444:886699
MS06-072: Cumulative Security Update for Internet Explorer.
This update fixes several vulnerabilities in previous versions of
Microsoft Internet Explorer (IE). A Web site crafted with special code
could have that code executed on the visiting computer. If the locally
logged on user is an administrator, that code will execute with
administrator privileges.
Applies to: All versions of IE 5 and IE 6. Doesn't apply to IE 7.
Recommendation: Microsoft has rated this update as critical. You
should put this patch through an accelerated testing process to ensure
that it doesn't cause other problems and then deploy it immediately.
MS06-073: Vulnerability in Visual Studio 2005 Could Allow Remote Code
Execution.
A vulnerability exists in Visual Studio 2005 that could allow remote
code execution. An exploit for this vulnerability is "out in the wild,"
which is why Microsoft has rated the update as critical.
Applies to: All editions of Visual Studio 2005 except the Express
editions.
Recommendation: Microsoft has rated this update as critical. If your
organization uses Visual Studio 2005, you should put this patch through
an accelerated testing process to ensure that it doesn't cause other
problems and then deploy it immediately.
MS06-074: Vulnerability in SNMP Could Allow Remote Code Execution.
Although the SNMP service isn't installed by default on Windows
computers, a vulnerability exists in the service that could be used by
an attacker to execute code remotely.
Applies to: All versions of Windows.
Recommendation: Microsoft has rated this update as important but not
critical. This means that you should test the update on development
computers thoroughly and deploy it as part of your normal patch
management cycle.
MS06-075: Vulnerability in Windows Could Allow Elevation of Privilege.
This vulnerability allows a locally logged on user with standard
privileges to elevate those privileges to those of an administrator by
running an appropriately crafted application.
Applies to: Windows XP and Windows Server 2003.
Recommendation: Microsoft has rated this update as important but not
critical. This means that you should test the update on development
computers thoroughly and deploy it as part of your normal patch
management cycle.
MS06-076: Cumulative Security Update for Outlook Express.
This update fixes a possible remote code execution problem in
Microsoft Outlook Express. Exploiting the problem requires user
interaction: the user must grant permission before the exploit can work.
Applies to: All versions of Outlook Express.
Recommendation: Microsoft has rated this update as important but not
critical. This means that you should test the update on development
computers thoroughly and deploy it as part of your normal patch
management cycle.
MS06-077: Vulnerability in Remote Installation Service Could Allow
Remote Code Execution.
The Remote Installation Service (RIS) is used to deploy software
from a central server to clients in an Active Directory (AD)
environment. A vulnerability in this service could allow an attacker to
gain access to a client through this service.
Applies to: Windows 2000 Service Pack 4 (SP4).
Recommendation: Microsoft has rated this update as important but not
critical. This means that you should test the update on development
computers thoroughly and deploy it as part of your normal patch
management cycle.
MS06-078: Vulnerability in Windows Media Format Could Allow Remote Code
Execution.
This update relates to a problem with Windows Media Format. An
attacker could send a media file that promises humorous video but also
carries code that will allow the attacker to take over the subject's
computer. The attacker might not be the person who forwards the media,
but relies on others, unaware of the media's extra content, to forward
it to their friends.
Applies to: All versions of Windows.
Recommendation: Microsoft has rated this update as critical. You
should put this patch through an accelerated testing process to ensure
that it doesn't cause other problems and then deploy it immediately.
Remind users of the risk of opening non-work-related attachments no
matter how humorous or interesting they might seem.
================================================================
Security UPDATE is brought to you by the Windows IT Pro Web site's
Security page (first URL below) and the Windows IT Security newsletter
(subscribe at the second URL below).
http://list.windowsitpro.com/t?ctl=43448:886699
http://list.windowsitpro.com/t?ctl=43445:886699
Subscribe to Security UPDATE at
http://list.windowsitpro.com/t?ctl=43447:886699
Unsubscribe by clicking
http://list.windowsitpro.com/u?id=4160B336D0B60CB1B646611E531F1827
Be sure to add Security_UPDATE@list.windowsitpro.com
to your antispam software's list of allowed senders.
To contact us:
About Security UPDATE content -- letters@windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=43449:886699
About your product news -- products@windowsitpro.com
About your subscription -- windowsitproupdate@windowsitpro.com
About sponsoring Security UPDATE -- salesopps@windowsitpro.com
View the Windows IT Pro privacy policy at
http://list.windowsitpro.com/t?ctl=43446:886699
Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department
Copyright 2006, Penton Media, Inc. All rights reserved.