Wednesday, August 08, 2007

Here Comes Mozilla's Fuzzer

PLEASE VISIT OUR SPONSORS, WHO BRING YOU SECURITY UPDATE FOR FREE:

Automating System Performance and Reliability

http://list.windowsitpro.com/t?ctl=61848:4160B336D0B60CB1EA517858EB54C0F5

Automated GLBA Security Compliance: Free Report

http://list.windowsitpro.com/t?ctl=6185C:4160B336D0B60CB1EA517858EB54C0F5

ALERT: "How A Hacker Launches A Cross-Site Scripting Attack" White
Paper

http://list.windowsitpro.com/t?ctl=6184A:4160B336D0B60CB1EA517858EB54C0F5


=== CONTENTS ===================================================

IN FOCUS: Here Comes Mozilla's Fuzzer

NEWS AND FEATURES
- A Reporter Becomes the Story at DEFCON
- Apple Pounces on Hacked iPhones
- Seagate's Encrypted Laptop Disk Wins NIST Approval
- Recent Security Vulnerabilities

GIVE AND TAKE
- Security Matters Blog: Total OS Encryption on Ubuntu Linux
- FAQ: Windows Recovery Environment Explained
- From the Forum: Remote Network Bandwidth Monitoring?
- Share Your Security Tips
- Microsoft Learning Paths for Security: Learn How to Protect Your
Sensitive Data from Malware

PRODUCTS
- One Console to Manage Email and Web Policy
- Two "Connectors" Aid Email Discovery
- Product Evaluations from the Real World

RESOURCES AND EVENTS

FEATURED WHITE PAPER

ANNOUNCEMENTS


=== SPONSOR: Diskeeper =========================================

Automating System Performance and Reliability
File fragmentation is a serious problem. As a disk gets more
fragmented the workload on the operating system and hardware increases.
It becomes more difficult for applications to read and write data, file
corruption becomes a distinct possibility, the user experience is
negatively affected due to system performance issues, and the
reliability of the computer is endangered. In this whitepaper we will
look at the impact of disk defragmentation on your users.

http://list.windowsitpro.com/t?ctl=61848:4160B336D0B60CB1EA517858EB54C0F5


=== IN FOCUS: Here Comes Mozilla's Fuzzer =============
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

At last week's Black Hat conference in Las Vegas, representatives of
Mozilla Foundation announced that they would release a JavaScript-based
fuzzer tool to the public.

If you aren't familiar with fuzzers, they feed an application large
volumes of automatically generated input (random, malformed, or
deliberately odd data and code) and watch for crashes, hangs, and other
misbehavior that point to bugs. Fuzzers exist for all sorts of targets.
Mozilla's fuzzer is designed specifically to look for bugs in JavaScript
engines: it generates random JavaScript functions that may or may not be
syntactically valid and feeds them to the engine to see whether it
parses, compiles, and runs them consistently or falls over.
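To make the description above concrete, here is a miniature grammar-based JavaScript fuzzer written for this newsletter as an added example. It is not Mozilla's jsparsefuzz.js or jsfunfuzz.js and shares no code with them; the grammar, the mutation step, the check names, and the function names (genStmt, mutate, testProgram, runCampaign) are all my own, and it assumes a Node.js host so that the engine under test is simply the one running the script. It builds random function bodies from a small grammar, corrupts a fraction of them so they are no longer valid, and flags the kinds of inconsistencies a JS-engine fuzzer looks for: a parse that is not deterministic, a compile failure that is not a SyntaxError, or a function whose own toString() output the engine refuses to re-parse.

```javascript
// Added example: a tiny grammar-based JavaScript fuzzer, not Mozilla's jsfunfuzz.
// Assumes a Node.js host; the engine under test is the one running this file.

// xorshift32 PRNG: a fixed seed makes a campaign reproducible, so a finding can
// be replayed from its seed and case number.
function makeRng(seed) {
  let s = seed >>> 0 || 1;
  return function () {
    s ^= s << 13; s >>>= 0;
    s ^= s >>> 17;
    s ^= s << 5; s >>>= 0;
    return s / 0x100000000;                       // in (0, 1)
  };
}

function pick(rng, items) {
  return items[Math.floor(rng() * items.length)];
}

const IDENTS = ["a", "b", "c", "x", "y", "f"];
const LITERALS = ["0", "1", "-1", "1.5", "'s'", "\"\"", "null", "undefined", "true",
                  "NaN", "[]", "{}", "/re/g", "0x10", "1e308"];
const BINOPS = ["+", "-", "*", "/", "%", "==", "===", "<", "<<", ">>>", "&&", "||",
                "in", "instanceof", ","];
const UNOPS = ["!", "-", "~", "typeof", "void", "delete"];

// Expressions. Every production is valid on its own, so an unmutated program
// always parses; the variety comes from odd-but-legal combinations (delete of a
// literal, `in` on a number, regex operands, nested unparenthesized ternaries).
function genExpr(rng, depth) {
  const r = rng();
  if (depth <= 0 || r < 0.3) return r < 0.15 ? pick(rng, IDENTS) : pick(rng, LITERALS);
  if (r < 0.55) return "(" + genExpr(rng, depth - 1) + " " + pick(rng, BINOPS) + " " + genExpr(rng, depth - 1) + ")";
  if (r < 0.65) return pick(rng, UNOPS) + " " + genExpr(rng, depth - 1);
  if (r < 0.75) return genExpr(rng, depth - 1) + " ? " + genExpr(rng, depth - 1) + " : " + genExpr(rng, depth - 1);
  if (r < 0.85) return pick(rng, IDENTS) + "(" + genExpr(rng, depth - 1) + ")";
  if (r < 0.92) return "[" + genExpr(rng, depth - 1) + ", " + genExpr(rng, depth - 1) + "]";
  return "(function (" + pick(rng, IDENTS) + ") { " + genStmt(rng, depth - 1) + " })";
}

// Statements. Deliberately no loops and no try/catch: without them a generated
// program cannot run forever (runaway recursion ends in a RangeError that nothing
// inside the program can swallow), so this harness needs no watchdog.
function genStmt(rng, depth) {
  const r = rng();
  if (depth <= 0 || r < 0.35) return "var " + pick(rng, IDENTS) + " = " + genExpr(rng, depth) + ";";
  if (r < 0.55) return "if (" + genExpr(rng, depth - 1) + ") { " + genStmt(rng, depth - 1) + " } else { " + genStmt(rng, depth - 1) + " }";
  if (r < 0.75) return "function " + pick(rng, IDENTS) + "(" + pick(rng, IDENTS) + ") { " + genStmt(rng, depth - 1) + " }";
  if (r < 0.85) return "return " + genExpr(rng, depth - 1) + ";";
  return genStmt(rng, depth - 1) + " " + genStmt(rng, depth - 1);
}

// Lexical corruption: about 40 % of cases get one random fault so the engine's
// error paths are exercised too (the "may or may not be valid" half).
function mutate(rng, src) {
  if (rng() < 0.6) return src;
  const i = Math.floor(rng() * src.length);
  const which = rng();
  if (which < 0.4) return src.slice(0, i) + src.slice(i + 1);          // drop a character
  if (which < 0.7) return src.slice(0, i) + src[i] + src.slice(i);     // double a character
  return src.slice(0, i) + pick(rng, ["}", "(", "'", "/*", "=>", "..."]) + src.slice(i); // stray token
}

// null if the engine accepts `code` as a function body, else "Name: message".
function compileError(code) {
  try { new Function(code); return null; }
  catch (e) { return e.name + ": " + e.message; }
}

// Verdict for one case; anything starting with "bug:" is a finding worth triage.
function testProgram(src) {
  const first = compileError(src);
  if (first !== compileError(src)) return "bug:nondeterministic-parse"; // same text, different answer
  if (first !== null) return first.startsWith("SyntaxError") ? "syntax-error" : "bug:compile-threw";
  const fn = new Function(src);
  // Decompile/recompile round trip: toString() of an accepted function must itself be accepted.
  if (compileError("return (" + fn.toString() + ");") !== null) return "bug:tostring-does-not-reparse";
  try { fn(); return "ok"; }
  catch (e) { return e instanceof Error ? "runtime-error" : "bug:threw-non-error"; }
}

// Generate, mutate, and test `count` cases; returns verdict counts plus replayable findings.
function runCampaign(seed, count) {
  const rng = makeRng(seed);
  const tally = {};
  const findings = [];
  for (let n = 0; n < count; n++) {
    const src = mutate(rng, genStmt(rng, 4));
    const verdict = testProgram(src);
    tally[verdict] = (tally[verdict] || 0) + 1;
    if (verdict.startsWith("bug:")) findings.push({ seed, n, verdict, src });
  }
  return { tally, findings };
}

console.log(runCampaign(0x5eed, 500));
```

Running it prints a tally such as ok / runtime-error / syntax-error counts and an (on a healthy engine) empty findings list. Two caveats a practitioner would want: the grammar is kept loop-free and catch-free on purpose so that no case can hang the harness, which is why a real campaign against an engine adds loops and try/catch back in and runs every case in a separate process under a timeout; and runtime exceptions are not findings here, because a random program is expected to throw; the findings are the places where the engine contradicts itself.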

Mozilla has used the fuzzer to identify and fix hundreds of bugs in
Firefox and other Mozilla products that also use its JavaScript engine.
As best I can determine, the tool originally appeared back in August
2006. At the time, the script was called jsparsefuzz.js and was mainly
run from a JavaScript shell. Later, a simple HTML wrapper was provided
so that the tool could be run directly from a Web browser. That version
and its wrapper were still available to the public as of Monday.

The most recent version has been renamed jsfunfuzz.js and adds features
that go beyond the capabilities of the previous rendition. This new
version was released internally to the Mozilla security team in April
and isn't available to the public yet.

According to Jesse Ruderman, author of the fuzzer script, the existence
of the script was made known to Microsoft, Apple, Opera Software, and
other browser makers so that they too could use it to help locate bugs
in their own JavaScript engines. Ruderman said that Mozilla intends to
release the latest script to the browser makers first and then to the
public sometime in the next couple of weeks. The delay gives browser
makers time to run the script against their engines and, if any bugs it
turns up prove to be exploitable, to produce patches before the tool is
in everyone's hands.

Of course, the delay probably won't benefit users of Microsoft Internet
Explorer (IE) much, because Microsoft releases security patches only
once a month unless a particular security bug starts to be widely
exploited. Mozilla, Opera, and some other browser makers, however, are
quick to fix security bugs without regard to a fixed release schedule.

To give you a quick example, Mozilla released Firefox 2.0.0.5 and
Thunderbird 2.0.0.5 in mid-July to fix numerous security bugs. Less
than two weeks later, the company released version 2.0.0.6 of both
products to fix two more security bugs. That sort of unscheduled
release protects users as rapidly as possible.

Some companies don't like unscheduled patch releases from their
vendors. However, if a bug could lead to system or network compromise,
which is worse and more expensive: Loading an updated product version
or completely rebuilding one or more computers? The answer seems pretty
clear to me.

Anyway, if you want to get a copy of jsparsefuzz.js right now (if
jsfunfuzz.js hasn't already been released by the time you read this
newsletter), head over to Mozilla's bug tracking site at the first URL
below where you can read a bit of background and history about the
fuzzer. To download a copy of the older jsparsefuzz.js source code,
visit the second URL below. And, to get a copy of the HTML wrapper that
lets you run the script inside a browser, visit the third URL below.
After the (blank) page at the third URL loads, simply view the source
code to see the HTML wrapper code.

http://list.windowsitpro.com/t?ctl=61856:4160B336D0B60CB1EA517858EB54C0F5

http://list.windowsitpro.com/t?ctl=61853:4160B336D0B60CB1EA517858EB54C0F5

http://list.windowsitpro.com/t?ctl=61852:4160B336D0B60CB1EA517858EB54C0F5


=== SPONSOR: Qualys ============================================

Automated GLBA Security Compliance: Free Report
Compliance and knowledge of every aspect of the GLBA is mandatory.
Through web services, on demand security is automated and immediate
compliance to the GLBA safeguard guidelines is achieved. Learn how
comprehensive GLBA compliance is managed through internal and external
audits.

http://list.windowsitpro.com/t?ctl=6185C:4160B336D0B60CB1EA517858EB54C0F5


=== SECURITY NEWS AND FEATURES =================================

A Reporter Becomes the Story at DEFCON
An NBC reporter who declined an official press pass to the recent
DEFCON conference in Las Vegas instead opted to attend undercover. She
was quickly unmasked and fled the convention.

http://list.windowsitpro.com/t?ctl=61854:4160B336D0B60CB1EA517858EB54C0F5

Apple Pounces on Hacked iPhones
Hacked your iPhone? Apple's latest iPhone patch is going to
overwrite all your hard work.

http://list.windowsitpro.com/t?ctl=61855:4160B336D0B60CB1EA517858EB54C0F5

Seagate's Encrypted Laptop Disk Wins NIST Approval
Seagate announced that it is the first manufacturer to win NIST
approval for a laptop hard drive with native (on-drive) AES encryption.

http://list.windowsitpro.com/t?ctl=61857:4160B336D0B60CB1EA517858EB54C0F5


Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security
Alerts, which inform you about recently discovered security
vulnerabilities. You can also find information about these
discoveries at

http://list.windowsitpro.com/t?ctl=6184D:4160B336D0B60CB1EA517858EB54C0F5


=== SPONSOR: SPI Dynamics ======================================

ALERT: "How A Hacker Launches A Cross-Site Scripting Attack" White
Paper
Cross-site scripting vulnerabilities in web apps allow hackers to
compromise confidential information, steal cookies and create requests
that can be mistaken for those of a valid user!! Download this *FREE*
white paper from SPI Dynamics.

http://list.windowsitpro.com/t?ctl=6184A:4160B336D0B60CB1EA517858EB54C0F5


=== GIVE AND TAKE ==============================================

SECURITY MATTERS BLOG: Total OS Encryption on Ubuntu Linux
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=6185E:4160B336D0B60CB1EA517858EB54C0F5

Encrypting a few files is relatively easy; building an encrypted drive
is a bit more difficult. So why not simply encrypt everything, including
the OS? Here's how to do that on Ubuntu.

http://list.windowsitpro.com/t?ctl=61849:4160B336D0B60CB1EA517858EB54C0F5

FAQ: Windows Recovery Environment Explained
by John Savill, http://list.windowsitpro.com/t?ctl=6185B:4160B336D0B60CB1EA517858EB54C0F5


Q: What is the Windows Recovery Environment (RE)?

Find the answer at

http://list.windowsitpro.com/t?ctl=61858:4160B336D0B60CB1EA517858EB54C0F5

FROM THE FORUM: Remote Network Bandwidth Monitoring?
A forum participant wants to know if there is a tool that will allow
him to remotely monitor bandwidth usage. He has 200 to 300 users on his
network and for about the last month, he has seen an increase in
bandwidth consumption. His firewall allows him to see some bandwidth
information, but he would like a tool to monitor from his desk who or
what is causing the increase. Join the conversation at

http://list.windowsitpro.com/t?ctl=61845:4160B336D0B60CB1EA517858EB54C0F5

SHARE YOUR SECURITY TIPS AND GET $100
Share your security-related tips, comments, or problems and
solutions in Security Pro VIP's Reader to Reader column. Email your
contributions to r2r@securityprovip.com. If we print your submission,
you'll get $100. We edit submissions for style, grammar, and length.

MICROSOFT LEARNING PATHS FOR SECURITY: Learn How to Protect Your
Sensitive Data from Malware
Learn how to detect and control malware to help prevent data
corruption and breaches. These resources and technologies can help you
manage the threat and associated problems caused by malware. Take an
aggressive stance against malware and help prevent costs and negative
effects such as lost productivity, increased costs, and slower decision
making.

http://list.windowsitpro.com/t?ctl=61859:4160B336D0B60CB1EA517858EB54C0F5


=== PRODUCTS ===================================================
by Renee Munshi, products@windowsitpro.com

One Console to Manage Email and Web Policy
Clearswift's MIMEsweeper Email Appliance 2.6 adds a unified console
that lets customers create and administer one policy for both email and
Web traffic or centrally manage separate Web and email policies. The
new version of the email appliance also lets organizations identify and
block sensitive data such as credit card numbers and Social Security
numbers. MIMEsweeper 2.6 can be installed on a VMware ESX server or on
approved servers from IBM and HP. And the email appliance has a new
antispam engine. For more information, go to

http://list.windowsitpro.com/t?ctl=61861:4160B336D0B60CB1EA517858EB54C0F5

Two "Connectors" Aid Email Discovery
Symantec announced two new "e-discovery connectors" for users of
Symantec Enterprise Vault Discovery Accelerator. The connectors provide
integration with third-party case management, review, analytics,
forensics, and desktop collection tools. Review Connector automates data
transfer to third-party analytics and review products; Collection
Connector lets third-party active desktop collection software archive
data from desktop collections in Enterprise Vault so that all necessary
data is in one place.

PRODUCT EVALUATIONS FROM THE REAL WORLD
Share your product experience with your peers. Have you discovered a
great product that saves you time and money? Do you use something you
wouldn't wish on anyone? Tell the world! If we publish your opinion,
we'll send you a Best Buy gift card! Send information about a product
you use and whether it helps or hinders you to
whatshot@windowsitpro.com.


=== RESOURCES AND EVENTS =======================================
For more security-related resources, visit

http://list.windowsitpro.com/t?ctl=6185A:4160B336D0B60CB1EA517858EB54C0F5

How Drugstore.com Achieved Virtualized Success
Hear about Drugstore.com's production experience with VMware
Infrastructure 3 (VI3). Attend this on-demand Webcast and learn how the
new products in VI3 (DRS, HA, and consolidated backup) are helping
businesses achieve better service levels; how VI3 customers have
extended their virtualization ROI; lessons learned from upgrading to
VI3; and best practices for leveraging VI3's capabilities.

http://list.windowsitpro.com/t?ctl=61846:4160B336D0B60CB1EA517858EB54C0F5

Email Discovery and You
Email is increasingly used in court and regulatory proceedings from
civil lawsuits to criminal cases. According to the ePolicy Institute,
21 percent of companies have been required to produce employee email in
legal cases. Download this white paper to learn the key ingredients of
proper data retention and retrieval.

http://list.windowsitpro.com/t?ctl=6184B:4160B336D0B60CB1EA517858EB54C0F5

Discover a wealth of information about how to protect and secure your
data in the event of a disaster. You might not be able to predict what
kind of a disaster you might be faced with, but you can be prepared
with a solid response when one strikes. Disaster can strike anywhere,
so make sure you're ready when it does.

http://list.windowsitpro.com/t?ctl=6184C:4160B336D0B60CB1EA517858EB54C0F5


=== FEATURED WHITE PAPER =======================================

Are you familiar with new government regulations affecting email? Learn
about the dozens of issues surrounding the security of email in
business today and make sure that your company is in compliance.
Download your copy of this must-have white paper today!

http://list.windowsitpro.com/t?ctl=61847:4160B336D0B60CB1EA517858EB54C0F5


=== ANNOUNCEMENTS ==============================================

Search Thousands of SQL Articles Online and on CD
A SQL Server Magazine Master CD subscription buys you portable,
lightning-fast access to the entire SQL Server article database on CD,
plus exclusive, up-to-the-minute access to the new articles we publish
on SQLMag.com every day. Order your subscription now!

http://list.windowsitpro.com/t?ctl=6184F:4160B336D0B60CB1EA517858EB54C0F5

Save 1/2 Off Security Pro VIP
Security Pro VIP is an online resource that delivers new articles
every week to help you defend your network. Subscribers also receive
tips, cautionary advice, direct access to our editors for technical
Q&As, and a host of other benefits! Order now, and save up to 50
percent!

http://list.windowsitpro.com/t?ctl=6184E:4160B336D0B60CB1EA517858EB54C0F5


================================================================

Security UPDATE is brought to you by the Windows IT Pro Web site's
Security page (first URL below) and Security Pro VIP (second URL
below).

http://list.windowsitpro.com/t?ctl=6185D:4160B336D0B60CB1EA517858EB54C0F5

http://list.windowsitpro.com/t?ctl=61860:4160B336D0B60CB1EA517858EB54C0F5

Subscribe to Security UPDATE at

http://list.windowsitpro.com/t?ctl=61851:4160B336D0B60CB1EA517858EB54C0F5

Unsubscribe by clicking

http://list.windowsitpro.com/u?id=4160B336D0B60CB1EA517858EB54C0F5

Be sure to add Security_UPDATE@list.windowsitpro.com
to your antispam software's list of allowed senders.

To contact us:
About Security UPDATE content -- letters@windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=6185F:4160B336D0B60CB1EA517858EB54C0F5

About your product news -- products@windowsitpro.com
About your subscription -- windowsitproupdate@windowsitpro.com
About sponsoring Security UPDATE -- salesopps@windowsitpro.com

View the Windows IT Pro privacy policy at

http://list.windowsitpro.com/t?ctl=61850:4160B336D0B60CB1EA517858EB54C0F5

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2007, Penton Media, Inc. All rights reserved.
