WIN_SECURITY UPDATE_
A Penton Media Property
April 30, 2008
If you want to view this on the web go to:
http://ct.email.windowsitpro.com/rd/cts?d=33-6665-803-202-62923-656244-0-0-0-1-2-207
----------------------------------------
ADVERTISEMENT
BeyondTrust
FREE Product- Identify What Apps Require Admin Rights
BeyondTrust Application Rights Auditor is a new, free product that
automatically identifies and reports the Windows applications that
require users to have admin rights. Once identified, enterprises can
develop informed plans to remove admin rights without app downtime.
FREE product to identify what apps require users to have admin rights.
http://ct.email.windowsitpro.com/rd/cts?d=33-6665-803-202-62923-656245-0-0-0-1-2-207
----------------------------------------
IN FOCUS
--Is Vista Easier to Patch Than Linux or UNIX?
by Mark Joseph Edwards, News Editor
Recently Jeff Jones (strategy director in the Microsoft Security
Technology Unit) released an updated "one year vulnerability report"
regarding Windows Vista. The data in the report shows how Vista compares
to Windows XP, Red Hat Enterprise Linux 4 Workstation, Ubuntu 6.06, and
Mac OS X 10.4 in terms of vulnerabilities during each OS's first year in
the marketplace.
Jones used a variety of criteria for the comparison, including limiting
the applications that he analyzed for the sake of keeping the competing
OSs in line with a typical Vista installation. For example, RedHat and
Ubuntu ship with OpenOffice installed by default on desktop systems.
Jones didn't consider vulnerabilities in OpenOffice as part of his
analysis. Other omissions were made of tools such as the Gimp graphics
program and the gcc compiler, depending on the OS.
When the results were tallied, Jones found that during Vista's first
year, 36 vulnerabilities were fixed by 17 patches in 9 patch events. The
events were regular due to Microsoft's scheduled monthly patch releases.
XP on the other hand experienced 65 vulnerability fixes in 30 patches
for a total of 26 events. Quite a difference, as should be the case at
this point in Windows' evolution.
RedHat Enterprise Linux 4 Workstation experienced 360 vulnerability
fixes in 125 patches in 64 patch events. Ubuntu 6.06 experienced 224
vulnerability fixes in 80 patches in 65 patch events. OS X 10.4
experienced 116 vulnerability fixes in 17 patches in 17 patch events.
The low number of patch events for Vista and OS X are due to Microsoft's
and Apple's routine of issuing patches on relatively fixed schedules.
RedHat and Ubuntu on the other hand publish security patches immediately
after they become available. So there's a trade-off involved: The
approach used by Microsoft and Apple reduces the amount of
administrative overhead but leaves customers exposed to security risks
longer than if patches were issued immediately upon creation.
Near the beginning of the report, Jones suggests how the data might be
useful by posing two questions: "All other things being equal, is it
easier to mediate risk on a system that has 10 vulnerabilities in a year
or one that has 100 vulnerabilities in a year?" And, "Which has a more
negative impact on your security team and risk management process -
deploying 10 security updates per year or deploying 100 security updates
per year?"
The answer to first question is rather obvious: Of course it's easier to
handle risk on systems with fewer vulnerabilities, assuming that we're
talking only about patching holes and nothing else. The second question
is too narrow because it overlooks the fact that Windows is the most
targeted OS on the planet. Maybe asking yourselves how that fact affects
your security team and risk management process would be more realistic.
That aside, some of us would rather have patches immediately even if
that means installing patches 100 times throughout the year.
Another issue not taken into consideration when posing those questions
is the issue of downtime. To give you a good idea of the ramifications
of less-than-stellar patch installation processes, refer to my editorial
of March 5, 2008, "Windows Server: The New King of Downtime" (URL
below). You might recall that according to Yankee Group, Windows Server
has the worst downtime record of any mainstream server OS. The downtime
record is due almost entirely to patch management.
windowsitpro.com/article/articleid/98475/windows-server-the-new-king-of-downtime.html
(http://ct.email.windowsitpro.com/rd/cts?d=33-6665-803-202-62923-656246-0-0-0-1-2-207)
When patching any version of Windows, a reboot is often required, and in
many cases the OS must be made unavailable to help manage the patch
process. By comparison, UNIX and Linux systems typically don't
experience such extreme burdens. For example, I've loaded many security
patches on Ubuntu desktops and servers, and so far I've never had to
reboot the systems nor take them offline--even systems that run
high-traffic Apache and MySQL servers. Nor have I ever experienced a
patch that breaks system components or services. Maybe I'm just lucky,
but I don't think so.
Last week I did a complete OS upgrade on some Ubuntu desktops. The
upgrade required the installation of 1,234 new packages. The upgrade ran
completely in the background and didn't interrupt system use during
installation. The systems were down for a total of about 30 seconds due
to a need to reboot because the upgrades were major--similar to
upgrading Vista with SP1. As far as I can see Linux is far easier to
upgrade or patch than Windows.
Although I don't think Jones's report is anything to give a lot of
weight to, if you're interested in reading it you can download a copy in
PDF format at Jones's blog at the first URL below. And, if you're
interested to see how Windows is still the most targeted OS on the
planet, get a copy of Microsoft's new Security Intelligence Report at
the second URL below.
blogs.technet.com/security/archive/2008/01/23/download-windows-vista-one-year-vulnerability-report.aspx
(http://ct.email.windowsitpro.com/rd/cts?d=33-6665-803-202-62923-656247-0-0-0-1-2-207)
www.microsoft.com/downloads/details.aspx?FamilyId=BCC879DB-9FE6-4331-B231-E274EA8FC804&displaylang=en
(http://ct.email.windowsitpro.com/rd/cts?d=33-6665-803-202-62923-656248-0-0-0-1-2-207)
Microsoft has a long way to go to improve its patch management process.
It needs to be more transparent, and patches need to be more thoroughly
tested before they become available. If Microsoft could achieve that,
then the company could ditch its monthly patch release schedule and make
patches available immediately as in the past, but this time without
putting a huge burden on administrators and end users. As things stand
now, there's fear every Patch Tuesday that a patch is going to break
systems. I bet that, like me, many of you never experience that fear
with your Linux platforms.
--Security Horror Story Contest
Tell us about a security hole that you found, a virus that shut down
your network, an embarrassing or scary near-miss or direct hit. (Be sure
to describe how you solved the problem too.) We'll print the best tales
in a Windows IT Pro cover story (anonymously, if you like), and you'll
win a 1-year Windows IT Pro VIP subscription. Send your security horror
stories (no more than 500 words) to lpeters@windowsitpro.com
(mailto:lpeters@windowsitpro.com) by May 9.
----------------------------------------
ADVERTISEMENT
VeriSign, Inc. / SSL
Increase confidence on your site
Give your site visitors the reassurance that your site is safe to
transact on with VeriSign Extended Validation (EV) SSL Certificates.
The new certificates turn the address bar green in high security
browsers letting customers know that they are on the site they intended
to be on. Learn how to provide the latest advancement in SSL, EV SSL,
and give your customers the confidence to transact on your site with
this free white paper.
http://ct.email.windowsitpro.com/rd/cts?d=33-6665-803-202-62923-656249-0-0-0-1-2-207
----------------------------------------
SECURITY NEWS AND FEATURES
--Ubuntu 8.04 Unleashed
Canonical released Ubuntu 8.04 for desktops and servers, the latter of
which includes several new security tools and features.
To view the full article go to:
http://ct.email.windowsitpro.com/rd/cts?d=33-6665-803-202-62923-656250-0-0-0-1-2-207
--Panda Warns of Widespread SQL Injection Attacks
Panda Security is warning administrators of a widespread SQL injection
attack against Microsoft IIS servers. The company said that so far about
282,000 Web pages have already been infected.
To view the full article go to:
http://ct.email.windowsitpro.com/rd/cts?d=33-6665-803-202-62923-656251-0-0-0-1-2-207
--UK on Track for a Record Level of Phishing Incidents
UK payment association APACS said it tracked more than 10,000 phishing
incidents between January and March of this year. Compounding the
problem, one third of UK consumers don't have adequate protection on
their computers.
To view the full article go to:
http://ct.email.windowsitpro.com/rd/cts?d=33-6665-803-202-62923-656252-0-0-0-1-2-207
--Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts,
which inform you about recently discovered security vulnerabilities. You
can also find information about these discoveries at
www.windowsitpro.com/departments/departmentid/752/752.html
(http://ct.email.windowsitpro.com/rd/cts?d=33-6665-803-202-62923-656253-0-0-0-1-2-207)
GIVE AND TAKE
--SECURITY MATTERS BLOG: Automatically Generate Exploits?
by Mark Joseph Edwards
Is it possible to take a buggy program along with a patched version of
that same program and automatically generate an exploit? Some people
think it is, and they're out to prove their point.
windowsitpro.com/blog/index.cfm?action=BlogIndex&DepartmentID=949
(http://ct.email.windowsitpro.com/rd/cts?d=33-6665-803-202-62923-656254-0-0-0-1-2-207)
--FAQ: Publicizing RMS Templates
by John Savill
Q: I've deployed Windows Rights Management Service (RMS) in my
organization, but users aren't receiving the templates I'm pushing.
What's wrong?
Find the answer at
windowsitpro.com/article/articleid/98947
(http://ct.email.windowsitpro.com/rd/cts?d=33-6665-803-202-62923-656255-0-0-0-1-2-207)
--Vote in the 2008 Windows IT Pro Community Choice Awards!
Final voting for the Windows IT Pro Community Choice Awards is now open!
Voting in this awards program is open to all Windows IT Pro Web site
visitors, but vendors whose products are nominated are prohibited from
voting. Click the link below to enter the voting tool:
www.surveymonkey.com/s.aspx?sm=_2fz97tv4rU5iY2IsYDbyCRg_3d_3d
(http://ct.email.windowsitpro.com/rd/cts?d=33-6665-803-202-62923-656256-0-0-0-1-2-207)
Voting will close May 23, 2008 at 11:45 p.m. Mountain.
--SHARE YOUR SECURITY TIPS AND GET $100
Share your security-related tips, comments, or problems and solutions in
Security Pro VIP's Reader to Reader column. Email your contributions to
r2r@securityprovip.com (mailto:r2r@securityprovip.com). If we print your
submission, you'll get $100. We edit submissions for style, grammar, and
length.
PRODUCTS
--Use Multiple Diverse Factors for Authentication
by Renee Munshi
AdmitOne Security (formerly BioPassword) announced a new name and a new
product. The AdmitOne Authentication Suite links users to their digital
identities by combining requested authentication factors (username and
password) with observed factors (keystroke dynamics and device
signature) to verify the user. The Suite assesses the risk of fraud to
determine the confidence level of the user's identity. If the confidence
score is too low, additional authentication factors (such as one-time
password to email or SMS) can be employed based on assigned policies.
The Suite includes Web-based administration and reporting capabilities.
For more information, go to
www.admitonesecurity.com (http://ct.email.windowsitpro.com/rd/cts?d=33-6665-803-202-62923-656257-0-0-0-1-2-207)
RESOURCES AND EVENTS
Have you checked out OfficeSharePointPro.com lately? Real-time blogs,
hot-off-the-press articles, forums, tips, and more! Learn best practices
from your peers and read real-world implementation and management case
studies. Check it out!
www.officesharepointpro.com/?code=e&r
(http://ct.email.windowsitpro.com/rd/cts?d=33-6665-803-202-62923-656258-0-0-0-1-2-207)
Keep Your Exchange Server Healthy
Fear of loss compels us to protect ourselves. Although no one's life is
in danger from a messaging system, the welfare of your data could be.
Read this white paper to learn the bare and necessary facts you should
know to proactively maintain your Exchange Server 2007 environment.
windowsitpro.com/Whitepapers/Index.cfm?fuseaction=ShowWP&WPID=393a7bec-e173-483c-b887-95b1cf858e28&code=042308er
(http://ct.email.windowsitpro.com/rd/cts?d=33-6665-803-202-62923-656259-0-0-0-1-2-207)
Backup, Recovery, and Testing for Exchange in a Single,
Easy-to-Configure Integrated App
Read how a comprehensive protection solution lets you dispense with your
backup applications, bare-metal recovery solutions, test recovery
hardware, and a lot of worry. See how you can extract any Microsoft
Exchange item or folder without interrupting the performance of the live
Exchange server. Download this white paper today!
windowsitpro.com/whitepapers/Index.cfm?fuseaction=ShowWP&wpid=43065da9-c439-4d63-b079-df04eb60d393&code=042308er
(http://ct.email.windowsitpro.com/rd/cts?d=33-6665-803-202-62923-656260-0-0-0-1-2-207)
FEATURED WHITE PAPER
Top 7 Benefits of Server-Hosted Desktops
This white paper explains the distinct advantages of server-based
computing. Learn the benefits of server-hosted desktops and how to
obtain those benefits. To begin saving money and gain flexibility,
download this white paper today!
windowsitpro.com/whitepapers/Index.cfm?fuseaction=ShowWP&wpid=ad7cc518-087b-4d5c-aa53-2337758a7909&code=042308er
(http://ct.email.windowsitpro.com/rd/cts?d=33-6665-803-202-62923-656261-0-0-0-1-2-207)
ANNOUNCEMENTS
Windows IT Pro Master CD: Take the Experts with You!
Find the solutions you need within the thousands of searchable articles,
helpful bonus content, and loads of expert advice on the Windows IT Pro
Master CD. A Master CD subscription buys you portable access to the
entire Windows IT Pro article database plus exclusive access to the new
articles we publish on WindowsITPro.com every day. It's like having a
team of consultants in your pocket! Get real-world solutions fast--order
the Windows IT Pro Master CD today.
store.pentontech.com/index.cfm?s=1&promocode=EU2284WC&
(http://ct.email.windowsitpro.com/rd/cts?d=33-6665-803-202-62923-656262-0-0-0-1-2-207)
CONTACT US
Security UDPATE is brought to you by the Windows IT Pro Web site's
Security page (first URL below) and Security Pro VIP (second URL
below).
http://ct.email.windowsitpro.com/rd/cts?d=33-6665-803-202-62923-656263-0-0-0-1-2-207
http://ct.email.windowsitpro.com/rd/cts?d=33-6665-803-202-62923-656264-0-0-0-1-2-207
You are subscribed to this newsletter as boy.blogger@gmail.com
Manage your Security UPDATE subscription at
http://ct.email.windowsitpro.com/rd/cts?d=33-6665-803-202-62923-656265-0-0-0-1-2-207.
To unsubscribe:
http://ct.email.windowsitpro.com/rd/cts?d=33-6665-803-202-62923-656266-0-0-0-1-2-207&list_id=803&email=boy.blogger@gmail.com&message_id=6665
Be sure to add Security_UPDATE@email.windowsitpro.com
to your spam filter's list of allowed senders.
To contact us:
About Security UPDATE content -- mailto:letters@windowsitpro.com
About technical questions -- http://ct.email.windowsitpro.com/rd/cts?d=33-6665-803-202-62923-656267-0-0-0-1-2-207
About your product news -- mailto:products@windowsitpro.com
About your subscription -- mailto:windowsitproupdate@windowsitpro.com
About sponsoring Security UPDATE -- mailto:salesopps@windowsitpro.com
View the Windows IT Pro privacy policy at
http://ct.email.windowsitpro.com/rd/cts?d=33-6665-803-202-62923-656268-0-0-0-1-2-207
Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department
Copyright 2008, Penton Media, Inc. All rights reserved.
