Security Vulnerabilities You Can't Fix

Windows IT Pro Security UPDATE
A Penton Media Property
Wednesday, July 23, 2008

IN FOCUS

--Security Vulnerabilities You Can't Fix
by Mark Joseph Edwards, News Editor
Software makers routinely issue patches to fix security problems in
their applications and OSs, but that's not always possible for hardware.
(What??? You didn't know that your CPU has unfixed security bugs that
might leave you wide open to attack? It's true!) Take for example
Intel's hugely popular Core 2 line of processors. Over the past few
years a lot of discussion has taken place regarding a long list of bugs
in Core 2 Duo and Solo processors (the Extreme Edition included), all
of which are currently used in numerous systems. These bugs, which
Intel documents as errata, are design flaws in the silicon itself
rather than defects in software, so they can't simply be patched the
way an OS can; at best they can be worked around.

Sometimes OS developers and BIOS developers can work around the bugs to
help protect against potential system failures and security exploits.
(Intel's errata list records, for each bug, whether a fix is planned,
already shipped in a later stepping, or not coming at all, and notes
any workaround, which is often a microcode update that the BIOS or OS
loads at boot.) As an example of the security implications, a system
might load data from the wrong memory location, or malware might take
advantage of insufficient code segment checks, and so on. Although CPU
bugs are to be expected, there's no fix from any vendor--including
Intel--for many of the known bugs. If you're interested in having a
look, Intel's list of bugs (as of February 2008) for the Core 2 Duo and
Solo processors is available at the first URL below. If you're
interested in the potential impact of some of the known bugs, head over
to Geek.com (at the second URL below) and have a look at the image file
that was posted back in 2006. It contains a list of bugs known at that
time, along with their potential ramifications.

http://ct.email.windowsitpro.com/rd/cts?d=33-11169-803-202-62923-1146151-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-11169-803-202-62923-1146152-0-0-0-1-2-207)

http://ct.email.windowsitpro.com/rd/cts?d=33-11169-803-202-62923-1146153-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-11169-803-202-62923-1146154-0-0-0-1-2-207)
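Reading a vendor errata list is only useful if you can tell which entries apply to the CPU in front of you. Vendor errata documents identify each affected stepping by its CPUID signature (the value CPUID leaf 1 returns in EAX, written like 06FBh), whereas an OS reports the decoded family, model and stepping numbers (Linux in /proc/cpuinfo, Windows in the Win32_Processor Description string). The following is an added example, not code from the newsletter or from Intel: it re-encodes those three numbers into the CPUID signature, looks the result up in an errata table, and compares the loaded microcode revision against a minimum. The table, the microcode minimums, the erratum labels and the /proc/cpuinfo excerpt are all constructed for illustration; only the bit layout of the signature is real.

```python
"""Map a CPU's family/model/stepping to the CPUID signature used in errata lists.

ASSUMPTIONS: the ERRATA table, its microcode minimums and erratum labels,
and SAMPLE_CPUINFO are constructed for this example, not vendor data.
"""

# Constructed /proc/cpuinfo excerpt (family 6, model 15, stepping 11 is the
# 06FBh signature form; the microcode line is only shown by newer kernels).
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 15
model name\t: Intel(R) Core(TM)2 Duo CPU
stepping\t: 11
microcode\t: 0xb6

processor\t: 1
vendor_id\t: GenuineIntel
"""

# Constructed table: CPUID signature -> minimum microcode revision that carries
# the available workarounds, plus errata that the vendor lists as "no fix".
ERRATA = {
    0x06FB: {"min_microcode": 0xC0, "no_fix": ["example-erratum-A", "example-erratum-B"]},
    0x1067A: {"min_microcode": 0xA00, "no_fix": ["example-erratum-C"]},
}


def parse_cpuinfo(text):
    """Return family/model/stepping/microcode for the first CPU block in text."""
    fields = {}
    for line in text.splitlines():
        if not line.strip():
            break  # blank line ends the first processor's block
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return {
        "family": int(fields["cpu family"]),
        "model": int(fields["model"]),
        "stepping": int(fields["stepping"]),
        "microcode": int(fields["microcode"], 16) if "microcode" in fields else None,
    }


def cpuid_signature(family, model, stepping):
    """Re-encode display family/model/stepping into the CPUID.1:EAX layout.

    EAX bits 3:0 stepping, 7:4 model, 11:8 family, 19:16 extended model,
    27:20 extended family.  The OS adds extended family to family only when
    the base family is 0Fh, and uses extended model only for family 06h or
    0Fh-and-up (x86 CPUID convention), so this is the exact inverse.
    """
    if not 0 <= stepping <= 0xF:
        raise ValueError("stepping must fit in 4 bits")
    if family >= 0xF:
        base_family, ext_family = 0xF, family - 0xF
    else:
        base_family, ext_family = family, 0
    if family == 6 or family >= 0xF:
        base_model, ext_model = model & 0xF, model >> 4
    else:
        if model > 0xF:
            raise ValueError("extended model is not used for this family")
        base_model, ext_model = model, 0
    return (ext_family << 20) | (ext_model << 16) | (base_family << 8) | (base_model << 4) | stepping


def signature_str(sig):
    """Render a signature the way errata documents print it, e.g. 06FBh."""
    return f"{sig:04X}h"


def check(cpu, errata=ERRATA):
    """Look the CPU up in the errata table and judge its microcode level."""
    sig = cpuid_signature(cpu["family"], cpu["model"], cpu["stepping"])
    entry = errata.get(sig)
    if entry is None:
        return {"signature": sig, "listed": False, "microcode_current": None, "no_fix": []}
    mc = cpu["microcode"]
    current = None if mc is None else mc >= entry["min_microcode"]
    return {"signature": sig, "listed": True, "microcode_current": current, "no_fix": list(entry["no_fix"])}


if __name__ == "__main__":
    cpu = parse_cpuinfo(SAMPLE_CPUINFO)
    result = check(cpu)
    print("CPUID signature:", signature_str(result["signature"]))
    print("listed in errata table:", result["listed"])
    print("microcode at or above workaround level:", result["microcode_current"])
    print("errata with no fix:", ", ".join(result["no_fix"]) or "none")
```

On a real system, replace SAMPLE_CPUINFO with the contents of /proc/cpuinfo and build ERRATA from the vendor's current specification update; the "no fix" entries are the ones this column is about, since no microcode or BIOS revision will ever clear them.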

Even if you don't have any systems using Core 2 CPUs, you've still got
plenty to worry about. Other CPUs, including those manufactured by AMD,
each have their own list of bugs. Fortunately, so far there hasn't been
any widespread exploitation of CPU bugs. Unfortunately, that might be
about to change. At the upcoming Hack In The Box (HITB) conference,
which will be held October 27-30 in Malaysia, independent researcher
Kris Kaspersky will give a presentation that is already making big
waves.

According to Kaspersky, "Intel CPUs have exploitable bugs which are
vulnerable to both local and remote attacks which works against any OS
regardless of the patches applied or the applications which are
running." He intends to back up his claims by demonstrating how such
attacks are possible using proof-of-concept (POC) code which he has
developed. Based on the information he's released so far, his POC code
takes advantage of JavaScript and TCP/IP packet storms to wreak havoc on
a system. Kaspersky said that exploitation is possible via just-in-time
(JIT) compilers. And, he claims that CPU bugs have caused disk drive
damage, which makes data recovery a big issue. See the URL below for a
bit more information.

http://ct.email.windowsitpro.com/rd/cts?d=33-11169-803-202-62923-1146155-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-11169-803-202-62923-1146156-0-0-0-1-2-207)

If Kaspersky releases his POC code, as he reportedly intends to do, then
we can fully expect that, as usual, the code will make it into the hands
of malware developers who will turn it toward malicious purposes. If
that happens, and any particular exploits become widespread and
indefensible, then it's also possible that Intel might have to step up
to the plate with processor recalls, as it did back in the mid-1990s
after the discovery of the now relatively famous Pentium floating-point
division (FDIV) bug. I guess we'll find out what the future holds soon
enough.

SECURITY NEWS AND FEATURES

--Government and Business Web Sites Fall Victim to Attacks
Despite plenty of mainstream media attention, some administrators of
government and big business websites remain oblivious to the ongoing
SQL injection attacks. As a result, even more sites have become pawns
that serve up malware to unsuspecting visitors.
To view the full article go to:
http://ct.email.windowsitpro.com/rd/cts?d=33-11169-803-202-62923-1146158-0-0-0-1-2-207

--Mozilla Patches Three Critical Holes in Firefox
Recently released, Firefox 3.0 already has a successor in Firefox 3.0.1.
Mozilla issued the new version to fix three critical security problems,
two of which also affect Firefox 2.x.
To view the full article go to:
http://ct.email.windowsitpro.com/rd/cts?d=33-11169-803-202-62923-1146159-0-0-0-1-2-207

--Security and Server Virtualization
As virtualization becomes more popular, so does the need to ensure that
the platform is secure. One of the biggest concerns is compromise of the
virtual host server: an attacker who controls the hypervisor controls
every guest running on top of it, the scenario known as hyperjacking.
To view the full article go to:
http://ct.email.windowsitpro.com/rd/cts?d=33-11169-803-202-62923-1146160-0-0-0-1-2-207

--Increased Spread of Malware Is Due to SQL Injection Attacks
According to data released by ScanSafe, ongoing SQL injection attacks
outpaced all other forms of website compromises by 212 percent since the
beginning of 2008. As a result, web-based malware attack attempts have
risen by 30 percent.
To view the full article go to:
http://ct.email.windowsitpro.com/rd/cts?d=33-11169-803-202-62923-1146161-0-0-0-1-2-207

--Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts,
which inform you about recently discovered security vulnerabilities. You
can also find information about these discoveries at

http://ct.email.windowsitpro.com/rd/cts?d=33-11169-803-202-62923-1146162-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-11169-803-202-62923-1146163-0-0-0-1-2-207)


GIVE AND TAKE

--SECURITY MATTERS BLOG: SSH Attacks Flying Under the Radar?
by Mark Joseph Edwards
If you're running SSH servers, do you know how often an intruder tries
to brute-force your logon passwords? Here's a tool that will
automatically block those intruders, as well as other intruders who
haven't hit your site yet.

http://ct.email.windowsitpro.com/rd/cts?d=33-11169-803-202-62923-1146164-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-11169-803-202-62923-1146165-0-0-0-1-2-207)
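Whatever blocker you pick, its core is a sliding-window count of failed logons per source address over the sshd log, with anything that crosses a threshold written into a deny list. As an added example, not the tool the blog post describes and not its code, here is that logic in Python over a few constructed auth.log lines. Traditional syslog timestamps carry no year, so the function takes one (2008 is assumed for the sample); the threshold, window and allowlist are parameters, and the output is in the TCP Wrappers hosts.deny format ("sshd: address"), which sshd honours when built with libwrap.

```python
"""Sliding-window detection of SSH password brute forcing in sshd log lines.

ASSUMPTIONS: SAMPLE_LOG is constructed (RFC 5737 documentation addresses);
syslog timestamps lack a year, so the caller supplies one.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd lines in classic /var/log/auth.log form.  One source
# hammers root and bogus accounts; a legitimate user mistypes once and then
# logs in with a key; a third host makes two attempts and stops.
SAMPLE_LOG = """\
Jul 23 02:14:01 bastion sshd[4021]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Jul 23 02:14:03 bastion sshd[4021]: Failed password for invalid user admin from 203.0.113.5 port 51023 ssh2
Jul 23 02:14:04 bastion sshd[4025]: Failed password for root from 203.0.113.5 port 51024 ssh2
Jul 23 02:14:06 bastion sshd[4027]: Failed password for root from 203.0.113.5 port 51025 ssh2
Jul 23 02:14:07 bastion sshd[4029]: Failed password for invalid user oracle from 203.0.113.5 port 51026 ssh2
Jul 23 02:20:11 bastion sshd[4101]: Failed password for alice from 198.51.100.7 port 40100 ssh2
Jul 23 02:20:19 bastion sshd[4103]: Accepted publickey for alice from 198.51.100.7 port 40101 ssh2
Jul 23 03:05:30 bastion sshd[4200]: Failed password for root from 192.0.2.9 port 2222 ssh2
Jul 23 03:05:31 bastion sshd[4201]: Invalid user test from 192.0.2.9
Jul 23 03:05:32 bastion sshd[4201]: Failed password for invalid user test from 192.0.2.9 port 2223 ssh2
"""

# Only "Failed password" lines count; "Invalid user" lines precede a failure
# for the same attempt and would double-count it.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def find_brute_forcers(log_text, threshold=3, window=timedelta(minutes=10),
                       year=2008, allowlist=()):
    """Return {ip: summary} for sources with >= threshold failures inside window."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        attempts[m["ip"]].append(ts)

    offenders = {}
    for ip, times in attempts.items():
        if ip in allowlist:
            continue  # management hosts are never auto-blocked
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Slide the window's left edge forward until it spans <= window.
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                offenders[ip] = {
                    "failures": len(times),      # total failures seen for ip
                    "first": times[start],       # start of the window that tripped
                    "last": t,                   # failure that tripped the threshold
                }
                break
    return offenders


def render_hosts_deny(offenders):
    """Emit hosts.deny lines (TCP Wrappers format) for the offending sources."""
    return [f"sshd: {ip}" for ip in sorted(offenders)]


if __name__ == "__main__":
    hits = find_brute_forcers(SAMPLE_LOG)
    for ip, info in hits.items():
        print(f"{ip}: {info['failures']} failures, window {info['first']} .. {info['last']}")
    print("\n".join(render_hosts_deny(hits)))
```

With the defaults, 203.0.113.5 is blocked after its third failure, while the user who mistyped once and the host that stopped after two tries are left alone; lowering the threshold to 2 also catches the latter, which is the usual trade-off between catching slow scanners and locking out your own fat-fingered admins. The allowlist is there for exactly that reason.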

--FAQ: Inventory Your Applications
by John Savill
Q. How can I use the command line to obtain a list of all the
applications installed on my computer?

Find the answer at

http://ct.email.windowsitpro.com/rd/cts?d=33-11169-803-202-62923-1146166-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-11169-803-202-62923-1146167-0-0-0-1-2-207)


RESOURCES AND EVENTS

Are You Really in Compliance with Software Regulations?

When 30 percent of enterprises are experiencing at least one audit per
year, how can you be completely certain that you're compliant? This web
seminar will give you compliance best practices and illustrate a
management solution to assure that you won't be in jeopardy of an audit.

http://ct.email.windowsitpro.com/rd/cts?d=33-11169-803-202-62923-1146168-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-11169-803-202-62923-1146169-0-0-0-1-2-207)

Understand the Real Business Impact of Disasters

Learn the benefits of implementing a disaster recovery plan beyond
simple survival. Be able to show how effective DR planning not only
mitigates the risk of financial loss, but also creates value. View this
web seminar, which addresses key business questions that are of interest
to management with regard to investing in disaster recovery planning.

http://ct.email.windowsitpro.com/rd/cts?d=33-11169-803-202-62923-1146170-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-11169-803-202-62923-1146171-0-0-0-1-2-207)

IT TV

Now there's a new way to connect with your IT peers! With IT TV
(www.ittv.net), an exciting video website by Windows IT Pro, engaging
interactively with other IT pros and developers has never been easier.

http://ct.email.windowsitpro.com/rd/cts?d=33-11169-803-202-62923-1146172-0-0-0-1-2-207 (http://ct.email.windowsitpro.com/rd/cts?d=33-11169-803-202-62923-1146173-0-0-0-1-2-207)


FEATURED WHITE PAPER

The Latest Advancements in SSL Technology

Learn the benefits of strong SSL encryption, Extended Validation SSL,
and security trust marks and what these SSL offerings can do for your
site in this white paper on the latest advancements in SSL technologies.

http://ct.email.windowsitpro.com/rd/cts?d=33-11169-803-202-62923-1146174-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-11169-803-202-62923-1146175-0-0-0-1-2-207)


ANNOUNCEMENTS

Master SharePoint with 3 eLearning Seminars--hosted by Windows IT Pro

Join MVPs Dan Holme and Michael Noel to learn how to build a better
SharePoint infrastructure and enable powerful collaboration. On October
1, 2008, at 11:00 AM EDT, direct from your computer, these SharePoint
gurus will guide you through three info-packed sessions: 21st Century
File Sharing: Configuring & Managing Document Libraries; Building
Code-Free SharePoint Applications and Business Intelligence Lite; and
Forms-Based Authentication and Extranet Deployment Options for
SharePoint 2007. All for only $99! Seats are limited to allow for lots
of live Q&A at the end. Register today!

http://ct.email.windowsitpro.com/rd/cts?d=33-11169-803-202-62923-1146176-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-11169-803-202-62923-1146177-0-0-0-1-2-207)

Know a Developer?

Pass on the SharePoint Mastery series, built especially for developers,
with speaker and Microsoft MVP Andrew Connell!

http://ct.email.windowsitpro.com/rd/cts?d=33-11169-803-202-62923-1146178-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-11169-803-202-62923-1146179-0-0-0-1-2-207)

Access All Our Security Resources!

With the online VIP Monthly Pass, you can have all the security
solutions in Windows IT Pro and SQL Server Magazine right at your
fingertips, PLUS VIP-only content on hot topics such as Vista,
SharePoint, and more. You'll also receive a full digital copy of the
latest issue of Windows IT Pro!

http://ct.email.windowsitpro.com/rd/cts?d=33-11169-803-202-62923-1146180-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-11169-803-202-62923-1146181-0-0-0-1-2-207)


CONTACT US
Security UDPATE is brought to you by the Windows IT Pro Web site's
Security page (first URL below) and Security Pro VIP (second URL
below).
http://ct.email.windowsitpro.com/rd/cts?d=33-11169-803-202-62923-1146182-0-0-0-1-2-207
http://ct.email.windowsitpro.com/rd/cts?d=33-11169-803-202-62923-1146183-0-0-0-1-2-207

You are subscribed to this newsletter as boy.blogger@gmail.com

Manage your Security UPDATE subscription at
http://ct.email.windowsitpro.com/rd/cts?d=33-11169-803-202-62923-1146184-0-0-0-1-2-207.

To unsubscribe:
http://ct.email.windowsitpro.com/rd/cts?d=33-11169-803-202-62923-1146185-0-0-0-1-2-207&list_id=803&email=boy.blogger@gmail.com&message_id=11169

Be sure to add Security_UPDATE@email.windowsitpro.com
to your spam filter's list of allowed senders.

To contact us:
About Security UPDATE content -- mailto:letters@windowsitpro.com
About technical questions -- http://ct.email.windowsitpro.com/rd/cts?d=33-11169-803-202-62923-1146186-0-0-0-1-2-207
About your product news -- mailto:products@windowsitpro.com
About your subscription -- mailto:windowsitproupdate@windowsitpro.com
About sponsoring Security UPDATE -- mailto:salesopps@windowsitpro.com

View the Windows IT Pro privacy policy at
http://ct.email.windowsitpro.com/rd/cts?d=33-11169-803-202-62923-1146187-0-0-0-1-2-207

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2008, Penton Media, Inc. All rights reserved.

No comments:

Blog Archive