"The graphics rendering system is an extremely important component of the operating system. It's critical to functioning of operating system. Any time you make a change to such an important component, you absolutely have to ensure you're not introducing new problems."
"Microsoft claims that Windows Malicious Software Removal Tool for XP/2000/2003 (MSRT) can detect Hacker Defender. I always test the latest MSRT with Hacker Defender, and the latest MSRT does not even detect the latest public version of Hacker Defender (hxdef 1.0.0 revisited), which was published weeks ago and is available for download to everyone, with full source code."
"While this is an extreme example, it goes to show just how important information is in shaping response. Security fixes cannot simply be made and forgotten: they need effective distribution and uptake to have real-world impact. It wasn't the lack of a fix, but poor distribution and uptake of a security patch that enabled Blaster to infect 25 million Windows PCs, and bring entire networks to their knees. And… what better way is there to cripple uptake rates than to simply not inform users of the availability of a fix?
We can only hope Microsoft has learned its lesson... if approaches like this remain the norm there, we’re going to be dealing with more viruses, more sleepless nights, and more pounding headaches for quite a while before they ever get it right."
"No one should be saying "always write your passwords down", just as no one should be saying "never write your passwords down" because there is no absolute guidance for all users on that point. You have to pick what works for you, balancing the risks in creating complex passwords. If you have no need to keep a password system in your head, then it makes sense to write things down if that's the only way you can do complexity. Just be aware that while you are reducing your risk of a single password being cracked and compromising everything, you are increasing your risk that anyone who finds the paper (or papers if you are smart) has the complete keys to the kingdom. If you take careful enough precautions with the paper then on the balance writing it down can carry less risk because of the gain in randomness and complexity."
"Random combinations of letters, numbers, and symbols that must be written down to be remembered, can be misplaced, or found by others and used."
Google is looking for an enthusiastic individual that can live, breathe, and eat Windows security. If Windows security is what you love, then we would love to see your resume. This position is focus is in the Operations organization, but you will work with everyone in the company to bring good operating standards to Google.
Responsibilities:
* Design and implement security on the internal Windows infrastructure.
* Audit existing infrastructure and software to ensure proper setup, application of patches, and policy compliance.
* Evaluate security advisories for their impact to Google.
* Review designs for new Windows products and software implementations.
* Evangelize security within Google.
* Be a resource to Googlers regarding Windows security.
"This issue was originally publicly reported in May as being a stability issue that caused the browser to close."
Hi Ryan,
Just one thing to clarify Microsoft comments, because it seems they tried to add doubts and to discredit me:
Patch MS05-049 addresses three vulnerabilities:
Shell Vulnerability- CAN-2005-2122
Shell Vulnerability - CAN-2005-2118
Web View Script Injection Vulnerability - CAN-2005-2117
Shell Vulnerability- CAN-2005-2122 is the one on patch MS05-049 that was improperly fixed on previous patch MS05-018, named CSRSS Vulnerability - CAN-2005-0551 on patch MS05-018.
If you have any doubts you can contact serious third parties, I bet they will confirm my findings.
Thanks.
Cesar Cerrudo,
CEO & Founder.
Argeniss - Information Security
"Yes MS05-049 was a more complete fix. There’s no two ways about it. Should MS05-018 have been a more complete update to address the underlying vulnerable function? Yes, Cesar is right. But I want to reiterate that MS05-018 did protect against the issue that was brought to us. We don’t want people to worry that there was a problem with MS05-018 or that it didn’t protect against that the specific vulnerability it was designed to address...
[W]e’ve taken a look at this situation and incorporated some lessons learned. We will work very hard to help ensure something like this doesn’t happen in the future."
Call to Action:
1. If your site requires SSLv2, please reconfigure it to permit SSLv3 or TLSv1 connections.
2. Ensure that the hostnames used for your secure pages exactly match the hostname in your digital certificate. For example, using the certificate for www.example.com on secure.example.com will result in an error page.
3. If your site supports TLS, please ensure that it has a standards-compliant implementation of TLS that does not fail when extensions are present. Testing for a non-compliant TLS server is as simple as navigating to any HTTPS page on the server using IE7 on Vista Beta 2. If IE7 fails to connect, TLS extensions are the most likely culprit.
"Microsoft executives also cite a decline in the number of security bulletins issued for major products like Windows Server and Office as evidence that the new engineering discipline is having an impact.
There were 69 such bulletins issued for Windows 2000 Server in two and a half years and only 41 for Windows Server 2003 in a comparable period, the company said.
Eleven bulletins were issued for the 2001 version of Office XP during the first 594 days after its introduction; for Office 2003, there were six bulletins in the same period. For the last two Windows XP updates, 35 bulletins were issued for Service Pack 1 in the year ended last June but only 18 for Service Pack 2."
"The obvious thing is to apply patch MS05-051 on at least your Win2k systems. We do know the port 3372 scanning started in full force, likely in order to acquire target lists. If you can't patch, at least make sure port 3372 is closed."
1. Long -- A good password should be at least eight characters long. The longer the better. Passwords shorter than eight characters are inadequate today. If you are trying to improve password strength in your organization, teach people to use longer passwords that are not based on common words. One technique is also to base passwords, or better yet, pass phrases, on words in other languages than the primary one at the site.
2. Complex -- A good password should have a mix of all the four character types, uppercase and lowercase letters, numbers, and non-alphanumeric symbols. Preferably, all four should exist in a given password. Remember, any character on your keyboard is legal in a password. Using a pass phrase and interspersing it with randomly chosen characters and spaces considerably improves the strength of your password.
3. Changed frequently -- A poster from NativeIntelligence.com has a great phrase on it: "Passwords are like bubble gum; they are better when fresh." Passwords should be changed every 90-365 days, depending on the value of the asset they are protecting and the strength of the password. If you use eight-character passwords, 180 days is a reasonable change interval. If you use nine-character passwords today you can probably leave them valid for 360 days or even longer without a problem.
4. Used only in one place -- Reusing passwords significantly increases the exposure of the assets you are protecting with the passwords. Essentially, any given asset is only as secure as the least secure computer that protects that asset. When you reuse passwords the asset is only as secure as the least secure computer where you use that password.
5. Used only by one person -- Another characteristic that passwords borrow from bubble gum is that they are much better when used by a single person. If at all possible, each user on the computer should have their own account with their own password. This increases accountability and decreases exposure for the password. If you allow multiple people to use the same password you effectively give up all possibilities of monitoring their actions unless you install closed-circuit TV systems to oversee the computer.
6. Not typed on untrusted computers -- A password is only as secure as the computer or network it is used on. Keystroke loggers frequently target public kiosk-type computers, such as those used in Internet cafs, conferences, and hotel and airport lounges. The instant a password is typed on one of these computers fitted with a keystroke logger, the asset protected by the password is no longer secure.
"The answer is a resounding Yes! We have seen the number of security defects be reduced by approximately 50 to 60 percent when we follow SDL. The simple fact is that every product touched by SDL has fewer security defects. Period. And that certainly makes it worth pursuing."
"At the Cingular store this weekend signing up for a plan, I watched the clerk enter my information into a point-of-service web app running inside Internet Explorer. On the second screen, a window with a picture of a palm tree-studded beach appeared, interrupting him. “Damn popups,” he said, clicking the window closed."
Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.
"You've been given a second chance. I hope very sincerely that you use it to serve as a cautionary example, and speak out against the creation of these types of attacks. I know you just want to put all this behind you. But you have the opportunity to do a tremendous amount of good. Please use it, don't squander it. You've taken the first step by confessing and being honest about what you did. I respect that. Please don't waste the opportunity you have potentially been given to help some kid right now avoid your mistake and think twice before taking what seems to be a simple action, but that can impact so many people."
My blog is mine. The opinions represented in this blog are mine as well and may not represent my employer's opinions.
