Wednesday, January 25, 2006

Tuesday, January 24, 2006

Oracle v Microsoft

Ed Moyle: Take a look at Oracle's vulnerability process, compare it with Microsoft's, and tell me again why Microsoft is the security pariah?

Wednesday, January 18, 2006

XP LUA Goodness

Microsoft has published a technical white paper describing the least-privileged user account (LUA) approach in Windows XP. Lots of useful guidance, tools and resources.

Which reminds me: If I had one major quibble about the MSRC's security advisories pilot program, the absence of LUA guidance from the suggested actions would be it. What better place to spread an important gospel?

/. questions for Mike Nash

Microsoft's security bigwig Mike Nash is taking questions from Slashdot readers.

UPDATE: Todd Bishop has picked out some of the highest modded questions so far.

Saturday, January 14, 2006

Two-way Vista Firewall

Ed Bott has the skinny on the fact that Windows Vista will feature a two-way firewall.

Thursday, January 12, 2006

Rotten Apple

Microsoft security guru Michael Howard thinks that Apple's just-released QuickTime update presents one of those OMFG, APPLY THE PATCH!! scenarios. On the heels of the recent problems with these kinds of image-parsing bugs, he might be right.

It's somewhat amusing, in a sad way, that Apple chose to sneak out the QuickTime update on Microsoft's patch day. I've already written about this tactic, which has its pros and cons. Someone just mentioned to me that the QuickTime patch coincided with the MacWorld festivities, when everyone was looking the other way.

Wednesday, January 11, 2006

Zero Day Alive and Well

Long before the release of Microsoft's patch for the Web fonts flaw, researcher Piotr Bania had already started working on a blow-by-blow description of the vulnerability. More proof that the zero day is very much alive, and even more dangerous.

* Via Daily Dave.

Thursday, January 05, 2006

The Win2K SP3 Dilemma

If you are like a certain West Coast city government (I'm withholding the identity to avoid placing them at risk of targeted attacks) and you haven't migrated yet from Windows 2000 SP3 because of app compatibility problems, you'll have to fork out upwards of $200,000 to get custom support and, by extension, a patch for the WMF vulnerability.

Microsoft likes to slickly say that they'll continue to provide patches for Windows 2000, but that's not entirely true. Patches are only available for Windows 2000 SP4. Joris Evers mentions some others in a blog entry but still misses the fact that Windows 2000 SP3 users are also left out in the cold.

That's why I recently asked if Microsoft would tell us how many Zotob infections occurred on Windows 2000 SP3. I suspect the answer is startling.

UPDATE: Paul Roberts finds Microsoft playing word games with severity ratings and older OS versions.

Hi, I'm Mike Nash

And I approve this message:

"With the update available today, you certainly have the choice of deploying now or waiting until your normal release process. If it were my decision, I would move up the schedule. That is what we are doing in our IT operation here at Microsoft."

Tuesday, January 03, 2006

The Problem With Ilfak's Patch

I see that third-party distribution of the third-party WMF patch has started. How soon before a fake malicious version of this 'patch' gets into the ecosystem? Sigh.

Fearmongering Redux

The SANS Internet Storm Center is conducting a poll on the impact of the WMF exploit. 80% of the 1142 respondents said they had not seen an exploit. Yet, if you read the nonstop diary entries, you'd think we're seeing a blended Blaster/Slammer/Sasser attack.

* Very uncharacteristic.

Monday, January 02, 2006

WMF Risk Management

This man should be writing the MSRC security bulletins. Seriously.
Matthew Murphy on why talking heads with doom-n-gloom soundbites are the people you should most avoid.

Here's a beauty from the oft-quoted privacy/security expert Richard Smith:

"We could see the mother of all worms here. My big fear is we’re going to wake up in the next week or two and have people warning users not to read their e-mail because something is going around that’s extremely virulent."