Category: Warnings

“In contrast, Microsoft immediately restricted access to its MSN Messenger instant messaging (IM) service in 2005 when it discovered a vulnerability in its IM client. Only users with an updated and nonvulnerable [sic] client were allowed to access the service, which meant Microsoft essentially performed the vulnerability management process on behalf of businesses. Skype provides no such protection,” Orans added.

Although Gartner has previously recommended that enterprises stay away from Skype, Orans repeated the advice in his note. “The most secure option is to block Skype traffic completely,” he said. “However, if after weighing the risks, a business decides to allow Skype use, it should actively manage version control of Skype client — and its distribution to authorized users — using configuration management tools.”

http://www.informationweek.com/news/showArticle.jhtml;jsessionid=HCZC5RR34UIFSQSNDBCSKH0CJUMEKJVN?articleID=188700351

Sun Microsystems, the developer of StarOffice, has boasted in the past about the security of its software developed in collaboration with open-source projects.

Stardust.A’s image loading functionality should work on any platform–Windows, Mac or Linux–on which OpenOffice and StarOffice run.

http://www.securityfocus.com/brief/218?ref=rss

By Immunity researcher Dave Aitel’s account, the exploit leverages a flaw in the operating system’s kernel that can be triggered through SMB, and will give an attacker full access to the PC. “An official security update from Microsoft will likely not be in development until after June when the information is released.”

Windows 2000 was last patched against an SMB vulnerability in June 2005.

http://www.informationweek.com/security/showArticle.jhtml;jsessionid=XQQITZ21JK35MQSNDBECKICCJUMEKJVN?articleID=188500259

Symantec Corp., in Cupertino, Calif., warned administrators to patch quickly and listed the Exchange vulnerability level as “High” on the company’s security response Web site.

http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1188468,00.html

In addition, users with any homegrown authentication mechanisms linked to Windows will have to rewrite their code from the ground up.

ISVs also have to completely rewrite and certify the custom code they write to interface with Winlogon, the Windows process that manages logon and logoff.

The new architecture, called Winlogon Re-Architecture, includes a model for building modules called Credential Provider. The February CTP also was the first time Microsoft included in the release notes the fact that the GINA architecture had been abandoned even though the company had started talking about it at its Professional Developers Conference last September. “There are things built into GINA that are not in the existing Winlogon module you get with the Vista beta,” says the ISV who requested anonymity.

Historically, many corporate users have waited for Service Pack 1 of a new operating system before adopting it.

The ISV says customers with multiple products that hook into GINA will have the most difficult support and migration issues. Another systems integrator says users always have faced this danger with custom code added to Windows. “To extend authentication we need to move away from GINA,” says Austin Wilson, director of product management for Windows client at Microsoft.

http://www.networkworld.com/news/2006/050806-microsoft-vista.html

During his talk, he described an attack where a user could enter malicious code in a Web form and then get that code to run by calling up the company’s customer service number and tricking a representative into inadvertently executing it. Stamos also showed how Web services requests could be used to conduct denial of service attacks, either by creating malicious XML queries that used massive amounts of memory or by bombarding databases applications with more requests than they can handle.

This trend is of particular concern to smaller companies that may not have the budgets to fully test the security of their software.

http://www.infoworld.com/article/06/04/07/77230_HNwebservicesrisks_1.html