CyberSecurity Institute

The monthly security bulletin addresses a vulnerability found in Windows 2000 Service Pack 3 and 4, which the company ranks as “important,” its second-highest severity rating. The flaw also appears in the older Windows 98, Windows 98 Second Edition and Windows Millennium Edition. “A remote code execution vulnerability exists in the way that Web View in Windows Explorer handles certain HTML characters in preview fields,” Microsoft said in its bulletin. “By persuading a user to preview a malicious file, an attacker could execute arbitrary code in the context of the logged-on user.” That attacker could install programs and view, change or delete data, or create new accounts with full user rights, Microsoft said.

Security company Symantec has rated the risk from the flaw as “medium,” noting that some user interaction is required for it to be used for an attack. For example, the PC user would have to download a corrupt document or save the document from an e-mail attachment, then browse to the document using Windows Explorer. “It would be fairly easy for an attacker to create a malicious document that could compromise a system and circulate this document through email or websites,” Oliver Friedrichs, senior manager at Symantec Security Response, said in a statement on Tuesday. “In order to combat this new and other security risks, users should always avoid opening files from unknown sources or following links to unverified sites. In addition, all users should deploy Internet security solutions such as antivirus software and firewall technology.”

More recent versions of the operating system are not affected by the flaw. Microsoft said it has tested Windows XP Service Pack 1 and 2, Windows XP 64-Big Edition Service Pack 1 and Version 2003 for Itanium, XP Professional x64 Edition, Windows Server 2003 and its Service Pack 1, Windows Server 2003 for Itanium-based systems and its related Service Pack 1 for the vulnerability.

Microsoft is urging people with Windows SP3 and SP4 to download the security update. For the older versions, Microsoft noted on its Web site that it does not offer security patches to older versions of its software that it no longer supports, unless the vulnerability is rated “critical.”

The software giant did not offer any workarounds. A Microsoft representative referred questions regarding what actions Windows 98 users should take to the company’s Microsoft Lifecycle Support site.

The software giant also released two security advisories of problems that do not necessarily require a patch from Microsoft. One notes a default setting in Windows Media Player Digital Rights Management could allow a user to open a Web page without requesting permission. The second is a clarification of Microsoft’s simple mail transfer protocol (SMTP) Tar Pit feature in Windows Server 2003 Service Pack 1 for Exchange Server 2003.

“Microsoft does not require or recommend that all customers implement this (Tar Pit) feature. It has been provided as an option for reducing the effectiveness of certain attacks that utilize standard features of the simple mail transfer protocol,” the advisory notes.

http://news.com.com/Fix+in+for+Windows+flaw/2100-1002_3-5701804.html?part=rss&tag=5701804&subj=news

CIOs have a new name to know: Zubulake. And if they don’t, they could be heading for trouble. Zubulake is shorthand for the case of Zubulake v. UBS Warburg LLC, which was heard recently in a federal court in New York. The court’s decisions in that case established new standards for retaining electronic data.

“The courts are increasingly depending on companies and their lawyers to produce electronic evidence and to make sure it’s not destroyed,” says Adam Rosman, a lawyer at Zuckerman Spader LLP in Washington. “It was an obligation that didn’t previously exist.”

CIOs have had to contend with hackers, worms and viruses for years. And they’re getting a handle on new federal regulations that set additional security requirements. But even veteran IT executives may be ignorant of some crucial aspects of security law, like the requirements coming out of the Zubulake case, lawyers say.

These security measures, while important legally, fail to attract adequate attention because they’re evolving standards, they’re mixed in with responsibilities traditionally handled by other executives, or they’re simply downplayed by the executive suite.

“There is some important work to be done to bring the CIO and the security officers up to speed,” says J. Beckwith Burr, a partner at Wilmer Cutler Pickering Hale and Dorr LLP, which has headquarters in Boston and Washington.

1 A threat of legal or regulatory action against your company should spur you to adopt more-conservative data-retention procedures. This is just as important as abiding by the rules for data storage that have emerged from the Zubulake case and better-known mandates, such as the Sarbanes-Oxley Act. “When you get wind that someone might be thinking of suing you, you have to immediately change your document destruction procedures so you don’t destroy anything that might be evidence,” says Stuart Meyer, a partner at Fenwick & West LLP in Mountain View, Calif.

2 Security threats from employees represent another often-overlooked risk that could land CIOs and companies in legal trouble. Companies have an obligation to secure their information, even from their own employees, says Robert M. Weiss, a partner at Neal, Gerber & Eisenberg LLP in Chicago. For example, if an unauthorized employee accessed another employee’s personnel file, officers and the company itself could be sued.

3 Corporate relationships with third-party service providers also present potential legal problems, lawyers say. For example, most contracts today limit the liability of outsourced providers to the cost of the contract. “So if there is a security meltdown, contractually the vendor isn’t responsible,” Burr says.

4 Changes in best practices have come quickly with new laws, regulatory requirements and court decisions, and the implications could go well beyond initial expectations. Take, for example, federal laws such as the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act and Sarbanes-Oxley. Most CIOs know that security standards are changing, and many use audits to find holes in their companies’ policies and procedures.

5 Double-edged audits. “If you have knowledge of a security gap and you don’t correct it and something happens, it’s hard to escape liability,” says David MacDonald, a New York-based partner at Kirkland & Ellis LLP. On the other hand, companies that fail to make reasonable efforts to find security gaps may also be liable.

http://www.computerworld.com/securitytopics/security/story/0,10801,101552,00.html

The security-advisories service is designed to alert customers to new security-flaw information in a more timely manner. When gray-hat hackers and private research outfits publish new security-related information, Microsoft will use the service to let customers know.

http://www.microsoft-watch.com/article2/0,1995,1813518,00.asp?kc=MWRSS02129TX1K0000535