Security UPDATE-- Microsoft Catches Flak for Lack of Vulnerability Disclosure--April 26, 2006

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

Esker Software



1. In Focus: Microsoft Catches Flak for Lack of Vulnerability Disclosure

2. Security News and Features

- Recent Security Vulnerabilities

- Novell Acquires e-Security

- GRISOFT Boosts Its Security Offerings with Acquisition of Ewido

- New Antiphishing Toolbar Takes an Obvious Approach

3. Security Toolkit

- Security Matters Blog


- Security Forum Featured Thread

- Share Your Security Tips

4. New and Improved

- Bring Systems Back in Line


==== Sponsor: Esker Software ====

Align compliance with business efficiency, and learn how fax-document management plays a role in your strategy.


==== 1. In Focus: Microsoft Catches Flak for Lack of Vulnerability Disclosure ====

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

News stories last week discussed a blog entry (at the URL below) by Matthew Murphy of SecuriTeam that hammered Microsoft for what Murphy thinks is a lack of adequate vulnerability disclosure. Murphy's beef with Microsoft relates to Microsoft Security Bulletin MS06-015--Vulnerability in Windows Explorer Could Allow Remote Code Execution. In a nutshell, Murphy wants Microsoft to offer more details about vulnerabilities. (MS06-015 also happens to be the security bulletin that proved to be buggy--an update was due to be released yesterday.)

Many think that Microsoft's disclosure practices border on the silent fixing of security issues. It's no secret that in the past Microsoft has silently fixed security problems and sometimes has misinformed the public about the ramifications of security problems. Microsoft and many other companies don't like the publicity related to security problems, so they try to keep matters as quiet and calm as possible.

Granted, each company is free to establish its own policies about disclosure and few are forthcoming with complete details in any given instance of vulnerability discovery. For example, Apple silently fixes security problems and rarely if ever releases any substantial details about them. But then people interested in security don't place Apple under the same microscope as Microsoft.

When Microsoft releases a security-related patch, numerous independent researchers go to work to analyze the patch to find everything that's changed in the related files. If they detect anything that isn't documented, the researchers either call Microsoft on the carpet or they keep their mouths shut for any of several reasons, including the ability to exploit the undocumented bugs in systems that don't have the patch installed. Thus the patch could actually aid in the proliferation of malware and increase the overall risk of security breaches.

Of course, Microsoft's disclosure practices have improved over the years, but there's still room for improvement, particularly if the company expects the masses to more fully buy into the Trustworthy Computing ideology.

Again, we're back to the same old issue of disclosure being a double-edged sword. While many businesses and researchers have seen fit to adopt some form of responsible disclosure in terms of timing the release of vulnerability details, another important point of contention remains. Microsoft and other companies argue that too much disclosure creates a more dangerous network environment. But many security researchers contend that not enough disclosure creates a more dangerous network environment. Obviously, the situation calls for balance, and I think there is balance. However, when the balance tips too far toward either perspective, then risk levels increase.

Here's an interesting thought, even if it's only tangentially related: What if software as a service or applications on demand become commonplace? Think of a scenario in which you no longer have an OS and sundry applications installed on your desktops and servers, but instead everything is driven by some hardware-based technology that loads everything from a remote location that you don't control. That would just about put an end to many aspects of security research, security administration, and the disclosure debate, wouldn't it?


==== Sponsor: Availl ====

Ensure instant access to files at remote servers/offices. Confused by WAFS, Wide Area Mirroring, DFS, WAN acceleration, or Replication technologies? Do you have remote sites with common data or file needs? Get a free software trial, and register for the free seminar:


==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

Novell Acquires e-Security

With e-Security's Sentinel solution under its wing, Novell says its customers will enjoy a more comprehensive view of user, network, and application events that will help streamline processes, augment compliance monitoring, and cut costs.

GRISOFT Boosts Its Security Offerings with Acquisition of Ewido

GRISOFT aims to bolsters its cross-platform antivirus and firewall solutions by adding Ewido Networks' award-winning anti-malware protection to its suite of offerings.

New Antiphishing Toolbar Takes an Obvious Approach

TraceSecurity developed a different and rather obvious approach to an antiphishing toolbar. Instead of looking for known phishing sites, the free TraceAssure Toolbar searches for legitimate Web sites by matching domain names to IP addresses.


==== Resources and Events ====

How do you ensure that your email system isn't vulnerable to a messaging meltdown? In this Web seminar, Exchange guru Paul Robichaux tells you what you should do before you have an outage to increase your chances of coming out of it smelling like roses.

Learn the best ways to manage your email security (and fight spam) using a variety of solutions and tips.

Expert Ben Smith describes the benefits of using server virtualization to make computers more efficient. Download this exclusive podcast today!

Make sure that your DR systems are up to the challenge of a real natural disaster by learning from messaging survivors of Hurricanes Katrina and Rita. Live Event: Tuesday, May 2

Ensure that you're being effective with your internal network security. Are your DIY options protecting you against worms, BotNets, Trojans, and hackers? Make sure! Live Event: Tuesday, May 23


==== Featured White Paper ====

Examine the risks of allowing unwanted or offensive content into your network and learn about the technologies and methodologies to defend against inappropriate content, spyware, IM, and P2P.


==== Hot Spot ====

Try it Free: Access & Control PCs from your USB

NetOp Remote Control provides the most complete, scalable, and secure remote control software available. Access PCs from your desktop, PocketPC or USB! NEW On Demand option provides tiny, temporary, download with no user installation or firewall configuration and NO per session charges. Free evaluation & support.


==== 3. Security Toolkit ====

Security Matters Blog: Rubberhose: A Useful Form of Data Encryption?

by Mark Joseph Edwards,

Instead of making it glaringly obvious that data is encrypted, Rubberhose makes encryption deniable--i.e., supposedly it can't be proven that the data is encrypted. This technique might be useful for people who, for whatever reasons, can't use other forms of data encryption. Learn a bit more about it in this blog article.


by John Savill,

Q: Does Microsoft provide a different level of support for applications and services running under a VMware virtualization host rather than under a Microsoft Virtual Server 2005 virtualization host?

Find the answer at

Security Forum Featured Thread: Is Someone Trying To Hack Our System?

A forum participant has Windows 2000 Advanced Server with Terminal Services running. In the Security event log, he noticed many instances of an event in which someone tries to log on to a system named GARY-HOME. He has no system with that name, so he wonders whether someone is trying to hack into his network. Look at the event log entry he posted and join the discussion at

Share Your Security Tips and Get $100

Share your security-related tips, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions to [email protected] If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.


==== Announcements ====

(from Windows IT Pro and its partners)

Exclusive Spring Savings

Subscribe to Windows IT Pro and SAVE 58%! Along with your 12 issues, you'll get FREE access to the entire Windows IT Pro online article archive, which houses more than 9,000 helpful articles. This is a limited-time offer, so order now:

Save 44% off Windows Scripting Solutions

For a limited time, order the Windows Scripting Solutions newsletter and SAVE up to $80. You'll get 12 helpful issues loaded with expert-reviewed downloadable code and scripting techniques, as well as hundreds of tips on automating repetitive tasks. You'll also get FREE, unlimited access to the full online scripting article library (more than 500 articles). Subscribe now:


==== 4. New and Improved ====

by Renee Munshi, [email protected]

Bring Systems Back in Line

NetPro Computing describes SecurityManager 2.0 as "a significant upgrade." SecurityManager 2.0 centralizes policy management and enforcement for Active Directory (AD) and file servers. It includes new policies for object locking, group membership, separation of duties, and external trusts. SecurityManager 2.0 constantly monitors the network, so when systems become uncompliant with company standards, the software immediately sends an alert and helps remediate the problem. For more information about SecurityManager 2.0, go to

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to [email protected]


==== Contact Us ====

About the newsletter -- [email protected]

About technical questions --

About product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]


This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.

221 East 29th Street, Loveland, CO 80538

Attention: Customer Service Department

Copyright 2006, Penton Media, Inc. All rights reserved.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.