Security UPDATE--A Bug Bounty Program for Microsoft?--January 17, 2007


Expect the Unexpected: Disaster Recovery for your Windows-based Applications

Protecting Organizations from Spyware: Free Whitepaper

Double-Take Software: Upcoming Exchange Webinar!



IN FOCUS: A Bug Bounty Program for Microsoft?


- Man-in-the-Middle Attacks Made Simple

- Web Sites Move Toward One-Time PINs

- Blocking Web Sites in ISA Server

- Recent Security Vulnerabilities


- Security Matters Blog: Securing Windows Vista Services

- FAQ: Start a Command Shell with Elevated Permissions

- From the Forum: Drive Encryption with Page Files and Temporary Files

- Share Your Security Tips

- Microsoft Learning Paths for Security: Deploying Microsoft Identity and Access Management Technologies


- Encrypt Backup Data at the Media Server

- Wanted: Your Reviews of Products




=== SPONSOR: Neverfail


Expect the Unexpected: Disaster Recovery for your Windows-based Applications

Learn to differentiate between alternative solutions to disaster recovery for your Windows-based applications and to ensure seamless recovery of your key systems--whether a disaster strikes just one server or the whole site. On-Demand Web Seminar

=== IN FOCUS: A Bug Bounty Program for Microsoft?


by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

iDefense Labs' first quarter 2007 Vulnerability Challenge is targeted at those who can find particular bugs in Windows Vista and Microsoft Internet Explorer (IE) 7.0. The company is offering between $8,000 and $12,000 for a new discovery and between $2,000 and $4,000 for a working exploit of that vulnerability, depending on the quality.

According to the Vulnerability Challenge rules (at the URL below), "The vulnerability must be remotely exploitable and must allow arbitrary code execution in a default installation of one of the technologies listed above." Furthermore, "the vulnerability must exist in the latest version of the affected technology with all available patches/upgrades applied," and "the vulnerability must not require additional social engineering beyond browsing a malicious site."

iDefense (a VeriSign company) profits from these challenges by reselling the vulnerability data to its customers and from the publicity the challenges generate.

Black hats sell vulnerability information too. You've probably read news stories about people attempting to sell vulnerabilities of the caliber desired by iDefense on various Internet sites. These black hats often claim that they'll sell a working exploit to the highest bidder (they sometimes have a reserve price that they won't go below). One story I read said that a black hat offered to sell an exploit for $50,000. That's a lot of money for working exploit code.

People who buy such exploit code undoubtedly expect to profit from it somehow, most likely through some type of theft or fraud. So if sellers of exploit code can get that kind of money, or even half that much, and buyers can make their money back by using the exploit code, then the potential takers of iDefense's challenge will be either white hats or those who don't have a vehicle to sell their vulnerability information.

Fortunately, some people will sell their work to iDefense simply because they don't want to see their discoveries used to exploit innocent people, and that's a great motive. But I think we need to keep in mind that many discovers of security vulnerabilities don't care about innocent people--what they care about is personal gain. Seen in that light, iDefense's offer of a maximum of $12,000 seems rather low and might not attract people who discover the most serious vulnerabilities.

Other companies offering bug bounties include 3Com (at the first URL below) and Mozilla Foundation (at the second URL below). 3Com's Zero Day Initiative is a points program in which the more bugs you submit, the more points you receive. You trade points for benefits such as cash and travel to security conferences. Mozilla Foundation pays a flat fee of $500 for a bug found in Mozilla software, plus you get a T-shirt.

All three of these programs have been under way for quite some time now and are successful to some extent or other. The question in my mind is why hasn't Microsoft instituted a similar program? I think it would be a great addition to the company's current efforts at making their products more secure.

=== SPONSOR: WebSense


Protecting Organizations from Spyware: Free White Paper

Combat phishing and pharming with complete protection against complex Internet threats by filtering at multiple points on the gateway, network, and endpoints.



Man-in-the-Middle Attacks Made Simple

A kit automates the creation of a fraudulent URL, which acts as a man-in-the-middle to gather sensitive private information from unsuspecting users in real time.

Web Sites Move Toward One-Time PINs

Think you have too many cards in your purse or pocket? Just wait until you have a dozen or more PIN generators to carry around.

Blocking Web Sites in ISA Server

Web blacklisting services maintain lists of Web sites that contain pornography, hate speech, violence, hacking tools, or other prohibited content. You can subscribe to an inexpensive blacklisting service and import its list (typically updated each week) into ISA Server with a script. Jason Fossen walks you through the steps.

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

=== SPONSOR: Double-Take Software


Double-Take Software: Upcoming Exchange Webinar!

Join this webinar to learn new ways to maintain Exchange uptime by using continuous data replication and application availability. When recoverability matters, depend on Double-Take Software to protect and recover business critical data and applications. Date: 1/30/07. Time: 11 a.m. EST.



SECURITY MATTERS BLOG: Securing Windows Vista Services

by Mark Joseph Edwards,

As you might know, services in Vista are better protected than services in previous versions of Windows. But do you know how Microsoft hardens Vista services?

FAQ: Start a Command Shell with Elevated Permissions

by John Savill,

Q: How can I start a command prompt session with Administrative privileges in Windows Vista?

Find the answer at

FROM THE FORUM: Drive Encryption

A forum participant is testing TrueCrypt drive encryption. He's created an encrypted D drive and set his system page file to reside on the D drive so that it's also encrypted. His temporary directories are also on the D drive. His problem is that at boot time, the screen splits into four squiggly screens, then finally resolves. He said the problem was that the system was unable to create the page file because the D drive is unavailable until you enter the password into TrueCrypt. Does anyone have a solution or a recommendation for other drive encryption software? Join the discussion at


Share your security-related tips, comments, or problems and solutions in Security Pro VIP's Reader to Reader column. Email your contributions to [email protected] If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

MICROSOFT LEARNING PATHS FOR SECURITY: Deploying Microsoft Identity and Access Management Technologies

Effective identity and access management is critical to information security and one of the key components of Core Infrastructure Optimization (IO). Use these resources to learn more about the interdependent technologies and processes of deploying identity and access management solutions, including directory services, identity life-cycle management, access management, and more.



by Renee Munshi, [email protected]

Encrypt Backup Data at the Media Server

Symantec announced the Veritas NetBackup Media Server Encryption Option. NetBackup MSEO encrypts backup data at a central NetBackup media server instead of at the client or on a dedicated encryption appliance. Scheduled to be available this month, MSEO addresses the risk associated with transporting tapes off site. MSEO works with existing NetBackup policies and existing NetBackup clients and can encrypt specific information that client users want to encrypt. MSEO centralizes encryption key management by automatically and centrally tracking which key was used for which tape and can store keys at a disaster recovery site. For more information, go to

WANTED: your reviews of products you've tested and used in production. Send your experiences and ratings of products to [email protected] and get a Best Buy gift certificate.



For more security-related resources, visit

You know you need to manage your email data; how do you do it? What steps are you taking? What additional measures should you enact? What shouldn't you do? Get answers to these questions and get control of your vital messaging data. Download the free eBook today!

Can you really trust users to protect critical business data on their PCs? One in three users write down their passwords, leaving data at risk even with encryption-only protection. True PC data protection requires organizational control of your data. Download this free white paper today to find out how to accomplish your PC data security goals without inhibiting employee productivity.



Ready to get serious about data-driven applications? Learn how to get unparalleled data access and presentation capabilities so that your users can access the critical business information they need. Download this free white paper today to find out more, and get started developing with Microsoft .NET!



Special Invitation for VIP Access

Become a VIP subscriber and get continuous, inside access to ALL the content published in Windows IT Pro, SQL Server Magazine, Exchange & Outlook Pro VIP, Scripting Pro VIP, and Security Pro VIP. Subscribe now and SAVE $100:

Ring in the New Year with Windows IT Pro

Don't miss Windows IT Pro in 2007! As a subscriber, you'll get full access to must-have coverage relating to Windows Vista deployment, virtualization, disaster recovery, Active Directory enhancements, the Office 2007 launch, SharePoint fundamentals, and much more. Order now and save 58% off the cover price.


Security UDPATE is brought to you by the Windows IT Pro Web site's Security page (first URL below) and Security Pro VIP (second URL below).

Subscribe to Security UPDATE at

Unsubscribe by clicking

Be sure to add [email protected] to your antispam software's list of allowed senders.

To contact us:

About Security UPDATE content -- [email protected]

About technical questions --

About your product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.

221 East 29th Street, Loveland, CO 80538

Attention: Customer Service Department

Copyright 2007, Penton Media, Inc. All rights reserved.

TAGS: Windows 8
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.