Security UPDATE--IE Exploit; Firewall Tests--April 5, 2006

1. In Focus: IE Exploit; Firewall Tests

2. Security News and Features

- Recent Security Vulnerabilities

- CipherTrust Launches PhishRegistry.org

- Black-market Sale on Spyware

- Beef Up Security for Your Mobile-Device Fleet

3. Security Toolkit

- Security Matters Blog

- FAQ

- Share Your Security Tips

4. New and Improved

- Password-Protect Your Web Site Logon Information

==== Sponsor: Thawte ====

Discover how to ensure efficient ongoing management of your digital certificates, how your business will benefit by addressing unique online security issues and more!

http://www.windowsitpro.com/go/whitepapers/thawte/iis?code=SECTop0405

==== 1. In Focus: IE Exploit; Firewall Tests ====

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

As you probably know, really dangerous JavaScript-based exploits of Microsoft Internet Explorer (IE) are on the loose. The exploits take advantage of problems in JavaScript processing that allow injection of arbitrary code. Microsoft is working on a patch for the problems that's currently scheduled for release April 11--the company's scheduled monthly patch release date.

Several attacks that use the exploits are under way. For example, one attack comes disguised as a BBC News story snippet. When a person clicks the link to read the rest of the story, the exploit is triggered. Ken Pfeil sent me a link to another site hosting an exploit. The exploit includes some shell code, but I didn't completely reverse-engineer the exploit, so I'm not entirely sure what all it does. If you want to take a look, visit 207.5.68.153 on port 80 with a telnet client and enter the command "GET /" to dump out the exploit code.

Ken also pointed out that some software, such as Microsoft SharePoint Server, can be configured to load files based on content instead of file extension. This means that an exploit can be packaged inside something as seemingly harmless as a .txt file to get past your defenses and will then be run by the software. This software capability undoubtedly adds to the danger level of the new exploits and other exploits.

While you're waiting for Microsoft's patch, you might consider using a third-party patch from Determina or eEye Digital Security. I haven't tested either of these patches so I can't vouch for them, but both companies are reputable. Alternatively, you can disable Active Scripting in IE to stop the execution of JavaScript.

I tested one of the JavaScript-based exploits with Mozilla Firefox and found that it caused the system's disk subsystem to go into overdrive. There was so much disk activity that it took me more than 5 minutes to get Task Manager to open so that I could terminate the Firefox process, which stabilized the system.

I recently came across an interesting set of desktop firewall test results--at the Firewall Leak Tester Web site. The 2006 results show which desktop firewalls perform best in terms of outbound application filtering and the prevention of information leakage. Coming in dead last out of 16 desktop firewalls is Windows Firewall, which ships as part of Windows XP Service Pack 2 (SP2). This isn't too surprising given that Windows Firewall doesn't do outbound blocking.

So which firewalls are the best? When it comes to outbound application filtering, no other firewall beats Jetico Personal Firewall. Kaspersky Lab's firewall is the strongest in terms of preventing information leakage, with Jetico coming in a close second place. Overall, Jetico appears to make the strongest desktop firewall available, beating out other well-known firewalls such as those from Sunbelt Software (Kerio), ZoneLabs (ZoneAlarm Pro and ZoneAlarm Free), and Symantec (Norton). As a bonus, Jetico Personal Firewall is free.

Check out the results at the URL below.

http://www.firewallleaktester.com

Editor's note: Meet Your Favorite IT Experts at Connections Europe in Nice, France, April 24-27

Did you know your favorite Connections conference is coming to Europe in April? Learn from your favorite authors live and in person, and hear directly from Microsoft experts about the next generation of Microsoft technologies. This is an action-packed event with four conferences located together for one rate: ASP.NET, Visual Studio, SQL Server, and Exchange, plus bonus sessions on SharePoint and Windows!

I'm going to let you know about a special rate: When you buy your first conference registration at 1,100 euros, you can get additional passes at half off--so partner up with your friends and take advantage of this great rate. The regular price is 1,450 euros, so this is a big bargain, especially when you check out the line-up of speakers! To get this special rate, go to http://www.devconnectionseurope.com/ to register today and enter promocode: SECENL.

==== Sponsor: 8e6 Technologies ====

Stop Spyware Now - Free White Paper!

Spyware remains a problem for most companies, disrupting productivity, wasting time and money. Now 8e6 Technologies' free White Paper proposes breakthrough solutions to counteract the Spyware problem: recognize potential infections, stop unauthorized programs at the source. Get the Free White Paper:

http://a.gklmedia.com/pnsecurity/nl/110

==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

http://www.windowsitpro.com/departments/departmentid/752/752.html

CipherTrust Launches PhishRegistry.org

CipherTrust launched a new free service, PhishRegistry.org, that aims to alert companies when their Web sites are mimicked for fraudulent purposes.

http://www.windowsitpro.com/Article/ArticleID/49848

Black-market Sale on Spyware

You might think that buying exploit code to create spyware would be expensive. But it's not. Security software maker Sophos reported that it found a site selling a spyware kit, WebAttacker, for $15. Learn more about it in this news article.

http://www.windowsitpro.com/Article/ArticleID/49816

Beef Up Security for Your Mobile-Device Fleet

When a mobile device falls into the wrong hands, so can a lot of corporate information--even the device owner's domain credentials, since most users choose to have the Microsoft ActiveSync client remember their username and password. But help is available in the form of Exchange Server 2003 Service Pack 2 (SP2) and the Messaging and Security Feature Pack (MSFP) for Windows Mobile 5.0. An article by Randy Franklin Smith shows you how to configure this protection.

http://www.windowsitpro.com/Article/ArticleID/49602

==== Resources and Events ====

Learn to secure your IM traffic--don't let your critical business information be intercepted!

http://www.windowsitpro.com/toolkits/symantec/index.cfm?code=0405emailannc

Special Offer Ends Soon!

Register now for DevConnections Europe, 24-27 April in Nice, France, and get a second registration for half price.

http://www.devconnectionseurope.com/?refer=0403emailannc

Learn the best ways to manage your email security (and fight spam) using a variety of solutions and tips.

http://www.windowsitpro.com/go/ebooks/ironport/emailsecurity/?code=0405emailannc

Expert Ben Smith describes the benefits of using server virtualization to make computers more efficient.

http://www.windowsitpro.com/go/podcasts/hp/virtualization/?code=0405emailannc

Learn the advantages of each alternative to traditional file servers and tape storage solutions, and make the best choice for your enterprise needs. Live event: Thursday, April 13

http://www.windowsitpro.com/go/seminar/symantec/storagebackup/?partnerref=0405emailannc

==== Featured White Paper ====

Protect mission-critical business information stored on your high-availability Exchange systems when you implement backup and restore strategies. You'll also learn about key configuration and deployment considerations.

http://www.windowsitpro.com/go/whitepapers/hp/bladeexchange/?code=0405featnl

==== Hot Spot ====

Learn to identify the top 5 IM security risks, and protect your networks and users.

http://www.windowsitpro.com/go/whitepapers/symantec/topimrisks/?code=SECHot0405

==== 3. Security Toolkit ====

Security Matters Blog: Microsoft Takes a Page from Open Source Playbooks

by Mark Joseph Edwards, http://www.windowsitpro.com/securitymatters

Bugzilla is a great resource for both developers and users of Mozilla products. It lets people submit and track bug reports. Microsoft just launched something similar for Internet Explorer (IE) 7.0. Learn about it in this blog article.

http://www.windowsitpro.com/Article/ArticleID/49817

FAQ

by John Savill, http://www.windowsitpro.com/windowsnt20002003faq

Q: What is the User Profile Hive Cleanup (UPH Clean) service?

Find the answer at http://www.windowsitpro.com/Article/ArticleID/49799

Share Your Security Tips and Get $100

Share your security-related tips, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions to [email protected]. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

==== Announcements ====

(from Windows IT Pro and its partners)

Exclusive Spring Savings

Subscribe to Windows IT Pro and SAVE 58% off! Along with your 12 issues, you'll get FREE access to the entire Windows IT Pro online article archive, which houses more than 9,000 helpful articles. This is a limited-time offer, so order now:

https://store.pentontech.com/index.cfm?s=1&promocode=eu2064uw

Save 44% off the Windows Scripting Solutions newsletter

For a limited time, order the Windows Scripting Solutions newsletter and SAVE up to $80. You'll get 12 helpful issues loaded with expert-reviewed downloadable code and scripting techniques, as well as hundreds of tips on automating repetitive tasks. You'll also get FREE, unlimited access to the full online scripting article library (more than 500 articles). Subscribe now:

https://store.pentontech.com/index.cfm?s=1&promocode=eu2664us

==== 4. New and Improved ====

by Renee Munshi, [email protected]

Password-Protect Your Web Site Logon Information

Siber Systems announced the release of RoboForm 6.6, which automatically fills out online forms for users. New in RoboForm 6.6 is the ability to isolate and protect personal IDs and passwords currently left exposed in Microsoft Internet Explorer's (IE's) AutoComplete directory. Users can convert logon information stored in AutoComplete to RoboForm Passcards that are encrypted with a Master Password. RoboForm 6.6's other new features include support for several new encryption algorithms (AES, Blowfish, and RC6) and the ability to be loaded onto USB drives (from SanDisk, Kingston Technologies, and others) so that users can carry their RoboForm-stored information with them. RoboForm 6.6 is now available for a 30-day trial; personal users with 10 or fewer logons can use RoboForm for free even after the trial. Volume discounts are available. For more information, go to

http://www.roboform.com

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to [email protected].

==== Contact Us ====

About the newsletter -- [email protected]

About technical questions -- http://www.windowsitpro.com/forums

About product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]