Security UPDATE--Responsible Disclosure; Spyware Resources--January 26, 2005

Subscribe to Windows IT Pro:

To make sure that your copy of Security UPDATE isn't mistakenly blocked by antispam software, add [email protected] to your list of allowed senders and contacts.




1. In Focus: Responsible Disclosure; Spyware Resources

2. Security News and Features

- Recent Security Vulnerabilities

- New Spyware Management Resources Aim to Help Admins

- Search Engines Put a Damper on Comment Spam

- Wired 802.1x Security

3. Security Matters Blog

- Forensics of Windows Systems

- Checking for Signs of a Compromised System

4. Instant Poll

5. Security Toolkit


- Security Forum Featured Thread

6. New and Improved

- Protect Applications from Insider Attacks, Viruses, Worms, and Hacker Tools


==== Sponsor: Exchange & Outlook Administrator ====

Try a Sample Issue of Exchange & Outlook Administrator!

If you haven't seen Exchange & Outlook Administrator, you're missing out on key information that will go a long way towards preventing serious messaging problems and downtime. Request a sample issue today, and discover tools you won't find anywhere else to help you migrate, optimize, administer, backup, recover, and secure Exchange and Outlook. Order now!


==== 1. In Focus: Responsible Disclosure; Spyware Resources ====

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

As you know, Microsoft recently released a patch (MS05-001) that corrects a problem with the HTML Help system. The vulnerability could allow a remote intruder to execute code on an affected user's system.

Last week, GeCAD NET reported that it had discovered that the patch isn't entirely effective. The company found a way to exploit systems running Windows 2000 Service Pack 4 (SP4) and Windows XP SP1, even with the patch installed. The company also said that as far as it knows at this time, the exploit doesn't work on XP SP2 with the patch installed.

What I found most interesting about GeCAD NET's discovery is the way the company reported it to the public. First, the company posted a summary report of its findings to the Bugtraq mailing list. The company also took the time to post workaround advice to help protect computer users: Either load XP SP2 and the patch or set the security of Microsoft Internet Explorer's (IE's) Internet Zone to high.

After notifying Microsoft (which said it would investigate the problem), GeCAD NET added the following statement to its announcement: "Due to the fact that this attack method allows the exploit of an extremely critical vulnerability on an up-to-date system, GeCAD NET has decided not to release, for the time being, any technical information about this exploit."

I think that's responsible disclosure. Those with an interest in security are now aware that their systems might still be exposed even with the latest patches installed, the vendor is researching the problem, and intruders must rack their brains if they want to find a way to exploit the problem.

That said, I want to point out some interesting information that relates to spyware. Benjamin Edelman's Web site has a hawk eye on spyware, probably to the extreme dismay of those who rely on spyware to peddle their wares in cyberspace. Edelman has a long list of articles that cover loads of interesting information about spyware, including how it works, who's using it, and who's funding it. Check it out.

Also be sure to read the related news item "New Spyware Management Resources Aim to Help Admins" below to learn about new resources you can use to help you reduce unwanted spyware pests in your network environments.

Until next time, have a great week!

==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

New Spyware Management Resources Aim to Help Admins

A new spyware management Web site has been launched, along with a forum and mailing list. The new site aims to help administrators share ideas and experiences and is sponsored by Shavlik, which also sponsors the PatchManagement mailing list and Web site.

Search Engines Put a Damper on Comment Spam

If you operate blogs or Web-based forums, they may already have been targeted by comment spammers--those who post comments for no other reason than to advertise their Web site. Comment spammers typically use automated scripts to spam blogs and forums in rapid succession. Search engine operators, including Google, Microsoft (MSN), and Yahoo!, have announced a solution to the problem.
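The announced solution is the rel="nofollow" link attribute (the "rel" tag format the poll below refers to): a blog or forum marks every link inside user-submitted comments so search engines stop crediting the target, which removes the ranking payoff that drives automated comment spam. The following is an added example, not code from the newsletter or from any search engine; the allowed-tag list and the sample comment are constructed.

```javascript
// Added example: tag every link in user-submitted comment HTML with
// rel="nofollow" before it is stored or rendered. This is a link rewriter,
// not a full HTML sanitizer; the allowed-tag list below is constructed.
const ALLOWED_TAGS = new Set(["a", "em", "strong", "blockquote", "br", "p"]);

// Rewrite one opening <a ...> tag so its rel attribute contains "nofollow",
// preserving any rel values the commenter already supplied.
function addNofollow(tag) {
  const relMatch = tag.match(/\srel\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i);
  if (!relMatch) {
    return tag.replace(/^<a\b/i, '<a rel="nofollow"');
  }
  const values = (relMatch[1] ?? relMatch[2] ?? relMatch[3])
    .split(/\s+/)
    .filter(Boolean);
  if (values.some((v) => v.toLowerCase() === "nofollow")) return tag;
  values.push("nofollow");
  return tag.replace(relMatch[0], ` rel="${values.join(" ")}"`);
}

// Walk every tag in the comment: drop tags outside the allowed subset and
// add rel="nofollow" to each opening anchor tag.
function nofollowUserLinks(html) {
  return html.replace(/<\/?([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>/g, (tag, name) => {
    const lower = name.toLowerCase();
    if (!ALLOWED_TAGS.has(lower)) return "";
    if (lower === "a" && !tag.startsWith("</")) return addNofollow(tag);
    return tag;
  });
}

// Constructed sample comment of the kind an automated spammer posts.
const SAMPLE_COMMENT =
  '<p>Great post! <a href="http://spam.example/pills">cheap pills</a> ' +
  '<a rel="external" href="http://spam.example/more">more</a></p>';

console.log(nofollowUserLinks(SAMPLE_COMMENT));
```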

Wired 802.1x Security

A typical TCP/IP network that uses DHCP is defenseless against individuals who can find a network drop and plug into it. Suddenly, the network graciously grants the unauthorized computer an IP address, and the attacker can launch a variety of attacks--such as breaking into specific servers, eavesdropping on network packets, and unleashing a worm or Denial of Service (DoS) attack. An Internet attacker breaching your firewall would have the same level of access. Randy Franklin Smith shows you how to implement the 802.1x wireless standard on your wired network so that you can guard against unauthorized individuals exploiting physical access to a network drop.


==== Resources and Events ====

Free Web Seminar: Best Practices for Systems Management, Part 2--Managing Applications

Keeping your IT infrastructure on course can be a challenge given the complexity of servers, infrastructure, and application software. In part 2 of this free Web seminar, discover the most effective practices to monitor and manage your infrastructure applications, like Active Directory and Exchange. Learn practical techniques to improve service levels and maximize IT staff efficiency. Register now!

The Essential Guide to Blade Servers by David Chernicoff

Simplifying server management and implementation has been a goal of server vendors for a long time. The cost of setting up new servers, provisioning them, and managing their operation is a significant one, and reducing those costs results in quicker ROI and more easily justifiable initial expenses. Blade server technology is an attractive methodology for addressing these concerns and implementing improvements in your server infrastructure. Get this Essential Guide now at

Free Web Seminar: Meet the Risks of Instant Messaging Head On

This Web seminar will expose you to the wide variety of risks associated with IM, including malware, buffer overflows, and disclosure of confidential information. Discover how to mitigate these risks and learn which risks can be addressed without special IM security solutions and which can't. You'll also receive a list of top requirements to consider when evaluating an IM security solution. Sign up now!

Discover All You Need to Know About 64-bit Computing in the Enterprise

In this free Web seminar, industry guru Mike Otey explores the need for 64-bit computing and looks at the type of applications that can make the best use of it. He'll explain how the most important factor in the 64-bit platform is increased memory. Discover the best platform for high performance and learn how you can successfully differentiate, migrate, and manage between 32-bit and 64-bit technology. Register now!


==== 3. Security Matters Blog ====

by Mark Joseph Edwards

Check out these recent entries in the Security Matters blog:

Forensics of Windows Systems

As I was reading online, I saw a mention of the "Windows Online Forensics" incident-response toolkit. I did an Internet search on the phrase and found a useful white paper and set of tools.

Checking for Signs of a Compromised System

I found another useful white paper that explains how to check a system for signs of compromise. "Checking Microsoft Windows Systems for Signs of Compromise" (available in PDF format) offers a high-level perspective on the basics of system analysis.

==== 4. Instant Poll ====

Results of Previous Poll:

Do you think security researchers should allow more time before releasing proof-of-concept code?

The voting has closed in this Windows IT Pro Security Hot Topic nonscientific Instant Poll. Here are the results from the 41 votes:

29% - Yes, they should wait until well after a patch is released

49% - They should not release such code at all

22% - No

New Instant Poll:

Is comment spam a problem on your company's blogs or Web forums?

Go to the Security Hot Topic and submit your vote for:

- Yes it was, but we solved it by requiring registration

- Yes, but we'll implement the new "rel" tag format to stop it

- Yes, but we don't plan to do anything about it

- No

==== 5. Security Toolkit ====

FAQ: Is a graphical front end available for the Portqry tool?

by John Savill

Find the answer at

Security Forum Featured Thread: Domain Member Server in a DMZ

A forum participant writes that his business needs to deploy content to Internet-facing Web servers. Some of the content needs to be secured for use by only certain members of a particular Active Directory (AD) group. He has some questions about how to do this. Join the discussion at:


==== Announcements ====

(from Windows IT Pro and its partners)

Try a Sample Issue of Windows Scripting Solutions

Windows Scripting Solutions is the monthly newsletter that shows you how to automate time-consuming, administrative tasks by using our simple downloadable code and scripting techniques. Sign up for a sample issue right now, and find out how you can save both time and money. Plus, get online access to our popular "Shell Scripting 101" series--click here!


==== 6. New and Improved ====

by Renee Munshi, [email protected]

Protect Applications from Insider Attacks, Viruses, Worms, and Hacker Tools

Decru announced availability of Decru Client Security Module (DCS), which can be deployed selectively on servers and desktops and which works with Decru DataFort storage security appliances to enforce policies and protect endpoint machines from threats including insider breaches, viruses, worms, misconfiguration, and hacker tools. The optional DCS incorporates application white lists, cryptographic authentication, granular access controls, and hardware-based integrity checks to ensure that only authorized users and applications can access sensitive data. Security administrators can define access policies based on user, application, machine, and time of day. DCS endpoint policy enforcement complements Decru DataFort's transparent encryption capabilities across all enterprise storage environments, including Storage Area Networks (SANs), Network Attached Storage (NAS), Direct Attached Storage (DAS), and tape. DCS is available for Windows, Linux, and Solaris systems for $1200 per client. For more information, go to

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to [email protected]

Editor's note: Share Your Security Discoveries and Get $100

Share your security-related discoveries, comments, or problems and solutions in the Security Administrator print newsletter's Reader to Reader column. Email your contributions (500 words or less) to [email protected] If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.


==== Sponsored Links ====

Argent versus MOM 2005

Experts Pick the Best Windows Monitoring Solution


==== Contact Us ====

About the newsletter -- [email protected]

About technical questions --

About product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]


This email newsletter is brought to you by Security Administrator, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.

221 East 29th Street, Loveland, CO 80538

Attention: Customer Service Department

Copyright 2005, Penton Media, Inc. All rights reserved.
