WinInfo Daily UPDATE, August 22, 2002

WinInfo Daily UPDATE—brought to you by the Windows & .NET Magazine Network
http://www.winnetmag.net


THIS ISSUE SPONSORED BY

Availability Monitoring for Windows
http://www.mkssoftware.com/aceval/


SPONSOR: AVAILABILITY MONITORING FOR WINDOWS

MKS AlertCentre is an affordable availability monitoring solution that is extensible and easy to deploy. It can make system and network administrators more productive by automatically monitoring critical systems and applications and notifying them of problems so they can act quickly and avoid disasters. AlertCentre provides you with the "peace of mind" of knowing your website, e-mail server and other critical systems and applications are running smoothly. AlertCentre comes bundled with MKS Toolkit for System Administrators, which includes hundreds of tools for customizing monitors and automating corrective actions. Call 800-637-8034; +1 (703) 803-3343. Or try it: request a FREE 30-day eval at:
http://www.mkssoftware.com/aceval/


August 22, 2002—In this issue:

1. NEWS AND VIEWS

  • Microsoft Security Vulnerability: Fact or Fiction?

2. ANNOUNCEMENT

  • Enter the Windows & .NET Magazine/Transcender Sweepstakes!

3. CONTACT US

  • See this section for a list of ways to contact us.

1. NEWS AND VIEWS
(contributed by Paul Thurrott)

  • MICROSOFT SECURITY VULNERABILITY: FACT OR FICTION?

    Yet another Microsoft controversy is in the news this week. This controversy involves a so-called Windows Shatter Attack that is "unfixable" because the only reliable solution reportedly requires functionality that Windows doesn't have. Predictably, several news agencies have latched onto the story, foretelling the upcoming demise of Windows. But as Microsoft points out, for the Shatter Attack to do any damage, an intruder must gain access to a user's system. And, according to the company's Ten Immutable Laws of Security (see URL below), after this situation occurs, the user's system already has been exploited. Thus, Microsoft says, the Shatter Attack doesn't represent a Windows vulnerability but illustrates what can happen when users ignore basic security practices.

    Programmer Chris Paget authored an online white paper that describes the Shatter Attack and other attack methods (see the second URL below). According to Paget, Microsoft Group Vice President Jim Allchin's comments during the company's antitrust trial inspired Paget's research. Allchin said that certain flaws in Windows were so serious that if the company revealed the Windows source code, information about the flaws would threaten national security. Allchin then mentioned the Windows message-queuing subsystem, and Paget got to work looking for flaws. The Shatter Attack is apparently one successful result of his research.

    Microsoft's response to Paget's attack is credible, however. After noting that the Shatter Attack is just a new approach to an old issue that the company has known about for years, a Microsoft spokesperson told Paget in an email that his attack requires that a system be compromised before the attack can do any damage. "The attack you describe either requires [users] to run an attacker's program on their [systems] or the attacker needs to have access to the [users' systems]," the email reads. "In either case, the attacker has been allowed to cross a security boundary. In our essay, the 'Ten Immutable Laws of Security,' these are Law #1—'If a bad guy can persuade you to run his program on your computer, it's not your computer anymore,' and Law #3—'If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.'"

    Obviously, the Shatter Attack isn't the real problem. The problem is the email virus that could deliver the attack or any other delivery vehicle that gives an attacker remote or physical access to a user's system. Thus, the details of the attack matter little.

    The Ten Immutable Laws of Security

    Shatter Attack

    2. ANNOUNCEMENT
    (brought to you by Windows & .NET Magazine and its partners)

  • ENTER THE WINDOWS & .NET MAGAZINE/TRANSCENDER SWEEPSTAKES!

    Nothing can help you prepare for certification like Transcender products, and no one can help you master your job like Windows & .NET Magazine. Enter our combined sweepstakes contest, and you could win a Transcender Deluxe MCSE Select Pak (a $729 value) or one of several other great prizes. Sign up today!
    http://www.winnetmag.com/sub.cfm?code=swei202fus

    3. CONTACT US
    Here's how to reach us with your comments and questions:

    (please mention the newsletter name in the subject line)

    This daily email newsletter is brought to you by Windows & .NET Magazine, the leading publication for Windows professionals who want to learn more and perform better. Subscribe today.
    http://www.winnetmag.com/sub.cfm?code=wswi201x1z

    Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters.
    http://www.winnetmag.net/email

    Thank you for reading WinInfo Daily UPDATE.
