WinInfo Daily UPDATE—brought to you by the Windows & .NET Magazine Network
May 30, 2002—In this issue:
1. NEWS AND VIEWS
- Report: Microsoft, SEC Resolve Financial-Reporting Investigation
- Microsoft Patches Critical Exchange 2000 Hole
- Attend Our Free Windows Security Solutions Webinar!
- Raising Windows 2000 Availability—Free Webinar
3. CONTACT US
- See this section for a list of ways to contact us.
1. NEWS AND VIEWS
(contributed by Paul Thurrott, [email protected])
Report: Microsoft, SEC Resolve Financial-Reporting Investigation
According to a report in The Wall Street Journal, Microsoft is set to resolve a Securities and Exchange Commission (SEC) investigation into the company's accounting practices. The settlement will finally resolve a years-long complaint that Microsoft misrepresented its financial statements to maintain artificially steady profit and revenue growth.
Rumors about Microsoft's financial misdeeds date back to the early 1990s, when increasing Windows sales drove the company's profits through the roof. At the time, Microsoft adopted a policy of padding future financial results by deferring profits from its successful Windows and Office product lines. Then, during quarters that were financially disappointing, Microsoft reported parts of the deferred profits, effectively smoothing out the company's perceived growth.
The SEC began its investigation into the company after a former Microsoft auditor launched a wrongful-termination suit in 1997 and alleged that the company's so-called deferred-profit policy violated SEC rules. The auditor said the company fired him for speaking publicly about the policy, which Microsoft officials internally referred to as "smoothing."
Because this deferred-profit policy is a murky legal issue, the settlement will reportedly address lesser charges, and the SEC won't fine Microsoft for its transgressions. According to The Wall Street Journal, Microsoft will admit only that it failed to keep accurate records and will pledge to abide by SEC accounting rules. The company modified its deferred-profit strategy when the SEC investigation began more than 3 years ago and says that it now legally represents its financial condition. "We take our financial reporting responsibilities very seriously, and we work hard to comply with every aspect of the company's reporting obligations," a Microsoft spokesperson said this week. "Microsoft has cooperated fully with the SEC but because this is not a public inquiry, it's not appropriate to comment further or speculate about the status [of the investigation or settlement]."
Microsoft Patches Critical Exchange 2000 Hole
Late yesterday, Microsoft released a patch that corrects what the company calls a "critical" security flaw in Microsoft Exchange 2000 Server. The flaw lets intruders send a specially formatted email message that ties up 100 percent of the server's processing power, effectively creating a Denial of Service (DoS) situation (which prevents users from accessing services). The flaw takes advantage of a bug in the way Exchange 2000 handles certain malformed email messages; rather than simply deleting the messages, the server repeatedly attempts to process them and ties up all its resources doing so.
"A security vulnerability results because it is possible for an attacker to seek to exploit this flaw and mount a [DoS] attack," states a Microsoft security bulletin about the patch. "An attacker could attempt to levy an attack by connecting directly to the Exchange server and passing a raw, hand-crafted mail message with a specially malformed attribute. ... Neither restarting the service nor rebooting the server would remedy the [DoS]."
The good news is that attacking Exchange 2000 in this manner is difficult. Intruders can't launch attacks through email messages; the attacks require a direct connection to the server. In addition, although you can't stop Exchange 2000 from processing the malformed message after it begins, the server restores normal operation after it finishes processing the message. Nevertheless, Microsoft recommends that all Exchange 2000 users download and install the patch, which you can find on the Microsoft Web site.
(brought to you by Windows & .NET Magazine and its partners)
If you're using Windows 2000 to run mission-critical applications, you know Win2K has security concerns. The Windows & .NET Magazine's Security Solutions Summit, a half-day online event, addresses where the vulnerabilities lie, how you can strengthen your enterprise's security, and how you can exploit the same tools that hackers use. Register today!
How can you reduce (or eliminate) data loss and downtime in the event of a site-wide disaster? Attend the latest free webinar from Windows & .NET Magazine and get the answers including what kind of fault-tolerant disk setup to use, what clustering is (and isn't) good at, and best practices for boosting SQL Server and Exchange 2000 Server availability. Register (for FREE) today!
3. CONTACT US
Here's how to reach us with your comments and questions:
(please mention the newsletter name in the subject line)
- TECHNICAL QUESTIONS — http://www.winnetmag.net/forums
- PRODUCT NEWS — [email protected]
- QUESTIONS ABOUT YOUR WinInfo Daily UPDATE SUBSCRIPTION?
Customer Support — [email protected]