Security UPDATE--Month of Apple Patches--January 10, 2007


Give viruses admin rights to your computer

Black Hat security event

esxRanger Professional: Hot Backups for VI3



IN FOCUS: Month of Apple Patches


- Attacking Vista: From Proof of Concept to Actual Exploit

- Cisco Strengthens Mail Offering with IronPort

- Backup and Recovery Basics

- Recent Security Vulnerabilities


- Security Matters Blog: At Least 11 Unpatched Vulnerabilities in Microsoft Products

- FAQ: Start a Program with Elevated Permissions

- From the Forum: Information Quality During Security Incidents

- Share Your Security Tips


- Secure Remote Access from Handhelds

- Wanted: Your Reviews of Products




=== SPONSOR: Byte Crusher


Give viruses admin rights to your computer

Sounds crazy, doesn't it? But if you run Windows XP as an Administrator, this is exactly what you are doing every time you touch the Internet. You locked the door but forgot to close it. WindowZones can dynamically remove Administrator rights from Internet applications such as web browsers and email clients. Say "Access Denied!" to Internet threats with WindowZones.

=== IN FOCUS: Month of Apple Patches


by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Recently, someone announced that a new Apple-related security bug would be posted every day for the month of January (see the URL below). The stunt comes on the heels of other such projects, dubbed Month of Kernel Bugs and Month of Browser Bugs. There was also a proposed Month of Oracle Database Bugs, but that stunt never came to fruition.

You might have read my recent Security Matters blog article in which I questioned whether this relatively new "month of bugs" trend is stupendous or just plain stupid. If you missed it, you can read it at the URL below.

The problem I see with these events is that they place millions of computer users at severe risk. The alleged motives for launching these events vary, but it seems to me that they're primarily publicity stunts designed to draw attention to the operators of the events. If that weren't the case, then the bug publicists would at least post their bugs anonymously. Furthermore, if they really cared about the overall effects of their bug reports, they'd be more responsible with their disclosure methods instead of leaving people vulnerable while vendors scramble to fix the bugs.

At least some people out there have a conscience. In response to the recent launch of the Month of Apple Bugs (MOAB) comes the cavalry riding to the rescue, led by Landon Fuller, former Apple engineer.

Fuller found out about MOAB and decided that it would be a good exercise and public service to fix the bugs while waiting for official fixes from Apple. So day by day, as the new bugs are posted, Fuller works to find ways to fix them and subsequently releases patches.

In addition to Fuller's work, William Carrel stepped in to set up a MOAB Fixes group at Google where MOAB patch coordination is taking place. There you can find open discussion along with the patches released so far. The group is accessible at the URL below.

Apple will undoubtedly release its own patches for the bugs in the near future. However, so far the company hasn't said anything publicly about possible patches or the MOAB project. Although Fuller formerly worked at Apple and is helping to fix the bugs on his own, he stated that he hasn't heard anything from Apple regarding MOAB or his patching efforts.

I think that the work of the people who are now involved in patching the issues made known by the MOAB project is admirable. The people who launch these "month of bugs" stunts could take a lesson in public service from the example being set. But will they? I doubt it.

=== SPONSOR: Black Hat


Black Hat security event

Black Hat DC, February 26-March 1 in Washington, DC, is the DC version of Black Hat, the world's premier technical event for IT security experts. Featuring 10 hands-on training courses and 30 Briefings presentations with lots of new content--the best of Black Hat. Network with 300 delegates and see solutions from 10 major sponsors.



Attacking Vista: From Proof of Concept to Actual Exploit

During the final week of December, a vulnerability was discovered in Windows platforms that affects the Client-Server Runtime Subsystem (CSRSS) service. Then, on the final day of 2006, just in time to ring in the new year, an anonymous person posted a working exploit to the Full Disclosure mailing list.

Cisco Strengthens Mail Offering with IronPort

Cisco will acquire IronPort Systems, which makes a range of appliances that help companies defend themselves against email- and Web-based attacks.

Backup and Recovery Basics

Every business needs a comprehensive data protection plan. David Chernicoff shows you how to begin creating one for your company.

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

=== SPONSOR: Vizioncore


esxRanger Professional: Hot Backups for VI3

Still don't have a reliable disaster recovery plan in place?

Vizioncore's esxRanger Professional supports a sophisticated, yet cost effective DR strategy for your VMware Infrastructure 3 environment. Restoring entire virtual machine images--or just files--is smooth & seamless. Visit for a trial download today.



SECURITY MATTERS BLOG: At Least 11 Unpatched Vulnerabilities in Microsoft Products

by Mark Joseph Edwards,

Are you aware of the known vulnerabilities for which no patch is available? There are at least 11, and the list is growing. Learn more about them in this blog article.

FAQ: Start a Program with Elevated Permissions

by John Savill,

Q: How can I easily start a program in elevated permission mode?

Find the answer at

FROM THE FORUM: Information Quality During Security Incidents

A forum participant writes that he's seen discrepancies in data collected during various incidents, which can lead to wrong actions being taken. He's curious to hear stories from others about such incidents as well as suggestions about how people handle information quality issues during incidents.


Share your security-related tips, comments, or problems and solutions in Security Pro VIP's Reader to Reader column. Email your contributions to [email protected]. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.



by Renee Munshi, [email protected]

Secure Remote Access from Handhelds

Positive Networks announced PositivePRO 3.5, the newest version of the secure remote access service, which offers several major improvements, including automatic device detection for easier provisioning, the ability to work on handheld devices such as BlackBerries and phones with a Web browser, and Windows Vista support. The PositivePRO remote access service combines a client-based VPN, a clientless, Web-based Secure Sockets Layer (SSL) VPN, and remote desktop control. PositivePRO supports multiple antivirus products on the client and can prevent a client's access to the network if PositivePRO detects a virus on the client. PositivePRO can also install up-to-date antivirus software on a client that doesn't have it. For more information, go to

WANTED: your reviews of products you've tested and used in production. Send your experiences and ratings of products to [email protected] and get a Best Buy gift certificate.



For more security-related resources, visit

How do you manage security vulnerabilities? If you depend on vulnerability assessments to determine the state of your IT security systems, you can't miss this Web seminar. Special research from Gartner indicates that deeper penetration is needed to augment your existing vulnerability management processes. Learn more today!

Total Cost of Ownership--TCO--is every executive's favorite buzzword, but what does it really mean and how does it affect you? In this podcast, Ben Smith explains how your organization can use virtualization technology to measurably improve the TCO for servers and clients.

Protect your users and your network from email-borne threats. This free eBook gives you the knowledge required to understand the real threat that email-borne attacks pose and how to address those attacks in a way that reduces risk while ensuring users aren't impacted. Download it today!



Are you familiar with new government regulations affecting email? Learn about the dozens of issues surrounding the security of email in business today and make sure that your company is in compliance. Download your copy of this must-have white paper today!



Ring in the New Year with SQL Server Magazine

Don't miss SQL Server Magazine in 2007! As a subscriber, you'll have full access to must-have coverage of high availability, SQL Server & Office integration, business intelligence, clustering, reporting services, and much more. Order now and save 58% off the cover price:

Vote for the Next IT Pro of the Month!

Your vote counts! Take the time to reward excellence in a deserving IT pro. The first 100 readers to cast a vote will receive a one-year subscription to Windows IT Pro, compliments of Microsoft. Voting takes only a few seconds, so don't miss out. Cast your vote now at


Security UPDATE is brought to you by the Windows IT Pro Web site's Security page (first URL below) and Security Pro VIP (second URL below).

Subscribe to Security UPDATE at

Unsubscribe by clicking

Be sure to add [email protected] to your antispam software's list of allowed senders.

To contact us:

About Security UPDATE content -- [email protected]

About technical questions --

About your product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.

221 East 29th Street, Loveland, CO 80538

Attention: Customer Service Department

Copyright 2007, Penton Media, Inc. All rights reserved.
