"In a sea change of philosophy, Microsoft Corp. is working to put security ahead of not just features and functionality, but also legacy application compatibility. In a meeting with eWEEK last week, several Microsoft executives responsible for security software development said the company is also changing the way it ships some products to make them safer and will begin developing its own line of security software." Read the rest of the report at ExtremeTech. In related news, a pair of Office XP bugs were uncovered while more security updates can be found here.
Privacy, Security Archive
A serious hole in Windows NT and Windows 2000 allows any user (even "guest") to gain complete control of the machine using the standard documented debugging interface. An article on ExtremeTech gives details and links to patches and sample exploits. To date, Microsoft has not commented on the vulnerability.
"The software bug--known as a buffer overflow--caused key memory-management functions in the zlib compression library to fail, a condition that could allow a smart attacker to compromise Linux computers over the Internet, said Dave Wreski, director for open-source security company Guardian Digital." Read the rest of the report at News.com.
IBM developerWorks has come out with three articles on OpenSSH, a free version of the SSH protocol suite for network connectivity. The first discusses RSA/DSA authentication, the second introduces ssh-agent and keychain, while the last goes over agent forwarding and keychain improvements. It's a great resource for someone who needs some encryption.
"Microsoft Corp. is going on the offensive to restore confidence in its .Net platform after a security consulting firm claimed it had found a critical flaw in a new compiler Microsoft released earlier this week. In an unusual move, a member of the team that developed the product in question--the Visual C++.Net compiler--posted a lengthy message to the Bugtraq security mailing list excoriating Cigital Inc. for making what Microsoft deems to be false claims in its press release and inciting unnecessary concerns about the security of .Net applications built with the compiler. Brandon Bray, a member of the product's development team said: 'The allegation that applications compiled with Visual C++'s /GS switch somehow expose themselves to more attacks is unfounded and patently false.'" Read the rest of the story at ExtremeTech.
Seen on WinInformat.com: "For at least the first 8 months of 2001, open-source poster child Linux was far less secure than Windows, according to the reputable NTBugTraq, which is hosted by SecurityFocus, the leading provider of security information about the Internet."
The FBI's National Infrastructure Protection Center has urged users of Microsoft's Windows XP operating system to disable a feature that could leave computers open to attacks from hackers. In a statement issued Saturday, the FBI's NIPC, which usually leaves computer security warnings to the private sector, said it held technical discussions with Microsoft and industry experts Friday to identify ways to minimize the risk from security holes in the XP software, which was launched in late October.
"Microsoft may have touted Windows XP as the most secure operating system it has made, but the company on Thursday released a bug fix for a security hole that could leave some people's systems open to malicious attack. Microsoft is recommending that every Windows XP customer apply the patch immediately. Customers using Windows 98, Windows 98 Second Edition and Windows ME with the 'Universal Plug and Play' service up and running should also use the patch, the company said." And this comes only a few days after the serious IE6 security hole, where Microsoft also urged users to upgrade immediately.
"Researchers have discovered that hackers are already developing tools to take advantage of a hole that could allow the takeover of key servers in corporations and universities." Read the rest of the story at ZDNews.
OpenSSH 3.0 has just been released. It will be available from the mirrors listed at the OpenSSH web site. OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support.
A SiliconValley.com article discusses the latest high-tech security devices available today and in the near future. Vendors have been quick to capitalize on the world's paranoia, offering gadgets that range from face recognition systems to microwave-powered incapacitation rays to full-body x-ray machines.