March 2005 - Posts
Customers will be interested in Windows Server 2003 SP1 as regards security for the following reasons:
- Windows Server 2003 Service Pack 1 is a unique service pack that provides customers with significant security enhancements and reliability and performance improvements.
- Building on a comprehensive collection of critical updates, Service Pack 1 addresses additional core security issues by providing customers with a reduced attack surface, better protected system services with stronger default settings, and reduced privileges.
- With Windows Server 2003 Service Pack 1, the development team took the time to treat the root cause of many security issues, not just the symptoms. This service pack is very significant and should help address certain classes of exploits.
In addition, Microsoft is announcing that Windows Small Business Server 2003 Service Pack 1 will also be available to customers within 60 days.
Note: Customers who have Automatic Updates enabled with automatic download should be aware that Windows Server 2003 SP1 will be made available through Automatic Updates (AU) as a High Priority update in July 2005. More information about SP1's availability through AU will be made available closer to this deadline.
Customers can obtain Windows Server 2003 SP1 at this location:
http://www.microsoft.com/downloads/details.aspx?FamilyId=22CFC239-337C-4D81-8354-72593B1C1F43
Last week, Security Innovation announced the results of a recently concluded research project comparing the security of Microsoft Windows Server Platform with two servers running Red Hat Enterprise ES 3. The results showed that Linux-based servers had more than twice the number of vulnerabilities reported and/or fixed in 2004 when compared to Windows Server 2003 during the same period.
It was also announced that the research was funded by Microsoft, which, as you can imagine, has sparked a bit of a debate around the validity of the results. It should be noted that Microsoft participates in commissioned and non-commissioned research as part of our ongoing “Get the Facts” campaign. It should also be noted that Security Innovation has published and asked the community for feedback on the methodology used for the research. “Anyone” is invited to test the methodology.
To see both the methodology and the final analysis, go here:
http://www.securityinnovation.com/resources/linux_windows.shtml
I know there will be lots of debate over this, but will it be constructive? Those who would dispute the claims of the research should only do so as a result of testing the methodology and finding demonstrable issues with it.
Abstract: This paper discusses the Trustworthy Computing Security Development Lifecycle (or SDL), a process that Microsoft has adopted for the development of software that needs to withstand malicious attack. The process encompasses the addition of a series of security-focused activities and deliverables to each of the phases of Microsoft's software development process. These activities and deliverables include the development of threat models during software design, the use of static analysis code-scanning tools during implementation, and the conduct of code reviews and security testing during a focused "security push". Before software subject to the SDL can be released, it must undergo a Final Security Review by a team independent from its development group. When compared to software that has not been subject to the SDL, software that has undergone the SDL has experienced a significantly reduced rate of external discovery of security vulnerabilities. This paper describes the SDL and discusses experience with its implementation across Microsoft software. (19 printed pages)
http://msdn.microsoft.com/security/default.aspx?pull=/library/en-us/dnsecure/html/sdl.asp
The guide is a companion to the earlier solution guide Securing Wireless LANs – a Certificate Services Solution. However, this updated guide uses passwords to authenticate users and computers to the LAN instead of digital certificates.
http://www.microsoft.com/downloads/details.aspx?familyid=60c5d0a1-9820-480e-aa38-63485eca8b9b&displaylang=en
I guess most won't find this too useful but thought I'd post about it anyway. Using the ISA Server 2004 SDK you can automate tasks and create web and application filters, among other things. I know, hard to come up with anything to improve on for ISA Server 2004, but you can try ;-)
Download is here:
http://www.microsoft.com/downloads/details.aspx?familyid=5c8121cd-3aff-43d3-bc09-bf3fddd2b9e3&displaylang=en
March 8, 2005
Today, no new security bulletins were released.
Note: www.microsoft.com/technet/security and www.microsoft.com/security are authoritative in all matters concerning Microsoft Security Bulletins! ANY e-mail, web board or newsgroup posting (including this one) should be verified by visiting these sites for official information. Microsoft never sends security or other updates as attachments. These updates must be downloaded from the microsoft.com download center or Windows Update. See the individual bulletins for details.
Because some malicious messages attempt to masquerade as official Microsoft security notices, it is recommended that you physically type the URLs into your web browser and not click on the hyperlinks provided.
Bulletin Summary:
For March 2005 there are no new security bulletins being released, so there will not be a summary bulletin.
Revised Bulletins:
Vulnerability in Cursor and Icon Format Handling Could Allow Remote Code Execution (891711)
http://www.microsoft.com/technet/security/Bulletin/ms05-002.mspx
Vulnerability in Hyperlink Object Library Could Allow Remote Code Execution (888113)
http://www.microsoft.com/technet/security/Bulletin/ms05-015.mspx
This represents our regularly scheduled monthly bulletin release (second Tuesday of each month). Please note that Microsoft may release bulletins outside of this schedule if we determine the need to do so.
If you have any questions regarding the patch or its implementation after reading the above-listed bulletin, you should contact Product Support Services in the United States at 1-866-PCSafety (1-866-727-2338). International customers should contact their local subsidiary.