This white paper describes how the Microsoft concern for security, as defined in the Trustworthy Computing initiative, has driven key features in the design, deployment, and operation of the Microsoft Online Services environment.
Security is critical to our customers: Online services from Microsoft were built from the ground-up to be more secure by design, secure by default, and secure in operation; validated by Cybertrust Certification and SAS 70 Type II attestation.

Overview
The benefits of software-plus-services (SPS) are often weighed against perceived costs in terms of security risks, and the potential for interrupted access to mission-critical business data.

Microsoft brings world-class experience in software design, development, deployment, and operations to its Microsoft Online Services offering, enabling businesses to gain considerable cost advantages while helping to avoid many of the security risks associated with Web-based software services.

Increased security in Microsoft Online services is derived from:

• Simplified automated access using single sign-on.
• Reduced user intervention for security-related tasks.
• Automated software and service updates.
• Comprehensive implementation of leading-edge, industry-standard network security and encryption protocols.
• Mature applications designed, built, tested, and deployed according to Microsoft-established software development disciplines.
• Field-proven service hosting platforms.
• Best practices for data center design and operations.

Microsoft Online services are designed to provide a software-plus-services environment featuring enhanced security and continuous access to applications and data. Increased security at each stage of the online transaction – user and administrator access, network connectivity, service hosting platform and physical datacenter – helps you gain the established benefits of online services while minimizing your risk.

http://technet.microsoft.com/en-us/msonline/default.aspx

Posted by donna | with no comments

Service Pack 1 for the free Microsoft Virtual PC 2007 is ready for download at Microsoft's Download Center.

Microsoft Virtual PC 2007 SP1 is a Service Pack update for Virtual PC 2007, qualifying Windows Server 2008, Vista SP1 and XP SP3.

You can also view the release notes here.

Information about Virtual PC is at http://www.microsoft.com/windows/products/winfamily/virtualpc/default.mspx

Posted by donna | 1 comment(s)

Microsoft published this month's security newsletter with the following articles:

For Home Users - Volume 5, Number 5:

  • Set helpful limits for teens and their Zunes
  • Download the latest Microsoft Security Intelligence Report
  • Join a public debate about how to build a safer Internet
  • What's the difference between spyware and a virus?
  • Use Windows to back up your computer
  • Help protect your Windows Live ID
  • Beware of scams when job-hunting online
  • Frequently asked questions about phishing

View the above topics at http://www.microsoft.com/protect/secnews/newsletters/security_08_0513.htm

For IT Professionals and Developers - Volume 5, No. 5:

  • Security and Privacy: Twins of Different Mothers
  • Microsoft Security Intelligence Report, Volume 4, Now Available
  • Download Forefront Security for SharePoint with Service Pack 2
  • Solution Accelerator Beta: Security Compliance Management
  • Use the New Security Enhancements of Windows Vista SP1 and Windows Server 2008
  • 2007 Microsoft Office Security Guide: Threats and Countermeasures
  • Deploying Group Policy Using Windows Vista
  • The Cable Guy: Wireless Group Policy Settings for Windows Vista
  • Framework-Based Regulatory Compliance
  • Enable Enhanced Identity Privacy
  • Data Encryption Toolkit for Mobile PCs
  • How to Create a Customized Privacy Import File
  • Security MVP of the Month: Aloysius Cheang
  • MVP Article of the Month: Privacy Issues -- Business Disabler or Enabler?
  • Register Now for Tech·Ed North America 2008
  • Upcoming Security Webcasts

All of the above at http://www.microsoft.com/technet/security/secnews/newsletter.htm

Don't forget to subscribe to it if you find it interesting. It's a free newsletter about security, published once a month.

Posted by donna | with no comments

I mentioned in this blog that Definitions.net and Synonyms.net joined Abbreviations.com, and after reading a comment/question on the meaning of Donna, I checked for it. It means "An Italian woman of rank", but I'm not impressed that there is a publicly available image of naked women when I look up the meaning of Donna using their service.

Yigal Ben Efraim, CEO and founder of Synonyms.net, responded by posting a comment. Thanks, but I wonder why there's a need to add images when a user searches for definitions of a word or name? I just tried the service again and there are still images. Not as bad as when I first saw it last January, but the images are still there. I think the service is great because it'll be handy for those who need it (online or using the widget for Mac, add-on for Firefox etc.), but I don't think an image is needed. I noticed that not all defined words have an image, which is good.

Posted by donna | 2 comment(s)

Microsoft released their monthly Security Updates this month.  There's no security update for Vista today.

They released 4 Security Bulletins that affect Office, Windows 2000, XP, 2003 and their antimalware products, namely Windows Live OneCare, Microsoft Antigen, Microsoft Windows Defender and Microsoft Forefront Security.

  1. MS08-026 - Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (951207)
  2. MS08-027 - Vulnerability in Microsoft Publisher Could Allow Remote Code Execution (951208)
  3. MS08-028 - Vulnerability in Microsoft Jet Database Engine Could Allow Remote Code Execution (950749)
  4. MS08-029 - Vulnerabilities in Microsoft Malware Protection Engine Could Allow Denial of Service (952044)

Microsoft re-released Security Bulletin MS06-069.  Bulletin updated to add Windows XP Service Pack 3 as affected software. This is a detection update only. There were no changes to the binaries.

The Bulletin Summary for this month is at http://www.microsoft.com/technet/security/bulletin/ms08-may.mspx

The Microsoft Security Response Team wrote:

I think it is also worth noting that MS08-026 includes additional security mitigations against attacks as identified in Microsoft Security Advisory 950627. We recommend that customers install the updates provided in both MS08-026 and MS08-028 for the most up to date protection against these types of attacks.  

Our Security Vulnerability Research & Defense blog this month discusses MS08-026.  You can find a post discussing built-in functionality to turn off the vulnerable parsing code for one of the fixed vulnerabilities at http://blogs.technet.com/swi/archive/2008/05/13/file-block-and-ms08-026.aspx

http://blogs.technet.com/msrc/archive/2008/05/13/may-2008-monthly-release.aspx

If you have a problem with the security updates, please do not hesitate to inform Microsoft. Support is free. Call 1-866-PCSAFETY if you are in the US or Canada. If you are in another location, please go to this page.

Please remember that Microsoft NEVER sends security updates via e-mail. An example of a fake and infected email pretending to be the May 2008 update from Microsoft is here.

Posted by donna | 1 comment(s)

One of the reasons why patching/updating is important is to help protect us from known exploits. It is also the reason to ensure our security tools are in place: to prevent malicious files or activity from infecting a user's system. One example of an exploit is the IFrame exploit: malicious IFrames embedded in various legitimate websites.

Example: defspot(dot)com - an online music website.

I hope users do not allow any controls being offered by websites. I hope users have their protection in place and that they are fully patched to avoid exploits.

Screenshots at

http://www.dozleng.com/updates/index.php?showtopic=18216

Posted by donna | with no comments

I blogged about it last year and posted in the Calendar of Updates forums that Mac users should install an antivirus program.

Today, I’m blogging again and going to make a post at CoU forums (the same thread) that Mac users really need malware scanners also.

Read why at http://www.dozleng.com/internetsecurity/?p=243

Posted by donna | with no comments

The IE Team describes the ActiveX improvements in IE8 and summarizes the existing ActiveX-related security features carried over from earlier browser versions:

  • Per-User (Non-Admin) ActiveX
  • ActiveX Opt-In
  • Per-Site ActiveX
  • Enforcing Per-Site with ATL SiteLock Technology
  • Reducing Exploit Risk with DEP/NX, “Killbits,” and Servicing
  • Working with Users through Manage Add-Ons

More info at http://blogs.msdn.com/ie/archive/2008/05/07/ie8-security-part-ii-activex-improvements.aspx

Posted by donna | with no comments

Everyone who downloaded the most recent Vietnamese language pack since February 18, 2008 got an infected copy. While we cannot determine the exact number of compromised downloads, there have been 16,667 total downloads of the Vietnamese language pack since November 2007, so we anticipate the impact on users to be limited.
Mozilla does virus scans at upload time but the virus scanner did not catch this issue until several months after the upload. We are also adding after-the-fact scans of everything to address this sort of case in the future.

http://blog.mozilla.com/security/2008/05/07/compromised-file-in-vietnamese-language-pack-for-firefox-2/

/me wonders what virus scanner they are using, and what risk name is flagged *now* by their antivirus scanner. Time for the Mozilla guys to upload their installer or other files to Virustotal to see if any of the 32 malware scanners will flag anything <G>

Posted by donna | 1 comment(s)

APSB08-13 Security Update available for Adobe Reader and Acrobat 7 and 8
http://www.adobe.com/support/security/bulletins/apsb08-13.html

Critical vulnerabilities have been identified in Adobe Reader and Acrobat 8.1.1 and earlier versions. These vulnerabilities would cause the application to crash and could potentially allow an attacker to take control of the affected system.

Adobe recommends users of Acrobat 8 and Adobe Reader install the 8.1.2 update and users of Acrobat 7 install the 7.1.0 update to protect themselves from potential vulnerabilities. This is an update to resolve the issues previously reported in Security Advisory APSA08-01.

APSA08-05 Potential vulnerability in After Effects CS3
http://www.adobe.com/support/security/advisories/apsa08-05.html

Adobe is aware of a recently published security issue in After Effects CS3 that could potentially cause code execution. An attacker would need to convince a user to open a malicious BMP file in After Effects to successfully exploit the issue.

Posted by donna | with no comments

The Swen worm is on the loose again and it is pretending to be a Microsoft security update for May 2008. The email includes a Q231448.exe file as an attachment. It's fake and infected.

http://www.dozleng.com/updates/index.php?showtopic=18177

Posted by donna | with no comments

The new version of the Windows Genuine Advantage Validation tool was first released on March 26 to users visiting the WGA website www.microsoft.com/genuine.

Today, Microsoft pushed it to the Windows Update website. The release is documented on their website (the release date is today). This new version is to ready XP systems for the upcoming SP3.

More info at http://www.dozleng.com/updates/index.php?act=calendar&cal_id=1&code=showevent&event_id=50336

Posted by donna | with no comments