[ISN] Security UPDATE -- Really Simple Syndication Security -- July 6, 2005

InfoSec News isn at c4i.org
Thu Jul 7 02:45:24 EDT 2005


====================

This email newsletter comes to you free and is supported by the 
following advertisers, which offer products and services in which 
you might be interested. Please take a moment to visit these 
advertisers' Web sites and show your support for Security UPDATE. 

Protecting Your Company by Managing Your Users' Internet Access
   http://list.windowsitpro.com/t?ctl=DD4C:4FB69 

Testing Your Security Configuration
   http://list.windowsitpro.com/t?ctl=DD4B:4FB69 

====================

1. In Focus: Really Simple Syndication Security

2. Security News and Features
   - Recent Security Vulnerabilities
   - Microsoft Released Update Rollup 1 for Windows 2000 SP4
   - Bluetooth Security Essentials
   - Preventing Data Loss When Using EFS

3. Security Toolkit
   - Security Matters Blog
   - FAQ

4. New and Improved
   - Prevention Is Better than the Cure

====================

==== Sponsor: Protecting Your Company by Managing Your Users' Internet Access ====
   Companies pay plenty of attention to hardening their servers and 
networks but pay little attention to how uncontrolled Internet access 
from within an organization can represent a significant legal and 
security risk. For example, users who browse a malicious Web site can 
become infected with a Trojan or other malware without their knowledge 
as a result of vulnerabilities in Internet Explorer. Internet filtering 
technology is a key player in mitigating these threats. This white 
paper discusses the various methods available for Internet filtering 
and how to use them to increase security and decrease legal exposure. 
Download this free white paper now! OR Do You Know If Your Network Is 
At Risk Of A Trojan Attack? Discover the various methods available for 
controlled Internet access and how to use them to increase security and 
decrease legal exposure.
   http://list.windowsitpro.com/t?ctl=DD4C:4FB69

====================

==== 1. In Focus: Really Simple Syndication Security ====
   by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

As you probably know by now, Really Simple Syndication (RSS) technology 
is hotter than a firecracker. The technology is slated to explode into 
the world of even more users with the eventual release of the next 
version of Windows (code-named Longhorn). 

A slight wave of concern about security has started to grow with 
Microsoft's announcement that it will build RSS technology into 
Longhorn. Because Windows is so widely used and RSS will be built in, 
people have pointed out that RSS could become intruders' avenue of 
choice for exploiting systems. 

RSS can be used to deliver all kinds of content, and by far the most 
popular content is HTML-based text. However, RSS can be used to deliver 
more than just text. You might be aware that there are ways to include 
file attachments in an RSS feed. As a result, we now have exceptionally 
great technologies such as podcasting, which is a way of delivering 
audio files as RSS-item attachments. Likewise, RSS can be used to 
deliver video, software updates, documents, spreadsheets, and all sorts 
of other files. The possibilities are nearly unlimited. And therein 
resides the concern. 

RSS is a delivery vehicle for content. Some type of helper application 
is required to read, view, listen to, or otherwise handle that content. 
For example, if you have RSS deliver an MP3 audio file, then at some 
point, you'll launch your MP3 player to listen to that file. The same 
goes for HTML, video, documents, and so on. If any of the applications 
used to handle RSS-related data have security vulnerabilities, of 
course intruders will eventually find a way to deliver an exploit. 

Because RSS is so widely used and RSS feeds are typically updated in a 
somewhat automated fashion, the potential is high that someone could 
exploit a large number of systems very quickly. For example, a problem 
in your Web browser or media player software could be exploited by 
delivering specially crafted content. 

Combined attacks could be used too. For example, you might subscribe to 
an RSS feed at a major news site. An intruder might find a way to tweak 
your HOSTS file and DNS cache so that, unknown to you, your RSS 
aggregator or RSS reader goes to some other site instead. The RSS 
aggregator or RSS reader would then pull content from that illegitimate 
site and possibly launch an exploit on your system. All the while, 
you're none the wiser, thinking you've simply pulled the latest news 
articles, which of course would be designed to look exactly like the 
real thing.

The bottom line is that RSS isn't much of a security risk and poses 
few, if any, problems in and of itself. The real risks, so far as I can 
see, are that RSS feeds often interface with other problematic 
software, such as browsers, assorted media-playing software, and word 
processing software. To protect users, those applications need to be 
developed to be as secure as possible. If that isn't accomplished, 
computer users will be less likely to use the great RSS technology we 
now enjoy. 

====================

==== Sponsor: Testing Your Security Configuration ====
   Over a decade ago the Department of Defense (DoD) released a 
statement saying, "Hack your network, or the hackers will do it for 
you. Up until that point, the value of vulnerability scanning and 
penetration testing was questionable. Today, vulnerability-scanning 
hackers, Internet-traveling worms, and roving bots are common. The 
DoD's advice given 10 years ago still holds true: You should conduct 
regular vulnerability and penetration testing audits to validate your 
security policy. This free white paper will discuss how to identify and 
fix vulnerabilities, discover and use vulnerability assessment tools, 
evaluate your security investment and more. Download your free copy 
now!
   http://list.windowsitpro.com/t?ctl=DD4B:4FB69 

====================

==== 2. Security News and Features ====

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security 
Alerts, which inform you about recently discovered security 
vulnerabilities. You can also find information about these 
discoveries at
   http://list.windowsitpro.com/t?ctl=DD52:4FB69

Microsoft Released Update Rollup 1 for Windows 2000 SP4
   Microsoft released Update Rollup 1 for Windows 2000 SP4, which 
contains all updates and patches issued as of April 30, 2005. A 
spokesperson for Microsoft said that there will be no Service Pack 5 
for Windows 2000 and that Update Rollup 1 won't be a requirement in 
order to receive support during Windows 2000's extended support phase. 
The company believes that "the Update Rollup will meet customer needs 
more appropriately than a new service pack."
   http://list.windowsitpro.com/t?ctl=DD5A:4FB69

Bluetooth Security Essentials
   Microsoft introduced comprehensive Bluetooth support for desktops 
and laptops in Windows XP Service Pack 2 (SP2), and for smart phones 
and Pocket PCs in Windows CE. As with its better-known cousin Wi-Fi, 
security questions have arisen about Bluetooth. John Howie takes a look 
at the fundamentals of Bluetooth, including its security features and 
potential risks and walks you through the process of securing your 
Bluetooth implementation.
   http://list.windowsitpro.com/t?ctl=DD56:4FB69

Preventing Data Loss When Using EFS
   Many people use the Encrypting File System (EFS) to protect their 
confidential files but later lose that information when they upgrade 
their computer or lose the computer and try to restore from backups. 
Randy Franklin Smith explains how to avoid losing data when using EFS. 
   http://list.windowsitpro.com/t?ctl=DD58:4FB69

====================

==== Resources and Events ====

Recover Your Active Directory
   Get answers to all your Active Directory recovery questions here! 
Join industry guru Darren Mar-Elia in this free Web seminar and 
discover how to use native recovery tools and methods, how to implement 
a lag site to delay replication, limitations to native recovery 
approaches, and more. Learn how you can develop an effective AD backup 
strategy. Register today!
   http://list.windowsitpro.com/t?ctl=DD4E:4FB69

Are Your Prepared to Answer Your CEO for Money Lost When Your Systems 
Are Down?
   In this free Web seminar, you'll get the tools you need to ensure 
your systems aren't going down. You'll discover the various categories 
of high-availability and disaster-recovery solutions available and the 
pros and cons of each. You'll learn what solutions help you take 
preemptive, corrective action without resorting to a full system 
failover, or in extreme cases, that perform a nondisruptive, automatic 
switchover to a secondary server. Register Now!
   http://list.windowsitpro.com/t?ctl=DD4F:4FB69

SQL Server 2005 Features for Developers
   SQL Server 2005 offers great features for every role: DBAs, Business 
Intelligence (BI) analysts, and developers. In this free Web seminar, 
you'll discover the numerous features and productivity enhancements 
over SQL Server 2000, including Common Table Expressions (CTEs), DDL 
triggers, XML data type, using T-SQL commands, and more.
   http://list.windowsitpro.com/t?ctl=DD50:4FB69

Back By Popular Demand--SQL Server 2005 Roadshow in a City Near You
   Get the facts about migrating to SQL Server 2005. SQL Server experts 
will present real-world information about administration, development, 
and business intelligence to help you implement a best-practices 
migration to SQL Server 2005 and improve your database computing 
environment. Attend and receive a 1-year membership to PASS and 1-year 
subscription to SQL Server Magazine. Register now!
   http://list.windowsitpro.com/t?ctl=DD51:4FB69

You Could Win An iPod Mini!
   Your expert opinion makes a difference--tell us what you think about 
industry conferences and events. Your feedback is very valuable to us. 
Take this short survey today!
   http://list.windowsitpro.com/t?ctl=DD53:4FB69

====================

==== Featured White Paper ====

Is Your Network at Risk of a Trojan Attack?
   Uncontrolled Internet access from within an organization can 
represent a significant legal and security risk. Internet filtering 
technology is a key player in mitigating these threats. In this white 
paper, learn the various methods available for Internet filtering and 
how to use them to increase security and decrease legal exposure. 
Download this free white paper now!
    http://list.windowsitpro.com/t?ctl=DD4D:4FB69

====================

==== Hot Release ====

FREE Download - The Next Generation of End-point Security is Available 
Today. 
   NEW NetOp Desktop Firewall's fast 100% driver-centric design offers 
a tiny footprint that protects machines from all types of malware even 
before Windows loads and without slowing them down. NetOp provides 
process & application control, real-time centralized management, 
automatic network detection & profiles and more.  Try it FREE. 
   http://list.windowsitpro.com/t?ctl=DD4A:4FB69 

====================

==== 3. Security Toolkit ==== 

Security Matters Blog: Any Problems with Win2K Update Rollup 1?
   by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=DD5E:4FB69

   I've heard a couple of reports of problems regarding the new Update 
Rollup 1 package for Windows 2000 Service Pack 4 (SP4). Have you 
experienced any problems?
   http://list.windowsitpro.com/t?ctl=DD57:4FB69

FAQ
   by John Savill, http://list.windowsitpro.com/t?ctl=DD5C:4FB69 

Q: How can I use a script to determine password-expiration dates for 
users in a domain or an organizational unit (OU) and send an email 
message to accounts whose passwords expire soon? 

Find the answer at
   http://list.windowsitpro.com/t?ctl=DD59:4FB69

====================

==== Announcements ====
   (from Windows IT Pro and its partners)

Check Out the New Windows IT Security Newsletter!
   Security Administrator is now Windows IT Security. We've expanded 
our content to include even more fundamentals on building and 
maintaining a secure enterprise. Each issue also features product 
coverage of the best security tools available and expert advice on the 
best way to implement various security components. Plus, paid 
subscribers get online access to our entire security article database 
(over 1900 security articles)! Order now:
   http://list.windowsitpro.com/t?ctl=DD55:4FB69

Exclusive Content for VIP Subscribers!
   Get inside access to all of the content and vast resources from 
Windows IT Pro, SQL Server Magazine, Exchange & Outlook Administrator, 
Windows Scripting Solutions, and Windows IT Security, with over 26,000 
articles at your fingertips. Your VIP subscription also includes a 1-
year print subscription to Windows IT Pro and a VIP CD (includes entire 
article database). Sign up now:
   http://list.windowsitpro.com/t?ctl=DD5B:4FB69

====================

==== 4. New and Improved ====
   by Dustin Ewing, products at windowsitpro.com

Prevention Is Better than the Cure
   Symantec has released Symantec Critical System Protection 4.5, an 
intrusion-prevention solution for desktops and servers running Windows, 
UNIX, and Linux OSs. Symantec Critical System Protection enforces 
behavior-based security policies that defend and proactively protect 
applications on client and server platforms. The software is designed 
to protect against day-zero attacks and maintain system compliance. 
Buffer overflow and memory-based attack protection provide an added 
defense against sophisticated attacks. The product includes a 
high-performance firewall that monitors inbound and outbound network 
traffic connections and can block by port, protocol, and IP address 
range. For pricing and more information, see the company's Web site.
   http://list.windowsitpro.com/t?ctl=DD60:4FB69

Tell Us About a Hot Product and Get a T-Shirt!
   Have you used a product that changed your IT experience by saving 
you time or easing your daily burden? Tell us about the product, and 
we'll send you a T-shirt if we write about the product in a future 
Windows IT Pro What's Hot column. Send your product suggestions with 
information about how the product has helped you. 
   whatshot at windowsitpro.com.

Editor's note: Share Your Security Discoveries and Get $100
   Share your security-related discoveries, comments, or problems and 
solutions in the Windows IT Security print newsletter's Reader to 
Reader column. Email your contributions (500 words or less) to 
r2rwinitsec at windowsitpro.com. If we print your submission, you'll 
get $100. We edit submissions for style, grammar, and length.

====================

==== Sponsored Link ====

Argent versus MOM 2005
   Experts Pick the Best Windows Monitoring Solution
   http://list.windowsitpro.com/t?ctl=DD49:4FB69

====================

==== Contact Us ==== 

About the newsletter -- letters at windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=DD5F:4FB69
About product news -- products at windowsitpro.com
About your subscription -- windowsitproupdate at windowsitpro.com
About sponsoring Security UPDATE -- emedia_opps at windowsitpro.com

====================

This email newsletter is brought to you by Windows IT Security, 
the leading publication for IT professionals securing the Windows 
enterprise from external intruders and controlling access for 
internal users. Subscribe today.
   http://list.windowsitpro.com/t?ctl=DD54:4FB69

View the Windows IT Pro privacy policy at
   http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2005, Penton Media, Inc. All rights reserved.





More information about the ISN mailing list