[ISN] Security UPDATE -- Netscape 8.0 Security -- May 25, 2005

InfoSec News isn at c4i.org
Fri May 27 03:26:30 EDT 2005


1. In Focus: Netscape 8.0 Security

2. Security News and Features
   - Recent Security Vulnerabilities
   - Windows TCP/IP Woes
   - NT OBJECTives Offers Two Free Security Tools

3. Security Toolkit
   - Security Matters Blog
   - FAQ
   - Security Forum Featured Thread

4. New and Improved
   - Control Your Network Traffic


==== 1. In Focus: Netscape 8.0 Security ====
   by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Netscape Communications' Netscape Browser 8.0 was released last week. I 
downloaded a copy and found that it has some impressive features, two 
of which are great innovations that I think are worth a close look. 
First, Netscape 8.0 can use both the Mozilla Firefox and Microsoft 
Internet Explorer (IE) rendering engines, which means that if you use 
it, you no longer have to open two browsers to get maximum 
functionality while surfing the Web. The IE engine is enabled by 
default for "trusted sites," and you can change that setting so that 
the Firefox engine is used by default instead. A menu option (Tools, 
Rendering Engine) lets you switch back and forth between the engines on 
the fly. 

Second, configuring Netscape 8.0 is fairly simple, especially if you're 
familiar with Firefox. The Options dialog boxes are nearly identical in 
both browsers. However, one Netscape 8.0 feature that you won't find in 
Firefox is the Site Controls, which are similar to IE's security zones. 
With Site Controls, you can define master settings that determine how 
the browser will behave for each site you visit. There are four master 
settings: "I Trust This Site," "I'm Not Sure," "I Don't Trust This 
Site," and "Local Files." These are equivalent to IE's Trusted Sites, 
Internet, Restricted Sites, and Local Intranet zones, respectively. For 
each zone in Netscape 8.0, you can enable or disable various Web 
features, such as Java, JavaScript, cookies, pop-up windows, and 
ActiveX controls. You read that last item right--Netscape 8.0 supports 

You can customize the master settings on a per-site basis for any sites 
you've added to any of the zones. Adding sites to a zone is simple. 
After you have a site open in the browser, right-click its tab and 
select Site Controls. Doing so presents a dialog box in which you can 
specify the zone the site should belong to and customize individual 
settings. You can also define a default rendering engine on a per-zone 
or per-site basis. 

A third new security feature (also part of Site Controls) is Trust 
Ratings. If you enable this feature, you're relying on a third party to 
determine whether you should trust a Web site's content and whether 
it's OK to enter sensitive information at that Web site. The third 
party maintains catalogs of trusted and untrusted sites. The catalogs 
are automatically downloaded to the browser based on a schedule you 
define. For example, you can refresh the catalogs hourly, daily, or 
weekly. What Trust Ratings lacks is any information about who creates 
the catalogs, what classification criteria are used, and a way to view 
the catalogs. The feature requires that you trust it blindly to decide 
on your behalf. Thus, I think this feature is less useful than it could 

Netscape 8.0 has other security-related features, some of which are 
similar to ones in Firefox. For example, Datacard Manager helps store 
information you might enter in Web forms. Passcard Manager helps you 
store frequently used passwords. Netscape 8.0 also supports themes and 
extensions. All those features are found in Firefox. Netscape 8.0 also 
has a handy toolbar button that erases the browser history and a Web 
mail manager that lets you configure account information for commonly 
used services such as MSN Hotmail, Yahoo!, Google's Gmail, America 
Online (AOL), and others. Those features don't come as standard 
components of Firefox, but extensions that offer such functionality are 
probably available. 

Another feature not found in Firefox is statistics gathering. Netscape 
8.0 can gather numbers about customers' browser feature usage, send 
them back to developers (while preserving customers' anonymity, of 
course), and use these statistics to improve future versions of the 
browser. As you would expect, when you install Netscape 8.0, you can 
import settings (such as preferences, cookies, browsing history) from 
other installed browsers, including Firefox, IE, and Opera. Although 
the installation routine did import all my settings, it didn't import 
all my search engine plug-ins, so that's one area that needs some 

One thing I'm not clear about yet is how Netscape 8.0 actually uses the 
IE rendering engine and ActiveX controls. Does Netscape 8.0 respect the 
security zone settings as defined in IE? When I configure Netscape 8.0 
to use the IE rendering engine, does it somehow map its own zones to IE 
zones to use the IE zone settings in the registry? Does it respect my 
IE zone settings for ActiveX behavior, such as disabling the download 
of unsigned controls? I did some basic testing to try to determine the 
functionality, and Netscape 8.0 didn't appear to use IE zone settings, 
but I could be wrong. If you have any information to help explain what 
goes on under the hood, please send me an email message with the 

Overall, Netscape 8.0 seems like an excellent solution, particularly 
because of the new Site Controls and its use of both the IE and Firefox 
rendering engines. You can download a copy at the URL below and take it 
for a test drive. Note that Netscape 8.0 is based on Firefox 1.0.3 
code. As such it inherited the same security problems that were present 
in that Firefox version. Netscape 8.0.1 has been released to correct 
those problems.


==== 2. Security News and Features ====

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security 
Alerts, which inform you about recently discovered security 
vulnerabilities. You can also find information about these 
discoveries at

Windows TCP/IP Woes
   The Land attack method has been known to the public at least since 
November 1997. When a Windows system receives a SYN packet that 
contains the same source and destination address, the packet could 
cause a minor Denial of Service (DoS). Microsoft issued a patch to fix 
the problem in IPv4, but the company's IPv6 implementation is still 
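
The check implied by the Land description above, as an added example that is not part of the original newsletter: a parser that flags TCP SYN packets whose source and destination addresses match, for both IPv4 and IPv6. The function names and the sample packets (documentation addresses, zeroed checksums) are constructed for illustration.

```python
import ipaddress
import struct

SYN = 0x02  # TCP SYN flag bit

def check_land(packet: bytes):
    """Return details if a raw IP packet is a TCP SYN whose source == destination address."""
    if not packet:
        return None
    version = packet[0] >> 4
    if version == 4 and len(packet) >= 20:
        ihl = (packet[0] & 0x0F) * 4
        if ihl < 20 or packet[9] != 6:      # protocol 6 = TCP
            return None
        src, dst, tcp = packet[12:16], packet[16:20], packet[ihl:]
    elif version == 6 and len(packet) >= 40:
        if packet[6] != 6:                  # next header 6 = TCP; extension headers not walked
            return None
        src, dst, tcp = packet[8:24], packet[24:40], packet[40:]
    else:
        return None
    if len(tcp) < 14:                       # need the ports and the flags byte
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    if tcp[13] & SYN and src == dst:
        return {"version": version, "addr": str(ipaddress.ip_address(src)),
                "same_port": sport == dport}
    return None

def constructed_samples():
    """Constructed header bytes for testing the parser; not captured traffic."""
    def tcp(sport, dport, flags):
        return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)
    def v4(src, dst):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, src, dst)
    def v6(src, dst):
        return struct.pack("!IHBB16s16s", 0x60000000, 20, 6, 64, src, dst)
    a4 = ipaddress.ip_address("192.0.2.10").packed
    b4 = ipaddress.ip_address("192.0.2.20").packed
    a6 = ipaddress.ip_address("2001:db8::10").packed
    return {
        "v4_land": v4(a4, a4) + tcp(139, 139, SYN),
        "v4_normal_syn": v4(b4, a4) + tcp(40000, 139, SYN),
        "v6_land": v6(a6, a6) + tcp(135, 135, SYN),
        "v6_same_addr_ack": v6(a6, a6) + tcp(135, 135, 0x10),
    }
```

Apply the check only to packets seen on a network-facing interface: loopback traffic legitimately has identical source and destination addresses.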

NT OBJECTives Offers Two Free Security Tools
   NT OBJECTives announced that it has made its ntoinsight 2.0 Web site 
analysis tool and ntoweb vulnerability assessment tool available as 
freeware. Ntoinsight catalogs a Web site's content, architecture, and 
dependencies, and can identify areas that might be used as attack 
points by intruders. Ntoweb is a plug-in that lets ntoinsight use the 
Nikto vulnerability database.


==== 3. Security Toolkit ==== 

Security Matters Blog: Hack IIS 6.0
   by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=AB25:4FB69

   Feel like testing your hacking skills against IIS? If you can break 
into the test server, you'll win an Xbox. Head over to 
http://list.windowsitpro.com/t?ctl=AB2C:4FB69 and read the rules of engagement. The contest 
ends June 8. 

FAQ
   by John Savill, http://list.windowsitpro.com/t?ctl=AB23:4FB69 

Q: How can I restrict the application of Group Policy Objects (GPOs) 
depending on the client machine's OS? 

Find the answer at

Security Forum Featured Thread: Accessing the Security Log on a DC
   A forum participant writes that he has a third-party audit tool 
running in Active Directory on Windows Server 2003. The configuring 
administrators of the audit tool aren't domain administrators, but they 
must have access to the Security log of the DCs to get the needed 
events. Is it possible to give access to the Security log on a DC 
without a membership in Domain Admins? Join the discussion at 


==== 4. New and Improved ====
   by Renee Munshi, products at windowsitpro.com

Control Your Network Traffic
   Lightspeed Systems offers Total Traffic Control (TTC) 5.03 for 
schools, government departments, and businesses. TTC 5.03 performs 
content filtering, spam blocking, bandwidth management, and reporting. 
TTC 5.03 incorporates a Security Agent, which augments virus signature 
matching with behavior analysis to identify and prevent malicious 
threats. The Security Agent enables administrators to quickly classify 
any undesirable application as a known malicious program and distribute 
that information to systems on the network. TTC 5.03 also has new spam-
blocking techniques and can block Web searches on words that you 
specify. For more information, go to

Tell Us About a Hot Product and Get a T-Shirt!
   Have you used a product that changed your IT experience by saving 
you time or easing your daily burden? Tell us about the product, and 
we'll send you a T-shirt if we write about the product in a future 
Windows IT Pro What's Hot column. Send your product suggestions with 
information about how the product has helped you to 
   whatshot at windowsitpro.com.

Editor's note: Share Your Security Discoveries and Get $100
   Share your security-related discoveries, comments, or problems and 
solutions in the Windows IT Security print newsletter's Reader to 
Reader column. Email your contributions (500 words or less) to 
r2rwinitsec at windowsitpro.com. If we print your submission, you'll 
get $100. We edit submissions for style, grammar, and length.


==== Contact Us ==== 

About the newsletter -- letters at windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=AB27:4FB69
About product news -- products at windowsitpro.com
About your subscription -- windowsitproupdate at windowsitpro.com
About sponsoring Security UPDATE -- emedia_opps at windowsitpro.com


This email newsletter is brought to you by Windows IT Security, 
the leading publication for IT professionals securing the Windows 
enterprise from external intruders and controlling access for 
internal users. Subscribe today.

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2005, Penton Media, Inc. All rights reserved.