Wednesday, April 14, 2004

Hey there,

Another day, another 20 Microsoft security patches released.

Sheesh! Talk about Swiss cheese. I feel sorry for all the people who don't keep their OS and browser patched, though. They're just asking for trouble.

Here's the link to the details on the latest updates:

CNet Windows security article

Microsoft released on Tuesday fixes that cover at least 20 Windows flaws, several of which could make versions of the operating system vulnerable to new worms or viruses.

At least six of the flaws could make the OS susceptible to programs similar to the MSBlast worm and its variants, which have infected more than 8 million computers since last August.

Another flaw affects a common file used by Internet Explorer, Outlook and Outlook Express and opens the way for the type of virus that executes when PC users click a specially crafted Web link.

The software giant released four patches to cover the 20 security issues, as part of its monthly update schedule. Microsoft wouldn't comment on the level of risk the flaws present, instead maintaining that companies that apply the fixes won't be in danger.

"If you are running a personal firewall, you are at reduced risk from a lot of these vulnerabilities," said Stephen Toulouse, security program manager for the Microsoft Security Response Center. "But we are absolutely taking this seriously."


Here's another link to a site that keeps track of all the known vulnerabilities (roughly 4,800 as of this writing) in Windows and common apps. Can you say buffer overflow? - An "open source" listing of known security flaws. It's open source because it's a collaborative effort, not a Linux one.

Stay safe...

Tuesday, April 13, 2004

Hi there,

Back from a long Easter break and boy did I need it. ;-)

A lot of folks don't take the time to tighten their browser security settings and then wonder why their antivirus software didn't stop a particular exploit.

Here's what you must do to build strong walls around your internet connection:

How to properly secure Internet Explorer

To configure the Security settings for Internet Explorer:

Select Internet Options under the Tools menu.
Select the Security tab.
Click Custom Level for the Internet zone.
Most of the flaws in IE are exploited through Active Scripting or ActiveX Controls.

Under Scripting, select Prompt for Allow paste operations via script.
This increases computer security by preventing content from being exposed from your clipboard.

Note: Active Scripting should not be disabled since it is used by many websites.

ActiveX Controls are not as popular but are potentially more dangerous as they allow greater access to the system.

Select Prompt for Download signed ActiveX Controls.
Select Disable for Download unsigned ActiveX Controls.
Select Disable for Initialize and script ActiveX Controls not marked as safe.

Java applets typically have more capabilities than scripts.

Under Microsoft VM, select High safety for Java permissions.

This puts access barriers around the Java applet and prevents privileged access to your system.

Under Miscellaneous select Disable for Access to data sources across domains.

This protects you from cross-site scripting attacks.

Also, make sure that no untrusted sites are in the Trusted sites or Local intranet zones, as these zones have weaker security settings than the other zones.

These security settings for Internet Explorer will also be automatically applied to your other Microsoft applications such as Outlook and Outlook Express.
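To check a machine against the settings listed above without clicking through the dialog, here is an added example (not part of the original post) that audits a text export of the Internet zone registry key. The URL action IDs and value encodings are taken from Microsoft's documented zone settings rather than from this page; the names parse_zone, audit and SAMPLE are hypothetical, and the export is assumed to be already decoded to text (regedit writes UTF-16).

```python
import re

# The Internet zone is zone 3; match the key by its tail so HKCU or HKLM exports both work.
ZONE_KEY = r"software\microsoft\windows\currentversion\internet settings\zones\3"
PROMPT, DISABLE, JAVA_HIGH_SAFETY = 0x1, 0x3, 0x10000
# URL action ID -> (name in the Custom Level dialog, value the post recommends)
RECOMMENDED = {
    "1407": ("Allow paste operations via script", PROMPT),
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1C00": ("Java permissions", JAVA_HIGH_SAFETY),
    "1406": ("Access data sources across domains", DISABLE),
}
SECTION = re.compile(r"^\[(.+)\]$")
DWORD = re.compile(r'^"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})$')

def parse_zone(reg_text):
    """Return {action_id: int} for DWORD values under the Internet zone key."""
    values, in_zone = {}, False
    for line in map(str.strip, reg_text.splitlines()):
        if m := SECTION.match(line):
            in_zone = m.group(1).lower().endswith(ZONE_KEY)
        elif in_zone and (m := DWORD.match(line)):
            values[m.group(1).upper()] = int(m.group(2), 16)
    return values

def audit(reg_text):
    """Return (action_id, name, found, recommended) per deviation; missing values give found=None."""
    found = parse_zone(reg_text)
    return [(aid, name, found.get(aid), want)
            for aid, (name, want) in RECOMMENDED.items()
            if found.get(aid) != want]

# Constructed sample export: two settings differ from the recommendations.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000001
"1004"=dword:00000001
"1201"=dword:00000003
"1406"=dword:00000003
"1407"=dword:00000000
"1C00"=dword:00010000
'''

if __name__ == "__main__":
    for aid, name, got, want in audit(SAMPLE):
        print(f"{aid} {name}: found {got}, recommended {want:#x}")
```

On the sample, the audit flags script paste access left enabled and unsigned ActiveX downloads set to Prompt instead of Disable.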

For more information, you should read this page on Computer Security