Windows-Help.NET Newsletter 24 May 2003, Vol 6 No. 18

In this issue:

Gartner Recommends Replacing or Augmenting Passport
Kaspersky Labs: IE users "defenseless" to Trojan attack
Recent Support BBS Postings
Recommended Book: PC Help Desk in a Book
Web Site Updates
Administrivia

 
 

Gartner Recommends Replacing or Augmenting Passport

by Arie Slob

Hello Windows users,

Market research group Gartner last week issued an advisory titled "Security Flaw Shows Microsoft Passport Identities Can't Be Trusted". It advises financial institutions, credit card issuers, retailers and other enterprises that use Microsoft Passport for any meaningful business purpose to immediately break all Passport connections until at least November 2003, until Microsoft can prove that its security is adequate, or to invest in an additional, more secure form of authentication for all issued Passport identities.

In addition, Gartner advised those institutions to contact all their customers who use Passport and make them aware of Microsoft's recommendations for Passport account holders.

This advisory comes after the latest security flaw that hit Microsoft's Passport service on the 7th of May. The flaw, in Passport's password recovery mechanism, could have allowed an attacker to change the password on any account for which the user name is known. The flaw was disclosed Wednesday evening on the security mailing list Full Disclosure.

While Microsoft fixed this particular vulnerability within a day, Gartner analysts say that "as with any piece of software with serious security flaws, more vulnerabilities will likely surface in Passport" and that "Enterprises considering Passport services should delay adoption until at least November 2003 or until Microsoft has completed a thorough security review of Passport, including outside reviewers."

Kaspersky Labs: IE users "defenseless" to Trojan attack

According to Kaspersky Labs, an international data security software developer, Microsoft hasn't reacted to its calls to issue a patch for the StartPage Trojan, which exploits a vulnerability in Internet Explorer 5.0.

StartPage is a classic Trojan - it is sent to victim addresses directly from the author and does not have an automatic send function. The first mass mailing to several hundred thousand addresses was registered in Russia on May 20.

The StartPage program is a Zip-archive that contains two files - one HTML file and one EXE file. Upon opening the HTML file the StartPage code is launched and proceeds to exploit the Internet Explorer security system vulnerability known as "Exploit.SelfExecHtml". It then proceeds to clandestinely launch the EXE file carrying the Trojan program.

"It is hard to call this program dangerous, its collateral effects include only the altering of an old Internet Explorer page. Still, StartPage has set a precedent with its usage of a vulnerability for which there is not yet a patch", commented Eugene Kaspersky, Head of Anti-virus Research at Kaspersky Labs.

According to Kaspersky Labs statistics, over 85% of virus incidences in 2002 were caused by malicious programs such as 'Klez' and 'Lentin' that exploit the IFRAME Internet Explorer vulnerability, which was discovered over two years ago, and thus users have had plenty of time to install the patch and protect themselves against any similar virus appearing in the future.

"With StartPage we are dealing with an open vulnerability. Users can protect themselves with anti-virus software, but not all of them have strong heuristic technology to protect against future viruses", continued Eugene Kaspersky. "A new vulnerability has been exposed that may incite the creation of a multitude of new malware that could lead to new epidemics of a global scale."

I think that a possible explanation for Microsoft's apparent reluctance to issue a patch is that Microsoft no longer supports Internet Explorer 5.0, which it replaced with Internet Explorer 5.01 and 5.5, both of which are in most cases entering their "Extended" support phase (or getting close to their End Of Life) according to the Microsoft Web site.

Recent Support BBS Postings

Anybody ever use the "repair" option? - Windows XP
Defrag every day, will it hurt? - Hardware
After cleaning out a Virus - General Discussions
Two routers on my home network - Networking
Flashing Bios question - Hardware

Recommended Book: PC Help Desk in a Book


List: $29.99
Our Price: $20.99
You Save: $9.00 (30%)

Paperback, 576 pages
Publication date: Nov. 2002


PC Help Desk in a Book: The Do-it-Yourself Guide to PC Troubleshooting and Repair

Each year, thousands of harmless PCs suffer the pain and humiliation of buggy Windows installations, bad cable connections, mismanaged system resources, viruses, and slow Internet connections. All too often, these downtrodden PCs end up being scrapped before their time by owners who just can't care for them any longer. The real travesty is that with a little love, these wounded PCs could become useful members of society. That's where Mark Edward Soper's book "PC HelpDesk in a Book" comes in. Using a unique, medical dictionary approach, this book walks users through the symptoms to diagnose and treat the problem. End-users will be armed to perform cost-effective upgrades, repair fouled Windows installations, and squeeze out a little more performance from a slow Internet connection in lieu of purchasing a new computer.

Mark has taught computer troubleshooting and other technical subjects to thousands of students from Maine to Hawaii since 1992. He is an A+ Certified hardware technician and a Microsoft Certified Professional.


Web Site Updates

These pages were added/updated in the past week. Information on previously updated/added pages is available on the What's New? page for 1 month.

Windows-Help.NET

Added: Kaspersky Labs: Internet Explorer users "defenseless" to Trojan attack
Added: Windows Newsletter LockerGnome Declares Non-Issue Tomorrow's New Threat
Added: Microsoft Released a Rights Management Add-on for Internet Explorer
Added: Gartner Recommends Enterprises Replace or Augment Passport

Windows XP

Added: Prevent Windows Media Player 8.0 from Maintaining a Recent-files List

Highlights

Windows Newsletter LockerGnome Declares Non-Issue Tomorrow's New Threat

In his Windows Daily GnomeREPORT of May 20, Chris Pirillo writes that it's a grave danger that (Microsoft's) firewall doesn't protect incoming IPv6 traffic.

Windows XP Tip: Prevent Windows Media Player 8.0 from Maintaining a Recent-files List

Windows Media Player's (WMP) File menu shows a list of the most recently played files.

Microsoft Released a Rights Management Add-on for Internet Explorer

This week, Microsoft released a Rights Management (beta) add-on for Internet Explorer. The Rights Management Add-on for Internet Explorer is a way that Windows users can view files with restricted permission. These restrictions help people to prevent sensitive documents, Web-based information, and e-mail messages from being forwarded, edited, or copied by unauthorized individuals.

L2TP/IPSec NAT-T Update for Windows XP and Windows 2000

Microsoft has released an update package to enhance the current functionality of the Layer Two Tunneling Protocol (L2TP) and Internet Protocol security (IPSec) on computers that are running Windows XP or Windows 2000.

This update includes improvements to IPSec to better support virtual private network (VPN) clients behind network address translation (NAT) devices by implementing NAT as specified in the Internet Engineering Task Force (IETF) RFC 3193 and draft-02 of the IETF NAT-T specification. The update also includes additional support for stronger IPSec protection by using the 2048-bit Diffie-Hellman algorithm (Group 14).



Windows Media Services 9 Series Fix

Users may experience excessive rebuffering or stream thinning during playback in either of the following scenarios:

When doing live streaming of higher bitrate content

or

When doing on-demand streaming where the files are located on a remote storage server by means of an SMB connection.

Internet Explorer 6 SP1 Update: You Cannot Connect to the Internet After You Install Microsoft Updates

This update fixes an issue where users cannot connect to the internet when they are using a third-party proxy product that uses only basic authentication.

You cannot connect to the Internet after you install any of the following Microsoft updates:

Internet Explorer 6 Service Pack 1 (SP1)

or

Microsoft Windows XP SP1.

Supported Operating Systems: Windows 2000, Windows 98, Windows ME, Windows NT, Windows XP
