Users running pirated or counterfeit copies of Windows XP or Windows Server 2003 can now download Internet Explorer 7, Microsoft announced Thursday.

From the moment it released IE7 almost a year ago, Microsoft has restricted the browser to users who can prove they own a legitimate copy of the operating system. Before Microsoft allows the browser to download, it runs the user's PC through a Windows Genuine Advantage (WGA) validation test, a prime part of XP's antipiracy software.

When it instituted the requirement in 2006, Microsoft said rights to IE7 were one of the rewards for being legal. It changed its mind Thursday, saying the move is in users' best interest.

"Because Microsoft takes its commitment to help protect the entire Windows ecosystem seriously, we're updating the IE7 installation experience to make it available as broadly as possible to all Windows users," said Steve Reynolds, an IE program manager in a posting to a Microsoft company blog. "With today's 'Installation and Availability Update,' Internet Explorer 7 installation will no longer require Windows Genuine Advantage validation and will be available to all Windows XP users."

Microsoft has consistently touted IE7 as a more secure browser, and post-launch patch counts back that up. In the past 11 months, IE6 for Windows XP SP2 has been patched for 22 vulnerabilities, 20 of them rated critical. IE7 for XP SP2, however, has been patched only 13 times; 10 of those fixes were ranked critical. In fact, when Microsoft announced that IE7 would not be offered to users running illegal copies of XP, some analysts questioned the company's commitment to security.


 
Categories: Security | Web Development

Saying that an Internet Information Server exploit is due to a feature, not a flaw, Microsoft has published exploit code for the flaw but no workaround or patch.

The exploit, which was discovered on Dec. 15, 2006, and made public at the end of May, works against IIS 5.x. By design, versions 5.x allow bypass of basic authentication by using the "hit highlight" feature. The hit-highlighting feature can be used by an unauthorized user to grab documents to which he or she has no privileges.

At the very least, this leaves IIS 5.x users vulnerable to data interception. And while the exploit hasn't been used to take over systems to date, that could well change, according to Swa Frantzen of the Internet Storm Center.

The ability to execute code is "unexplored, but hinted about," Frantzen wrote in a blog post on SANS' Internet Storm Center security alert site.

The ISC has tracked public exploits that apparently focus on leaking protected information.

According to Microsoft, which has written up the issue in its Knowledge Base article 328832, hit-highlighting with Webhits.dll only relies on the Microsoft Windows NT ACL (Access Control List) configuration on 5.x versions.

Microsoft "strongly [recommends] that all users upgrade to IIS (Internet Information Services) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security," the company wrote in its KB article.

Microsoft currently ships IIS 6.0 with Windows Server 2003. It is up to IIS 7.0 for Windows Vista, while Windows XP Professional has IIS 5.1.


Yet, despite urging an upgrade for the sake of improved security, Microsoft is treating the bug as a nonissue, providing neither a workaround nor any indication that it will patch versions 5.0 and 5.1. "This behavior is by design," the KB article asserts.

Rather than supply a patch or workaround, Microsoft published six steps to reproduce the exploit—a response that is "a bit atypical," according to Frantzen. "Microsoft is telling the world how to exploit their products being used by their customers. Not that the worst of those interested in it did not already know, but the one thing we need from Microsoft is not the exploit, but the patch or at least a decent work-around," Frantzen wrote.

The only defensive information Microsoft gives is to urge users to upgrade to 6.0—an upgrade that's neither free nor easy, Frantzen pointed out. He provided these possible workarounds:

  • If you don't use the Web hits functionality, a simple workaround would be to remove the script mapping for .htw files. Without a script mapping, IIS should treat the file as static content.
  • Try to use application-level firewalls (filters). If you have the infrastructure it can be a temporary measure till you can upgrade IIS, solving the actual problem.
  • URLScan, a URL filter by Microsoft, can be used to stop access to .htw files and is reported by some SANS-ISC readers as being effective.
  • Manage rights on the confidential files or directories themselves.
  • Upgrade to Apache or another Web server, with or without a (cross) upgrade of the OS.
  • Scramble an upgrade to Windows 2003, potentially on more potent hardware.

Frantzen advised IIS 5.x users that failing to find "null.htw" in a document root directory doesn't mean much—the exploit doesn't need the file.
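Since the file does not have to exist, the web server's request log is a better place to look for .htw activity than the document root. The following is an added example, not code from Microsoft or the ISC: it assumes IIS is writing W3C extended logs that include the `cs-uri-stem` field, and the log lines, addresses and query strings are constructed placeholders.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C extended log sample (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2007-06-01 10:00:01 192.0.2.10 GET /default.htm - 200
2007-06-01 10:00:05 192.0.2.44 GET /null.htw placeholder=1 200
2007-06-01 10:00:09 192.0.2.44 GET /docs/missing%2EHTW placeholder=2 200
2007-06-01 10:00:12 192.0.2.10 GET /help/htw-notes.htm - 200
2007-06-01 10:00:15 198.51.100.7 GET /x.htw/extra placeholder=3 404
"""

# ".htw" as the extension of any path segment, in any letter case.
HTW_SEGMENT = re.compile(r"\.htw(?:/|$)", re.IGNORECASE)

def find_htw_requests(log_text):
    """Return one dict per logged request whose URI stem targets a .htw resource."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the column layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        # Decode defensively so an encoded dot (%2E) does not hide the extension.
        stem = unquote(row.get("cs-uri-stem", ""))
        if HTW_SEGMENT.search(stem):
            hits.append(row)
    return hits

def clients_by_hits(hits):
    """Count flagged requests per client address for triage."""
    counts = {}
    for row in hits:
        ip = row.get("c-ip", "unknown")
        counts[ip] = counts.get(ip, 0) + 1
    return counts

if __name__ == "__main__":
    for row in find_htw_requests(SAMPLE_LOG):
        print(row["date"], row["time"], row["c-ip"], row["cs-uri-stem"], row["sc-status"])
```

Requests are flagged whatever the status code, because a missing file is not evidence that the request was harmless.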

Microsoft hadn't delivered a statement by the time this story posted.


 
Categories: Security

“Protect Your PC in 2006” is the latest effort in Microsoft’s ongoing campaign to help reduce online threats through increased consumer awareness and education. The broad range of educational resources, software and services that Microsoft offers at www.microsoft.com/athome/security has become one of the Internet’s largest repositories of computing and online security and safety guidance.


The company will encourage consumers to “Protect Your PC in 2006” by maintaining a quick, four-step routine designed to increase the number of people who protect their computers with the most current defenses. A recent study by the National Cyber Security Alliance (NCSA) found that less than a third of PC consumers are not consistently protected today.


For more information, read this Q&A with Amy Roberts, Director of product management for Microsoft’s Security Technology Unit (STU).


 


 
Categories: Security

A Microsoft patch meant to fix critical security flaws in Windows 2000, Windows XP and Windows Server 2003 is causing trouble for some users, the company said Friday.


The patch was released Tuesday to fix four Windows flaws, including one that experts predict will be exploited by a worm in the coming days. The flaw, tagged "critical" by Microsoft, lies in a Windows component for transaction processing called the Microsoft Distributed Transaction Coordinator, or MSDTC.


Installing the patch can cause serious problems, Microsoft said in an advisory posted to its Web site Friday. The patch could lock users out of their PC, prevent the Windows Firewall from starting, block certain applications from running or installing, and empty the network connections folder, among other things, the software maker said.



 
Categories: Security

Description:
SPI Labs has reported a vulnerability in ASP.NET, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused by an input validation error in the "System.Xml.Serialization.Xml.XmlSerializationReader.ReadReferencedElements()" function. It can be exploited to cause an infinite loop that consumes a large amount of CPU resources on a vulnerable system by sending a specially crafted SOAP message to an RPC/encoded web method that takes an array as input.

Solution:
Use the document/literal mode for web services handling input from untrusted sources.

The vulnerability will reportedly be fixed in an upcoming release.

Provided and/or discovered by:
Bryan Sullivan and Sacha Faust, SPI Labs.

Original Advisory:
SPI Labs:
http://www.spidynamics.com/spilabs/advisories/aspRCP.html

Via Secunia.Com


 
Categories: Security

Microsoft's CEO announced Tuesday that the company is now shipping Windows Server Update Services, its free patching tool, and is launching the Microsoft Update site, which includes patches for Office and small-business products. As Scott Bekker writes, the launches are part of a larger Microsoft effort to get its patching house in order.




 
Categories: Security

The link below lists all the security fixes that were rolled into Service Pack 1 for Windows Server 2003.


http://www.microsoft.com/technet/security/prodtech/windowsserver2003/sp1.mspx


Below are the non-security related fixes.


http://support.microsoft.com/kb/824721


 


 
Categories: Security

Security is a major concern for both application architects and developers. Applications that store sensitive information need to be protected from malicious attacks and from competitors attempting to steal information or intellectual property. When designing a security model for your application, you need to be aware of security requirements from a business perspective and the implications that a chosen security model can have on performance, scalability, and deployment.


Security Considerations


If you are designing a server application, your design specification should contain a section that addresses security issues. You should consider and possibly address the following items in the application's functional specification:


  • Security goals. Understand what you are securing and make sure that you can describe it.
  • Security risks. Understand your application's vulnerabilities. You must also understand the significance of potential threats as they relate to your business.
  • Authentication. This is the process of accepting credentials from a user and validating those credentials against a designated authority. The user's (or potentially an application's or computer's) identity is referred to as a security principal. The client must provide credentials to allow the server to verify the identity of the principal. After the identity is known, the application can authorize the principal to access resources on the system. Various criteria, which help you choose the appropriate authentication mechanism, are presented in the next section of this document.
  • Authorization. This is the process of determining whether the proven identity is allowed to access a specific resource.
  • Securing data transmission. By encrypting your data as it crosses the network, you can ensure that it cannot be viewed or tampered with while in transit. You must consider the degree to which your data needs to be secured while in transit.
  • Impersonation. This mechanism allows a server process to run using the security credentials of the client. When the server is impersonating the client, any operations performed by the server are performed using the client's credentials. Impersonation does not allow the server to access remote resources on behalf of the client. This requires delegation.
  • Delegation. Like impersonation, delegation allows a server process to run using the security credentials of the client. However, delegation is more powerful and allows the server process to make calls to other computers while acting as the client.
  • Operating system security. This refers to the establishment of appropriate Access Control Lists (ACLs), and network security to prevent intruders from accessing secured resources. You must set the appropriate ACLs on the appropriate resources to allow access by only the relevant principals.
  • Securing physical access. This refers to locating your server computer in a secure room. You should not overlook this fundamental issue.
  • Code access security. This allows code to be trusted to varying degrees depending upon where it has come from and from other aspects of the code's identity. You should be aware of how to create your own access permissions.

Relationship Between IIS and ASP.NET


You should understand the relationship between Internet Information Services (IIS) authentication and the Microsoft® ASP.NET security architecture when designing your application. This will allow you to authenticate your users appropriately and obtain the correct security context within your application. You should note that ASP.NET application security configuration and IIS security configuration are completely independent and can be used independently or in conjunction with each other.


IIS maintains security related configuration settings in the IIS metabase. However, ASP.NET maintains security (and other) configuration settings in XML configuration files. While this generally simplifies the deployment of your application from a security standpoint, the security model adopted by your application will necessitate the correct configuration of both the IIS metabase and your ASP.NET application via its configuration file (Web.config).




 
Categories: Security

An anonymous reader writes "It seems impatient TV viewers have discovered BitTorrent in Australia mainly because the networks there are so slow; programs are at times behind by up to 8 months! According to an independent study, it takes an average of four months to watch the latest episodes of top-rated shows like Lost and Desperate Housewives. There are now calls for TV networks to consider offering episodes for download at a small cost."


See complete article at slashdot


 
Categories: Security