In this commissioned report, Security Innovation presents a role-based comparison of the relative security of three different solutions satisfying the database server role:
1. Microsoft Windows Server 2003 running Microsoft SQL Server 2000 Service Pack 3 database server
2. Red Hat Enterprise Linux 3.0 running MySQL database server
3. Red Hat Enterprise Linux 3.0 running Oracle 10g database server
Looking at the database applications by themselves, the study found that SQL Server 2000 had zero vulnerabilities in the one-year time period, MySQL had 7 vulnerabilities, and Oracle 10g had 30 vulnerabilities.
The results of this study are intended to provide guidance to the IT manager who must make platform acquisition and deployment decisions to both maximize value and minimize security risk.
Fine print under Acknowledgements: “This study and our analysis were funded under a research contract from Microsoft.”
If you use Exchange Server 2003 and would like to make the Change Password option available to your Outlook Web Access (OWA) users, you’ll need to modify the registry. Unlike Exchange 2000 OWA, the option is not visible by default in Exchange 2003 OWA. You can modify the registry on your Exchange Server 2003 to make the Password Change button available to your OWA users by using the following procedure.
1. Start the registry editor (regedit.exe) on your Exchange Server 2003.
2. Go to the following location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWEB\OWA.
3. Double-click DisablePassword in the right-hand pane.
4. Change the value from the default 1 (which disables the password option) to 0 so that the password option is enabled.
5. Go to Administrative Tools, Services.
6. Restart the World Wide Web Publishing Service and the Microsoft Exchange Information Store service.
Now your users can go to the Options section in OWA and change their passwords using the newly visible Change Password button.
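The same procedure can be scripted. The PowerShell below is an added example, not part of the original tip: it reads the current DisablePassword value, changes it only when needed, restarts the two services, and reads the result back. It assumes PowerShell is installed on the Exchange server and that W3SVC and MSExchangeIS are the service names behind the two display names in step 6.

```powershell
# Added example, not from the original post. Run as an administrator
# on the Exchange Server 2003 machine.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeWEB\OWA'
$name = 'DisablePassword'

# W3SVC and MSExchangeIS are the service names behind the display names
# "World Wide Web Publishing Service" and "Microsoft Exchange Information Store".
$services = 'W3SVC', 'MSExchangeIS'

# Fail early if the OWA key is missing (wrong server or no OWA installed).
$props   = Get-ItemProperty -Path $key -ErrorAction Stop
$current = $props.$name
Write-Host "Before: $name = $current"

if ($null -eq $current) {
    Write-Warning "$name not found under $key; leaving the registry untouched."
}
elseif ($current -eq 0) {
    Write-Host 'Change Password is already enabled; no restart needed.'
}
else {
    # 1 hides the option (the default); 0 shows it.
    Set-ItemProperty -Path $key -Name $name -Value 0

    foreach ($svc in $services) {
        # -Force lets the restart proceed when other running services depend on this one.
        Restart-Service -Name $svc -Force
    }

    # Confirm the value changed and both services came back up.
    $after = (Get-ItemProperty -Path $key).$name
    Write-Host "After:  $name = $after"
    Get-Service -Name $services | Format-Table Name, Status -AutoSize
}
```

Restarting these services interrupts OWA and mailbox access, so run it in a maintenance window.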
Microsoft MSDN contains a 19-page document that discusses how to design and create colorful and dynamic icons for Windows XP using a vector program, such as FreeHand or Illustrator, and Photoshop.
Microsoft Windows XP introduces a new style in icon design. The guidelines in the document walk you through the steps of designing and creating Windows XP-style icons.
The Windows XP icon style is all about fun, color, and energy—and, as there are now 32-bit versions of the icons, smooth edges. Each icon is rendered in a vector program and then manipulated in Adobe Photoshop to create a beautiful image.
According to Microsoft, the guidelines are geared towards designers and they recommend you work with a good graphic designer, especially one with experience in using vector or 3D programs, to create your images, like the ones shown below.
According to Debasis Mohanty, while testing desktop-based firewalls with a firewall evasion kit he developed, he found that a very old flaw still exists in the latest versions of many desktop-based firewalls. A malicious program can bypass a desktop-based firewall by using DDE-IPC (Direct Data Exchange - Interprocess Communications), which enables an untrusted program to communicate with the attacker or access the Internet via other trusted programs (e.g. Internet Explorer). This flaw has been known since before 2003.
Zone Labs reports that only free versions of ZoneAlarm firewall are affected because they lack Advanced Program Control, which is found in ZoneAlarm Pro, ZoneAlarm AntiVirus, ZoneAlarm Wireless Security, and ZoneAlarm Security Suite.
For the complete message from Debasis Mohanty, click here.
The US Computer Emergency Readiness Team (US-CERT) has kicked off an initiative to create common names for Internet worms and threats. The Common Malware Enumeration (CME) initiative aims to reduce the confusion among the general public caused by disparate naming schemes for Internet threats.
A recent worm that used a known vulnerability in the Windows operating system, for instance, was referred to as Zotob.E by Symantec and W32/IRCbot.worm!MS05-039 by McAfee, while Trend Micro christened it WORM_RBOT.CBQ.
Currently, Internet worms are often named using information about the virus, or the names follow a description the author entered when crafting the malware. The new naming scheme uses a CME number, with the first virus being called CME-1 and so forth.
A similar naming system already exists for security vulnerabilities in software, which uses a Common Vulnerability and Exposure (CVE) identifier that includes the year in which it was identified and a sequential number. The worm naming initiative, however, chose not to include date information because users incorrectly rely on the date information and could take an ‘old’ vulnerability less seriously. The project is backed by several of the leading security and software vendors, including Computer Associates, McAfee, Microsoft, Symantec and F-Secure.
Copyright ©2008 Zubair Alexander. All rights reserved.