Whitelisting applications versus Anti-virus

There was an interesting article in The Register yesterday called “the decline of antivirus and the rise of whitelisting”. It discussed the relative merits of using a whitelist to allow only known good programs to run, versus using traditional anti-virus (AV) to let everything run except things you know are bad. The comments to this article also raised a number of valid points, some academic and some based on real-world experience.

The obvious flaw in the traditional AV approach is the difficulty in keeping up with new malicious software rapidly enough to avoid infection. Whitelisting gives you a little more control but still takes substantial effort in a large environment, and is harder to delegate out to a third party without leaving so many loopholes as to render it pointless.

Windows Vista more secure after six months than XP

Some readers may have seen the report published by Jeff Jones three months after Vista was finally released, in which he showed that the number and severity of flaws in Vista were far less of a risk than those in XP after an equivalent period.

He has now updated this report to show the vulnerabilities in Vista after 180 days. What is key is not only the distinctly fewer known vulnerabilities overall, but also the number of disclosed holes that remain unpatched at the time of writing.

Note that the blog entry is only a summary and the only graph you get to see relates to high severity vulnerabilities. Also, it only looks at those which affect the core systems, not optional components. So, Vista looks like it is doing better than XP at this point with almost no unpatched holes, and many people will go away with that impression because visuals work well in getting messages into the brain.

The full 14-page report (PDF) is also available, in which the discussion is much more detailed (even patch by patch). It is here that it becomes clearer that, while Vista is faring better than XP did, to me it is not doing so much better given how much hype there has been about trustworthy computing and Vista (and Longhorn / 2008) being secure by design, rewritten from the ground up to be more secure, yadayada more secure.

Older software is less secure, so always use the brand new version

Myth: “Older software is less secure than the newest release, so always upgrade to the brand new version as soon as possible”

The most obvious reason this cannot always be true is that you will hear the opposite said just as often and with as much conviction!

So where does the truth lie between these two opposing extremes? Quite apart from the cost to your business in terms of buying software and disrupting operations, retraining users and so on, you have no way of knowing that a newer product is necessarily more stable than its predecessor.

Windows updates for June

The advanced notification has been published for the updates which will be released on Patch Tuesday, the 12th June.

Patch Tuesday 12th June 2007 advance notification page

4 out of the 6 are critical for at least one affected system. 2 of these are critical patches for just about all operating systems. One is critical for various versions of Internet Explorer (including IE7 on Vista); the last is critical for Windows Mail (the Vista replacement for Outlook Express).

The remaining two include a moderate fix for Vista and an important fix for Visio. These would not be installed automatically with default Windows Update settings but would need the user to choose them. Of course, in a business environment the best way to roll these out is to use WSUS version 3 which is now available.

On the subject of June patches, there are some updates for SBS 2003 servers as well. These are designed to get Vista to integrate into your SBS environment as smoothly as XP does – using /connectcomputer to join the domain for example. Of course you can run Vista in an SBS 2003 environment without this, but you lose some of the rich management features by doing so.

Read the MS SBS Blog post about these updates for Vista.

Thanks to Susan Bradley, the SBS Diva, for her great blog where I first spotted this (and David Overton’s follow-up about half an hour after Susan!)

Fix Exchange 2003 to make sure OWA works for IE on Vista

Because of the way IE is implemented on Vista, you will find that the rich functionality of Outlook Web Access (OWA) no longer works as you are used to under XP.

As described in KB 911829, you may not be able to compose new emails or replies, create contacts or appointments, or carry out other activities which are pretty essential. You can read your email, but you can do nothing else with it!

How Opera’s Desktop Team deal with security vulnerabilities

In an article entitled “Handling Security”, Claudio Santambrogio of the Opera Desktop Team discusses how they handle vulnerability reports, disclosure, patching and upgrades.

Recently, some of our users have asked why we chose to disclose a potential security issue only after the release of Opera 9.10. Let me try to give a short overview on how security issues get reported and disclosed – and not only at Opera, but in most applications: it might help some people to understand how this works.

January MS update highlights

Security updates from Microsoft from January include four for Office and one for Windows. The Windows update has a version for Vista listed, for all you folk who are already running this in live or test environments. The Windows security update is here:


And the four for Office are: 924085 925525 921585 925257

There are the usual updates for junk mail filtering and the Malicious Software Removal Toolkit as well.

January patch Tuesday slimmed down

Microsoft have announced that there will be only four updates delivered on “Patch Tuesday” this month, rather than the eight which some people were anticipating. These four security updates comprise one for Windows and three for Office – it seems likely these will all be classed as critical. It is not clear whether these will be delivered via Windows Update (as well as Microsoft Update) and SUS (in addition to WSUS). The two High Priority non-security updates for Windows will only be made available through MU and WSUS.

There will also be the usual update to the Malicious Software Removal Tool, which can be retrieved directly from the download centre or via WU, MU or WSUS. All of these should be available from around 6pm GMT on Tuesday 9th January.

See also: SUS is end of life, upgrade to WSUS

Read the full Microsoft Security Bulletin advance notification.

SUS is end of life, upgrade to WSUS

Support for SUS v.1.0 ended on 6th December 2006.

After this date it is no longer supported, but more importantly it will no longer be able to download or distribute any new updates.

So, if you are still running “old” SUS you need to make the move to WSUS as soon as possible. While there is no ‘upgrade’ as such, you can migrate all your approvals and updates across.