DOJ Takes a Long Look at Longhorn

Government wants to make sure the upcoming OS complies with antitrust ruling.

Microsoft will meet with representatives from the U.S. Department of Justice (DOJ) next month for the first of several briefings intended to ensure that its upcoming Longhorn operating system complies with the terms of the final judgment in the government’s antitrust case against the software maker.,aid,119459,00.asp

Flaw finders go their own way

David Aitel, founder of vulnerability assessment company Immunity, has received criticism from software makers and security researchers for irresponsible disclosure of software flaws. Immunity discovered four flaws in Apple’s Mac OS X, but only provided the information to customers, keeping it secret from the public and Apple for seven months. While an increasing number of researchers delay announcing a flaw until software makers can release a fix–a process known as “responsible disclosure”–some believe that arrangement has made companies lax about releasing patches in a timely manner. However, many also consider it dangerous to release details of a flaw to the public before a patch is ready, since it can alert malicious hackers to the flaw. Opinions also differ depending on the company; one researcher says Apple essentially refuses to work with independent researchers who find flaws in Apple products.

Crafted Packet Causes Reload on Cisco Routers

Cisco Routers running Internetwork Operating System (IOS) that supports Multi Protocol Label Switching (MPLS) are vulnerable to a Denial of Service (DoS) attack on MPLS disabled interfaces. A system that supports MPLS is vulnerable even if that system is not configured for MPLS.

The vulnerability is only present in Cisco IOS release trains based on 12.1T, 12.2, 12.2T, 12.3 and 12.3T. Releases based on 12.1 mainline, 12.1E and all releases prior to 12.1 are not vulnerable.  Cisco has made free software available to address this vulnerability.  There are workarounds available to mitigate the effects.

Affected Products:
Vulnerable Products
Only the following products running a vulnerable version of IOS that support MPLS are affected.
 * 2600 and 2800 series routers
 * 3600, 3700 and 3800 series routers
 * 4500 and 4700 series routers
 * 5300, 5350 and 5400 series Access Servers

Products that are not listed above are not affected.

Software Versions and Fixes and Workarounds in

Multiple Vulnerabilities in Pocket IE

Airscanner reported several weaknesses in Pocket IE that can be used to trick end users into submitting local and/or sensitive data, such as usernames and passwords. The potential for exploiting these vulnerabilities are restricted only by an attacker’s imagination. However, Pocket IE is not as powerful as its big brother, and as such, an attacker is limited in what techniques she can use to launch the attack. For example, Pocket IE has no support for the IFrame tag, which is extremely useful in XSS and browser-based attacks. In addition, Pocket IE does not support every JavaScript command commonly used by attackers. The final example presented below is an attempt to combine these individual flaws into one attack and is only meant to serve as a proof of concept.

More info and test page at

Bugzilla Site Vandalized

The bugzilla bug reporting and tracking system on the Mozilla development site was vandalized yesterday. Mozdev is a community site for Mozilla developers to create and host applications and various add-ons to the Mozilla source code.

Mozilla contributor Henrik Gemal reported the activity on his blog.

“A couple of hours ago bugzilla mails started to pour in from,” Gemal wrote. “They all contained the same comment and the same action. changed status on all open bugs into Resolved Fixed. All bugs were submitted with the following comment: these bugs are not from me they where on there when I bought the computer.”

By early yesterday afternoon, Gemal updated his blog with a comment noting that all comments and damage done by the malicious user had been corrected.


[Feb. 15, 2005] Implementing Security in the Development Lifecycle

Start Time:   Tuesday, February 15, 2005 11:00 AM (GMT-08:00) Pacific Time (US & Canada)  
End Time:   Tuesday, February 15, 2005 12:30 PM (GMT-08:00) Pacific Time (US & Canada)


Security should be your primary concern throughout the development process. This session discusses how security can be implemented at each stage of the software development life cycle. Microsoft has created the Security Development Life Cycle to describe how to implement security best practices by adding pointed and well-defined checkpoints to the existing development life cycle. This session outlines recommended changes to the design, development, testing, verification and release phases that can reduce the number and severity of security vulnerabilities shipped to customers.

Presenter: William J. Steele, Developer Community Champion, Microsoft Corporation

[Feb. 15, 2005] Security360 with Mike Nash: Raising The Bar: Bill Gates Keynote at RSA Conference 2005

Start Time:   Tuesday, February 15, 2005 9:00 AM (GMT-08:00) Pacific Time (US & Canada)  
End Time:   Tuesday, February 15, 2005 10:00 AM (GMT-08:00) Pacific Time (US & Canada)

This month’s Security360 is a special edition of the show as we present the RSA Conference 2005 Keynote address by Microsoft Chairman and Chief Software Architect, Bill Gates. This will be an exciting opportunity to watch this live keynote where Bill will discuss his perspective on the state of security today, the importance of continued innovation, and advances in the Microsoft platform, products, and technologies designed to better protect customers. Security360, including the live question and answer segment, will return to its regular format in March.
Presenter: Mike Nash, Corporate Vice President Security Business & Technology Unit, Microsoft Corporation