Microsoft: May 2005 Archives
Write down your passwords. So says Jesper Johansson, senior program manager for security policy at Microsoft.
Password policies that lead to using the same bad password across all systems are foolish, Johansson said. "If I write them down and then protect the piece of paper--or whatever it is I wrote them down on--there is nothing wrong with that. That allows us to remember more passwords and better passwords."
I think this is good advice. Passwords written on Post-it notes and stuck under the mousepad are bad. Passwords stored in an encrypted database are good, but it must be real encryption, not the sketchy kind of password protection found in office documents. Passwords put in a signed, sealed envelope and stored in a safe are also good.
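To make concrete what "real encryption" for a stored password list means, here is an added example (mine, not code from the original post and not anything Microsoft or Johansson published). It derives the vault key from a master password with a slow, salted key derivation (PBKDF2-HMAC-SHA256 as in RFC 8018, written out here for a single output block so only the Go standard library is needed) and encrypts the entries with AES-256-GCM, so a wrong master password or any edit to the file fails the authentication tag instead of quietly decrypting to garbage. The field names, the on-disk layout (salt, then nonce, then ciphertext and tag), the iteration count and the sample entry are all assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Sizes and work factor are assumptions of this example; raise iterations for real use.
const saltLen, nonceLen, iterations = 16, 12, 100_000

type Entry struct {
	Site     string `json:"site"`
	User     string `json:"user"`
	Password string `json:"password"`
}

// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018) restricted to a single
// 32-byte output block, which is all a 256-bit AES key needs; written out so
// the example depends only on the Go standard library.
func pbkdf2SHA256(password, salt []byte, iter int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // INT_32_BE(1): the block index
	u := prf.Sum(nil)             // U_1 = PRF(password, salt || INT(1))
	t := append([]byte(nil), u...)
	for n := 2; n <= iter; n++ { // U_n = PRF(password, U_{n-1}); T ^= U_n
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(u[:0])
		for i := range u {
			t[i] ^= u[i]
		}
	}
	return t
}

// aeadFor derives the vault key from the master password and salt and returns AES-256-GCM keyed with it.
func aeadFor(masterPassword string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(masterPassword), salt, iterations))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealVault produces salt || nonce || AES-256-GCM(entries as JSON) || tag,
// with the salt bound as associated data so it cannot be swapped unnoticed.
func SealVault(masterPassword string, entries []Entry) ([]byte, error) {
	plaintext, err := json.Marshal(entries)
	if err != nil {
		return nil, err
	}
	header := make([]byte, saltLen+nonceLen)
	if _, err := rand.Read(header); err != nil { // fresh random salt and nonce
		return nil, err
	}
	gcm, err := aeadFor(masterPassword, header[:saltLen])
	if err != nil {
		return nil, err
	}
	return gcm.Seal(header, header[saltLen:], plaintext, header[:saltLen]), nil
}

// OpenVault reverses SealVault. A wrong master password and a modified blob
// both fail the GCM tag check, so neither can yield silently corrupted entries.
func OpenVault(masterPassword string, blob []byte) ([]Entry, error) {
	if len(blob) < saltLen+nonceLen+16 {
		return nil, errors.New("vault blob too short")
	}
	salt, nonce, ciphertext := blob[:saltLen], blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:]
	gcm, err := aeadFor(masterPassword, salt)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, nonce, ciphertext, salt)
	if err != nil {
		return nil, errors.New("wrong master password or vault has been tampered with")
	}
	var entries []Entry
	return entries, json.Unmarshal(plaintext, &entries)
}

func main() {
	vault := []Entry{{Site: "example.com", User: "alice", Password: "correct horse battery staple"}} // constructed sample
	blob, err := SealVault("master passphrase", vault)
	if err != nil {
		panic(err)
	}
	got, err := OpenVault("master passphrase", blob)
	fmt.Println("right password:", got, err)
	_, err = OpenVault("wrong passphrase", blob)
	fmt.Println("wrong password:", err)
}
```

The two properties that separate this from a mere "password to open" on a document are the deliberately slow key derivation, which makes guessing the master password expensive, and the authentication tag, which turns a wrong password or a modified file into an explicit error. The sealed blob can be written to disk, and the salt and nonce inside it are not secret.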
Microsoft released a Windows Explorer patch yesterday with a rating of Important. The flaw is that on Windows 2000 with Web View enabled (the default), clicking on a specially crafted file in Explorer runs code of the attacker's choice.
To me that seems rather critical. I guess it is only rated Important because it requires user interaction: the user must save the file to disk rather than open it directly, as with an email attachment, and then browse to it in Windows Explorer.
You can see example exploit files over at SecurityFocus:
http://www.securityfocus.com/data/vulnerabilities/exploits/copy.doc
http://www.securityfocus.com/data/vulnerabilities/exploits/simple.doc
http://www.securityfocus.com/data/vulnerabilities/exploits/rename.doc
I just found the page where Microsoft details how it defines vulnerability severity. For Microsoft, to be rated Critical a vulnerability must be exploitable without user interaction.
Critical
A vulnerability whose exploitation could allow the propagation of an Internet worm without user action.
Important
A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of users' data, or of the integrity or availability of processing resources.
Moderate
Exploitability is mitigated to a significant degree by factors such as default configuration, auditing, or difficulty of exploitation.
Low
A vulnerability whose exploitation is extremely difficult, or whose impact is minimal.