Microsoft: October 2005 Archives
Microsoft seems to be pushing the Rights Management Services (RMS) lately. They pushed it at a meeting I was at between my management and Microsoft. Reports from the MVP conference make it sound like it was pushed there as well.
RMS is a service on Windows 2003. With Office 2003 you can use RMS to restrict what people can do with your documents. In one way it's better than encryption because it isn't an all-or-nothing proposition. Yet Microsoft is careful to make no claims about the security of RMS, in spite of it using AES encryption.
For us it sounds like an internal-only solution. External users would need to have a .NET account and web access to our RMS server. Telling people to get a Hotmail account so they can read our documents really is a nutty idea. Of course, if the partner company also had an RMS server we could federate them together. But then we have a really tight inbound traffic firewall policy that probably wouldn't allow that.
While it would be nice to have the ability to set a "do not forward" in an Outlook message that is meaningful, I'm not sure it's really worth it. I'll be looking at RMS more over the next few months as time allows.
Get the shovel. It looks like SSL 2 is done. On the heels of Firefox's announcement a few months ago that they were removing support for SSL 2, it will now be disabled by default in IE 7 beta 2. SSL 2.0 has many native vulnerabilities, such as the ability for a man-in-the-middle (MITM) to downgrade your encryption to something more breakable.
Another change is the default behavior when dealing with bad certificates. In the past you've all seen a dialog box everyone says yes to. This will now take you to a redirect page that explains the problem in more detail. Should you choose to continue, the address bar will change to red to highlight that you are doing something unsafe. I suppose this is a good compromise. A lot of vendors use self-signed certificates that will be blocked by this, since I never access the site using the URL they want (I use the FQDN and they put only the host name in the certificate, for example).
Also, the error relating to a mix of HTTPS and HTTP content on a page will be changed so that you will now be prompted by the Information Bar.
More information at the IEBlog site.
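As an added example (not code from the original post, nor from IE or Firefox), here is what the certificate name check behind that red address bar amounts to, applied to the exact mismatch described above: a vendor certificate that names only the bare host, while the admin browses to the FQDN. The matcher follows the RFC 6125 rules in outline (case-insensitive, label-by-label, wildcard honoured only as a whole left-most label). The host names such as `appliance01.corp.example` are constructed sample data, and `hardened_client_context()` is an assumed helper name showing the same policy in Python's `ssl` module: no SSL 2/3 or early TLS, hostname verification on.

```python
import ssl


def _labels(name: str) -> list[str]:
    """Normalise a DNS name: drop a trailing dot, lower-case, split into labels."""
    return name.rstrip(".").lower().split(".")


def dns_name_matches(presented: str, reference: str) -> bool:
    """Does one DNS name taken from a certificate (CN or SAN) match the
    host the user actually typed?  Exact label count is required, so a
    bare host name never matches its own fully qualified form."""
    p, r = _labels(presented), _labels(reference)
    if len(p) != len(r) or len(p) == 0:
        return False
    # A wildcard is only accepted as the entire left-most label, and only
    # when at least one label follows it (so "*" alone matches nothing).
    if p[0] == "*":
        if len(p) < 2:
            return False
        return p[1:] == r[1:]
    return p == r


def certificate_matches_host(cert_names: list[str], requested_host: str) -> bool:
    """True if any name the certificate carries matches the requested host."""
    return any(dns_name_matches(n, requested_host) for n in cert_names)


def hardened_client_context() -> ssl.SSLContext:
    """Client-side policy in the spirit of the IE 7 change: refuse the
    legacy protocol versions outright and verify the certificate's name
    against the host we asked for (assumed helper, not a library API)."""
    ctx = ssl.create_default_context()          # verifies chain, check_hostname on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # SSL 2/3, TLS 1.0/1.1 rejected
    return ctx


def explain(cert_names: list[str], host: str) -> str:
    """One-line verdict for a constructed certificate/host pair."""
    verdict = "matches" if certificate_matches_host(cert_names, host) else "NO MATCH"
    return f"{host}: {verdict} against {cert_names}"


if __name__ == "__main__":
    # Constructed sample: the appliance certificate names only the bare
    # host, while the admin types the fully qualified name into the browser.
    VENDOR_CERT_NAMES = ["appliance01"]
    TYPED_FQDN = "appliance01.corp.example"

    print(explain(VENDOR_CERT_NAMES, "appliance01"))   # matches
    print(explain(VENDOR_CERT_NAMES, TYPED_FQDN))      # NO MATCH: the red bar case
    print(explain(["*.corp.example"], TYPED_FQDN))     # matches via wildcard
    ctx = hardened_client_context()
    print("check_hostname:", ctx.check_hostname, "minimum:", ctx.minimum_version.name)
```

The second `explain` line is the situation in the post: nothing is wrong with the key material, the certificate simply was not issued for the name the user reached the site by, which is why a "just click yes" habit is dangerous and why the new browser behaviour is to make that mismatch visible rather than silently accepted.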
The Internet Storm Center handlers are doing what we're all doing: playing a game of prognostication. Will there be exploitation of MS05-051 this weekend? SANS and Microsoft Security Response recommend patching now. So what are you still doing here? Get thee to http://windowsupdate.microsoft.com.
Just to throw a monkey wrench into things, some people have reported issues with the MS05-051 patch to the ISC.
We can't make decisions based solely on what happened in August, but one good sign is that at this point exploit code has not been made public. Perhaps we will survive the weekend.
I know I've got school things to be working on and don't need to have any patching excitement.
The French Security Incident Response Team has posted exploit code for MS05-044, MS05-045, and MS05-048. Fortunately these weren't the main four that I'm concerned about.
SANS did report yesterday that Immunity Sec Canvas customers have an exploit for MS05-051. That means the bad guys aren't far behind. Or, more likely, the bad guys that do have it prefer to be able to hack with it instead of compelling everyone to patch by releasing a worm.
Microsoft has posted the Security Bulletins for October. MS05-048 through MS05-052 are serious enough that it looks like this batch should be pushed out to both the desktops and the servers.
http://www.microsoft.com/technet/security/current.aspx (this link wasn't updated at last check, but should be soon)