
RE: huh? / Re: ORACLE-L Digest -- Volume 2002, Number 009

From: Mark Leith <mark_at_cool-tools.co.uk>
Date: Thu, 10 Jan 2002 02:47:36 -0800
Message-ID: <F001.003EBF8A.20020110021020@fatcity.com>

Windows XP Security Hole Lets Attackers 'Plug and Prey'

Microsoft has issued a security patch to fix a vulnerability on its new Windows XP operating system. Enterprises must act at once to deter malicious attacks on their networked PCs.



Event
On 20 December 2001, Microsoft, acknowledging a "serious vulnerability" in its Universal Plug and Play (UPnP) software, urged Windows users to apply a security patch to protect their networked PCs from malicious attacks. Microsoft recommends the patch for all customers of Windows XP. Customers using Windows 98, 98SE or ME should apply the patch if UPnP service is running. Windows users can download the patch from Microsoft's Web site at www.microsoft.com/technet/security/bulletin/MS01-059.asp.

First Take

The 2001 holiday season hasn't been merry for early adopters of Microsoft's Windows XP. They must cope with two cases of serious security vulnerabilities - in the Internet Explorer 6 browser (see Gartner FirstTake FT-15-1348, "Patch Security Holes but Demand Better Security From Vendors") and now with UPnP service - both of which are embedded in Windows XP.

These vulnerabilities rate "High Risk" on Gartner's Internet Vulnerability Risk Rating methodology. Gartner predicts that by the end of the first quarter of 2002, standard hacker attack tools will incorporate these weaknesses into the rampant hacker scanning that is seen on cable modem and digital subscriber line Internet access systems.

The UPnP vulnerability validates Gartner's view that Microsoft's Secure Windows Initiative was limited to its server operating systems. Discovery of such a serious buffer overflow vulnerability in Windows XP software shows that Microsoft must significantly increase management attention to security, and focus on improving its software development and testing processes.

Enterprises considering a move to Windows XP should wait to see if more security vulnerabilities are found in the operating system (OS) during the next three to six months. Enterprises actively planning Windows XP migration should follow Gartner's standard advice for testing application compatibility with this patch (and subsequent fixes to that patch) in the new OS image. Enterprises using Windows XP or that have installed UPnP services on Windows ME-based PCs should block ports 1900 and 5000 on corporate firewalls (plus personal firewall software on laptops and small or home office router firewalls) and patch all affected desktops at once. Enterprises that allow employees to remotely connect using home PCs that run Windows ME should provide them with instructions to disable UPnP services and install the patch.

Analytical Sources: John Pescatore, Information Security Strategies, Michael Silver, End-User Computing, David Smith, Internet Strategies, and Neil MacDonald, NT Strategies

Need to Know: Reference Material and Recommended Reading

"Secure Windows: Oxymoron or on the Horizon?" (SPA-14-7346) The Secure Windows Initiative must change Microsoft's mindset to focus on a long-term campaign to reduce security vulnerabilities. By John Pescatore

"Internet Vulnerability Risk Rating Methodology" (TU-14-9003) Enterprises should use the Gartner risk rating methodology to quickly rank software vulnerabilities. By John Pescatore

http://www4.gartner.com/DisplayDocument?doc_cd=103499

HTH Mark

-----Original Message-----
Pierce
Sent: 09 January 2002 19:42
To: Multiple recipients of list ORACLE-L

ORACLE-L Digest -- Volume 2002, Number 009
> ------------------------------
>
> From: "Gogala, Mladen" <MGogala_at_oxhp.com>
> Date: Tue, 8 Jan 2002 13:42:33 -0500
> Subject: RE: Oracle Future???

...

> win XP is allegedly the worst edition ever when it comes to stability
> and security.

According to who?

(no lumping, please, deal with stability and security separately unless there is an explicit connection).

thanks,
ep

--
Please see the official ORACLE-L FAQ: http://www.orafaq.com
--
Author: Eric D. Pierce
  INET: PierceED_at_csus.edu

Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
San Diego, California        -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).

-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.com
-- 
Author: Mark Leith
  INET: mark_at_cool-tools.co.uk

Received on Thu Jan 10 2002 - 04:47:36 CST
