Security Bytes: Microsoft pulls back user-based encryption

By SearchSecurity.com Staff
17 Jul 2006 | SearchSecurity.com

Security Wire Daily News

Microsoft pulls back protected folders
Less than a week after Microsoft released a free password-protected folder feature, the software giant pulled the Windows add-on after enterprise customers questioned the logic of letting individual employees encrypt their own data.

"Private Folder 1.0 was designed as a benefit for customers running genuine Windows," Microsoft told CNET News.com Friday. "However, we received feedback about concerns around manageability, data recovery and encryption, and based on that feedback, we are removing the application today. This change will take effect shortly."

Microsoft had pitched the feature as "a useful tool ... to protect your private data when friends, colleagues, kids or other people share your PC or account." But professionals like Stuart Graham immediately voiced concern on the Windows Server-related MSBlog.

"Oh great, have they even thought about the impact this could have on enterprises," Graham wrote. "I'm already trying to frantically find information on this product so that A) I can block to all our desktops and B) figure out how we then support it when users inevitably lose files. I can see the benefit in this product for home users, but it's a bit of a sloppy release by Microsoft."

McAfee unwittingly fixes an ePolicy Orchestrator flaw
While making enhancements to its ePolicy Orchestrator product, Santa Clara, Calif.-based security vendor McAfee Inc. unwittingly fixed a security flaw attackers could exploit to compromise machines and launch malicious code.

Aliso Viejo, Calif.-based eEye Digital Security Inc. discovered the flaw and said in an advisory that the problem is within the framework service component of McAfee Common Management Agent (CMA), which allows users to configure and enforce protection policies; deploy and configure agents; and monitor the security status of systems from a centralized console.

The framework service is enabled and running by default on all servers and agents, eEye explained, adding that the framework service listens by default on port 8081 and accepts requests over the HTTP protocol. The framework service allows for remotely submitting configuration and update changes. Each request is encrypted, SHA-1 hashed and DSA signed, and written to a file on disk.

eEye said a directory traversal attack makes it possible to write any file with any contents anywhere on the remote system.

"This flaw allows a remote attacker to anonymously compromise an affected system and execute code within the SYSTEM context," eEye said.

In its own advisory on the subject, McAfee said the flaw is fixed in CMA 3.5.5.438 (listed as CMA 3.5.5 on the McAfee download page).
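An added example, not code from eEye, McAfee or the original article: a destination-path containment check of the kind that stops a traversal-based arbitrary file write when a service persists remotely supplied requests to disk. The spool directory `C:\AgentSpool` and the function names are hypothetical, and `ntpath` is used so that Windows path rules apply on any platform.

```python
import ntpath

# Hypothetical spool directory; the article does not name the real one.
SPOOL_DIR = r"C:\AgentSpool"


def resolve_spool_path(requested_name, base=SPOOL_DIR):
    """Return the normalized destination under `base`, or None when the
    remotely supplied name would land outside it.

    Call this on the name after it has been decoded exactly once.
    """
    if not requested_name or "\x00" in requested_name:
        return None
    base_norm = ntpath.normpath(base)
    # ntpath.join drops `base` when the name is absolute or carries a drive,
    # so the containment test below also covers C:\..., D:x and UNC names.
    # normpath folds "/" into "\" and collapses every ".." component.
    candidate = ntpath.normpath(ntpath.join(base_norm, requested_name))
    try:
        common = ntpath.commonpath([base_norm, candidate])
    except ValueError:
        # Different drives, or absolute mixed with drive-relative.
        return None
    # commonpath compares whole components, so a sibling directory such as
    # C:\AgentSpool2 is not mistaken for a child of C:\AgentSpool.
    if ntpath.normcase(common) != ntpath.normcase(base_norm):
        return None
    if ntpath.normcase(candidate) == ntpath.normcase(base_norm):
        return None  # must name a file, not the spool directory itself
    return candidate


def triage(names, base=SPOOL_DIR):
    """Map each constructed sample name to 'accept' or 'reject'."""
    return {n: ("accept" if resolve_spool_path(n, base) else "reject")
            for n in names}


if __name__ == "__main__":
    # Constructed sample names, not taken from any advisory.
    samples = [r"updates\policy.xml", r"..\..\outside\file.bin",
               "../outside/file.bin", r"..\AgentSpool2\file.bin",
               r"D:\file.bin", r"\\host\share\file.bin", "."]
    for name, verdict in triage(samples).items():
        print(f"{verdict:6}  {name}")
```

The check only decides where a write may land; it does not replace authenticating the request before anything is written.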

Multiple flaws in Microsoft Works
Attackers could hijack machines and cause a denial of service by exploiting multiple flaws in Microsoft Works, the French Security Incident Response Team (FrSIRT) said in an advisory.

"These issues are due to memory corruption and NULL pointer dereference errors when processing malformed .wks or .xlr files, which could be exploited by attackers to compromise a vulnerable system or crash an affected application by tricking a user into opening a malicious file," FrSIRT said.

The flaws affect Microsoft Works version 8.0 and prior, and FrSIRT said it is not aware of any fixes.

Tags: Disk Encryption and File Encryption, Network Device Management, Securing Productivity Applications
