
Security Bytes: Microsoft pulls back user-based encryption

By SearchSecurity.com Staff
17 Jul 2006 | SearchSecurity.com

Security Wire Daily News

Microsoft pulls back protected folders
Less than a week after Microsoft released a free password-protected folder feature, the software giant pulled the Windows add-on after enterprise customers questioned the logic of letting individual employees encrypt their own data.

"Private Folder 1.0 was designed as a benefit for customers running genuine Windows," Microsoft told CNET News.com Friday. "However, we received feedback about concerns around manageability, data recovery and encryption, and based on that feedback, we are removing the application today. This change will take effect shortly."

Microsoft had pitched the feature as "a useful tool ... to protect your private data when friends, colleagues, kids or other people share your PC or account." But professionals like Stuart Graham immediately voiced concern on the Windows Server-related MSBlog.

"Oh great, have they even thought about the impact this could have on enterprises," Graham wrote. "I'm already trying to frantically find information on this product so that A) I can block to all our desktops and B) figure out how we then support it when users inevitably lose files. I can see the benefit in this product for home users, but it's a bit of a sloppy release by Microsoft."

McAfee unwittingly fixes an ePolicy Orchestrator flaw
While making enhancements to its ePolicy Orchestrator product, Santa Clara, Calif.-based security vendor McAfee Inc. unwittingly fixed a security flaw attackers could exploit to compromise machines and launch malicious code.

Aliso Viejo, Calif.-based eEye Digital Security Inc. discovered the flaw and said in an advisory that the problem is within the framework service component of McAfee Common Management Agent (CMA), which allows users to configure and enforce protection policies; deploy and configure agents; and monitor the security status of systems from a centralized console.

The framework service is enabled and running by default on all servers and agents, eEye explained, adding that the framework service listens by default on port 8081 and accepts requests over the HTTP protocol. The framework service allows for remotely submitting configuration and update changes. Each request is encrypted, SHA-1 hashed and DSA signed, and written to a file on disk.

By way of a directory traversal attack, eEye said, it is possible to write any file with any contents anywhere on the remote system.

"This flaw allows a remote attacker to anonymously compromise an affected system and execute code within the SYSTEM context," eEye said.

In its own advisory on the subject, McAfee said the flaw is fixed in CMA 3.5.5.438 (listed as CMA 3.5.5 on the McAfee download page).
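A directory traversal write of the kind eEye describes is possible when a service builds the destination path from a requested name without confirming the result stays inside its own directory. The following Python is an added example, not code from McAfee, eEye or the original article, showing that containment check under Windows path rules; `SPOOL_DIR`, the function names and the sample names are hypothetical.

```python
import ntpath  # Windows path rules, usable on any OS for this lexical check

# Hypothetical spool directory; the advisory does not name the real one.
SPOOL_DIR = r"C:\ProgramData\AgentSpool"


class UnsafePath(ValueError):
    """Raised when a requested file name must not be written."""


def resolve_in_spool(requested: str, base: str = SPOOL_DIR) -> str:
    """Return the absolute destination for `requested` or raise UnsafePath."""
    if not requested or "\x00" in requested:
        raise UnsafePath("empty name or embedded NUL")
    # Reject drive letters, UNC prefixes, rooted paths and NTFS stream syntax.
    if ntpath.splitdrive(requested)[0] or requested[0] in "\\/" or ":" in requested:
        raise UnsafePath("absolute or drive-qualified name")
    base_cmp = ntpath.normcase(ntpath.normpath(base))
    # normpath collapses "..", "." and mixed "/" "\" separators lexically.
    candidate = ntpath.normpath(ntpath.join(base, requested))
    cand_cmp = ntpath.normcase(candidate)
    # Compare whole path components: a startswith() test would wrongly
    # accept a sibling such as C:\ProgramData\AgentSpool2.
    if cand_cmp == base_cmp or ntpath.commonpath([base_cmp, cand_cmp]) != base_cmp:
        raise UnsafePath("destination escapes the spool directory")
    # On a live system, also resolve junctions/symlinks before this comparison.
    return candidate


def audit(names):
    """Map each requested name to its resolved path or 'REJECTED: reason'."""
    results = {}
    for name in names:
        try:
            results[name] = resolve_in_spool(name)
        except UnsafePath as exc:
            results[name] = f"REJECTED: {exc}"
    return results


# Constructed sample names, not taken from the advisory.
SAMPLES = [r"updates\policy.xml", r"..\..\Windows\Temp\x.bin",
           r"../..\Windows/Temp/x.bin", r"..\AgentSpool2\x.bin",
           r"D:\x.bin", r"\\host\share\x.bin"]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLES).items():
        print(f"{name!r:32} -> {verdict}")
```
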

Multiple flaws in Microsoft Works
Attackers could hijack machines and cause a denial of service by exploiting multiple flaws in Microsoft Works, the French Security Incident Response Team (FrSIRT) said in an advisory.

"These issues are due to memory corruption and NULL pointer dereference errors when processing malformed .wks or .xlr files, which could be exploited by attackers to compromise a vulnerable system or crash an affected application by tricking a user into opening a malicious file," FrSIRT said.

The flaws affect Microsoft Works version 8.0 and prior, and FrSIRT said it is not aware of any fixes.

Tags: Disk Encryption and File Encryption, Network Device Management, Securing Productivity Applications
