
Security Bytes: Microsoft pulls back user-based encryption

By SearchSecurity.com Staff
17 Jul 2006 | SearchSecurity.com

Security Wire Daily News

Microsoft pulls back protected folders
Less than a week after Microsoft released a free password-protected folder feature, the software giant pulled the Windows add-on after enterprise customers questioned the logic of letting individual employees encrypt their own data.

"Private Folder 1.0 was designed as a benefit for customers running genuine Windows," Microsoft told CNET News.com Friday. "However, we received feedback about concerns around manageability, data recovery and encryption, and based on that feedback, we are removing the application today. This change will take effect shortly."

Microsoft had pitched the feature as "a useful tool ... to protect your private data when friends, colleagues, kids or other people share your PC or account." But professionals like Stuart Graham immediately voiced concern on the Windows Server-related MSBlog.

"Oh great, have they even thought about the impact this could have on enterprises," Graham wrote. "I'm already trying to frantically find information on this product so that A) I can block to all our desktops and B) figure out how we then support it when users inevitably lose files. I can see the benefit in this product for home users, but it's a bit of a sloppy release by Microsoft."

McAfee unwittingly fixes an ePolicy Orchestrator flaw
While making enhancements to its ePolicy Orchestrator product, Santa Clara, Calif.-based security vendor McAfee Inc. unwittingly fixed a security flaw attackers could exploit to compromise machines and launch malicious code.

Aliso Viejo, Calif.-based eEye Digital Security Inc. discovered the flaw and said in an advisory that the problem is within the framework service component of McAfee Common Management Agent (CMA), which allows users to configure and enforce protection policies; deploy and configure agents; and monitor the security status of systems from a centralized console.

The framework service is enabled and running by default on all servers and agents, eEye explained, adding that the framework service listens by default on port 8081 and accepts requests over the HTTP protocol. The framework service allows for remotely submitting configuration and update changes. Each request is encrypted, SHA-1 hashed and DSA signed, and written to a file on disk.

Because of a directory traversal weakness, eEye said, it is possible to write any file with any contents anywhere on the remote system.

"This flaw allows a remote attacker to anonymously compromise an affected system and execute code within the SYSTEM context," eEye said.

In its own advisory on the subject, McAfee said the flaw is fixed in CMA 3.5.5.438 (listed as CMA 3.5.5 on the McAfee download page).

Multiple flaws in Microsoft Works
Attackers could hijack machines and cause a denial of service by exploiting multiple flaws in Microsoft Works, the French Security Incident Response Team (FrSIRT) said in an advisory.

"These issues are due to memory corruption and NULL pointer dereference errors when processing malformed .wks or .xlr files, which could be exploited by attackers to compromise a vulnerable system or crash an affected application by tricking a user into opening a malicious file," FrSIRT said.

The flaw affects Microsoft Works version 8.0 and prior, and FrSIRT said it is not aware of any fixes.
