Larry Seltzer

Its hard to feel comforted by the fact that Windows XP Service Pack 2 was not subject to the more severe of Tuesdays announced vulnerabilities. Even most SP2 users need to scour their systems for vulnerable applications, and the whole affair raises many unpleasant questions. The bug is not the usual stack-based buffer overflow, but […]

Microsoft Corp. on Tuesday offered patches for two serious vulnerabilities in its products. One of the security breaches—taking advantage of the action from a tweaked image file—compromises a wide range of Microsoft products, including server and client operating systems as well as applications such as e-mail. However, this “Patch Tuesday,” following the August release of […]

Its not really the first patch day of the Windows XP Service Pack 2 era. Last months, Aug. 10, was a few days after the initial release of the massive security-focused update. But the initial day was anticlimactic, yielding only a single Exchange Server issue, and for an old version at that. But now were […]

Andrew Newton knows an absence of consensus when he sees it, and lately its been all over the MTA Authorization Records in DNS, or MARID, working group, which has been attempting to formulate a standard for SMTP authentication for months. After some weeks in the “Last Call” stage of the process, it became clear to […]

Even though Ive already declared Sender ID dead, I maintain that some form of e-mail sender authentication is inevitable and necessary. Now we hear that spammers are embracing authentication, with the implication that theyre so smart theyll undermine it by being part of the system. But its always been important to understand that authentication is […]

You may have seen inexpensive home routers described as “NAT firewalls.” For example, Linksys says of its BEFSR11 EtherFast Cable/DSL Router: “[T]he built-in NAT technology acts as a firewall protecting your internal network.” Its an interesting—if disingenuous—claim, but it raises a legitimate question: How much security do you get with a typical SOHO router? The […]

Next Generation Security Software Ltd. has announced Multiple High Risk Vulnerabilities in IBM DB2. IBM has released new “Fixpacks” to address two of the issues in DB2 Universal Database for Linux, Unix and Windows Versions 7.x and 8.1. According to NGS, the two issues patched by IBM are remotely exploitable buffer overflows that could allow […]

WinZip Computing Inc. recently revealed that Version 9.0 of its popular WinZip file compression program is vulnerable to a variety of security attacks. The company has released a “Service Release 1” to address the security problems. The WinZip advisory states that “a number of general internal improvements have been made to the WinZip program to […]

When I read about the serious vulnerabilities in the Kerberos v5 authentication system, one specific aspect of it caught my eye: The lesser of the two issues was related to the ASN.1 library, a library for managing data formats and interchange of data between systems. ASN.1 is a very popular standard and set of libraries […]

Theres always more stuff to find on Google. And like all programs, if you actually read the manual, you can do things you didnt even imagine. A couple of Google features have been sparking interest lately on security mailing lists. Both of the features rely on users leaving sensitive information out where Google can find […]