• Pescatore (Gartner) on 3rd Party Patch

    A pretty cool quote from John Pescatore, Gartner on third-party patches:

    My neighbor is a smart guy, and he designs medical machinery. However, I'm pretty sure I won't be using his homegrown remedy for bird flu. I'm also really sure I don't want my kids to think it's OK to accept medicine from anywhere they find it. It is not a good idea for enterprises or consumers to get in the habit of accepting patches to software from anywhere other than the vendor of the software. Use the time you'd spend undoing them to pressure software vendors to reduce the time they spend talking about security and increase the time they spend reducing security vulnerabilities before they ship their products.

    From SANS NewsBites

    Roger

  • ActiveX Change can be disabled

    Mike Nash just published information about the ActiveX fix on the MSRC blog. The most important part is:

    1. New machines that ship with Windows will include the ActiveX change. 
    2. For our April IE cumulative security update, we will include the IE ActiveX change in the security update, but we will create a “compatibility patch” (deployed like a hotfix) that allows customers to turn off the change for a limited period of time through the June update cycle (2nd Tuesday in June) to provide time for enterprise customers to resolve compatibility issues. 

    Read more at: http://blogs.technet.com/msrc/archive/2006/03/29/423560.aspx


    Roger

  • IE Vulnerability Update

    There are at least two third-party patches for the IE vulnerability out there. Please be aware of two things:

    • They do not fix the actual vulnerability
    • Applying a third-party patch is not supported

    In the end, what you do is part of your own risk assessment, but we strongly advise you to wait until we release the update. At the moment we are aiming for April 11 unless the situation on the web changes dramatically.

    Roger

  • ActiveX Behavior Change

    Several times already we (Microsoft) have informed you about a change we will have to make in the way we handle ActiveX. On February 28 we published a Security Advisory to pre-warn about this change: http://www.microsoft.com/technet/security/advisory/912945.mspx.

    Finally, we informed you that we will include this change in the next Cumulative Security Update for Internet Explorer. As you may expect, the next Security Update cannot be far away.

    Therefore I would really like you to test your applications that use ActiveX, in order to make sure that you are able to roll this update out.

    Roger

  • Application Threat Modelling

    This February I had the opportunity to meet our internal IT Threat Modelling team together with a customer, and I was really impressed by how our internal IT is doing threat modelling of the applications they are buying and using in our network.

    Now they have released Beta 2 of the Application Threat Modelling Tool. Go and have a look at it at http://msdn.microsoft.com/security/securecode/threatmodeling/acetm/. Feedback would be appreciated.

    Roger