Security Watch

All Eyes on RSA

The annual security conference revisits some familiar topics. Plus, Microsoft issues IE-centric security advisory; educating enterprises about Windows 7 security.

• By Jabulani Leffall
• 03/02/2010

It's time for the RSA Conference once again, and everybody who's anybody in IT security is flocking to (or is already at) the Moscone Center in San Francisco. Product launches, fraud predictions and workshops abound as they do every year, but there are some themes to look out for at this year's confab.

The most prominent involves implementing more nimble IT security programs. Cloud security and an offshoot of Software as a Service that many IT security evangelists are calling "security as a service" are two of the bigger discussions on this year's agenda. Already, security big shots like Symantec, McAfee and Trend Micro are offering hosted security options, but even well-respected smaller players like Kaspersky Lab and Sophos are getting in on the action.

Web-based threats will also be discussed in great detail at various RSA workshops this week, with an emphasis on which browser -- Internet Explorer, Chrome, Firefox, Safari -- is the most secure.

And then, of course, there are the evergreen issues: securing social media and mobile computing, the challenges and changes in IT security compliance, and password management -- always an enterprise computing favorite.

IE the Focus of New Microsoft Advisory
Microsoft is having more third-party disclosure problems. Late Monday, Microsoft issued yet another security advisory that has implications for the ubiquitous IE browser. However, this time the vulnerability is for Windows 2000, XP, and Windows Server 2003 through the (and language is important here) use of IE.

The advisory states that the bug "exists in the way that VBScript interacts with Windows Help files when using Internet Explorer. If a malicious Web site displayed a specially crafted dialog box and a user pressed the F1 key, arbitrary code could be executed in the security context of the currently logged-on user."

Microsoft stressed that Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2 aren't affected by this issue.

Exec: Microsoft Should Educate IT in Windows 7
Philip Lieberman's company, Lieberman Software, is one of many hocking products at this week's RSA Conference. For its part, Lieberman Software will launch a new rev of its ID management product called Enterprise Random Password Manager (ERPM).

Lieberman said ERPM works best when sitting on a secure enterprise OS such as Windows 7. But one of his main gripes with Microsoft's latest OS isn't with the OS itself, but with the fact that he thinks Microsoft should be more proactive in getting the word out about how good Windows 7's security is.

"Unfortunately, Microsoft has done a poor job helping large IT shops understand that the bad, old ways of doing things are no longer necessary," Lieberman said. "Most of the large IT shops we talk to still do not understand the value proposition of Windows 7, nor do they understand what Microsoft has done with Server 2008 R2."

This is tragic, Lieberman said, because "Microsoft has done a superb job in simplifying such technologies as PKI and VPNs in this new generation of products, all at a ridiculously low price compared to the costs of running an XP-Server 2003 shop."