Security Advisor
Microsoft's Intune Gets a Tune Up
While it's been fairly quiet on the news front at TechEd (currently being held in Orlando, Fla.), Microsoft did give a small nugget to the audience by announcing that a new version of its Intune service is now ready for download.
For those who don't know, Intune helps to control device access and security of a network for those running fewer than 500 Windows machines.
So what's new in version three? Let's break it down into easy-to-digest bullet points:
- Support for mobile devices running Windows Phone 7, Android and iOS.
- Integration with Windows Azure Active Directory -- this will ease the issue of setting universal policies for different computer and mobile devices running multiple OSes.
- Devices can be automatically recognized when accessing the Microsoft Exchange Server.
An added bonus for Intune users is the ability to automatically upgrade to Windows 7 Enterprise, no matter what other version of Windows 7 you're running. And once Windows 8 is released, you'll be granted access to upgrade at no additional charge.
For those who are unsure or want to give Intune a spin before committing, a free 30-day trial can be downloaded here.
And for those currently deploying Intune, how is it stacking up to your expectations? Does it ease the battle for tighter security and control or is it a huge waste of money? Let me know at [email protected].
So Many RCE Fixes To Patch, Only One Tuesday To Do It
Microsoft's June security present arrived yesterday, and, as is now the norm, remote code execution fixes make up four of the seven bulletin items. That's because hackers prefer exploiting your system from a distance over having you look over their shoulders when they invade your home.
The consensus among security experts is that bulletin MS12-037, a "cumulative" security update for Internet Explorer, should be taken care of immediately. That's because it takes care of a batch of 12 holes -- some of which have already been seen exploited in the wild. And a Web browser seems like an easier window into your system than, say, waiting for you to fall for an elaborate attack in Photoshop.
Along with this batch of fixes, Microsoft is also changing its policy on how your system identifies bogus Microsoft certificates. And if you guessed this is in response to the Flame malware hiding under fake certificates, you would be 100 percent correct.
The major change is that instead of asking for your permission before updating its certificate blacklist, Microsoft will automatically send the information to your system.
While I don't usually like companies pushing data into my computer without my knowledge, I can live with this necessary intrusion.
MySQL Databases Let Loose User Passwords
In this edition's "Password Breach of the Week" story, news recently surfaced that an attacker could gain access to MySQL databases thanks to a flaw that will verify an incorrect password as correct.
While the flaw isn't found in all systems (and those running MySQL and its brother MariaDB databases on Windows are safe), this open door could give hackers access to all your info stored using the SQL language.
According to folks in the MariaDB camp, this flaw has the probability of popping up once in every 256 attempts. While those aren't the type of odds you would lay money down on in Vegas, know that an attacker could easily submit a password hundreds of times in a second. That's as close to a sure thing as you're going to get in the world of cyber crime.
As with most security vulnerabilities, this bug can be easily avoided by patching your software to the latest version.
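To put the 1-in-256 figure in defensive terms, the following added example (not from the original column or from the MySQL or MariaDB projects) computes how quickly repeated wrong guesses add up and flags login bursts large enough to matter on an unpatched server. The log layout (timestamp, host, user, DENIED/OK) and the sample entries are constructed assumptions, not a real MySQL log format.

```python
import math
from collections import defaultdict

P_FLAW = 1 / 256  # per-attempt odds quoted by the MariaDB team

def p_bypass(attempts, p=P_FLAW):
    """Chance that at least one of `attempts` wrong passwords is accepted."""
    return 1 - (1 - p) ** attempts

def attempts_for(confidence, p=P_FLAW):
    """Smallest attempt count that reaches `confidence` overall odds."""
    return math.ceil(math.log(1 - confidence) / math.log(1 - p))

def flag_sources(lines, min_odds=0.5):
    """Map (host, user) -> (failures, odds, succeeded) for runs of denied
    logins long enough to reach `min_odds` on a flawed build."""
    fails = defaultdict(int)
    flagged = {}
    for line in lines:
        _ts, host, user, result = line.split()
        key = (host, user)
        if result == "DENIED":
            fails[key] += 1
        elif result == "OK":
            n = fails.pop(key, 0)  # a success ends the current run
            if p_bypass(n) >= min_odds:
                flagged[key] = (n, p_bypass(n), True)
    # Runs still open at end of log: hammering without a success (yet).
    for key, n in fails.items():
        if p_bypass(n) >= min_odds:
            flagged[key] = (n, p_bypass(n), False)
    return flagged

def burst(host, user, denied, ok):
    """Build constructed sample entries in the assumed four-field layout."""
    rows = [f"2012-06-12T10:00:{i % 60:02d} {host} {user} DENIED"
            for i in range(denied)]
    if ok:
        rows.append(f"2012-06-12T10:05:00 {host} {user} OK")
    return rows

# Constructed sample log: a burst ending in success, a user typo, and a
# burst that never got in. Addresses are documentation ranges.
SAMPLE_LOG = (burst("203.0.113.7", "root", 200, True)
              + burst("198.51.100.4", "app", 3, True)
              + burst("192.0.2.9", "root", 300, False))

if __name__ == "__main__":
    print("attempts for 50% / 99%:", attempts_for(0.5), attempts_for(0.99))
    for (host, user), (n, odds, ok) in flag_sources(SAMPLE_LOG).items():
        state = "LOGIN SUCCEEDED" if ok else "no success seen"
        print(f"{host} {user}: {n} denials, {odds:.0%} odds, {state}")
```

A flagged source whose run ends in a success deserves the closest look on any server that has not yet been patched.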