
Ultimate Windows Security Newsletter:

Issue #45, 05/08/07

OK, 7 patches today, and lest you feel left out, there's something for everyone: 3 for Office, 1 for Exchange, and 1 each for IE, CAPICOM and DNS servers.

Workstation-centric patches
If you manage workstations, you'll be interested in 5 of the patches.  Of the 3 for Office, only one is publicly disclosed and actively being used in attacks.  Unfortunately there are no good workarounds for any of them, so you will either want to install just the patch for the public vulnerability ASAP and take your time testing the other 2, or save some time and reduce rollouts by batching all 3 together.
The patch for IE affects all versions.  This security update patches 5 different holes in IE.  Exploit details for one of them (the COM Object Instantiation Memory Corruption Vulnerability) are public, but the good news is that there is also a good workaround for this particular hole: just set the kill bit on the affected ActiveX control.  I've got great directions and a video for how to automate kill bits using group policy here.   Don't ask me what this control does (I was unable to obtain a good explanation), but apparently it was never supposed to be instantiated by IE anyway, so killing it is not supposed to cause problems.

The CAPICOM vulnerability is not going to be an issue for most of you.  CAPICOM is a scripting interface to the Certificate APIs of Win32.  Some applications may include and install CAPICOM, especially those using certificates and/or private/public key encryption.  I recommend using MBSA or looking for the registry keys specified below to determine if your systems have CAPICOM installed.  There is a good workaround, again the kill bit, so consider using that instead of risking a bad patch deployment.



Server patches

Provided you refrain from using Office and IE on servers, I think you only need to pay real attention to 2 vulnerabilities, or 3 if you have BizTalk running.
The one for DNS is important but manageable.  It does NOT affect the DNS protocol, just the remote administration interface that uses RPC.  I provided a full discussion of this vulnerability some weeks ago when it was announced.  I suggest testing this fully before deploying, since you should have already implemented the workaround.
If you are running BizTalk, please analyze the CAPICOM vulnerability and determine your level of exposure.
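To check whether that DNS workaround is actually in place on a given server, and to apply it where it is not, here is an added PowerShell example; it is not from the newsletter and not Microsoft's code. It relies on the registry value the published MS07-029 workaround uses, a DWORD named RpcProtocol set to 4 under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters, which restricts the DNS server's RPC management interface to local calls. The function names are my own. Once the value is set, remote administration of that server through the DNS console no longer works until the value is removed, which is the whole point of the workaround.

```powershell
# Added example (not from the newsletter): audit and apply the MS07-029
# workaround that disables the DNS server's remote RPC management interface.
# Assumption: the documented registry value RpcProtocol = 4 under the DNS
# service's Parameters key. The DNS service must be restarted afterwards.

$dnsParams   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$lpcOnlyFlag = 4   # 4 = local procedure calls only; remote RPC management is refused

function Test-DnsRpcManagementDisabled {
    # Returns $true if the workaround is in place, $false if remote RPC
    # management is still enabled, $null if this host is not a DNS server.
    if (-not (Test-Path $dnsParams)) {
        Write-Warning 'DNS Server parameters key not found; this host does not appear to run the DNS Server service.'
        return $null
    }
    $value = (Get-ItemProperty -Path $dnsParams -ErrorAction SilentlyContinue).RpcProtocol
    # A missing value means the default, i.e. RPC management over the network is enabled
    return ($null -ne $value -and $value -eq $lpcOnlyFlag)
}

function Disable-DnsRpcManagement {
    # Writes the workaround value and restarts the DNS service so it takes effect.
    # Needs an elevated prompt; run only on servers you have tested this on.
    Set-ItemProperty -Path $dnsParams -Name 'RpcProtocol' -Value $lpcOnlyFlag -Type DWord
    Restart-Service -Name 'DNS'
    Write-Output 'RpcProtocol set to 4 and DNS service restarted; remote RPC management is now disabled.'
}

# Usage: audit first, then apply only where needed
switch (Test-DnsRpcManagementDisabled) {
    $true  { Write-Output 'MS07-029 workaround already in place (RpcProtocol = 4).' }
    $false { Write-Output 'Remote RPC management still enabled; run Disable-DnsRpcManagement to apply the workaround.' }
}
```

Running the audit across all DNS servers before the patch rollout gives you the list of servers where the workaround was never applied; those are the ones to prioritise for testing the update itself.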


Here's the chart of bulletins directly below, and below that there's an interesting tip about a new, free tool for scanning your network for endpoint devices and assessing their use by your users.


| KB # | Exploit type | Product | Principal type of systems exposed | Exploit details public? / Being exploited? | Comprehensive, practical workaround available? | MS severity rating | Vulnerable Windows or Office versions (2000 / XP / 2003 / Vista-2007) | Notes | Randy's recommendation |
|---|---|---|---|---|---|---|---|---|---|
| MS07-023 934233 | Arbitrary code | Office | Workstations & Terminal Servers | No/No | No | Critical | All versions of Office including 2004 for Mac | 3 Excel vulnerabilities | Patch after normal testing |
| MS07-024 934232 | Arbitrary code | Office | Workstations & Terminal Servers | Yes/Yes | No | Critical | Yes, including 2004 for Mac and Works Suite 2004, 2005, 2006 / No | 3 Word vulnerabilities | Patch ASAP |
| MS07-025 934873 | Arbitrary code | Office | Workstations & Terminal Servers | No/No | No | Critical | Certain applications affected in each version of Office, including Mac 2004. Works Suite not affected | 1 vulnerability affecting Drawing Objects | Patch after normal testing |
| MS07-026 931832 | Arbitrary code | Exchange | Exchange servers | No/No | No | Critical | All versions of Exchange Server including Outlook Web Access | 4 Exchange vulnerabilities allow remote attackers to take over Exchange through emailed iCal files and other means | Patch ASAP after required testing |
| MS07-027 931768 | Arbitrary code | Internet Explorer | Workstations & Terminal Servers | Yes/No | No | Critical | All versions of Windows | 5 Internet Explorer vulnerabilities. Only 1-2 have good workarounds. One is publicly disclosed but no attacks so far | Patch ASAP after required testing |
| MS07-028 931906 | Arbitrary code | | BizTalk Servers and any system with CAPICOM | No/No | Yes | Critical | Any Windows system with CAPICOM installed. Use MBSA or look in the registry for any combination of: `HKLM\SOFTWARE\Classes\CAPICOM.Certificates.1\CLSID`; `HKLM\SOFTWARE\Classes\CAPICOM.Certificates.2\CLSID`; `HKLM\SOFTWARE\Classes\CAPICOM.Certificates.3\CLSID` | CAPICOM is a scripting interface to the Certificate APIs of Win32. Can block most likely attack vectors by setting the kill bit. Some applications may include and install CAPICOM, especially those using certificates and/or private/public key encryption | Determine affected systems by looking for the specified registry keys and either patch, or set the kill bit on the ActiveX control. See |
| MS07-029 935966 | Arbitrary code | Windows | DNS Servers, NOT DNS clients | Yes/Yes | Yes | Critical | Server: yes / No / Yes / No | This is an easy hole to plug by disabling the RPC management interface. It does not affect the DNS protocol, only remote management of DNS via RPC | You should have already implemented the workaround on affected servers. Install this update after testing, monitoring the community for problems reported by early adopters |
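The CAPICOM paragraph above and the MS07-028 row of the chart both say the same thing: find the three CAPICOM registry keys to know whether a system is exposed, then patch or set the kill bit. As an added example (not part of the newsletter, not Microsoft's code), the following PowerShell script does that registry check and also reports whether the kill bit is already set on each CAPICOM control it finds. It assumes the standard kill-bit location, a "Compatibility Flags" DWORD with the 0x400 bit set under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}; the function names are mine, and Set-CapicomKillBit writes to HKLM so it needs an elevated prompt.

```powershell
# Added example (not from the newsletter): detect CAPICOM via the three
# registry keys the bulletin chart lists, then report whether the IE kill bit
# is set for each CLSID found. Get-CapicomStatus is read-only.
# Assumption: the kill bit is the documented "Compatibility Flags" DWORD with
# bit 0x400 set under the ActiveX Compatibility key for that CLSID.

$progIds = @(
    'CAPICOM.Certificates.1',
    'CAPICOM.Certificates.2',
    'CAPICOM.Certificates.3'
)
$killBitFlag = 0x400   # "do not instantiate in IE" flag
$compatRoot  = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-CapicomStatus {
    # One record per ProgID: installed or not, its CLSID, and kill-bit state.
    foreach ($progId in $progIds) {
        $clsidKey = "HKLM:\SOFTWARE\Classes\$progId\CLSID"
        if (-not (Test-Path $clsidKey)) {
            [pscustomobject]@{ ProgId = $progId; Installed = $false; Clsid = $null; KillBitSet = $null }
            continue
        }
        # The default value of the CLSID subkey holds the control's GUID
        $clsid      = (Get-ItemProperty -Path $clsidKey).'(default)'
        $compatKey  = Join-Path $compatRoot $clsid
        $killBitSet = $false
        if (Test-Path $compatKey) {
            $flags = (Get-ItemProperty -Path $compatKey -ErrorAction SilentlyContinue).'Compatibility Flags'
            if ($null -ne $flags) { $killBitSet = (($flags -band $killBitFlag) -ne 0) }
        }
        [pscustomobject]@{ ProgId = $progId; Installed = $true; Clsid = $clsid; KillBitSet = $killBitSet }
    }
}

function Set-CapicomKillBit {
    # Applies the workaround to every installed CAPICOM control that lacks it.
    # ORs the flag into any existing value so other compatibility bits survive.
    foreach ($entry in (Get-CapicomStatus | Where-Object { $_.Installed -and -not $_.KillBitSet })) {
        $compatKey = Join-Path $compatRoot $entry.Clsid
        if (-not (Test-Path $compatKey)) { New-Item -Path $compatKey -Force | Out-Null }
        $existing = (Get-ItemProperty -Path $compatKey -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $existing) { $existing = 0 }
        Set-ItemProperty -Path $compatKey -Name 'Compatibility Flags' -Value ($existing -bor $killBitFlag) -Type DWord
        Write-Output "Kill bit set for $($entry.ProgId) ($($entry.Clsid))"
    }
}

# Usage: audit first; apply the kill bit only if you chose the workaround over the patch
Get-CapicomStatus | Format-Table -AutoSize
```

A system where all three ProgIDs report Installed = False is not exposed by this bulletin and needs neither the patch nor the kill bit. On 64-bit Windows, 32-bit Internet Explorer reads the Wow6432Node copy of the ActiveX Compatibility key as well, so check and set both paths there.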

Until next time, happy patching!  That’s an oxymoron if I ever heard one!

Somebody passed me an interesting tip about a free tool that helps assess the degree to which endpoint devices are being used on your network.  You’ve probably been hearing a lot about endpoint security right now.  You know, USB drives, flash drives, iPods and the like, and how easily sensitive information can leak outside your network and subsequently fall into the wrong hands through lost or stolen devices.  There are a number of security software solutions on the market for controlling endpoint devices.  But how rampant is the use of such devices on your particular network?  It’s not often you can really quantify your exposure to something before deploying preventive technology.  But this time you can thanks to a nifty, free tool from a reputable security company. 
It’s EndPointScan from GFI and you can download and run it in about a minute from http://www.endpointscan.com/.  GFI’s interest in making this tool available of course is to increase awareness about their EndPointSecurity tool.  However, I’ve downloaded and tested the EndPointScan on my network and it works.  It came back within seconds with an easy to read HTML report showing all the endpoint devices currently in use or ever connected to all the computers on my network.  (There was an issue with Vista computers but GFI is working on that.)  You get detailed information about each device and there’s a good summary overview complete with totals and charts.  I recommend trying it out; the results may be revealing. 
