It seems that every week brings a new security threat to our Windows PCs and networks. The latest one, which became an issue just last week, involves a "digitally signed" Java program that affects Compaq computers and possibly others. The applet is intended to allow Compaq to update software over the Internet, but it can be directed by a rogue Web page to execute other instructions instead.
This problem, and others like it, is not the focus of this column. Instead, I want to share with you some resources that can keep you informed about threats before they affect your PC or your network.
One of the best sources of information from Microsoft is its Security Notification Service. This free e-mail bulletin is sent to subscribers whenever Microsoft determines that an issue affects any Microsoft products. It is especially worthwhile for Windows NT administrators and serious users of Microsoft Office.
Microsoft maintains an archive of current and previous security bulletins going back almost three years. Its "Security Advisor" page is one of the first places where Microsoft releases its comments on threats like the Melissa virus and the ExploreZip worm.
For a list of recent advisories, go to www.microsoft.com/security. Click "Security Bulletins," then "Current" or "Archive" to go back through the list. To subscribe to the Security Notification Service, go to www.microsoft.com/security/services/bulletin.asp.
The alerts that Microsoft posts on these pages often provide software patches to close security holes. For example, a recent bulletin recommends a patch to cure Word 97's bad habit of running macros (without any warning) from templates - even when the template is on a malicious Web site.
Microsoft's security bulletins, of course, aren't the last word on high-tech threats. The alerts reflect only Microsoft's point of view. In the article, "What Customers Should Know About BackOrifice 2000", for instance, Microsoft says BackOrifice is similar to the Melissa virus in that "neither exploited any security vulnerabilities in Microsoft products".
The programmers who released BackOrifice - a program that allows an intruder to access your network from the Internet with the same privileges you have - might disagree. Still, Microsoft's notification service is a valuable improvement over simply denying that any problems exist at all.
The security bulletins that Microsoft publishes on its Web pages raise the question: Should this information be shouted about or kept quiet?
After all, many of the security holes described on the Microsoft site are said to have never been used by hackers in real life. Won't talking about these flaws make them more likely to be taken advantage of?
This question seems to have been decided squarely in favour of full disclosure. The Microsoft site, for example, describes in detail the L0phtCrack tool, a program that decrypts network passwords, sometimes in minutes. The Microsoft page even includes a convenient link so readers can download the utility for themselves: www.l0pht.com. (The first two characters of the domain name are lower-case "L" and zero.) Although L0phtCrack can be misused in the wrong hands, it can also be a good friend to a network administrator who needs to test a network for weak user passwords.
Another invaluable alert service is provided by the CERT Coordination Center, an outgrowth of the old Computer Emergency Response Team created by the US Government last year. CERT/CC, housed at Carnegie Mellon University, sends e-mail advisories whenever a virus threat or newly discovered security hole unnerves the Internet community. Go to www.cert.org, then click "Subscribe to our mailing list" for more information.
Perhaps equally important, the center helps to debunk virus hoaxes - some of which are hilarious - that run rampant on the Net. See the "Hoax" section of www.cert.org/other_sources/viruses.html. These are a fraction of the Windows security alerts available. Send me your favourites. Use "alerts" as the subject of your e-mail.