Microsoft pulls back protected folders
Less than a week after Microsoft released a free password-protected
folder feature, the software giant pulled the Windows add-on after
enterprise customers questioned the logic of letting individual
employees encrypt their own data.
"Private Folder 1.0 was designed as a benefit for customers
running genuine Windows," Microsoft told CNET News.com Friday.
"However, we received feedback about concerns around manageability,
data recovery and encryption, and based on that feedback, we are
removing the application today. This change will take effect
shortly."
Microsoft had pitched the feature as "a useful tool ... to
protect your private data when friends, colleagues, kids or other
people share your PC or account." But professionals like Stuart
Graham immediately voiced concern on the Windows Server-related
MSBlog.
"Oh great, have they even thought about the impact this could
have on enterprises," Graham wrote. "I'm already trying to
frantically find information on this product so that A) I can block
to all our desktops and B) figure out how we then support it when
users inevitably lose files. I can see the benefit in this product
for home users, but it's a bit of a sloppy release by
Microsoft."
McAfee unwittingly fixes an ePolicy Orchestrator flaw
While making enhancements to its ePolicy Orchestrator product,
Santa Clara, Calif.-based security vendor McAfee Inc. unwittingly
fixed a security flaw attackers could exploit to compromise
machines and launch malicious code.
Aliso Viejo, Calif.-based eEye Digital Security Inc. discovered
the flaw and said in an
advisory that the problem is within the framework service
component of McAfee Common Management Agent (CMA), which allows
users to configure and enforce protection policies; deploy and
configure agents; and monitor the security status of systems from a
centralized console.
The framework service is enabled and running by default on all
servers and agents, eEye explained; it listens on TCP port 8081 and
accepts requests over HTTP. Those requests can remotely submit
configuration and update changes. Each request is encrypted, SHA-1
hashed and DSA signed, and written to a file on disk.
Because of a directory traversal flaw in that file write, eEye said,
an attacker can write a file with arbitrary contents to any location
on the remote system.
"This flaw allows a remote attacker to anonymously compromise an
affected system and execute code within the SYSTEM context," eEye
said.
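The write path eEye describes has the classic directory-traversal shape: encrypting, hashing and signing the request body says nothing about where that body lands if the destination name is taken from the request and joined to a spool directory unchecked. The Python below is an added example, not code from McAfee, eEye or the agent itself; it models that generic pattern with a constructed spool directory (C:\spool) and constructed request names, uses ntpath so Windows path rules apply on whatever host runs it, and assumes only that the file name arrives with the request.

```python
"""Directory traversal in a spool-file write: naive vs. checked resolution.

Added example, not code from McAfee or eEye. It models only the generic
pattern the advisories describe: a service takes a file name from a remote
request and writes the request body under a fixed directory. The spool
directory, the request names and the assumption that the name comes
straight from the request are all constructed for illustration.
"""
import ntpath  # Windows path rules, so the demo behaves the same on any host
from typing import Dict, Optional

# Constructed spool directory; not the real agent's directory.
SPOOL_DIR = r"C:\spool"

# Constructed request names: one benign, the rest hostile. Windows accepts
# both separators, and a rooted or drive-qualified name replaces the base.
SAMPLE_NAMES = [
    "policy-42.xml",
    r"..\..\Windows\System32\evil.dll",
    "../../etc/evil.cfg",
    r"\Windows\System32\evil.dll",
    r"D:\evil.exe",
]


def resolve_naive(name: str) -> str:
    """Vulnerable: join the request-supplied name under SPOOL_DIR and let
    normpath collapse '..' exactly as the file system would on open()."""
    return ntpath.normpath(ntpath.join(SPOOL_DIR, name))


def resolve_checked(name: str) -> Optional[str]:
    """Hardened: same join, then refuse any target that escaped SPOOL_DIR.

    The containment test runs on the normalised absolute path, so '..'
    segments, forward slashes, rooted names and other drives are all
    caught by one rule instead of a blacklist of substrings."""
    spool = ntpath.normpath(SPOOL_DIR)
    target = resolve_naive(name)
    if target == spool:            # empty or '.' name resolves to the dir itself
        return None
    try:
        inside = ntpath.commonpath([spool, target]) == spool
    except ValueError:             # different drives share no common prefix
        inside = False
    return target if inside else None


def triage(names) -> Dict[str, Dict[str, Optional[str]]]:
    """Show, per request name, where each strategy would write."""
    return {
        n: {"naive": resolve_naive(n), "checked": resolve_checked(n)}
        for n in names
    }


if __name__ == "__main__":
    for name, result in triage(SAMPLE_NAMES).items():
        print(f"{name!r:40} naive={result['naive']!r:40} "
              f"checked={result['checked']!r}")
```

Running it resolves each name both ways: the naive join lands the hostile names in System32, at the drive root or on another drive, while the checked resolver rejects everything that leaves the spool, including the rooted and other-drive names a simple ".." substring filter would miss. A stricter service would go further and accept only a bare file name from a fixed allow-list of characters, since a policy spool has no legitimate reason to receive path separators at all.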
In its own
advisory on the subject, McAfee said the flaw is fixed in CMA
3.5.5.438 (listed as CMA 3.5.5 on the McAfee download page).
Multiple flaws in Microsoft Works
Attackers could hijack machines and cause a denial of service by
exploiting multiple flaws in Microsoft Works, the French Security
Incident Response Team (FrSIRT) said in an advisory.
"These issues are due to memory corruption and NULL pointer
dereference errors when processing malformed .wks or .xlr files,
which could be exploited by attackers to compromise a vulnerable
system or crash an affected application by tricking a user into
opening a malicious file," FrSIRT said.
The flaws affect Microsoft Works version 8.0 and prior, and
FrSIRT said it is not aware of any fixes.