Microsoft has begun publishing a new “Security Newsletter” once a month. The newsletter includes security tips and articles from Microsoft experts as well as announcements of security-oriented Webcasts, security FAQs, and other useful security news. I’m going to give you a closer look at the newsletter and show you how to subscribe to it, plus at the end of this article, I’ve got my regular roundup of other recent security news.

Interested security specialists and administrators can subscribe to the Microsoft Security Newsletter for free. Volume 1 No. 1 of the newsletter is already available online, but the second issue should be released by the time this article appears.

The first issue of the newsletter covered a number of interesting subjects. One notable inclusion was the article, “Beyond Security Patching,” written by Microsoft’s senior director of the Security Business Unit, Jeff Jones. Mr. Jones discusses the new strategies Microsoft will employ to reduce the number of patches required.

In this article, Jeff Jones explains that the Trustworthy Computing initiative has already greatly reduced the number and severity of patches, and that the new service pack structure (as I described in my last article) will include lockdown features to make patches less necessary. But mostly this article directs readers to “Understanding Patch and Update Management: Microsoft’s Software Update Strategy,” which was published in October. This is a white paper explaining Microsoft’s current strategy and is probably most useful for administrators new to the IT field or for copying and distributing to staff members or upper management executives who aren’t familiar with the security challenges that you face.

The newsletter also includes a brief look at the concept of rights management and why administrators should consider the use of Windows Rights Management Services in Windows Server 2003 and Office Suite 2003 to reduce administrative overhead while improving information security.

Final word
Although security specialists who are immersed in the IT security field full time will probably learn nothing new from the Microsoft Security Newsletter, it is a useful publication for those who are too busy to follow security developments on a daily basis either because their networks are already well-protected or because security isn’t their primary duty.

Because it is relatively brief, relying on links for most of the content, glancing over this once-monthly report can be a good way to make certain you haven’t missed anything, as well as a quick way to see what upcoming Webcasts may be of interest.

Also watch for …

  • Apple has released a patch that addresses vulnerabilities in OS X. CNET reports that the patch is intended to block a remote takeover threat by altering DHCP server default settings for the Macintosh OS X 10.2.8 and OS X 10.3.2 workstation operating systems, as well as server versions. Apple had rated this as a low-level threat because the company claimed that it could only be carried out by an insider but, according to the CNET article, some security experts say it could be remotely exploited. This is a general security update that also addresses other threats and should be installed by an administrator responsible for an Apple network or graphics workgroup. Other Panther and Jaguar OS updates were released in November. Panther is the new OS released in October, replacing Jaguar.
  • There is some U.S. federal government news that also is of some general interest. The National Institute of Standards and Technology (NIST) has granted Level 1 certification to the OpenSSL crypto module. This is a validation of the security of the module, and it is directly of interest to federal agencies and those who supply them with software and services.
  • NIST has also published a draft of SP800-60, “Guide for Mapping Types of Information and Information Systems to Security Categories,” which is intended to help agencies comply with the Federal Information Security Management Act (FISMA). Again, this is mostly an issue for federal agencies and those who work with them, but it can be useful reading for those who are preparing enterprise-level security plans in a corporate setting. The nearly 38-page PDF file designated “Volume I” contains some helpful guides for determining the value and potential damage to operations from the compromise of various kinds of data. Remember that federal agencies face many of the same challenges as businesses, so take advantage of the work that has gone into this publication if you are faced with generating proposals or policy documents that relate security expenditures to the value of data. You can probably skip downloading the gigantic 266-page Volume II, which mostly consists of three appendices.
  • Administrators should also be aware that this year could bring an awakening of the threats against Linux. As that operating system becomes more popular while Microsoft is further hardening Windows, it is only natural that more hackers will turn their attention to finding and exploiting holes in Linux. It only takes a brief glance back at 2003 and the successful attacks that planted Trojans and possibly backdoors in the heart of open source development servers, to show administrators they need to be on the watch for suspicious activity on their Linux systems.