
458 matches found

CISA
added 2010/07/13 12:00 a.m., 8 views

Microsoft Releases July Security Bulletin

Microsoft has released updates to address vulnerabilities in Microsoft Windows and Office as part of the Microsoft Security Bulletin Summary for July 2010. These vulnerabilities may allow an attacker to execute arbitrary code. US-CERT encourages users and administrators to review the bulletins an...

7.5 AI score
Exploits 0, References 2

CISA
added 2010/06/08 12:00 a.m., 12 views

Microsoft Releases June Security Bulletin

Microsoft has released updates to address vulnerabilities in Microsoft Windows, Internet Explorer, Office, SharePoint, and .NET Framework as part of the Microsoft Security Bulletin Summary for June 2010. These vulnerabilities may allow an attacker to execute arbitrary code or operate with elevate...

7.7 AI score
Exploits 0, References 2

CISA
added 2010/05/11 12:00 a.m., 12 views

Microsoft Releases May Security Bulletin

Microsoft has released updates to address vulnerabilities in Microsoft Windows, Office, and Visual Basic for Applications as part of the Microsoft Security Bulletin Summary for May 2010. These vulnerabilities may allow an attacker to execute arbitrary code. US-CERT encourages users and...

7.5 AI score
Exploits 0, References 2

CISA
added 2010/04/13 12:00 a.m., 14 views

Microsoft Releases April Security Bulletin

Microsoft has released an update to address vulnerabilities in Microsoft Windows, Office, and Exchange as part of the Microsoft Security Bulletin Summary for April 2010. These vulnerabilities may allow an attacker to execute arbitrary code, operate with elevated privileges, cause a...

7.5 AI score
Exploits 0, References 2

ThreatPost
added 2010/03/30 2:53 p.m., 9 views

Dental Practice Loses $200K to Criminals

Organized computer criminals yanked more than $200,000 out of the online bank accounts of a Missouri dental practice this month, in yet another attack that exposes the financial risks that small- to mid-sized organizations face when banking online. Read the full article. KrebsonSecurity...

3.3 AI score
Exploits 0, References 2

CISA
added 2010/03/30 12:00 a.m., 21 views

Microsoft Releases Out-of-Band Security Bulletin Update

Microsoft has released an update to its Security Bulletin Summary for March 2010 and has included the out-of-band bulletin MS10-018. This bulletin addresses ten vulnerabilities in Internet Explorer, including one previously announced in Microsoft Security Advisory 981374. The most severe of these...

7.7 AI score
Exploits 0, References 4

CISA
added 2010/03/09 12:00 a.m., 7 views

Microsoft Releases March Security Bulletin

Microsoft has released an update to address vulnerabilities in Microsoft Windows and Office as part of the Microsoft Security Bulletin Summary for March 2010. These vulnerabilities may allow an attacker to execute arbitrary code. US-CERT encourages users and administrators to review the bulletins...

7.5 AI score
Exploits 0, References 2

CERT
added 2010/02/25 12:00 a.m., 46 views

APC Network Management Card web interface vulnerable to cross-site scripting and cross-site request forgery

Overview: The web management interface for the APC Network Monitoring Card (NMC) used in various APC devices contains cross-site scripting (XSS) and cross-site request forgery (CSRF/XSRF) vulnerabilities. By convincing a victim to load a specially crafted URL while authenticated to an NMC, an attacker...

6.8 CVSS, 6 AI score, 0.01994 EPSS
Exploits 1, References 6

Atlassian
added 2010/02/24 1:11 a.m., 15 views

Version number

I notice that the JIRA footer displays the current version of JIRA. Revealing the specifics of the revisions of software that you run in production is generally considered a bad security practice. Is there a reason that it is displayed openly to all users in licensed versions of the product? Is i...

4.8 AI score
Exploits 0, Affected Software 1

CISA
added 2010/02/09 12:00 a.m., 14 views

Microsoft Releases February Security Bulletin

Microsoft has released an update to address vulnerabilities in Microsoft Windows and Office as part of the Microsoft Security Bulletin Summary for February 2010. These vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, or operate with elevated...

7.4 AI score
Exploits 0, References 2

Check Point Advisories
added 2010/01/05 12:00 a.m., 1 view

Security Best Practice: Blocking Yahoo! Messenger

Instant Messaging applications allow communication and collaboration between Internet users using various modes of communication, including instant messages exchange, voice and video, application sharing, white board, file transfer and remote assistance. Yahoo! Messenger is an...

7 AI score
Exploits 0

ThreatPost
added 2009/05/22 1:39 p.m., 14 views

The Berkeley breach: Is SaaS the answer?

One recent Friday afternoon I took time off to visit two new health providers: a new dentist nearer my home and an orthopedic to look at my lateral epicondylitis. In both cases, as a new patient, I filled in page after page of medical history and personal information, including my Social Security...

6.9 AI score
Exploits 0, References 4

Check Point Advisories
added 2008/08/15 12:00 a.m., 0 views

Security Best Practice: Familiarize Yourself with the Directory Listing Protection

One of the first steps an attacker may take before attacking a web site is to gather information about the site. The goal of the hacker is to get the web server to reveal information that the hacker can use to tailor an attack...

6.6 AI score
Exploits 0

Check Point Advisories
added 2008/08/15 12:00 a.m., 1 view

Security Best Practice: Familiarize Yourself with the Non Compliant HTTP Protection

HTTP Protocol Inspection provides strict enforcement of the HTTP protocol, ensuring these sessions comply with RFC standards and common security practices...

7 AI score
Exploits 0

Check Point Advisories
added 2008/08/15 12:00 a.m., 1 view

Security Best Practice: Familiarize Yourself with the Header Spoofing Protection

One of the first steps an attacker takes before attacking a website is to analyze the web server response in order to gather as much information as possible about it. This is known as "fingerprinting"...

6.6 AI score
Exploits 0

Check Point Advisories
added 2008/08/15 12:00 a.m., 7 views

Security Best Practice: Familiarize Yourself with the Packet Sanity Protection

The Packet Sanity protection performs several Layer 3 and Layer 4 sanity checks. These include verifying packet size, UDP and TCP header lengths, dropping IP options and verifying the TCP flags. Numerous types of attacks may be hidden in fragmented packets...

5 CVSS, 6.4 AI score, 0.03318 EPSS
Exploits 1

Check Point Advisories
added 2008/08/15 12:00 a.m., 22 views

Security Best Practice: Familiarize Yourself with the Network Quota Protection

Network Quota enforces a limit upon the number of connections that are allowed from the same source IP, to protect against Denial Of Service attacks...

5 CVSS, 6.3 AI score, 0.01632 EPSS
Exploits 0

Check Point Advisories
added 2008/08/15 12:00 a.m., 32 views

Security Best Practice: Familiarize Yourself with the Max Ping Size Protection

Ping is a computer network administration utility used to test whether a particular host is reachable across an IP network and to measure the round-trip time for packets sent from the local host to a destination computer, including the local host's own interfaces. Ping operates by sending Internet...

7.5 CVSS, 6 AI score, 0.03692 EPSS
Exploits 0

Atlassian
added 2008/07/10 6:30 p.m., 16 views

Restrict the transmission of Confluence version details

I noticed that on several installs, Confluence by default displays its full version number and sometimes build number to the world. It is a commonly accepted web security practice to withhold all product details, including version information, except to users on a "need to know" basis. Otherwise,...

2.6 AI score
Exploits 0, Affected Software 1

Atlassian
added 2008/07/03 4:07 p.m., 15 views

Do not release details about security vulnerabilities until after the fix was available for a reasonable period of time

It is an unfortunate practice at Atlassian to as a part of release notes release all the information, often including example exploits (http://jira.atlassian.com/browse/CONF-9350), about security vulnerabilities that were fixed in the version being released. This gives us great headaches because: w...

1.8 AI score
Exploits 0, Affected Software 1