Some Details on IE7

A few details for IE 7 has been posted to the Internet Explorer weblog. The two mentioned are support for .PNG and fixing some CSS consistency issues.

Trusting Privileged Users

A new article on SecurityFocus talks about how two insiders inappropriately used their access to databases to get information they had no business retrieving. Both did so for purely personal reasons.

From a security perspective, this is always an issue. At some point you're going to have to trust a privileged few users. For instance, what's to stop the mail administrator from sending out an email as the CEO? What's to stop an administrator from resetting a password to gain unauthorized access to a set of files? In some cases audit trails are effective. Hence the reason we put them into place. However, technology only takes us so far. For instance, a best practice is to send security events to a separate system in the event a particular server gets compromised. However, if an insider knows what system has the backup logs, that person can overcome this security measure.

Unfortunately, there's no easy answer on this one. Background checks, thorough interviews, careful review of audit logs, multiple people in the process to get to sensitive data - all of these help protect an organization. But none of these are 100% foolproof. It's a sad but true fact of life.

Critical Flaw in Jet Database

There has been a report of a Jet database vulnerability which can be exploited by an attacker to execute code. It's due to a memory handling issue and can be exploited with a specially crafted .mdb file. Exploit code is available.

• Secunia Advisory
• Original Advisory from HexView
• Published Exploit on Full-Disclosure

Current workaround: Don't open an untrusted file, even if it's an .mdb.

Still no new SQL Server 2005 beta

According to the C|Net article, Microsoft has missed its latest beta release of Visual Studio 2005 and SQL Server 2005. They were targeting the end of March. Thus far, SQL Server 2005 beta 3 has not come out. Microsoft has announced that SQL Server 2005 RTM slipped from the summer to 2H2005. I'm hoping they'll still make that date.

Series on Finding and Patching SQL Server

Chip Andrews, founder of SQLSecurity.com and co-author of SQL Server Security from McGraw Hill-Osborne (among other authoring credits) has written a two part series of patching SQL Servers. The first part is on how to locate SQL Servers in a given environment.

Frank Kalis - SQL Server MVP

Frank Kalis is someone I've traded many a forum post and private message with over at SQLServerCentral.com. In today's newsletter I read the great news that Frank had been selected as a SQL Server MVP. In addition to posting at SQLServerCentral.com, Frank also runs InsideSQL.de (German). Way to go, Frank!

New T-SQL Performance Article by Randy Dyess

Randy Dyess, a friend of mine and author of the Transact-SQL Language Reference, has penned a new article titled Common Transact-SQL Performance Coding Errors. Randy has a great deal of experience with Very Large Databases (VLDBs) and he covers the common and not-so-common errors in transact-sql usage which can affect query performance.

Phishing and IM usage

I sat in a briefing last year at Black Hat Las Vegas where numbers were cited for SPAM and phishing attacks. The phishing attacks were significantly more successful, even if they only were believed by a relatively small percentage of the receiving audience. The small percentages don't tell the whole story, though, because if you can get 1 out of 1,000 to bite, you still have got a fairly large number of users. A good site to keep up with the latest in phishing attacks is the Anti-Phishing Working Group.

As indicated in their February 2005 Phishing Activity Trends Reports, the Anti-Phishing Working Group has noted an increased usage of IM and other non-email mechanisms to propogate these phishing attacks. There has been quite a bit of strong language against the use of IM in the workplace and while it can be seen as a "work saver," there are enough security concerns around its use to consider deploying appropriate appliances to control usage or blocking it altogether. With IM being utilized increasingly as a mechanism to deliver viruses and phishing attacks, I'm wondering if a balance will be reached, much like with email, before most organizations start blocking IM, period.

First Article!

A friend and fellow co-worker, Jeremy Brown, has published his first professional article: Flexible DTS Packages with Perl. He takes a look at using Perl to create a DTS package in memory in order to perform data transfer operations.

News on the SQL Server Front?

Steve Jones has this breaking article on SQL Server on Linux. Be sure to read the entire article, though.