Wednesday, November 14, 2007

MySpace, Facebook ad plans violate privacy, groups tell FTC

Two consumer advocacy groups have asked the Federal Trade Commission to investigate whether new advertising initiatives announced last week by social networking sites MySpace and Facebook adequately protect consumer privacy.
In a Nov. 12 letter to FTC Chairman Deborah Platt Majoras, the Center for Digital Democracy and the U.S. Public Interest Research Group claimed that the "ambitious new targeted advertising schemes" launched by MySpace.com and Facebook Inc. "make clear the advertising industry's intentions to move full-speed ahead without regard to ensuring consumers are protected."
Jeffrey Chester, founder and executive director of the Center for Digital Democracy, said that by launching the advertising plans, MySpace and Facebook are "thumbing their noses at the FTC and consumer privacy rights" by allowing marketers to customize advertisements based on data provided by users in their profiles on the social networking sites.
"MySpace and Facebook are like the digital data equivalent of Fort Knox for Madison Avenue marketers," he said. "It is a kind of one-stop data shop for marketers. They know your interests, your politics and what movies you like. It is a much more rich array of content that marketers simply should not have automatic access to."
Chester said that consumers must be offered a complete opt-out option, and that the social networks must fully disclose how they intend to use users' personal information.
The letter goes on to note that since both MySpace and Facebook are working with fast-food advertisers, the FTC should include their plans in its ongoing review of advertisements that may promote obesity among youths.
Several attorneys and privacy advocates last week questioned whether it is legal for the social networks to tell a user's friends about his or her purchases or likes without the user's written consent.
In a statement e-mailed to Computerworld, MySpace said it is "firmly committed to protecting user privacy and adher[ing] to a strict policy." In addition, MySpace noted that by the end of this year, users will be able to opt out of MySpace programs that use their preferences to help advertisers create customized ads.
"Our ad targeting platform is designed to work with user-expressed information from profile pages to create a more-relevant advertising experience," the statement said. "Users who are not interested in participating will have the ability to 'opt out' of the targeting platform."
Facebook did not immediately respond to a request for comment.
This week's letter was a follow-up to a report the two groups sent to the FTC in early November urging it to launch an investigation into new threats to privacy from the behavioral targeting and profiling of users -- especially youth -- by social networks and other online sites.

Microsoft fixes WSUS malfunction in time for Patch Tuesday

For the second time in less than three weeks, Microsoft Corp. has had to apologize for blunders made by the application that enterprise administrators rely on to deploy the software vendor's security patches and other updates.
Late yesterday, Bobbie Harder, a senior program manager with Microsoft's Windows Server Update Services (WSUS) group, confirmed the latest gaffe in a posting to a company blog.
"Sunday evening, Microsoft renamed a product category entry for Forefront to clarify the scope of updates that will be included in the future," Harder said. "Unfortunately the category name that was used included the word Nitrogen in double quotes (appearing as "Nitrogen"). A double quote is a restricted character within WSUS, which created an error condition on the administration console. This issue occurred on many WSUS servers that synchronized with Microsoft servers between 5 p.m. Sunday and 11 a.m. Monday, Pacific time."
Monday morning, network administrators at Microsoft user companies began posting messages to WSUS support forums after they arrived at work to find the patch delivery software's management console reporting an error, essentially blocking them from retrieving updates.
The timing couldn't have been worse, as Microsoft is scheduled to deliver its monthly security fixes later today.
Harder said the glitch was fixed Monday afternoon and would be propagated to each WSUS server the next time it synchronized with Microsoft's update servers. She also provided instructions for administrators who have set WSUS to sync manually, with separate steps for WSUS 2.0 and WSUS 3.0.
Allen Moore, a systems administrator at DeKalb Memorial Hospital in DeKalb, Ill., said he didn't wait for Microsoft yesterday, but instead used SQL queries posted in a support forum to bring back WSUS. "I applied the two SQL queries to manually fix the tables yesterday, and was able to get back into WSUS without any errors," he said in an e-mail today. "I [also] just checked our WSUS 2.0 server and it appears to be working correctly after updating this morning."
Harder said her team would add new checks to curb errors like this. "We are also improving our publishing tools to make sure that issues like this are caught during the publishing process, before they impact customers," she said.
She said much the same thing, however, less than three weeks ago after admitting that recycling an update package had force-fed Windows Desktop Search (WDS) to client PCs which had been told to ignore the application. "We are also working on improving our internal publishing processes to ensure this does not happen again in the future," Harder said then.
Some users seemed to be unhappy with the trend in WSUS problems. "Thanks, Microsoft, it's great having things like this happen when I'm already too busy!!!" said someone identified as stormforce5 on a WSUS support forum yesterday.
As she did in the wake of October's WSUS snafu, Microsoft's Harder said she was sorry: "We sincerely apologize for any inconvenience this may have caused to our customers."
Anyone still having problems with WSUS should contact Microsoft support, Harder added.

Microsoft patches URI bug, ancient DNS flaw

Microsoft Corp. today released two security bulletins that fixed a pair of flaws in Windows, including a vulnerability that had been the root of a monthslong debate over patching responsibility.
One of the updates was rated critical, Microsoft's highest threat ranking, while the other was pegged as important, the next-lowest notch in the company's four-step scoring system.
MS07-061 patched the Uniform Resource Identifier (URI) protocol handler bug in Windows XP and Windows Server 2003 that Microsoft admitted was its job to fix only after months of denying that a vulnerability existed in its software. In a security advisory posted Oct. 11, Microsoft owned up to the flaw.
The vulnerability has been exploited in the wild for weeks, most recently by a wave of attacks using rigged PDF files.
Although only PCs running XP or Server 2003 that were also equipped with IE 7 have been shown to be at risk, Microsoft pushed the patch to all users of those operating systems, no matter which browser they had installed. "Microsoft has not identified any way to exploit this vulnerability on systems using Internet Explorer 6," the security bulletin said, "[but] as a defense-in-depth measure, this security update is made available to all customers using supported editions of Windows XP and Windows Server 2003, regardless of which version of Internet Explorer is installed."
Andrew Storms, director of security operations at nCircle Inc., applauded the proactive move. "Microsoft's saying that even though it's unable to exploit [the URI protocol handler bug] for IE 6, the bug still exists, and someone else may come along and figure out an exploit," he said.
According to Eric Schultze, the chief technology officer of Shavlik Technologies LLC, Microsoft is simply following protocol. "They're giving the patch regardless of the SKU of XP or Server 2003, because they can't deliver it as an IE patch," he said. The flawed component, the "shell32.dll" file, is part of Windows, not Internet Explorer.
But although the fix should put an end to URI protocol handler exploits that rely on IE -- or, as Storms put it, "at least until the next attacks" -- other applications that register buggy handlers will still have to patch their own code. Microsoft's security experts, including Mark Miller, the director of the Microsoft Security Response Center (MSRC), and Mike Reavey, the operations manager for the group, made that clear in an interview a month ago.
The other bulletin issued today, dubbed MS07-062, patches a DNS cache poisoning vulnerability in Windows 2000 SP4, and Windows Server 2003 SP1 and SP2.
"This is a classic, a nostalgic man-in-the-middle kind of vulnerability," said Storms, who also knocked Microsoft for taking so long to fix the flaw. "This is something that other DNS [Domain Name System] vendors, like BIND, have known about and fixed years ago." Storms, in fact, was quickly able to dig up reports of the DNS vulnerability from as far back as 2002.
"It's not an easy thing to take advantage of, but I'm willing to bet that there's still some script-kiddie code out there that can be modified for this vulnerability," Storms said. An attacker would probably partner an exploit with a phishing e-mail that would entice the recipient to a trusted Web site, say eBay. The exploit, however, would redirect the user to a fake site to plunder personal or financial information.
"This sort of vulnerability has impacted other DNS servers in the past and has been well understood by attackers for a long time," said Chris Valasek, a researcher with IBM Corp.'s X-Force, in an e-mail. "Now that Microsoft DNS Server's susceptibility has been disclosed we may see renewed attacks of this sort."
The only surprise in this month's patches, said Schultze, was the omission of a fix for a bug in third-party anti-piracy software that's bundled with Windows. The vulnerability in Macrovision Corp.'s SafeDisc digital rights management software was confirmed last week.
"I'm guessing that Microsoft wasn't able to wrap the updated [Macrovision] driver in its own installers in time," Schultze said. "Maybe we'll see it as an out-of-band release."
The two bulletins' patches are available via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services (WSUS).