Saturday, January 29, 2005

Report: Major Windows security update foiled: "Security firm says it has found a way to beat memory protections in Windows XP Service Pack 2. Is Microsoft back to square one?"—News.com

Thursday, January 27, 2005

IP VPNs: Build Or Buy?: "To date, enterprises are taking the do-it-yourself approach to building IP VPNs with technologies like IPsec and SSL. However, new technologies like MPLS and the maturation of network-based VPN infrastructure provide enterprises with cost-effective and reliable IP VPN services that they can buy. So, what should your company do? Large enterprises should consider purchasing IP VPN services while small and medium-size enterprises (SMEs) should stick to an in-house approach. But ultimately, your internal IT and network staff will determine the right solution. If you lack the resources, a managed service is always a no-brainer."—Forrester Research

Wednesday, January 26, 2005

Aventail Revs SSLs: "Senior Editor Dennis Fisher caught up with Aventail CEO Evan Kaplan recently to talk about the consolidation among SSL VPN providers, the future of the technology and what the changes mean for customers."—eWEEK
Nortel working on new security routers: "Another ongoing effort comes at security from the desktop, making sure individual machines meet security standards before they can send traffic on the network. F5 Networks and Nortel last week announced they have joined Cisco, Extreme Networks, Juniper and others working with Microsoft to support the software giant's Network Access Protection (NAP) architecture. NAP is designed to create a broad security infrastructure that embraces servers, switches, routers and desktops. As NAP is gathering a long list of partners, Microsoft is preparing its first release for next year."—NetworkWorldFusion
Security strategies put Microsoft, Cisco at odds: "Microsoft's [NAP] approach is hardly novel. Many networking vendors are developing or offering similar features. Cisco Systems Inc. is implementing its Network Admission Control (NAC) program and Enterasys Networks Inc. recently announced its Trusted End-System. Both are designed to quarantine problematic end-user devices."—SearchNetworking.com
Trusted End-System Solution: "The Network-Based Trusted End-System solution complements the agent-based approach. It does not require a security agent to reside on each connecting device, making it particularly useful for organizations such as universities that often cannot control the number or type of end systems accessing the network. Once again, NetSight Atlas Policy Manager defines the end-system security requirements. When a user or device first attempts to connect to the network, its credentials are passed to an Authentication Server while the end system is scanned using vulnerability assessment and operating system patch assessment tools. This process is used to determine if that device meets the requirements for a trusted end system."—enterasys

Tuesday, January 25, 2005

Cisco's Secret Software Strategy: "Then there's the question of whether it makes sense for Cisco to develop this software on its own. 'I would be very surprised if Cisco would embark on third-party custom software development as a service or develop a software applications package,' Nolle says. 'With all the cash Cisco has, they'd be better off buying somebody.'"—Light Reading

Monday, January 24, 2005

Plugging the holes in porous university networks: "Not only are student laptops outside the control of the university's IT department, but students also tend to be drawn to software and services that pose security risks. In particular, students make great use of instant messaging systems and peer-to-peer systems, which are increasingly the target of security attacks, and students also tend to be drawn to free software, such as Kazaa, which is frequently targeted by Trojans and other computer infections. Plus, students tend to connect mobile devices, which are themselves increasingly the target of attacks."—IT-Director.com

Friday, January 21, 2005

MS AntiSpyware bites BitDefender: "A trial version of Microsoft software designed to rid Windows PCs of spyware is provoking complaints about false alerts. Microsoft said it is working with other vendors to resolve teething troubles with its Microsoft Windows AntiSpyware application, released to the public as a beta earlier this month."—The Register

Tuesday, January 18, 2005

SonicWALL Debuts World's First Sub-$400 Gateway Anti-Virus...: "SonicWALL Debuts World's First Sub-$400 Gateway Anti-Virus Firewall for Small Businesses"—Yahoo! Finance: SNWL

Monday, January 17, 2005

Brian Hook on the ActiveX Experience: "Brian Hook of id software fame got around to developing on ActiveX and found some minor grievances, particularly in the security department. To quote: 'I've been doing some ActiveX coding on the side for a couple days, stuff I'm not familiar with, and I'm just flat out _appalled_ at how bad that entire API and design is. I can make an OCX that basically formats your hard drive, stick it on a Web page with a tag, and if your security settings are set low enough, you'll start formatting your hard drive the minute you visit my Web page.'"—SlashDot
AlterPoint Addresses Compliance, Security: "To keep pace with the changing requirements of network managers and compliance and security officers, AlterPoint Inc. is set to unveil a new version of its DeviceAuthority Suite for automated network change and configuration management of heterogeneous networks."—eWEEK
Fried By Spyware: "How much of a nuisance is the prying software? Just ask McDonald's largest supplier."—Forbes

Friday, January 14, 2005

Nokia to launch all-in-one enterprise VPN solution: "With security concerns still the number one issue swirling around wireless systems, Nokia's announcement this week of Nokia IP VPN, a family of IPSec virtual private network products, should be welcome news to the enterprise."—InfoWorld

Thursday, January 13, 2005

Check Point Unveils Connectra 2.0, Introduces Industry's First Software-Based SSL VPN Solution: "Industry analyst John Girard, vice president of Gartner Inc, explains: 'Endpoint security is an escalating problem as SSL VPNs go mainstream. Users need to be protected from the moment they start an SSL connection through the moment they have logged out.'"—Yahoo! Finance

Wednesday, January 12, 2005

Symantec's Schwarz on Microsoft's Antispyware: "They ... last week announced a beta version of an antispyware solution which was recently acquired from Giant. The beta that we have been able to test is greatly inferior to anything that is available in the market today from us and from other providers. So, frankly, we are not particularly concerned today that Microsoft is any day soon going to deliver a solution which is competent to satisfy the requirements of our customers."—Computerworld

Tuesday, January 11, 2005

Trojan Exploits Windows DRM Loophole: "Remember just a couple of weeks ago when we pointed out that there was a bit of a loophole in the way Microsoft DRM worked? At that time it was being exploited by various adware vendors (possibly at the request of the recording industry) on files being put up on file sharing networks. We expected that these would soon be replaced by much more malicious trojan horse files... and, it appears our one prediction for the new year came true pretty damn fast. It's now being reported that a malicious trojan is spreading in exactly this manner."—Techdirt
Securing data from the threat within: "Firewalls and antivirus software won't stop an angry employee from stealing data, or a sloppy one from accidentally exposing it."—News.com
More browser vulnerabilities - surfers advised to use Lynx: "News of more browser vulnerabilities surface. Three of them are rated 'extremely critical' for users of Internet Explorer, while another two affect Mozilla and Firefox."—Ars Technica

Monday, January 10, 2005

Microsoft 'Titan' Will Zap 10 Top Worms: "When the first version of Microsoft Corp.'s new malicious software removal tool is released on Tuesday, it will be pre-programmed to zap 10 of the most virulent worms and viruses, including Blaster, Sasser, MyDoom and Nachi."—eWEEK
McAfee tool identifies exposed data: "Recognizing that Google’s search engine can become a repository for far too much information, McAfee this week released an updated version of its Foundstone SiteDigger security tool that helps enterprises identify damaging information that may be exposed on the Web."—InfoWorld

Sunday, January 09, 2005

Now to my predictions for 2005: "Microsoft's entry into the anti-virus and anti-spyware businesses will be a disaster for users. This is based on everything I know about Microsoft, having watched the company for almost 28 years. They will make a big fanfare, spend a lot of marketing dollars, but in the end, the company simply won't be able to keep up with the demands of keeping virus signatures current, which isn't the real point of this gambit, anyway. There is so much to this story and so much that I could write that I think I'll do so next week, and just move on to the next prediction."—I, Cringely

Saturday, January 08, 2005

MS AntiSpyware vs Ad-Aware vs. SpyBot: "An anonymous reader writes 'Flexbeta.net compares Microsoft's new spyware fighting tool, Windows AntiSpyware, to Ad-Aware and SpyBot S&D; the two leading spyware tools on the market today. The review sets up an infected PC using VMWare Workstation and scans the machine using all three tools to see which tool detects the most spyware. Though still in beta, Microsoft AntiSpyware does an amazing job at detecting spyware by finding twice as many infected files as Ad-Aware and nearly three times as SpyBot.'"—Slashdot

Friday, January 07, 2005

FishNet Security Raises $12M From Edgewater Growth Capital Partners: "FishNet Security Inc., a provider of security consulting, management and monitoring services that's been around for almost a decade, said that it has raised $12 million in its first institutional funding round."—VentureWire

Thursday, January 06, 2005

Gates: Microsoft Takes Step Closer To Anti-Virus Business: "Antivirus vendors have warned investors about the fallout as Microsoft enters the market. McAfee, for example, said in its most recent annual report that its own products could become 'obsolete and unmarketable' if Microsoft were to include antivirus protection in Windows software."—Forbes
Microsoft's search for spyware: "Microsoft's beta version of its Windows AntiSpyware application is now available for download via the company's Web site."—News.com
You can find the 7MB download here.

Microsoft anti-Spyware app hits the net: "Neowin is linking to the new beta of Microsoft's anti-spyware application. I'm running this here and it's quite good. On my honeypot computer (yeah, I run a computer that is open to the Internet) it found a few things that others didn't.

If you're trying this out, would love to hear your experiences."—Robert Scoble

Adobe offers PDF confidentiality feature: "The server software allows organizations more control of, and security for documents being shared over a network."—Computerworld News

Wednesday, January 05, 2005

Hackers step up search for unpatched servers: "Network administrators who have failed to patch their systems against the Microsoft Windows Internet Naming Service vulnerability are now at much greater risk of attack."—News.com
Aventail incompatible with Google Desktop Search: "Unfortunately, there are also a few programs which are entirely incompatible with Desktop Search. These include ... aslsp.dll (from Aventail)"—Google Help Center

Tuesday, January 04, 2005

Microsoft Readies 'A1' Security Subscription Service: "Publicly, Microsoft continues to be cagey about packaging and pricing plans for its anti-spyware and anti-virus solutions. But privately, Microsoft has begun informing partners of its plans for a security subscription service code-named 'A1,' according to developers who requested anonymity."—Microsoft Watch
Microsoft Anti-Spyware Beta Due 6th January: "Microsoft have just finished distributing an internal Beta 1 escrow build to internal beta testers. 'Atlanta' is the code-name for Microsoft's rehashed GIANT Software Anti-Spyware. In a memo internally, the company looks clear to distribute the software this coming Thursday calling it 'new, it's fresh, and it's all good'."—Neowin.net
Symantec Eyes One-Stop Shopping: "Looking to solidify the company's place at the top of the security heap, Symantec Corp. executives are considering a new pricing model in which enterprises using Symantec's managed services would pay a single price for all the products and services they purchase from the company."—eWEEK