Week in Security: Windows Flaws, Executive Appointments

* Security experts Monday warned of a flaw affecting systems running Microsoft Windows 2000 with Internet Information Server (IIS) that attackers exploited to compromise a U.S. military server in what experts called a "zero day" attack. A buffer overflow vulnerability in the Windows 2000 WebDAV (Web Distributed Authoring and Versioning) component used by IIS Web server software can allow an attacker to take over a system. The vulnerability only affects systems using Windows 2000 with IIS 5.0. Microsoft issued a patch and workaround for the flaw and warned users about another flaw in most versions of Windows that could allow hackers to take control of a system when users read e-mails or visit Web sites. A flaw exists in the way the Windows Script Engine for JScript processes information, Microsoft said, urging customers to download a patch from its Web site at www.microsoft.com/security.

* SonicWall named Matt Medeiros president and CEO. Medeiros, former president and CEO of Philips Electronics Components Division, replaces Bill Roach, who was appointed interim CEO after the resignation of Cosmo Santullo last August. Roach, who was a candidate for the permanent position, will remain at SonicWall as a senior executive focused on operational improvements and customer satisfaction, the company said. SonicWall, a Sunnyvale, Calif.-based supplier of Internet security appliances, also said Chuck Kissner, a board member, was elected chairman. He replaces Sreekanth Ravi, SonicWall's founder, who will continue to serve on the board.

* Antivirus vendors warned of a new mass-mailing worm that exploited the Iraq crisis. MessageLabs, a managed e-mail security provider, said it caught the first copy of Ganda.A on Sunday. The worm, which uses its own SMTP engine, comes with the subject line "Spy pics" and a message that reads, "Here's the screensaver I told you about. It contains pictures taken by one of the U.S. spy satellites during one of its missions over Iraq. If you want more of these pic's [sic] you know where you can find me. Bye!" Trend Micro rated the worm as low-risk.

* Security researchers at SPI Dynamics issued an alert about a serious vulnerability in BEA Systems' WebLogic application server that could allow an attacker to gain unauthorized access to applications and systems. The flaw affects WebLogic Server and WebLogic Express versions 6.0, 6.1 and 7.0. Researchers said they found several undocumented applications deployed in default configurations of WebLogic and that many of the applications were not adequately protected from unauthorized use. BEA issued a patch.

* Netsec, a Herndon, Va.-based provider of managed security services, named Glenn Hazard chairman and CEO. He replaces Ken Ammon, who will remain at Necsec as the head of government services. Hazard previously was a senior partner at consultancy firm Zero-G and was president and CEO of E-Certify, a supplier of security products and services. Netsec also announced that it raised $10 million in additional financing from its current investors, Mobius Venture Capital and ArrowPath Venture Capital, to expand its market and introduce new managed services offerings.

* Gibraltar Software released its patch management solution, Everguard System, in bundled packages for small and midsize businesses. The packages start at $2,995 and include software licensing, node licensing, appliance maintenance and 24x7 support. The software comes preloaded on a purpose-built hardened appliance.

* eEye Digital Security announced the availability of Retina Remote Manager, a software product that provides centralized access to its Retina vulnerability assessment scanners. The software allows administrators to conduct vulnerability assessment inside or outside the network perimeter and schedule scans to run as often as needed, the company said.

* SecurePipe, a managed security services provider based in Chicago, said it raised $2 million in funding from investors including First Analysis and Prism Opportunity Fund. The money will be used to build out SecurePipe's delivery channel and expand business development, partner recruitment and customer service. Altogether, SecurePipe has raised nearly $5 million in venture funding.