Security: Threat Alert

Jason Meserve provides up-to-the-minute news on vendor security alerts and fixes.

Search Security: Threat Alert

Ending with a roar: 12/18/08; The end is here. As you may have noticed from the Editor's Note that has been appearing above this space for the past few weeks, we are discontinuing this newsletter. It's been a pleasure serving you for the past eight years. Thank you for reading and contributing. And we're not going out with a whimper as Microsoft, Firefox and Apple have all released major updates. Get patching and Happy Holidays!
Internet Explorer flaw bigger than expected: 12/15/08; Still using Internet Explorer 5? You might be vulnerable to a information-stealing flaw. Microsoft last week said IE7 was the only browser version affected by a newly discovered vulnerability. But late last week the company expanded that advisory to include ALL versions of IE from 5 to 8 beta. No patches are available, but Microsoft does offer some risk-mitigating steps to take. Might be time to give Firefox, Safari or Chrome a try if you haven't already.
It's always the last one that gets you: 12/11/08; Microsoft is sending 2008 out with bang, patching some 28 vulnerabilities in the latest Patch Tuesday update released this week. Of course, it's the 29th bug that got them: Chinese security researchers said they accidently released an exploit for Internet Explorer 7 that takes advantage of an unpatched bug. If Microsoft holds to the schedule for its next update, that will mean this IE7 exploit will have a full month to be targeted. Redmond is not saying if it will release an emergency patch early or not.
8 Microsoft fixes coming in tomorrow's December Patch Tuesday: 12/08/08; Christmas comes early for those who equate patches with presents. Microsoft is releasing eight new updates tomorrow as part of its monthly Patch Tuesday release. Three-quarters of the patches are deemed critical. Timed well with the latest Patch Tuesday news is a study by a security researcher that says users are indifferent to Microsoft's patch "alarms." That may be true, but the auto-update feature does a good job of keeping people current on the latest updates.
Macs: To Antivirus or Not To Antivirus: 12/04/08; While Sun and VMWare top our list of patches this week, it's Apple that seems to be making the most news. Reports earlier in the week said that Apple was urging users to add an antivirus application to their Mac OS X systems. But, later in the week, Apple took down the warning page saying it was outdated. So, do Macs need antivirus? They are less of a target than Windows obviously, but still a target. Does it hurt to run antivirus and add that extra layer of security?
Malware attacks on all fronts: 12/01/08; Malware authors and distributors didn't take a break for the Thanksgiving holiday. Over the past few days a new worm targeting Mac OS X has hit the Interweb as well as a new Windows Trojan that targets the vulnerability Microsoft patched in October. Plus, there's quite convincing phising attacks targeting both Capital One and Bank of America customers to be on the lookout for. We might have slowed down for the last four days, but the bad guys have not.
A new flaw in Vista: 11/24/08; Researchers have stumbled on yet another vulnerability in a Windows operating system. Vista users could be at risk of having malicious code run on their system if hackers figure out how to exploit a pair of buffer overflow vulnerabilities in Vista's Device IO Controlm, according to researchers at Phion. Microsoft has yet to comment on the findings, but the next scheduled patch cycle is still two weeks away.
Linux vendors patch XML parser: 11/20/08; Most of the major Linux vendors have released patches for a pair of bugs in libxml2, an XML C parser and toolkit developed for the Gnome project. Both bugs could be exploited in a denial of service attack against systems that rely on the libxml2 module. Ubuntu, Mandriva, rPath and Debian are all out with patches today to remedy the problem.
Browser patches galore: 11/17/08; Browser patches are the big ticket items this week with updates out for Mozilla Firefox, Apple Safari and Google Chrome. Mozilla's Firefox update involves 11 flaws, 10 of which are moderate or greater in importance. That update should be auto-downloaded to your browser already or in the coming day or two. Apple's Safari update features a new anti-fraud update, which users can get via the Apple Update feature. Google's Chrome update is a little more difficult to pin down. The patch is supposed to prevent attackers from stealing files from a PC, but it is only available to developers and not through the update feature. There is a workaround for those that run Chrome and want the patch.
Microsoft better-late-than-never with 7-year-old patch: 11/13/08; From the better-late-than-never department: One of the two patches Microsoft released this week is for a 7-year-old bug in Windows, one that a founding member of the Trustworthy Computing team had warned about from the beginning. You might think there wasn't an exploit until now, so no need to patch. But, Cult of the Dead Cow (what a great name) released an exploit back in March Of 2001. Not sure what took so long for Microsoft to catch up, but they finally have. Also today, we've got some karping going on between rivals IBM and TrendMicro over flaws in the latters' products. Always good fodder when security companies snipe at each other.
Patch Tuesday Lite on tap from Microsoft: 11/10/08; After a mammoth October Patch Tuesday that was followed up by an emergency patch a week later, Microsoft is going lite on the security updates this month with two new fixes slated for tomorrow. One fixes a bug in Windows and Office, the other fixes a less critical flaw in Windows. Be on the lookout Tuesday around 1 p.m. EST for the updates.
Obama mania spawns malware: 11/06/08; Malware authors know a good thing when the see it and usually waste little time pouncing on the opportunity. Barack Obama's presidential election win spawned a wave of Obama-themed malware attacks that try to lure viewers to a fake video of his victory speech. Of course, the fake video really installs a backdoor Trojan and steals data from the victim's machine. Also this week, Adobe finally patched a bug in its PDF applications after the flaw was initially reported five months ago.
Google patches Android flaw: 11/03/08; Google was quick to patch software flaw in its new G1 Android phone operating system. Users began seeing an update last week after security researchers disclosed the flaw earlier the same week. Fortunately, no known exploit was available (most likely because of the small target audience). Still, good to see Google getting on top of a potentially embarrassing bug quickly.
Malware authors get busy in down economy: 10/30/08; What do malware authors do when the stock market is down? Increase their rate of malware distribution in an effort to capitalize on economic fears. And to do so, they're having to revert to some older tactics as the number of financial institutions dwindle, taking with them the number of phishing opportunities. This week, I talked with Ryan Sherstobitoff, chief corporate evangelist for Panda Security, about his findings on how stock and malware market activities mimic each other and other eyebrow-raising malware trends.
That was fast: Microsoft bug already exploited: 10/27/08; Hope you've got that out-of-cycle Windows patch installed, because there's already a worm running amok exploiting the flaw. Microsoft took the unusual step of rushing out a patch for Windows last Thursday and within hours attack code was published that could take advantage of the flaw. Not quite Zero Day, but pretty close. Of course, a lot of noise was made over Microsoft's non-Patch Tuesday release, but some in the security community are wondering what the big deal is? After all, there are automatic systems in place to install said patches, and other vendors release patches all the time without a parade. So why the hoopla over this Microsoft release?
Security requires a little common sense: 10/23/08; Sometimes its the simple things that can lead to a data leak. Like not shredding paper data. A dentist's office near my house is in hot water for letting paperwork containing sixty patients infomation to get loose. The Aspen Dental office in Nashua, NH says it didn't have to shred the data before throwing it away and that its the garbage contractor's fault for losing it. Haven't they heard of dumpster diving? All the network security in the world wouldn't have prevented this leak, but a little common sense would have.
Bad times could be good for security: 10/20/08; While virus/malware writers are using the down economy as a way to push their illicit wares, security professionals can benefit as well. Network World's Ellen Messmer has a piece on how you can push your vendors for those "special" projects since they're probably more eager for business with the down econonmy. During downtimes, the low hanging fruit can keep them satisifed enough that they can ignore the tougher customer requests. Now, they are more willing to respond "How high?" when you ask them to jump. Check out the story in our related links section.
To patch or not to patch: 10/16/08; When Microsoft releases new patches, as it does this week with its 10 vulnerability haul, everyone seems to get them installed pretty quickly after they're released. Maybe it's the automatic update feature in Windows or the fact that people are always wary of Microsoft security. Whatever the case, it's a good thing patches are installed quickly. Contrast that to a report from Computerworld that says while Oracle releases patches on a quarterly basis - with 36 delivered this week - database admins are not always as quick to apply those patches. Why? Are the systems too complex or cannot be taken offline to update quickly? Do they require more testing? All likely scenarios. Hopefully hackers are not exploiting the gap between patch release (and vulnerability disclosure) and the time it takes to patch.
Patch Tuesday and a full moon: A bad combo?: 10/13/08; October's Patch Tuesday is upon us with 11 new updates for various Microsoft products including Active Directory, Internet Explorer and Excel. Tuesday is also a full moon, so should be an interesting day. Apple users too have some patching to do as the company released a new wide-ranging Mac OS X update last week. Finally, with the downturn in the economy comes opportunity for spammers, phishers and malcode authors. If the deal looks too good to be true, it probably is.
Cisco patches Unity flaw: 10/09/08; Cisco has released a patch for its Unity unified messaging platform that fixes an authentication bug that could allow unauthorized users to make configuration changes. VMWare is out with a number of fixes as well for its Hosted products, VirtualCenter Update 3, ESX and ESXi lines. And Adobe finally acknowleged the Clickjacking attack that plagues its Flash player. The company released a workaround for the issue and says a permanent fix should be out at the end of the month.
Major DoS vulnerabilities in TCP/IP: 10/06/08; Yikes. Newly discovered (but yet to be disclosed) flaws in the TCP/IP protocol - the backbone of the Internet - could be exploited to launch denial-of-service attacks against virtually any device running any operating system, including firewalls and other security measures. According to reports, the researchers that discovered the flaws are working with vendors to repair the issue before releasing their findings to the general public. iPhone users weren't so lucky: A frustrated security researcher detailed two flaws he found in the popular Apple device after not hearing back from Cupertino on his July discovery.
Phishers and scammers use bleak economic news to lure victims: 10/02/08; Lots of Phishing, Spam and Scam news today. Looks like the down economy is proving to be a lucrative lure for scammers, who are using the stock and credit market woes in phishing attacks featuring Bank of America and pump-and-dump scams for penny stocks. Also, 419 scammers are hacking e-mail accounts and sending out a plea for money to "friends" of the hacked account. Different, but still slimy.
Yet another Firefox update: 09/29/08; Thought it was odd this morning that Firefox was asking me to install a new update when I had just done so late last week. Turns out Mozilla had to rush out another patch to fix a password vulnerability in the popular browser. Be on the lookout. Also, CA Service Desk users should download the latest update, which patches multiple flaws in the trouble ticket tracking system.
Inside the hacker underground: 09/25/08; Tom Rusin, President of Affinion Security Center, has me scared that hackers are trading my personal and credit card information all over the Web. His company uses monitoring of underground chat rooms and other sources to help keep customers credit safe and he recently gave me a live look at the hacker underground in action. Amazing how much of this information is being traded every minute.
Web-based mail service not so secure: 09/22/08; Much attention is being brought to the Web-based mail security (or lack of), after last week's hack in to vice presidential candidate Sarah Palin's Yahoo e-mail account. It seems all the major services are vulnerable to the same sort of password recovery hack used in the Palin case, so vendors are coming out with ways you can protect yourself and tips for the providers to offer better security for end users. The good news is, authorities seem to be hot on the trail of the Palin hacker.