Tuesday, April 21, 2009

Around The Horn vol.1,86

SB09-110: Vulnerability Summary for the Week of April 13, 2009

Security Bulletin Webcast Questions and Answers - April 2009

By MSRCTEAM on Webcast Q&A

Hi,

During this month’s webcast we were able to address 15 questions in the time allotted, but have included the additional questions asked in this Q&A post. Most of the questions centered on MS09-013, the Windows HTTP bulletin; MS09-014, the Internet Explorer bulletin; and MS08-015, the Blended Threat bulletin. We did address additional questions regarding the other bulletins, as well as questions concerning the Product Support Lifecycle.

Here is the link to the full Q&A so you can see all of the answers that were provided for these great questions:

http://blogs.technet.com/msrc/pages/monthly-security-bulletin-webcast-q-a-April-2009.aspx

Also, here is the link to the Q&A index page in case you want to view previous months:

http://blogs.technet.com/msrc/pages/microsoft-security-bulletin-webcast-q-a-index-page.aspx

As always, customers experiencing issues installing any of the updates this month should contact our Customer Service and Support group:

Customers in the U.S. and Canada can receive technical support from Microsoft Customer Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.

International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.

Thanks!

Al Brown

Digital Content on TV, (Mon, Apr 20th)

With higher bandwidth to home and IP based TV, we can enjoy more dynamic content and have even more ...

AVG Unveils LinkScanner to Fight Malware on the Web (PC Magazine)

In technology

PC Magazine - AVG Technologies has released AVG LinkScanner, now a separate product. LinkScanner isn't perfect, but AVG claims a far higher percentage of detection than the reputation systems can possibly claim.

Wanted: Computer hackers ... to help government (AP)

In technology

AP - Wanted: Computer hackers.

Metered Broadband, Twitter Worm, Pirate Bay and More on PC World Podcast Episode 25 (PC World)

In technology

PC World - This week, Tim Moynihan and Robert Strohmeyer co-host the 25th edition of the PC World Podcast. Editors Denny Arar and Darren Gladstone contribute to the discussion about Time Warner's metered broadband plan, the Twitter Worm, Ashton Kutcher's Twitter war with CNN, the Gadget of the Week, as well as the verdict of the Pirate Bay trial.

iWork Trojan horse may be turning Macs into zombies (Macworld.com)

In technology

Macworld.com - Over the years, Mac users have been lucky enough that the word “zombie” only conjures up the shambling brain-craving hordes of the undead in movies like Shaun of the Dead, but Windows users have long been dealing with the menace of zombie botnets -- networks of PCs corrupted by malware into vectors for malicious attacks.

Researcher Offers Tool to Hide Malware in .Net (PC World)

In technology

PC World - A computer security researcher has released an upgraded tool that can simplify the placement of difficult-to-detect malicious software in Microsoft's .Net framework on Windows computers.

Phishers get more wily as cybercrime grows (Reuters)

In technology

Reuters - Phishing scams have grown up from the unsophisticated swindles of the past in which fake Nigerian princes e-mailed victims, who would get a big windfall if they just provide their bank account number.

Economic crisis 'to boost cyber crime': Microsoft (AFP)

In technology

AFP - The global financial crisis threatens to spark a rise in cyber crime as computer experts lose their jobs and resort to illegal ways to earn a living, a senior official of Microsoft said Thursday.

Researcher Finds Possible Bug in Apple's IPhone (PC World)

In technology

PC World - Famed Mac hacker Charlie Miller has found another possible security vulnerability in Apple's iPhone.

Google Docs temporarily locks out some IE users

By eric@arstechnica.com (Eric Bangeman) on security

If you were having trouble logging into Google Docs & Spreadsheets on Sunday, you were not alone. A reader tipped us to a problem experienced by a number of users who tried to access their documents over the weekend only to be greeted by the dreaded "403 Forbidden" error message. The one thing they all had in common is that they were using Internet Explorer at the time.

Apparently, the presence of IE was setting off some security alarms for Google Docs. "We're sorry, but your query looks similar to automated requests from a computer virus or spyware application," the message said, according to a user who had had difficulties. "To protect our users, we can't process your request right now."

Symantec acquires Mi5, expands security offerings

By Elinor Mills

SAN FRANCISCO--Symantec has acquired Web security firm Mi5 Networks and plans to announce two new security suites at the RSA security conference on Tuesday.

Mi5 sells a Web security appliance that protects corporations against Web-based threats. Symantec will integrate the technology into its offerings later in 2009 and offer it ...

LinkScanner stands alone once more

By Seth Rosenblatt

LinkScanner is once again available as an independent plug-in for Windows-based Firefox and Internet Explorer, following more than a year spent as a feature of AVG Technologies' AVG security suite. Still available as part of AVG, users can now once again download LinkScanner independently of AVG's antivirus software, and ...

Windows 7 security enhancements

By Elinor Mills

Windows 7 makes remote connectivity to corporate networks seamless, protects data on thumb drives, and offers fewer user account control prompts to bug users compared to Vista, Microsoft said on Monday.

The software giant began an education blitz about the security features of the newest version of its operating system ...

AVG offers free LinkScanner for real-time Web page scanning

By Elinor Mills

AVG on Monday will begin offering a free version of its LinkScanner software, which offers real-time scanning of Web pages while surfing or doing Web searches.

LinkScanner, which is currently part of the AVG Free Edition suite, scans a Web page before a surfer visits the page and warns if ...

Secure software? Experts say it's no longer a pipedream

By Elinor Mills

With the Conficker worm still hot and Microsoft patching multiple software vulnerabilities last week, it might be reasonable to assume the bad guys are winning the battle to get control over Internet-connected computers.

That's not necessarily the case. Developers are increasingly equipped with tools to shore up their products and vendors are collaborating in unprecedented ways to not only close holes in software, but also make sure they aren't in there in the first place, according to security experts.

"I think the industry as a whole is definitely getting better, but the spread between the best and the worst is widening," said Dan Geer, a risk management specialist and chief information security officer for In-Q-Tel, a nonprofit venture capital firm that invests in security technology.

"Conficker did far less damage in 2009 than it would have done in 2003," said Dan Kaminsky, director of penetration testing at IOActive. "Windows used to be a lot easier to blow up."

But on the eve of RSA, the world's largest security conference, which starts on Monday, experts say the hunt is on for the elusive Holy Grail of computer security -- vulnerability-free software.

At RSA shows in years past, Microsoft was roundly criticized for releasing software full of security holes. In 2002, the company launched its Trustworthy Computing initiative, vowing to make security a top priority. Seven years later, the move is bearing fruit. The company reports that there are far fewer security holes in newer versions of its products and weaknesses in its operating system overall have dropped. Web applications have become the security bad boys of software.

In the second half of 2008, the proportion of Microsoft vulnerabilities on Vista-based machines accounted for just 5.5 percent of the total, Microsoft says. Machines running Vista were found to have 60 percent fewer infections than those running Windows XP, the company said in a recent report.

Microsoft went from being the vendor responsible for the greatest proportion of vulnerabilities to being third, with 2.5 percent share, according to research last year from IBM's X-Force. The lion's share of the vulnerabilities come from start-ups racing to be the next Facebook, and 70 percent of them are doing the security testing and review after they release the product, Microsoft says.

"Security is an inherently hard problem. It's difficult to get to perfection for any company," said Steve Lipner, senior director of security engineering strategy in Microsoft's Trustworthy Computing Group. "What we are seeing is the percentage of vulnerabilities coming out of major software organizations is dropping as a percentage of the total of vulnerabilities reported."

Better tools, fewer mistakes
The company has turned its Security Development Lifecycle (SDL) process into a pseudo-religion for other companies to follow. Last year, Microsoft began offering free SDL tools so outside developers can assess their practices and analyze their software designs to look for security weaknesses.

The tools for writing secure code are getting better, so developers are less likely to make mistakes, said Johannes Ullrich, chief security researcher at the SANS Institute security organization.

Microsoft isn't alone in providing help to the developer community. HP is offering a free tool that helps find holes in Flash applications, and last week announced tools that nonsecurity professionals can use to do security testing. IBM sells a tool for Flash and Ajax developers, and last week the CERT Coordination Center at Carnegie Mellon released an open-source tool for testing ActiveX code.

In particular, Microsoft's recent release of an open-source tool called "!exploitable Crash Analyzer," which simplifies the process of identifying exploitable vulnerabilities during application development, is a "game changer," said Kaminsky.

"I don't think it's ever been quite so easy for non-security developers to recognize when they have vulnerabilities, when they have a flaw that could be used by a bad guy," he said.

Despite the recession, the software security market is growing significantly, accounting for more than $450 million in revenue in the U.S., Gary McGraw, chief technology officer at software security consulting firm Cigital, wrote in an article last week.

The challenge for developers
McGraw recently got a peek at the secure development processes at Microsoft, Google, Adobe, Wells Fargo, The Depository Trust & Clearing Corp., and four other leading companies, and released a report card of sorts (although grades are confidential) that other companies can use to gauge their level of progress. The Building Security in Maturity Model is "an objective yardstick" for development of products that are secure, McGraw said.

"In my view, software security is getting more and more important every single day," he said. "The good news is we are actually making some progress." The tools are out there, but the problem is developers often aren't trained, experts said.

A Forrester survey commissioned by Veracode and released last week found that only 34 percent of companies have a comprehensive software development lifecycle process that integrates application security and 57 percent of organizations don't have systematic application security training programs for developers.

Ullrich advocates a concept he called "software security street fighting"--where developers avoid complex techniques in which holes are more easily created.

"Developers, to some extent, can't really win," Ullrich said. "They have to be right every single time, while an attacker only has to be right once." ...

Forget your password? Use your phone

By Elinor Mills

FireID was set to announce at RSA 2009 on Monday technology that allows people to access multiple Web sites on their mobile phone without having to remember all the passwords.

The FireID universal personal authenticator app turns any phone that runs Java into a one-time password generator and generates the ...

SMS messages could be used to hijack a phone

By Elinor Mills

Be careful who you give your mobile phone number out to. An attacker with the right toolkits and skill could hijack your phone remotely just by sending SMS messages to it, according to mobile security firm Trust Digital.

In the Trust Digital demo on YouTube, an attacker sends an SMS

Teen Twitter worm writer gets job, spreads new worm

By Elinor Mills

The teenager who takes credit for the worms that hit Twitter earlier this week has been hired by a Web application development firm and on Friday released a fifth worm on the microblogging site, he said.

Twitter fought off four waves ...

The hype factor at the RSA conference

By Jon Oltsik

It's nearly time for that annual spring ritual: the RSA Conference at the Moscone Center in San Francisco. ESG data tells me that, despite the recession, global organizations continue to spend on security products. So I expect another good show, though I do anticipate that the $500 kegs of ...

Report: Payment card data was top target in 2008

By Elinor Mills

More records were breached in 2008 than in the previous four years combined as a result of a few large breaches involving payment cards, according to a report released on Wednesday.

Last year, 295 million records were compromised and there were 90 confirmed breaches, ...

Microsoft to offer hosted security for Exchange

By Elinor Mills

Updated 5:20 p.m. PDT with more details and comments from Microsoft executive.

Microsoft will begin offering its first hosted security service under the Forefront brand on Thursday, dubbed Forefront Online Security for Exchange and designed to help keep malware and spam out of e-mail in-boxes.

The hosted service, ...

Microsoft fills Excel, Windows, Word holes

By Elinor Mills

Updated 12:30 p.m. PDT with ZoneAlarm discount offer and 11:50 a.m. PDT with comment from security vendors.

Microsoft on Tuesday closed security holes in Excel, Windows, and Word that had been exploited in the wild as well as other holes for which exploit code or details ...

Why a national data breach notification law makes sense

By Jon Oltsik

As we await the 60-day federal cybersecurity review from Melissa Hathaway, acting senior director for cyberspace for the National Security and Homeland Security Councils , there is something else that could be done. It seems to me that the federal government could take another related action to help protect the private ...

Police detain Craigslist masseuse murder suspect
Two other women attacked

Police investigating the murder and attacks of three women who offered lap dance, massage and other services on Craigslist have taken a man into custody.…

Google boffins unveil new 'What's UP?' CAPTCHA
Arms race extended

Attempting to take the upper hand in the battle against bots, researchers from Google have devised a new CAPTCHA system that uses a series of randomly rotated images to distinguish between human visitors and automated scripts.…

FBI docs out home-brewed spyware probes
Browser vulns optional

The FBI for at least seven years has relied on a home-brewed package of spyware to infiltrate the computers of criminals and secretly send a wide range of information to servers controlled by the bureau, according to an investigation by Wired.com.…

DHS hunts for white-hat hackers
Only the elite

The Department of Homeland Security is looking to recruit white-hat hackers to help defend the US's critical internet infrastructure.…

Lumension keys in Securityworks for compliance buy
Knock your SOX off

Patching specialist Lumension has acquired compliance and risk management firm Securityworks. Terms of the deal, announced on Monday, were not disclosed.…

Twitter riddled with worms and scams (again)
Who will stop the madness?

Multiple new versions of the Mikeyy cross-site scripting worm spread across the Twitter micro-blogging network over the weekend.…

Music industry sites DDoSed after Pirate Bay verdict
Hacktivism cuts both ways

Hacktivists have launched denial of service attacks against music industry association ifpi.org and lawyers involved in the prosecution of the four Pirate Bay defendants in the wake of a guilty verdict against the quartet last Friday.…

In Oracle-Sun deal, analysts predict identity management fallout

By Eric B. Parizo

As a combined company, Oracle and Sun Microsystems will be the No. 1 vendor in enterprise identity management, but analysts say consolidating and unifying the product portfolio could be a painful process for customers.

Oracle to buy Sun Microsystems for $7.4 billion

By Barney Beal, News Director

IBM was the early favorite to purchase Sun, but Sun reportedly cast aside Big Blue's $7 million offer. Oracle gets the Sun Solaris OS, the most popular platform for Oracle's database.

Criminals pay top money for hackable Nokia phone

Criminals are willing to pay thousands of euros for a discontinued Nokia mobile phone with a software problem that can be exploited to hack into online bank accounts, according to a fraud investigator in the Netherlands.

Clamp down urged on staff flouting security rules

Businesses are being urged to clamp down on staff who are flouting security rules, after a survey found that too many companies are vulnerable to ignorant or careless behaviour from their workforce.

RSA Conference kicks off on somber note

Against an omnipresent backdrop of recession and uncertainty, IT security pros this week will gather at an RSA Conference focused on malware proliferation, protection of virtualized and cloud computing environments, and the specter of rising government involvement in their work.

NEC gets into security software

Japanese network equipment vendor NEC is making its first foray into security software at RSA Conference 2009 with the introduction of a Web application firewall to the U.S.

FBI used spyware to catch cable-cutting extortionist

The FBI used spyware to catch a Massachusetts man who tried to extort Verizon and Comcast by cutting 18 data- and voice-carrying cables in 2005, documents obtained under the Freedom of Information Act by Wired.com revealed yesterday.

Device fingerprinting defends against online fraud

Cybercriminals have established vast botnets comprised of millions of computers that are controlled by malicious masters. These bots allow the fraudsters to purchase goods, apply for credit cards, access bank accounts and more – all from the relative obscurity of a compromised device. A new security discipline called device fingerprinting is making it harder for criminals to conduct their illicit business from a device they have overtaken. Learn more about how you can validate if your transactions are coming from a legitimate device or one that has been compromised for criminal purposes.

Siloed reputation management vs. small town reputation management

Recently, I was talking about the relatively new identity management area of online reputation management. Some siloed reputation management systems were mentioned (e.g., eBay, Yelp, Trip Advisor), which are the ones always mentioned whenever identity management visionaries get together. But, in reality, what we're looking for goes back much farther than the online age.

Web Applications Security Scanner Introduced

Qualysis is announcing Web application scanning software to be offered as a product or licensed for development.

Antivirus Vendor Turns to Hardware Protection

The Norman Network Protector security appliance debuts at RSA.

RSA Conference Gets off to a Low Key Start

IT security pros meet against an omnipresent backdrop of recession and uncertainty.

U.S. Military Extensively Using IPod Touch

While we knew that some companies were trying to make iPod software to help military personnel, we didn't realize just to what...

Tech Groups Praise Obama Pick for CTO

Chopra has experience using technology to improve government, supporters say

Apple's iPod touch tackling "networked warfare" for US military

By Darren Murph on warfare

While the British military has had a love-hate relationship with Apple's darling, the US armed forces are reportedly warming up quite well to the iPod touch. A fresh Newsweek report asserts that the touch is increasingly replacing far more expensive dedicated devices in the field, noting that it is being used to spearhead the future of "networked warfare." Equipped with a rugged shell and software developed by language translation firms (among others), the device is being used to aid communications and acquire information from databases. In fact, the US Department of Defense is "developing military software for iPods that enables soldiers to display aerial video from drones and have teleconferences with intelligence agents halfway across the globe," and snipers are already utilizing a ballistics calculator to add precision to shots. And hey, it's not like easy access to Tap Tap Revenge is really bad for morale, either.
