Saturday, July 11, 2009

Around The Horn vol.1,135

Microsoft Patch Tuesday for July 2009: six bulletins

By emil.protalinski@arstechnica.com (Emil Protalinski) on Patch Tuesday

According to the Microsoft Security Response Center, Microsoft will issue six Security Bulletins on Tuesday, and it will host a webcast to address customer questions on the bulletin the following day (July 15 at 11:00am PST, if you're interested). Three of the vulnerabilities are rated "Critical," and the other three are marked as "Important." All of the Critical vulnerabilities earned their rating through a remote code execution impact, meaning a hacker could potentially gain control of an infected machine. At least three of the six patches will require a restart.

Prosecutor: Cloud computing is security's frontier

By Elinor Mills

FORT BAKER, Calif.--As data moves to the cloud, attackers and thieves will follow, a federal prosecutor said on Friday.

The days of tracking down software counterfeiters in other countries who are selling pirated CDs are numbered as companies ...

Botnet worm in DOS attacks could wipe data out on infected PCs

By Elinor Mills

The denial-of-service attacks against Web sites in the U.S. and South Korea that started last weekend may have stopped for now, but code on the infected bots was set to wipe data on Friday, security experts said.

There were no immediate reports of any of the compromised PCs in ...

Users upset after CA anti-virus detects Windows system file as virus

By Elinor Mills

This CA user forum was filled with comments from confused and upset customers after the software detected a Windows system file as a virus.

Users of Computer Associates anti-virus software were complaining on Thursday after the company's anti-virus software mistakenly identified a Windows XP system file ...

DirectX targeted in Microsoft security updates

By Elinor Mills

Microsoft said on Thursday that it will issue six security updates on Patch Tuesday next week, including a critical one that will fix two outstanding holes in DirectX that have been targeted in attacks.

In May, Microsoft announced that there had been attacks against a DirectX vulnerability that could allow ...

Least-Privilege Technology Still Swimming Upstream, But Making Progress

Least-privilege technology struggles to overcome conventional approaches to PC security

IBM Researchers Unveil New Data-Masking Technology

'MAGEN' technology automatically shields sensitive customer, patient data

Koobface Worm Lands on Twitter

In Virus and Spyware

After making the rounds on social networking sites such as Facebook and MySpace, the notorious Koobface worm has made its way to Twitter. According to Trend Micro, the worm infected a couple hundred Twitter users over the span of just a few hours Thursday.

DHS earns kudos for tightening security on intelligence systems

The Homeland Security Department has improved the security of its top-secret/sensitive compartmented information systems, the department's inspector general has found.

Cyberattacks add fuel to cybersecurity debate

Cyberattacks on government agencies' Web sites underscore the complex policy questions of cyber defense and offense, experts say.

Obama could ramp up E-Verify

The controversial E-Verify employment verification program continues to frustrate critics and supporters with its patchy progress this year. But that could change if President Barack Obama makes it a key piece of an upcoming overhaul of immigration policies.

Personal data requirements raise eyebrows

Privacy advocates are wondering why DHS needs to store data on mother's maiden name and financial history to allow employees and contractors regular building access.

Cyberattacks could have been mitigated

Agency responses to cyberattacks on U.S. government sites demonstrate a need for better coordination between agency security officials and the companies that provide Internet services, experts say.

Four years, many changes

Provisions of the Real ID Act have been a moving target.

Real ID: States chase moving target

In the face of shifting deadlines and requirements, states are struggling to comply with the Real ID Act for making driver's licenses more secure.

Real ID compliance score card

Twenty-six states have enacted legislation that indicates their intentions regarding compliance with Real ID.

U.S. national security in the Digital Age

White House officials should rethink the technology challenges of national security.

Senate passes E-Verify provision for contractors

The Senate passed a provision to require federal contractors to use the E-Verify program on the same day DHS announced that contractors must use the program starting Sept. 8.

Cyber Attack Code Starts Killing Infected PCs

Infected computers participating in the distributed denial of service attack on U.S. government and South Korean Web sites are set to destroy their own data.

Microsoft Fix For 'Browse-And-Get-Owned' Flaw Coming Tuesday

Two zero-day vulnerabilities, one reported last week, will be fixed in Microsoft's monthly patch release next week.

DHS Systems More Secure, Inspector General Finds

Report indicates progress has been made certifying and accrediting the Department of Homeland Security's intelligence systems.

IBM To Patent Data Mask

Big Blue's MAGEN system uses optical character recognition to selectively scramble sensitive onscreen information such as healthcare or financial records.

Cyber Attack Hits South Korea Web Sites Again

Attack denies access to some banking and U.S. government sites from South Korea and is similar to recent DDOS attacks there and in the U.S.

Google Chrome OS: Vaporware Or Victory?

Chrome OS, Google's newly announced operating system, isn't just a swipe at Microsoft. It's an attempt to realize the cloud computing future that Google's been predicting.

Text message scammers quietly prey on regional banks

You get a text message from your bank telling you there's been suspicious activity on your account. You call the number on your phone to see what's going on, and before you know it, you're a victim.

Botnets infect fewer computers in China

The number of botnets and of computers controlled by them in China has fallen in recent years, though the country remains a top host for the networks of compromised computers, according to the government and independent researchers.

Twitter suspends accounts of users with infected computers

Twitter is suspending the accounts of some users whose computers have fallen victim to a well-known piece of malicious software that has targeted other sites such as Facebook and MySpace.

Security flaws in Social Security numbers is old news

There was a big hoo-hah last week about a paper published by folks at my old school, Carnegie-Mellon University. There was so much attention, in fact, that I found myself endlessly humming "Dear Old Tech" over and over. According to the press release, "Carnegie Mellon researchers find Social Security numbers can be predicted with public information." Is that startling information? More importantly, is it a security/identity fraud problem?

Social-networking site Tagged to be sued by New York

The state of New York plans to sue the social-networking site Tagged.com for allegedly using deceptive e-mails in order to gain new users, the Office of the Attorney General said Thursday.

Google's 'My Location' Tracks PC's Location on Google Maps

Google is making it easier for you to find out where you are, with the introduction of My Location for the desktop. First introduced in late 2007 as a tool for Google Maps for mobile, My Location made it easier to find your way around town by triangulating your position based on surrounding cell towers. My Location for the desktop uses WiFi access point information instead of cell towers, but just like the mobile version, My Location on the desktop drops a little blue dot onto your approximate location in Google Maps.

Internet content filtering a waste of money: child groups

Children's rights group Save the Children has appealed to the Labor Government to drop its controversial plans for a mandatory Internet filter, saying the scheme does not effectively teach children how to protect themselves from online danger.

News analysis: DDoS attacks highlight need to reduce government Internet access points

The network attacks that severely disrupted several federal agency Web sites this week highlight the need for the government to quickly finish implementing its ongoing consolidation of Internet access points, the former de facto CIO of the federal government and others said today.

Korea DDOS virus mission shifts to destroying, erasing data

They say what goes around comes around and on Friday owners of bot-infested PCs in South Korea will discover that's true.

Microsoft admits it knew of critical IE bug in early '08

Microsoft on Thursday confirmed it has known about a bug behind widespread Internet Explorer attacks for more than a year, but defended its security process against critics who say it should have acted faster.

U.S.-South Korea Cyberattack: Lessons Learned

Investigators may not yet know who was behind a series of cyberattacks on the U.S. and South Korea, but analysts are getting a better grasp on where the nations' governments may have gone wrong. Numerous government Web sites in both countries have been hit by distributed denial-of-service attacks, starting on the Fourth of July and continuing into today. Dozens of high-profile sites have been

Lessons for Your Website from US, S. Korean Attacks

On July 4, a botnet estimated to contain between 30,000 and 60,000 compromised computers received new marching orders: Attack five U.S. government Web sites.

Microsoft promises to stymie hackers next week with new patches

Microsoft today said it plans to deliver six security updates on Tuesday, including two for vulnerabilities that hackers have been using for months to attack Windows and Internet Explorer.

Will Google's OS Make the Desktop Safe?

Google says that its forthcoming Chrome operating system will be so secure that "users don't have to deal with viruses, malware and security updates." But Google's claim is being met with skepticism within the Internet security world.

DDOS attack again takes down South Korean Web sites

For the third day in a row a number of major public and private Web sites in South Korea have been taken off the Internet by a distributed denial of service attack.

Trojans responsible for 75% of new malware

Trojans make up nearly three quarters of all new malware detected between April and June this year, says Panda Security.

Cyber attack in South Korea set to resume, says AhnLab

A denial of service attack that took down some of South Korea's highest profile Web sites on Wednesday is set to resume Thursday evening, according to computer security specialist AhnLab.

Solving the DLP Puzzle: 5 Technologies That Will Help

About this series: Companies are clamoring for Data Loss Prevention (DLP) tools to keep their data safe from online predators. But there is much confusion over what the true ingredients are. In this series, CSOonline talks to security practitioners, analysts and other experts for a crash-course on what DLP is, what it isn't and how to get on the right track. We'll begin with the proper technologies to use, followed by the right people policies.

Google's new OS raises privacy, antitrust concerns

Google's announcement Tuesday that it is developing an open-source operating system raised questions among privacy advocates about the amount of personal data Google will be able to collect.

State Department worker sentenced for passport snooping

A former U.S. Department of State employee has been sentenced to a year of probation and ordered to pay a US$5,000 fine for snooping on more than 50 electronic passport application files, the U.S. Department of Justice said.

No sign of N. Korean backing in bot attacks on U.S. sites, says researcher

Nothing in the code of the malware used to attack a wide array of U.S. and South Korean government and high-profile Web sites indicates the campaign is backed by North Korea, a noted botnet researcher said today.

Server pros have concerns about cloud security

Security of cloud services is an even bigger issue for corporate server and storage experts than it is for corporate security staff.

Google's OS security claims called 'idiotic'

Google, while announcing its new Chrome operating system late Tuesday, said users would no longer have to worry about viruses, malware and security updates, but security experts disagreed on whether Google can deliver on those promises.

The U.S.-South Korea Cyberattack: How Did It Happen?

It sounds like an advanced operation: Hackers hit dozens of high-profile Web sites, knocking the Federal Trade Commission and other government groups completely offline. Days later, South Korea gets a wave of the same treatment.

MasterCard halts remote POS security upgrades

In a purported second major security change in recent weeks, MasterCard has decided to disallow merchants' use of remote key injection (RKI) services to install new encryption keys on point-of-sale (POS) systems, says a Gartner analyst.

'Secure' Wyse thin clients vulnerable to remote exploit bugs
More secure As susceptible as PCs

A popular brand of thin client device used by nuclear labs, military contractors and Fortune 100 companies is susceptible to exploits that put entire fleets of the machines in the control of online attackers.…

Hijacked Twitter accounts spread Koobface worm
Micro-blogging site suspends compromised accounts

The Koobface worm, which previously infected users of Facebook and MySpace, is spreading among users of micro-blogging website Twitter.…

NHS hospitals struggle to hold back the malware tide
Still ill

Malware infection problems at NHS hospitals are a more serious problem than isolated reports of infestation might suggest, according to an investigation by More4 News.…

The practical guide to patch management
Get back in there and build me a proper business case

Paper trail You may have noticed how often these days IT vendors talk about "building a business case". They want to furnish you, the IT pro, with the info to persuade sceptical business unit managers, or B.U.M.s as they are sometimes known, to buy their stuff for the good of mankind.…

Rogue CA update bricks Win XP systems
Sky not really falling

A rogue security definition update to anti-virus software from CA hobbled Windows systems earlier this week, sparking howls of protests from users.…

Teen cuffed for bomb threat webcam pay-per-view
The SWAT channel

A North Carolina teenager has been arrested and accused of phoning in bomb threats to schools and universities so he could charge admission for people to watch in real time over webcams as police responded.…

Optimism down as priorities shift in mid-market IT
You can't postpone mission critical

With a sharply declining server market this year and relative stagnation expected for the few, according to a long range forecast released by IDC and a shorter-term one from Gartner, you can bet server resellers are trying to get a bead on what things midrange shops want and need to spend money on.…

Three 'critical' Windows fixes due on Patch Tuesday
Relief for what ails you

Microsoft on Tuesday plans to release updates patching three critical Windows security vulnerabilities, two of which are already under attack.…

Google Oompa-Loompas dream of virus-free OS
Everlasting gobstopper

Google has rather rashly claimed its plans to develop an operating system promise an end to security woes.…

UK data breach incidents on the rise
Security measures compromised by human dimwittery

Seven in ten UK organisations experienced a data breach incident over the last year, up from 60 per cent in the previous year.…

Microsoft knew of nasty IE bug a year before attacks
Security delayed or security denied?

Microsoft was aware of a critical vulnerability in an Internet Explorer component at least 12 months before attackers started targeting it in lethal exploits that take full control of end-users' PCs, a member of its security team said Wednesday.…

MyDoom dabs spotted on mega cyberassault
Traces of guilt

An updated version of the MyDoom worm is blamed for ongoing denial of service attack against high-profile US and South Korean websites, according to preliminary analysis.…

OpenSSH exploit rumours swarm
As milw0rm shuts up shop

Rumours are circulating about the active exploitation of systems running older versions of OpenSSH, the open source remote administration utility.…

Plod to get computer forensics 'breathalyser' next year
Commercial offerings fail forensic tests

UK police may be forced to develop a bespoke digital forensics device for seized computers after testing of market offerings failed to meet price, technical and speed standards.…

Short URLs in spam skyrocket
The Twitter effect

Incidents of shortened URLs in spam messages have skyrocketed since the start of this week.…

Cops swoop on e-crime gangs after banks pool intelligence
Early success for new task force

Two London-based cybercrime gangs have been busted, following an agreement by banks and credit card companies to share intelligence on network attacks and malware.…

Moderatrix to gain even more sinister powers
Cyberbullies quail as online reputation software launches

A new system to improve the behaviour of visitors to internet sites, by granting more draconian exclusion powers to moderators, is launching this week in the UK.…

Spam tool developer faces six years in chokey
Ralsky cohort cops a plea

A US software writer has pleaded guilty to developing a botnet-based spamming tool used by notorious spammer Alan Ralsky.…

US websites buckle under sustained DDoS attacks
South Korea, too

Websites belonging to the federal government, regulatory agencies and private companies have been struggling against sustained online attacks that began on the Independence Day holiday, according to multiple published reports.…

Schneier says he was 'probably wrong' on masked passwords
Security guru gets a bit carried away by the moment

Security expert Bruce Schneier has said that he probably made a mistake when he backed a usability expert's plea to website operators to stop masking passwords as users type because it does not improve security and makes sites harder to use.…

Opera CEO: Unite not a security risk
Au contraire!

Opera has been defending its Unite product, claiming that far from causing security problems it actually increases the security for users who would otherwise be dependent on the cloud.…

Imageshack, (Sat, Jul 11th)

We are aware that Imageshack was attacked by the anti-sec group. This seems to be affecting ot ...(more)...

VMWare Security Advisories, (Sat, Jul 11th)

I would like to thank Kirk at VMWare for alerting us to a couple of security advisories. ...(more)...

WordPress Fixes Multiple vulnerabilities, (Fri, Jul 10th)

WordPress 2.8 ...(more)...

UPDATED X1: Latest Updates on Ongoing DDoS on Governmental/Commercial Websites in USA and S. Korea, (Thu, Jul 9th)

A quick update on the DDoS of various governmental/commercial sites in the US and South Korea. ...(more)...

OpenSSH 0day FUD, (Thu, Jul 9th)

For the last couple of days we've been all witnesses of FUD surrounding a supposed 0-day exploit for ...(more)...

Safari 4.0.2 update published, (Wed, Jul 8th)

It looks like Apple released safari 4.0 ...(more)...

Milw0rm offline, (Wed, Jul 8th)

We've received multiple emails today from readers who cannot reach Milw0rm. The site's owner, ...(more)...

RFI: DDoS Against Government and Civilian Web Sites, (Wed, Jul 8th)

We are aware of an ongoing DDoS against several high-profile web sites. Public details are in ...(more)...

* INFOCON Status - staying green, (Tue, Jul 7th)

We had some internal discussion overnight about whether to raise our Infocon status to YELLOW becaus ...(more)...

OpenSSH Rumors, (Tue, Jul 7th)

Over the past 24 hours we've had a number of readers tell us that there is an OpenSSH exploit in act ...(more)...

US and South Korean Sites Under Attack; Late Data Says Attacking PCs to Self Destruct (July 8 & 9, 2009)

A variant of MyDoom is believed to be behind the distributed denial-of-service (DDoS) attacks that took down US and South Korean government, military and private industry websites last week.......

Teen Indicted on Swatting-Related Charges (July 8, 9 & 10, 2009)

16-year-old Ashton Lundeby of North Carolina has been indicted for a series of bomb threats that he allegedly turned into a money-making scheme.......

Author of Spamming Tools Pleads Guilty (July 7 & 8, 2009)

David S.......

Not Guilty Plea in Pump-and-Dump Scheme (July 7, 2009)

Jaisankar Marimuthu has pleaded not guilty to charges related to his alleged role in a pump-and-dump scheme.......

Revised Anti-Piracy Bill Adopted in French Legislature (July 9, 2009)

French legislators have adopted a revised version of a controversial Internet piracy bill.......

Talk Talk Pulls Out of Phorm Deal (July 8 & 9, 2009)

British Internet service provider (ISP) Talk Talk has said it will not use online targeted advertising technology from Phorm.......

Microsoft to Release Six Security Bulletins Next Week (July 9, 2009)

Microsoft will release six security bulletins on Tuesday, July 14.......

Apple Issues Safari Update (July 9, 2009)

Apple has released an updated version of its Safari web browser to address two security flaws.......

Tagged.com Faces Lawsuit for Alleged Deceptive Marketing Practices (June 9 & 10, 2009)

New York Attorney General Andrew Cuomo says he plans to sue social networking site Tagged......

Certain SSNs are Relatively Easy to Guess (July 6, 7 & 8, 2009)

Researchers at Carnegie Mellon University have published findings of a study that shows some Social Security numbers (SSNs) can be guessed with astonishing accuracy given just a person's birth date and place of birth.......

MasterCard Prohibits Remote Key Injection Technology in Certain Cases (July 8 & 9, 2009)

There are unconfirmed reports that MasterCard has decided not to allow some merchants to use remote key injection (RKI) technology "to install new encryption keys on point-of-sale (POS) systems.......

Thoughts on Naming Executables

By Mark Eggleston

A malware executable by any other name?

As part of good HIPS or endpoint protection, do you block known malware executables? For example, allowing video.......

Microsoft to address DirectShow, ActiveX zero-day flaws

By Robert Westervelt, News Editor

The software giant said it would issue six updates including three critical, repairing two flaws being actively targeted in the wild.

Latest DDoS attacks extremely unsophisticated, experts say

By Robert Westervelt

The denial-of-service attacks that briefly shut down some U.S. and South Korean government websites are not likely being carried out by a professional.

Adobe patches ColdFusion vulnerability blocking website attack

By SearchSecurity Staff

Users of ColdFusion 8 can apply a patch which blocks ongoing attacks compromising websites built with the application development platform.

Attorney General Cuomo Takes on Tagged Social Networking Site

New York Attorney General Andrew Cuomo plans to sue social networking site Tagged.com for allegedly stealing the identities of its members, raiding their e-mail contact lists and sending out spam in a bid to lure recipients to the site. Tagged's CEO denies the accusations.
- New York Attorney General Andrew Cuomo threw a legal right hook at social networking site Tagged.com July 9, charging the site with spamming and stealing the identities of 60 million of its users. Cuomo served the site with a notice of intent, marking his plan to sue Tagged.com for allegedly ra...

Microsoft to Plug DirectShow, Video ActiveX Security Holes

Microsoft is prepping fixes for vulnerabilities in the DirectShow and Video ActiveX Control components as part of July's Patch Tuesday. The Patch Tuesday release will consist of six security bulletins, three rated critical.
- Microsoft plans to swat two Windows bugs that have come under attack by hackers as part of the July 14 Patch Tuesday. Among the collection of patches are fixes for the DirectX vulnerability that Microsoft first warned users about at the end of May. But also slated to be fixed is a vulnerabilit...

IBM Reveals New Data Masking Technology

IBM pulled the covers off new technology today that uses optical character recognition to conceal data. The data masking tool does not change data but filters it before it reaches the PC screen, making it unnecessary to develop sanitized copies of enterprise data for individual users.
- IBM researchers have developed new data masking technology they say mixes screen scraping and optical character recognition to conceal confidential data. The platform-agnostic software, codenamed MAGEN (Masking Gateway for Enterprises) works by treating information on the screen as a picture an...

Fresh Cyber-Attacks Strike South Korea

A new series of cyber-attacks targeting Websites in South Korea was launched today, disrupting both commercial and government sites. The DDOS attacks continue a campaign that began targeting sites in the United States over the July 4 weekend.
- Another round of cyber-attacks hit South Korean Websites Thursday as the spate of denial-of-service attacks continued. The latest attacks affected service on both government and commercial Websites in South Korea. According to the Associated Press, an official from the state-run Korea Communicat...

PCs Used in Korean DDoS Attacks May Self Destruct

In Latest Warnings

There are signs that the concerted cyber attacks targeting U.S. and Korean government and commercial Web sites this past week are beginning to wane. Yet, even if the assaults were to be completely blocked tomorrow, the attackers could still have one last, inglorious weapon in their arsenal: New evidence suggests that the malicious code responsible for spreading this attack includes instructions to overwrite the infected PC's hard drive. Update: This is already happening. Please be sure to read the updates at the end of this post. Original post: According to Joe Stewart, director of malware research at SecureWorks, the malware that powers this attack -- a version of the Mydoom worm -- is designed to download a payload from a set of Web servers. Included in that payload is a Trojan horse program that overwrites the data on the hard drive with a message that reads "memory of the independence

You Down with APT?

By Richard Bejtlich

Today I shared a phone call with a very knowledgeable and respected security industry analyst. During the course of the conversation he made a few statements which puzzled me, so I asked him "do you know what APT means?" He might have thought I was referring to the Debian Advanced Package Tool or apt, but that's not what I meant. When I said Advanced Persistent Threat, it still didn't ring any bells with him.

Glitch in antivirus software troubles PC users (AP)

In technology

AP - Antivirus software cuts two ways. It's great at blocking known viruses, but it can sometimes misfire, mistakenly flagging clean files as malicious. That sends a computer into a tailspin trying to clean up stuff that's supposed to be on there.

Cyberattacks put spotlight on Web vulnerabilities (AFP)

In technology

AFP - Computer security experts were divided Thursday on whether North Korea was behind the ongoing attacks on US and South Korean websites, an assault that highlighted the vulnerabilities of the Web.

Will Google's OS Make the Desktop Safe? (PC World)

In technology

PC World - Google says that its forthcoming Chrome operating system will be so secure that "users don't have to deal with viruses, malware and security updates." But Google's claim is being met with skepticism within the Internet security world.

Microsoft Security Bulletin Advance Notification for July 2009

Revision Note: Advance Notification published. Summary: This advance notification lists security bulletins to be released for July 2009.

Questions about Timing and Microsoft Security Advisory 972890

By MSRCTEAM

Hi everyone, Mike Reavey here.

You’ve probably seen in Jerry’s Advance Notification posting today announcing that we’re on track to release an update to address the issue discussed in Microsoft Security Advisory 972890.

We’ve gotten some questions from customers about when we got the first report of this vulnerability and how long the investigation has taken relative to the outbreak of attacks against this vulnerability.

Before I go into the details, the key thing I want customers to understand is that this is an issue that was responsibly reported to us and we have been driving in our standard process towards a security update. While in the middle of that process, attackers found this same vulnerability and began attacks against it. We were far enough in the process that we could provide information that customers can use to protect themselves in the interim while we complete that investigation and deliver a security update that you can deploy broadly with confidence. Like Jerry said, we’re targeting next Tuesday to release this update.

In terms of timeline, we received the original report from Ryan Smith and Alex Wheeler with IBM ISS X-Force in the early Spring of 2008. The CVE number assigned to this, CVE-2008-0015, can make it look older but that’s because IBM (like Microsoft) gets CVE numbers in large blocks and assigned them sequentially to issues.

Once we got the report, we started an investigation and confirmed that this ActiveX control that ships with Windows did expose an exploitable vulnerability that could be exploited by malicious websites.

We always aim to be thorough in our investigations. For any issue that is reported to us, we strive to address not only the vulnerabilities brought to us but also to find any similar or related issues to ensure the update provides as comprehensive security as possible. And once we confirmed that issue we expanded our investigation to be thorough.

In the case of this particular issue, part of our investigation showed other interfaces were vulnerable, in this ActiveX Control, not only the one seen used in attacks.

Another thing our investigation showed is that there was no known use for these interfaces in Internet Explorer. In fact, as part of our security work on Vista, these interfaces had been disabled in Internet Explorer.

Based on that, our engineering teams felt the best approach to protect customers would be to prevent any interfaces with no known use in Internet Explorer (45 in total) from loading in Internet Explorer in earlier versions of Windows.

However, disabling or removing functionality is a more radical step than updating code to address an unchecked buffer, for example. When we disable or remove functionality, we have to engage in even more research and testing than usual, to ensure that we can take this step and not cause more harm than good by inadvertently “breaking” applications. For something like this, we have to ensure not only our applications but also major third-party applications are not hurt by this. Otherwise, if our update “breaks” a major application, customers won’t deploy the update but the bad guys will have information about the vulnerability that they can use to attack it.

We were far enough along in our process that we felt comfortable taking this information from our investigation and giving it to customers so they could take immediate action to protect themselves while we finish our security update. To make it even easier for customers to protect themselves, we also implemented the “FixIt” that automatically implements the killbits.

Customers who have already implemented the killbits manually or through the FixIt workaround won’t need to implement next week’s security update, though we recommend that you apply the update to ensure that reporting accurately shows that the systems are fully protected.

We’re on track to release the security update next Tuesday. But if you haven’t implemented the killbits already, we recommend that you go ahead and do that to protect yourself against the attacks.

I hope this helps answer any questions you might have.

Thanks.

Mike

*This posting is provided "AS IS" with no warranties, and confers no rights*
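The post above tells customers they can apply the killbits manually or through the Fix it, but it does not show how to confirm that a machine actually has them. The following is an added PowerShell example, not Microsoft's code or the Fix it itself: it reports whether the ActiveX kill bit (the 0x400 bit of the `Compatibility Flags` value under `ActiveX Compatibility\{CLSID}`) is set for a list of CLSIDs, in both the native and the Wow6432Node registry views. The CLSIDs in the list are constructed placeholders; the real ones are in KB972890, which this page does not reproduce.

```powershell
# Added example (not Microsoft's code): report whether the ActiveX kill bit
# is set for a list of CLSIDs. Read-only; it changes nothing.
#
# Kill bit semantics: a REG_DWORD named "Compatibility Flags" under
#   HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
# with bit 0x400 set tells Internet Explorer never to load that control.
# On 64-bit Windows the 32-bit IE reads the Wow6432Node view, so both are checked.

$KillBit = 0x400

# Placeholder CLSIDs (constructed). Replace with the CLSIDs from KB972890.
$Clsids = @(
    '{00000000-0000-0000-0000-000000000001}',
    '{00000000-0000-0000-0000-000000000002}'
)

$BasePaths = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Test-KillBit {
    param(
        [Parameter(Mandatory)] [string] $Clsid,
        [Parameter(Mandatory)] [string] $BasePath
    )
    $keyPath = Join-Path $BasePath $Clsid
    # No key at all means no kill bit for this CLSID in this view.
    if (-not (Test-Path $keyPath)) { return $false }
    $item = Get-ItemProperty -Path $keyPath -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    $flags = [int]$item.'Compatibility Flags'
    # The kill bit is one flag among several; test only that bit.
    return (($flags -band $KillBit) -eq $KillBit)
}

foreach ($clsid in $Clsids) {
    foreach ($base in $BasePaths) {
        # Wow6432Node does not exist on 32-bit Windows; skip it there.
        if (-not (Test-Path $base)) { continue }
        $set    = Test-KillBit -Clsid $clsid -BasePath $base
        $status = if ($set) { 'SET' } else { 'MISSING' }
        [pscustomobject]@{
            Clsid   = $clsid
            View    = $base
            KillBit = $status
        }
    }
}
```

Run it from an elevated prompt on a machine where the Fix it was applied and every row should read SET; a MISSING row in either view is a control that Internet Explorer can still load. The script only reports, so remediation stays with the Fix it or the security update, which is also what makes the compliance reporting the post mentions come out right.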

July 2009 Advance Notification

By MSRCTEAM on Security Update

Advance Notification for the July 2009 Security Bulletin Release

Our Advance Notification was published today and indicates that next Tuesday, July 14 at 10:00 a.m. PDT (UTC -8), we will be releasing a total of 6 security bulletins consisting of:

· Three Critical updates affecting Windows.

· One Important update affecting Publisher.

· One Important update affecting Internet Security and Acceleration (ISA) Server.

· One Important update affecting Virtual PC and Virtual Server.

I want to provide some clarity on two of the pending Windows updates mentioned. First, we will be addressing the issue discussed in Security Advisory 971778 concerning a vulnerability in DirectShow. As noted in the advisory, we are aware of limited active attacks and we have been working aggressively to get a quality update shipped to customers.

Second, our engineering teams have been working around the clock to produce an update for the issue discussed in Security Advisory 972890 (vulnerability in the Microsoft Video ActiveX Control) and we believe that they will be able to release an update of appropriate quality for broad distribution that protects against the attacks we detailed in the advisory and in an MSRC blog post by Christopher Budd. In the meantime, we encourage customers to continue to enable the workaround by running the “Microsoft Fix it” solution in the associated knowledge base article (KB972890).

As you know, this information may change between now and next Tuesday. We will do our best to keep you updated if it does.

Some notes on restart requirements: One of the three updates for Windows will require a restart, the others may if the DLL being updated is in use. This goes for the Publisher update as well. To reduce your chances of requiring a restart, please see Knowledge Base article 887012. Both the ISA Server and Virtual PC/Virtual Server updates require restarts. Note however that the Virtual PC/Virtual Server update will not prompt you, so you should factor a manual restart into your deployment plans as soon as possible.

On release day, look for additional information on both this blog and the Security Research and Defense blog. If you have questions or would like more information about this month’s release, please plan to attend our regularly scheduled security bulletin webcast on Wednesday, July 15, 2009, at 11:00 a.m. PDT (UTC –7). Click HERE to register.

Thanks!

Jerry Bryant

*This posting is provided "AS IS" with no warranties, and confers no rights*

Cisco Security Center: IntelliShield Cyber Risk Report

June 29-July 5, 2009

Report Highlight: Data Privacy Concerns Surround Closure of Registered Traveler Vendor

U.S.-South Korea Cyberattack: Lessons Learned

Five days after the start of a widespread cyberattack on the U.S. and South Korea, security researchers say they know where the governments likely slipped up.

Will Google's OS Make the Desktop Safe?

Google has ambitious plans to make its Chrome operating system ultrasecure, but will it deliver?

France Creates New National IT Security Agency

France has created a new network and information security agency to protect the nation's critical infrastructure from cyberattack.

Dangerous Security Flaw Likely Just a Hoax

A claim of a software vulnerability in a program used to connect securely to servers across the Internet is likely a hoax, according to SANS.

Should the U.S. Brace for More Cyber Attacks?

Another wave of DDOS attacks hits South Korea, leaving many wondering what the U.S. government is doing to protect itself.

10 Free, Must-Have Windows Security Downloads

Put an end to prying eyes, bad guys and sneaky spies with free software for Windows that can help protect your privacy and security.

100 Essential Skills for Geeks

By Anton Olsen

What do you need to know to maintain geek cred? Here are 100 things.

Chinese Spying Claimed in Purchases of NSA Crypto Gear

By Kevin Poulsen

A Chinese national arrested on his way to a clandestine meeting with an undercover federal agent tells investigators he's buying NSA-designed crypto gear off the internet as part of a Chinese-government program to intercept U.S. communications.

New Law Floods California With Health Breach Reports

By Kim Zetter

In the five months since a new medical data breach notification law went into effect in California, state officials have been flooded with more than 800 reports of possible breaches. One medical center has been fined $250,000.
