Security Watch

Windows IIS in Hot Seat Again

Plus, Adobe may surpass Office for most security vulnerabilities; Chrome a growing target for hackers.

It looks like Redmond's security staff will begin the new year by dealing with old security issues.

A flaw has been reported in Windows Internet Information Services (IIS), which is no stranger to security problems.

IIS is a vital program to Redmond; at any given time, it's either the No. 1 or No. 2 Web server in the world in terms of conducting Web traffic.

In a blog post late December, Microsoft spokesperson Christopher Budd downplayed assertions about IIS from security researcher Soroush Dalili and third-party security company Secunia, both of whom said there were corrupt code problems in the program.

Secunia theorized that the IIS glitch is caused when the Web server wrongly executes ASP code in files with extensions separated by semicolons.

Budd said that a Microsoft investigation over the holidays revealed that there are some inconsistencies with IIS but no new exploits on the program. He suggested that the results of Dalili's and Secunia's IIS vulnerability trials were more about poorly configured servers in an enterprise environment and less about a bug in IIS.

There's no word on whether Microsoft plans to cumulatively patch IIS, just to cover all the bases.

Adobe To Surpass Office in Security Vulnerabilities?
Those following IT security have known for quite a while that hackers are increasingly looking to exploit software applications that sit on or are installed via operating systems, rather than exploiting the operating systems themselves.

Those in the know are also hip to the fact that Adobe was one of the most targeted and porous applications last year -- and apparently remains so.

In its "2010 Threat Predictions" report (PDF), anti-virus software giant McAfee says Adobe's Acrobat Reader and Flash applications will likely surpass Microsoft Office as favorite targets of cybercriminals in 2010.

"Using reliable 'heap spray-like' and other exploitation techniques, malware writers have turned Adobe apps into a hot target," McAfee's report notes in a section titled "Malware Writers Love Adobe, Microsoft Products."

As two of the leaders in document presentation, graphics and imaging, Adobe Flash and Reader are the closest rivals to Office in their ubiquity. McAfee predicts that their status as two of the most distributed applications in the world will lead hackers to target Adobe.

The implications for Windows enterprise administrators are varied and vast, considering that Internet Explorer is the browser in which Adobe documents are currently opened, and that hackers will be able to study Adobe's vulnerabilities regularly now that Adobe's patch schedule is synchronized with Microsoft's monthly Patch Tuesdays.

Chrome a Target for Hackers in 2010
Late in 2009, Google's new Chrome operating system, which doubles as a browser since the open source program is Web-based, surpassed Apple's Safari as the world's No. 3 browser behind Firefox and Internet Explorer.

In December, nearly a year after its beta release for Windows PCs, Google released Chrome for Mac and Linux, which helped Google scoot past Safari in total market share.

Ironically, though, Chrome's roots in the WebKit technology used by Safari, along with its reliance on a new generation of HTML called HTML 5, will make it one of the more targeted browsers this year for hackers.

If Google has its way, HTML 5 would supplant rich-media plug-ins such as Adobe Flash and Microsoft Silverlight, both of which come with development features that Web designers and system engineers can build directly into the code that runs Web sites.

But increasing ubiquity will come with increased threats as hackers move to the Web to stage attacks. For instance, if a Chrome user on a Windows PC wants to tack on Google Wave (the cool new collaboration and communication software), they may be vulnerable to botnets, worms or automated malware.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.

comments powered by Disqus

Reader Comments:

Mon, Jan 11, 2010 lyle howard seave Canada

at any given time, it's either the No. 1 or No. 2 Web server in the world in terms of conducting Web traffic. At any given time? Are you serious? Last time I checked Netcraft in the fall Apache was DOUBLE the of Microsoft. And you claim that you wrote this in 2010? Does anyone at work proofread articles or does anything make it, not matter how wrong it is? You can defend your integrity by trying some verbal judo about what you meant and so on but lets' be honest, we all know how to manipulate words so as to make them more or less impactful. So if you are talking about a search engine outside of Google (yahoo, bing, etc), you can claim that your engine is always 1 or 2 which we all know means ONLY 2 because Google is for far ahead. You associated yourselves with success in hopes of poeple forget that your precious is not number 1. Look, I know what this magazine is all about, Im not gonna pretend differently. I also dont go to Mac sites to tell people that they are overpaying for the same hardware as others have. But I work in IT which means mixed environment: Microsoft, Unix and Linux. Its my JOB. So I dont appreciate when sites openly lie about products they are trying to pimp ESPECIALLY when its such a blatant and obvious lie. ANYONE who works with servers know where Apache stands and how far ahead of the competition it is. To try to claim otherwise (or to exaggerate like with this "sometimes IIS is first and sometiems its second") is ethically wrong. You may not like the reality but you just crossed the line from covering a certain sector of the IT business to just being like a Mac site: blind fanbois who get offended at the very idea that their precious isnt perfect. I dare you to look at these stats for Dec2009 (and feel free to look at other months because of monthly fluctuations) and claim that the server battle has been close in the past few years. Heck, if you really wanted to do some research you could even look up to see when IIS was in first the last time. http://news.netcraft.com/archives/2009/12/24/december_2009_web_server_survey.html People in economy are used to BS, lies and exxagerations; one of the reasons we get in these economic messes. No matter how wrong they are, there a never any consequences for their actions or words. In IT, we are judged by our results, our continous service and ability to minimize down time. If anything goes wrong in our department, thousands of employees and millions of dollars are left stranded. So we dont deal with facts not fiction. Maybe the author can write a novel next since fiction seems to be his forte (or lack of research, knowledge or integrity).

Tue, Jan 5, 2010 Dave

"Those in the know are also hip to the fact that Adobe was one of the most targeted and porous applications last year". Actually, those in the know are also hip to the fact that Adobe is a COMPANY, not an application.

Add Your Comment Now:

Your Name:(optional)
Your Email:(optional)
Your Location:(optional)
Comment:
Please type the letters/numbers you see above

Redmond Tech Watch

Sign up for our newsletter.

I agree to this site's Privacy Policy.