Security Watch

Windows Mobile Platform Malware Places Calls to Somalia, South Pole

Plus: Ten for June's Patch Tuesday; MS responds to Google Banning Windows; Adobe encounters another critical security flaw.

• By Jabulani Leffall
• 06/07/2010

According to Hering, the malware doesn't brick mobile systems or lock users out of their phone but instead these apps simply make calls to international and premium-rate numbers across the globe without user permission. Somalia and the South Pole were two of the more ridiculous locations. So unless you know a pirate or a penguin that you want to ring up, you probably have malware on your Windows mobile phone if these numbers show up on your bill.

Big Load for June's Patch Tuesday
Following its light-heavy, then light, then heavy patch rollout pattern for 2010, Redmond will once again issue a very heavy June patch slate.

This week we will see 10 security bulletins addressing a pretty hefty 34 total vulnerabilities.

"The June release is a large update and will keep system administrators busy, even if they have migrated to Windows 7 already," said Wolfgang Kandek, chief technology officer of Qualys.

Also among pressing security concerns this week is third-party apps -- both on PC and mobile devices operating systems apps. And of course there's the ongoing passive tit-for-tat with a large (clearing throat) Internet search company about..what else but security.

Microsoft Defending its Security Against Google Claims
Without mentioning Google directly, Redmond's in-house Windows blogger Brandon LeBlanc hit back at Google by pointing out Microsoft's fervent security efforts, including but not limited to the Security Development Lifecycle initiative.

The response comes after Google formally, if not indirectly, placed blame on Windows systems for a large hack job in January, which gained international attention.  As a result this is reportedly driving Google to take steps to replace Windows as the company's operating system on internal PCs.

This appears to be one large tech rival scapegoating another. As Google attempts to push its own Chrome browser as an operating system of record for Web-based apps in the cloud era, it will want to tout the security of its own products. Placing the blame on Microsoft is an easy component to that marketing campaign.

Microsoft has since patched the issued two cumulative IE patches, and one security expert told me Tuesday afternoon that the jab at Redmond was a bit premature and unfair: The attacks have more to do with access controls than Windows flaws.

"Microsoft has acted very quickly to patch these vulnerabilities upon discovery, but the fact remains that companies are left vulnerable for days and weeks while patches are developed," said Steve Kelley, an executive vice president at BeyondTrust. "As our recent analysis of Microsoft vulnerabilities notes, the vast majority -- including Internet Explorer vulnerabilities -- are easily mitigated by organizations that remove administrator rights from desktop users."

Another Flaw for Adobe
Adobe has acknowledged a "critical" security flaw in its Reader, Acrobat and Flash Player software.

Adobe says the vulnerability potentially enables hackers to take control of corrupted computer systems.

"There are reports that this vulnerability is being actively exploited in the wild against both Adobe Flash Player, and Adobe Reader and Acrobat," said Adobe in its security advisory.

As usual, users and enterprise administrators presiding over systems running Windows, Macintosh or Linux are all be open to attack if Adobe apps are on their stacks.

The company is working to fix the problem. In the meantime, users of Reader, Acrobat and Flash are advised to ensure their anti-virus software is up-to-date.

This latest zero-day flaw comes as Adobe is increasingly considered the most vulnerable third-party application on Windows stacks worldwide. To that end, a quarterly patch cycle is proving not to be often enough.

I previously reported in this blog that Adobe has, in recent months, begin to piggyback Microsoft's monthly patch cycle, coming out on the same Tuesday as Redmond every 90 days.

Well, now Redmond may have a new monthly third-party patch peer.

In a recent post on the age, "The H" quotes Brad Arkin, Adobe's Director of Product Security and Privacy, as saying a monthly rollout schedule is one of the things Adobe is considering in its security evolution.

The more telling part of what Arkin said, confirms something I reported in March: The idea of Adobe and Microsoft collaborating on updates.

To wit, Arkin now says that by the end of 2010, Adobe updates should be "distributed via Microsoft's System Center Updates Publisher (SCUP). If this is true, Windows IT pros who have Adobe products in their stack would be able to integrate the third-party products a little easier if they use System Center Configuration Manager (SCCM) and System Center Essentials (SCE). Such a process would not only help streamline patch management but also use up less network bandwidth and man hours.