Security Watch

Microsoft's Holiday Present Includes 17 Patches

• By Jabulani Leffall
• 12/14/2010

The gargantuan patch release of December 2010 cements this year as one where Microsoft faced the most vulnerabilities and patched the most holes in the history of Redmond's formal update process.

The final count, if December's advanced bulletin count holds up, will be 266 total vulnerabilities, plugged by 106 patches.

Looking at the growth of bugs and the patches that fix them, the natural assumption -- in a year that had a large number of in-the-wild exploits affecting Internet Explorer and Windows Web Components -- is that security threats are growing.

And threats obviously are growing -- especially on the Web. But Mike Reavey, director of the Microsoft Security Response Center, also attributes the large count to product obsolescence, which happened en masse this year with the discontinuance of support for operating systems such as Windows XP.

In this blog post, he said the 17-patch, 40-bug behemoth of a slate "isn't really surprising when you think about product life cycles and the nature of vulnerability research."

He went on to say that security research methodologies "change and improve constantly" with "older products meeting newer attack methods, coupled with overall growth in the vulnerability marketplace, result in more vulnerability reports."

Product support discontinuance aside, it's a brave new world for real-time threats and savvy hackers. It will be interesting to see in 2011 whether Windows IT pros will start to demand a quicker, more fragmented distribution system for the more urgent patches. To wit, if admins found themselves bogged down month after month with both patches and vulnerabilities in double figures, it would get old really quick.

Gawker Media Hack Raises Larger Questions
 One of the largest publishers of content on the Web, Gawker Media, got pwned (owned or hacked) over the weekend with hackers turning the company's user profiles inside out and displaying more than 1.3 million usernames, e-mails and accompanying passwords.

According to PBS, such an instance of attacks is alarming because the digital smash and show job on Gawker included e-mail addresses and passwords of employees from federal, state and local government agencies that appeared to be separated from the larger attack for potential use on attacks directly against the government in the future. Security expert HD Moore said he didn't necessarily think the original intent was a government attack but that such an attack could become a byproduct of what was otherwise routine breach of personal identifiable information (PII).

 "I don't believe that the motive of the attack was to reach government accounts," said Moore, who is chief security officer for Rapid7 and inventor of the Metasploit malware database. "But there were over 300 US government e-mail accounts in the set, with another 300 more military. Even if the original attackers had no interest in government targets, the data is now accessible to the folks who may have government assets in mind."

Meanwhile, with the controversy surrounding Wikileaks and the specter of cyber espionage and warfare growing, true hacker intent -- if it's not money or stealing passwords to gain access to corporate systems for sabotage -- will surely become evident in time.

Microsoft Looking Into Attacks on its Ad Network
Microsoft said in a statement to the IDG News Services that it was investigating the circumstances under which hackers infected online ad networks run by both Redmond and Google.

For Microsoft in particular, clickable ads that launch malware on user PCs were first spotted on the Hotmail service, according to according to security consultancy Armorize.

Amorize said the malware exploits holes in Adobe Reader, Java and other PC software run on Windows operating systems.

Amorize added that users with up-to-date antivirus software wouldn't be at as great a risk.

Symantec's Predictions for 2011
Just after Thanksgiving Antivirus software giant Symantec looked ahead at the threats to come in 2011 in this blog post titled The Shape of things to come.

Symantec identified three major themes that have particular resonance for enterprise and Windows IT pros in the coming year:

• Zero-Day" vulnerabilities will become more common as highly targeted threats increase in frequency and impact.
• The exponential adoption of smart mobile services that blur the line between business and personal use will drive new IT security models.
• Critical infrastructure will come increasingly under attack and service providers will respond, but governments will be slow to react. 

Certainly for Windows IT pros, zero-day vulnerabilities attacking Internet Explorer and related Web components as well as other frequently used applications will be a fixture in the coming year. The same can be said for mobile devices. As for the government, it will never be as fast as hacker's mind or a self-replicating automated exploit and that's something to consider to in the year to come.

Happy New Year!