The Good, The Bad, The Ugly -- Redmondmag.com

The Good, The Bad, The Ugly

Oracle fixes piled onto Microsoft fixes; October out-of-band patch still makes admins twitch; common programming errors resulting in security lapses.

By Jabulani Leffall
01/13/2009

The good news: Windows enterprise professionals likely only have one security patch to deal with this month. The bad: If your Windows environment interoperates with Oracle-based applications, you may have to add more fixes to that tally as Oracle follows up Microsoft's December fixes with a whopper list of its own. Now, the ugly: A Windows Server service program is under siege, and a consortium of techies have gotten together to assert that there are at least 25 common programming errors that lead to systemic security problems.

The Oracle Knows
Businesses using the most common operating system in the world, in tandem with the most pervasive enterprise database software in the world (that is, Oracle), may want to seriously consider how to deploy security updates this month, as Oracle's patch cycle coincides with Microsoft's. Oracle says its critical patch update contains fixes for 41 vulnerabilities "across hundreds of Oracle products." The enterprise systems giant says that due to the threat posed by a successful attack, it strongly recommends that customers apply the fixes as soon as possible. Additionally Oracle Database software in particular "will be the recipient of 10 of the new vulnerabilities." One particular thing Windows users can pay special attention to this month is whether f any of the fixes affect Oracle Fusion Middleware, which ties Oracle apps together with Microsoft components such as Windows Server and Microsoft Office apps.

Patched Flaw Still a Nuisance
Panda Security reports that Windows users haven't seen the last of a remote code execution exploit in remote procedure call requests affecting supported versions of Microsoft's OS, including Windows 2000, XP, Vista, and Servers 2003 and 2008. Panda says that despite the release of an out-of-band patch in October 2008, there are huge increases in malware samples and reported infections regarding this hack vector.

Additionally, last week firm Symantec said it was tracking an increase in infections. In a blog post, Symantec said its researchers were seeing a "considerable" build up of Conficker-type bugs that can ding Windows-based PCs with malicious RPC packets on the off-chance that the local systems administrator didn't patch systems with the October update yet.

Microsoft hasn't formally responded to these suggestions by the ISVs, but in a Sunday blog post, Roger Halbheer, the chief security adviser for Microsoft's Europe, Middle East and Africa group, called Conficker an "ugly beast" and suggested users who didn't patch yet are neglecting their systems at their own peril.

Common Programming, Tactical Errors Shape IT Security
According to a study group, whose conclusions were corralled by the SANS Institute, there are 25 "dangerous programming errors" that not only lead to new security bugs but enable pre-existing ones.

The errors list came from a consortium of ITSEC pros hailing from Microsoft, Apple Product Security and the National Security Agency, a list of about 30 organizations chipped in. The group claims that the list is so comprehensive because it touches on three core categories.

Category number one is "insecure interaction" between technological components such as failure to preserve SQL Server query structures and Web page structures.

Second up on the list is the more people-oriented "risky resource management," which includes IT staffers downloading code without a quality assurance process and not properly updating software security fixes.

The third and last category is "porous defenses," which the group concluded came from Enterprises and organizations not having hard-coded passwords and not monitoring access controls and assigning unnecessary system privilege levels to impertinent staffers.

A lot of the errors can be solved with some IT auditing and top-down policy and procedure surrounding security. But in the end, IT managers must decide what to deal with first -- the bad or the ugly -- so that they can make things good again.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.

Featured

What's Inside Microsoft 365's Security Toolbox?

Microsoft provides plenty of native tools to secure Microsoft 365. IT pros just have to know where to look.
Microsoft Kills 30-Day Data Retention Policy for Copilot in Fabric

Microsoft this week announced several usability improvements coming to Copilot in Fabric in preparation of its general availability release later this year.
Using Microsoft Office to Build a Network Diagram 2

Now that we've set up our process, let's dig in with the actual execution.
Microsoft Graph 'Activity Logs' Feature Goes Live

Microsoft announced the general availability of the "activity logs" capability in Microsoft Graph, giving administrators more options to track user activity and identify patterns of potential misuse.
Fallout from Microsoft's 'Midnight Blizzard' Saga Hits Feds

When the Russian attack group Midnight Blizzard successfully breached Microsoft corporate e-mail accounts late last year, it apparently managed to steal U.S. government agency e-mails, too.