Security Watch

False Sense of DLL Security

Dynamic link library vulnerabilities have long been the bane of Windows IT pros' existence, and this year more than most. As recently as August, Microsoft issued an advisory with workarounds and guidance on the DLL-loading flaw, and it has since shipped patches for affected products as well.

Well it's not over yet.

According to a recent entry on the Acros Security Blog, Windows applications remain vulnerable to DLL hijacking even on patched systems. The research shop says "DLL planting and DLL loading" attacks are still possible because of the way Windows searches for a DLL that an application requests by name: when the library is not where the application expects it, the loader falls back through a fixed list of directories, some of which an attacker can write to. Such attacks, it should be pointed out, take detailed knowledge of Windows directories and of the binaries involved. Perhaps that's the very reason Windows IT pros should take notice.
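To make the loader behaviour concrete, here is an added example (not code from Acros, Microsoft or the original column) that walks Microsoft's documented DLL search order over a constructed file list instead of a real filesystem. The application, share and DLL names are made up; the order itself, the effect of SafeDllSearchMode, and the CWDIllegalInDllSearch workaround from Microsoft's August advisory are as documented. The 16-bit system directory is omitted, and the workaround's conditional values (exclude the CWD only when it is remote) are collapsed into the single cwd_illegal flag, which is accurate here because the constructed CWD is a network share.

```python
"""Model of the Windows DLL search order: the loader's fallback when an
application asks for a DLL by bare file name and the DLL is neither already
loaded nor a KnownDLL. Added example; it touches no real loader, it only
walks the documented order over a constructed file list to show why a DLL
the application probes for but does not ship can be satisfied from the
current working directory (CWD), and what CWDIllegalInDllSearch removes."""

SYSTEM32 = r"C:\Windows\System32"
WINDIR = r"C:\Windows"


def _path(directory, name):
    """Windows-style join, case-folded so lookups are case-insensitive."""
    return (directory.rstrip("\\") + "\\" + name).lower()


def search_order(app_dir, cwd, path_dirs=(), safe_dll_search_mode=True,
                 cwd_illegal=False):
    """Directories the loader consults, in order. SafeDllSearchMode (the
    default since XP SP2) moves the CWD below the system directories;
    CWDIllegalInDllSearch = 0xFFFFFFFF drops the CWD entirely."""
    if safe_dll_search_mode:
        order = [app_dir, SYSTEM32, WINDIR]
        if not cwd_illegal:
            order.append(cwd)
    else:
        order = [app_dir]
        if not cwd_illegal:
            order.append(cwd)
        order += [SYSTEM32, WINDIR]
    return order + list(path_dirs)


def resolve(dll_name, order, existing):
    """First directory in `order` that contains dll_name, or None."""
    for directory in order:
        if _path(directory, dll_name) in existing:
            return directory
    return None


def planting_verdict(dll_name, app_dir, cwd, existing, untrusted, **loader_opts):
    """'trusted', 'planted' (resolved from an attacker-writable directory)
    or 'not found'."""
    hit = resolve(dll_name, search_order(app_dir, cwd, **loader_opts), existing)
    if hit is None:
        return "not found"
    return "planted" if hit.lower() in {d.lower() for d in untrusted} else "trusted"


# Constructed scenario (hypothetical names): viewer.exe lives under Program
# Files; the user double-clicks report.doc on a share, so the CWD is the share.
APP_DIR = r"C:\Program Files\Viewer"
SHARE = r"\\fileserver\docs"          # the attacker can write here
EXISTING = {
    _path(APP_DIR, "viewer.exe"),
    _path(APP_DIR, "core.dll"),       # shipped with the application
    _path(SYSTEM32, "extra.dll"),     # legitimate system copy
    _path(SHARE, "report.doc"),
    _path(SHARE, "core.dll"),         # planted, never wins: app dir is searched first
    _path(SHARE, "extra.dll"),        # planted, wins only if SafeDllSearchMode is off
    _path(SHARE, "helper.dll"),       # planted: optional DLL the app probes for but does not ship
}
UNTRUSTED = [SHARE]


def demo():
    """Verdict for each case in the constructed scenario."""
    def v(dll, **opts):
        return planting_verdict(dll, APP_DIR, SHARE, EXISTING, UNTRUSTED, **opts)
    return {
        "core.dll": v("core.dll"),                                          # trusted
        "extra.dll safe mode": v("extra.dll"),                              # trusted
        "extra.dll unsafe mode": v("extra.dll", safe_dll_search_mode=False),  # planted
        "helper.dll": v("helper.dll"),                                      # planted
        "helper.dll cwd excluded": v("helper.dll", cwd_illegal=True),       # not found
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:26s} -> {verdict}")
```

The helper.dll case is the one that survives patching: excluding the CWD only helps when the application never finds the DLL in a trusted directory, and it does nothing for applications that build the path themselves or that load from directories on PATH that a user can write to. Setting CWDIllegalInDllSearch to 0xFFFFFFFF system-wide can also break applications that legitimately load from the CWD, which is why the per-application setting under Image File Execution Options exists.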

Microsoft Mulls Encrypting Bing
Last week we talked about Firesheep, a tool that lets its user hijack other people's web sessions on an open Wi-Fi network by capturing the unencrypted session cookies those sessions send. Firesheep itself is packaged as a Firefox extension. So, where does Microsoft come in?

The blogosphere is ablaze with assertions that Redmond-owned Windows Live is among the sites whose sessions can be hijacked with Firesheep. One blogger who believes this to be true is Errata Security's Robert Graham.

Graham, as well as other security bloggers such as Eric Butler, who created Firesheep, have called the Firesheep release a "game changer" that makes the case for SSL (Secure Sockets Layer) and other encryption on Microsoft-related sites.

Firesheep runs in Firefox, but that is the attacker's browser. The victim's browser makes no difference, because the cookies are captured off the wireless network, not from the browser, so IE users on the same open Wi-Fi are no safer than Firefox users. Meanwhile, a NetworkWorld blog reports that the managers of Redmond's Bing search engine are looking to add SSL to it. The blog quotes a Microsoft spokesman: "The security and privacy of our customers is very important to us at Bing. We are looking at SSL and other technologies for future releases of Bing."

The thinking here seems to be that it's only a matter of time before Microsoft-related sites that still send session cookies over plain HTTP come under greater pressure, and greater risk, now that the attack is a browser add-on anyone can install.
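What site operators actually have to fix is visible in their response headers. The following added example (not code from Firesheep, from any of the bloggers quoted, or from any Microsoft site) audits constructed Set-Cookie and Strict-Transport-Security headers for the exposure Firesheep exploits: a session cookie without the Secure attribute is sent on every plain-HTTP request, where anyone on the same open network can capture and replay it. The cookie names and the session-name heuristic are assumptions for illustration.

```python
"""Audit HTTP response headers for the Firesheep exposure: session cookies
that are not marked Secure travel over plain HTTP and can be sniffed on an
open Wi-Fi network. Added example with constructed headers."""

# Substrings that suggest a cookie carries a session or login token
# (heuristic assumption; adjust to the application's real cookie names).
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header_value):
    """Split 'name=value; Attr; Attr=val' into a dict. Attribute names are
    case-insensitive per RFC 6265, so they are folded to lower case; the
    cookie value keeps any '=' characters it contains."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.strip():
            attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def looks_like_session(cookie_name):
    lowered = cookie_name.lower()
    return any(hint in lowered for hint in SESSION_HINTS)


def audit(headers):
    """headers: list of (name, value) pairs as received from the server.
    Returns a list of (cookie_name, problem) findings; '*' means the
    finding concerns the whole response."""
    findings = []
    has_hsts = any(n.lower() == "strict-transport-security" for n, _ in headers)
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(value)
        if not looks_like_session(cookie["name"]):
            continue
        if "secure" not in cookie["attrs"]:
            findings.append((cookie["name"],
                             "missing Secure: sent over plain HTTP, sniffable on open Wi-Fi"))
        if "httponly" not in cookie["attrs"]:
            findings.append((cookie["name"],
                             "missing HttpOnly: readable by script, a separate hardening"))
    if not has_hsts:
        findings.append(("*", "no Strict-Transport-Security: the browser may still "
                              "make plain-HTTP requests to this host"))
    return findings


# Constructed responses: the weak one is what Firesheep preys on, the
# hardened one keeps the session cookie off the wire in clear text.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SESSIONID=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "prefs=lang=en; Path=/"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Set-Cookie", "SESSIONID=abc123; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "prefs=lang=en; Path=/"),
]


if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(response) or "no findings")
```

Marking the cookie Secure is only half the fix: the site must also serve the pages that use the cookie over HTTPS, or the browser has nowhere to send it. The Strict-Transport-Security check is there because a Secure cookie on a site that still answers on port 80 leaves the first, unencrypted request available to an attacker on the network.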

Google Serious About Mobile
Google's Android smartphones, with their hip OS, are outselling Apple's much-lauded iPhone. And Google is taking the one-upmanship a step farther with a program for mobile security in the enterprise. According to the Google Enterprise blog, administrators can now apply built-in security settings to the Android phones their employees use for work.

These are controls IT has long had for corporate laptops. They include the ability to:

  • Remotely wipe all data from lost or stolen mobile devices
  • Lock idle devices after a period of inactivity
  • Require a device password on each phone
  • Set minimum lengths for more secure passwords
  • Require passwords to include letters and numbers

It's good to hear Google is getting ready for the inevitable security problems that could otherwise leave it and its customers exposed in the enterprise.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.
