IT Security


Critical Windows 7 holes fixed in record Patch Tuesday

 

Microsoft released a record 13 bulletins covering 34 vulnerabilities on Patch Tuesday, including the first critical update for Windows 7, as well as fixes for zero-day flaws in Server Message Block (SMB) and Internet Information Services (IIS).
The most severe of the three SMB flaws, which were first reported last month, could allow an attacker to take control of a computer remotely by sending a specially crafted SMB packet to a computer running the Server service. Exploit code for one of the SMB holes has been posted to the Web, Microsoft said.
Windows 7 is affected by two critical patches intended to mend vulnerabilities that could allow remote code execution if a malicious Web page were viewed, one part of a cumulative security update for Internet Explorer and the other in .Net Framework and Silverlight.
The official release date for Windows 7 is October 22, but the new operating system has been available to some large businesses with volume licenses since the summer. The code was finalized in July.
Other critical patches in the security bulletin for October fix a vulnerability in Windows Media Runtime that could be exploited if a user opened a malicious media file or received malicious streaming content from a Web site or application, and if a specially crafted ASF (Advanced Systems Format) file is played using Windows Media Player 6.4.
Among the critical updates: a cumulative security update of ActiveX Kill Bits, addressing a flaw that is being exploited and that affects ActiveX controls compiled using the Active Template Library (ATL); and another patch resolving several vulnerabilities in ATL ActiveX controls that could allow remote code execution if a user loaded a malicious component or control. ActiveX and ATL were the subject of an emergency patch Microsoft released in July.
The final critical bulletin fixes a hole in Windows GDI+ (Graphics Device Interface) that could allow an attacker to take control of a computer if the user viewed a malicious image file using affected software or browsed a malicious Web page.
“Microsoft has repeatedly had to fix problems related to the Graphics Device Interface in Windows, and vulnerabilities in the component have been exploited broadly in the past. We can expect that security researchers will be looking to reverse-engineer today’s patches, which may very well lead to exploits being created,” said Dave Marcus, director of security research and communications at McAfee Labs.
Nine of the vulnerabilities were previously disclosed, which meant that attackers had time to come up with so-called “zero-day” exploits before the patches were available, Marcus noted.
The most alarming vulnerability in the mix is the SMB flaw, which was introduced by the patch for a different vulnerability, according to Josh Phillips, virus researcher at Kaspersky Lab.
Andrew Storms, director of security operations at nCircle, said the bug that is likely to have the biggest impact will be the critical one that affects Windows Media Runtime and involves a speech codec bug that has limited exploits in the wild. “This is a typical file-parsing issue and similar to vulnerabilities that have allowed attackers to create drive-by attacks that infect unsuspecting video viewers,” he said.
Meanwhile, the critical SMB vulnerability is relatively difficult to exploit given default firewall conditions, but the IIS bugs are easy to exploit, Storms added.
“The sheer volume of the bulletins and patches is extreme,” said Jason Miller, senior data team leader for Shavlik Technologies. “This is really going to affect administrators. It’s going to be very challenging because of the time and research that’s going to be needed” to patch systems.
Also released were five bulletins rated “important” to fix vulnerabilities in IIS, for which exploit code has been publicly released and for which there have been limited attacks, along with Windows CryptoAPI, Windows Indexing Service, Windows Kernel, and Local Security Authority Subsystem Service.
The update for Windows CryptoAPI relates to flaws in the way domain names are verified on the Internet, which could allow attackers to impersonate a site and steal information from unsuspecting Web surfers. The holes were revealed by researchers Dan Kaminsky and Moxie Marlinspike at Defcon in August.
Affected software includes Windows 7; Windows 2000; Windows XP; Windows Vista; Server 2003 and 2008; Office XP, 2003, and 2007; Microsoft Office System; SQL Server 2000 and 2005; Silverlight; Visual Studio .Net 2003; Visual Studio 2005 and 2008; Visual FoxPro 8.0 and 9.0; Microsoft Report Viewer 2005 and 2008; Forefront Client Security 1.0; and Office software including Visio, Project, Word Viewer, and Works.
The installation also removes the Win/FakeScanti Trojan, which displays fake malware warnings and then asks computer users to pay for fake antivirus software.

One out of 100 PCs has Malware

 

Results from a recent extensive study by Panda Security, one of the toughest anti-virus brands known on the Internet, show that 1% of all the computers in the world are affected and heavily tormented by malware.
Sure, 1% seems like a very small amount, but if you equate that to the actual number of PC and laptop users exposed to the Internet, we’re talking about millions of users falling victim to the evil deeds of malware.
The numbers indicate that malware has become a growing problem over the years. People are being robbed blind of their IDs and other confidential information that could be used against them, or in favor of those who take advantage of the unauthorized access. The worst common scenario for an individual is financial loss due to stolen information, and it doesn’t take a genius to see that’s bad.
So let this be a warning to readers out there: protect your computers, and ultimately yourself, from malware attacks.

$250,000 Reward for Conficker Author

 

Microsoft has pulled out the big bucks and announced a 250 thousand dollar reward for the person or persons who can lead international authorities to the arrest and conviction of the authors of the infamous Conficker (Downadup) worm. The worm, which is known to affect all versions of the Microsoft Windows operating system, has even migrated over to the new Windows 7, as well as infiltrating Windows Vista Service Pack 1 and Windows XP Service Pack 3.
Conficker was initially spread by exploiting a critical vulnerability in the Windows Server service. Since that was patched in October 2008, the malicious code has continued to evolve, with two current versions, Conficker.A and Conficker.B, which use additional attack vectors including unprotected network shares and the AutoPlay feature of portable media.
“As part of Microsoft’s ongoing security efforts, we constantly look for ways to use a diverse set of tools and develop methodologies to protect our customers,” explained George Stathakopoulos, general manager of the Trustworthy Computing Group at Microsoft. “By combining our expertise with that of the broader community we can expand the boundaries of defense to better protect people worldwide.”
Currently, the best clue to the origin of the Conficker worm is that the virus does not affect computers using the Ukrainian keyboard layout, which has led many investigators to conclude that its author may have ties to Ukraine. Microsoft, which considers the virus to be a criminal attack, has guaranteed to pay the reward in any country where it can be accepted, but stipulates that an arrest and conviction must be obtained for the reward to be payable.
Microsoft is not alone in this quest, either. It is but one of a consortium of companies which include ICANN, NeuStar, VeriSign, CNNIC, Afilias, Public Internet Registry, Global Domains International Inc., M1D Global, AOL, Symantec, F-Secure, ISC, researchers from Georgia Tech, the Shadowserver Foundation, Arbor Networks and Support Intelligence.

The Sony Mofiria

 

For most of us, a fingerprint is the height of personal identification, but for some applications something a bit more secure is necessary. For that, Sony is introducing the Mofiria, which uses near-infrared light to look at the veins in your finger.
Fingerprints, as we’ve all seen in movies, can be altered or removed, and a wily criminal can even mimic someone else’s prints under certain circumstances. But the veins in your finger are as unique as your fingerprint, and there is currently no known way of altering them without extensive and expensive surgery. And even that surgery could only alter yours; it cannot currently be used to simulate someone else’s.
This is exactly what the Mofiria is designed to identify. It shines near-infrared LEDs on the side of the user’s finger, and CMOS sensors then capture the light scattered inside the finger veins.
Sony hopes to have these devices available sometime during the fiscal 2009 year, and reports that these devices, like their fingerprint-scanning counterparts, are flat, which will allow for easy integration into mobile devices.

Security Flaw In MD5 Algorithm

 

Independent researchers in California and the Netherlands have discovered a weakness in the Internet’s digital certificate infrastructure, which poses a threat of hackers impersonating site identities trusted by most web browsers. In essence, hackers could make your browser believe it is on a secure website or email server while virtually undetectable phishing of your system is in progress.
The problem arises from one of several algorithms used in establishing a secure HTTPS connection, the MD5 hash function. This is not the first weakness discovered in MD5, either. A team of Chinese researchers presented the first one at a 2004 cryptology conference. In that case, they were able to create a “collision attack” and generate two messages with the same digital signature.
The new discovery builds on the collision method, but gives the attacker almost complete freedom in creating a rogue certification authority (CA) that will be trusted by most commonly used web browsers, including those from both Microsoft and Mozilla. The team hopes to draw attention to this security weakness and drive the industry to use stronger cryptographic methods.
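The practical defender-side response to the weakness above is to stop trusting any certificate whose signature was produced with MD5. The following is an added example, not code from the original post or from the researchers it describes: a minimal DER walker, using only the Python standard library, that reads the `signatureAlgorithm` OID out of an X.509 certificate and flags the MD5-based ones. The certificate produced by `make_skeleton_cert()` is a constructed, structurally valid skeleton for demonstration only, not a real signed certificate; the OID-to-name table is an assumption limited to the MD5 signature OIDs listed there.

```python
"""Flag X.509 certificates whose signature algorithm is MD5-based.

Added example (not from the original post). A tiny DER encoder/decoder is
included so the check runs offline against a constructed skeleton
certificate; real certificates would be loaded from DER bytes instead.
"""

# Assumption: MD5-based signature OIDs a defender should treat as untrusted.
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",  # PKCS#1
    "1.3.14.3.2.3": "md5WithRSA",                    # legacy OIW OID
}

# ASN.1 tags used by the skeleton and the parser.
SEQUENCE, INTEGER, BIT_STRING, NULL, OID = 0x30, 0x02, 0x03, 0x05, 0x06


def der_length(n: int) -> bytes:
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    """Wrap a body in a DER tag-length-value element."""
    return bytes([tag]) + der_length(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID into its DER content bytes (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(body: bytes) -> str:
    """Decode DER OID content bytes back into dotted form."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:          # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_tlv(buf: bytes, pos: int = 0):
    """Return (tag, body, next_pos) for the DER element starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:             # long-form length
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def signature_algorithm_oid(cert_der: bytes) -> str:
    """Extract the dotted OID from Certificate.signatureAlgorithm."""
    tag, cert_body, _ = parse_tlv(cert_der)
    if tag != SEQUENCE:
        raise ValueError("certificate is not a SEQUENCE")
    _, _tbs, pos = parse_tlv(cert_body)          # tbsCertificate, skipped
    tag, sig_alg, _ = parse_tlv(cert_body, pos)  # AlgorithmIdentifier
    if tag != SEQUENCE:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_body, _ = parse_tlv(sig_alg)
    if tag != OID:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid_body)


def weak_signature_algorithm(cert_der: bytes):
    """Return the weak algorithm name, or None if the signature is not MD5-based."""
    return WEAK_SIGNATURE_OIDS.get(signature_algorithm_oid(cert_der))


def make_skeleton_cert(sig_oid: str) -> bytes:
    """Constructed skeleton: serial-only tbs, AlgorithmIdentifier, dummy signature."""
    tbs = tlv(SEQUENCE, tlv(INTEGER, b"\x01"))
    alg = tlv(SEQUENCE, tlv(OID, encode_oid(sig_oid)) + tlv(NULL, b""))
    sig = tlv(BIT_STRING, b"\x00" * 129)  # long enough to exercise long-form lengths
    return tlv(SEQUENCE, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.11"):
        print(oid, "->", weak_signature_algorithm(make_skeleton_cert(oid)) or "ok")
```

Only the certificate's outer `signatureAlgorithm` is inspected here; a full check would walk every certificate in the chain and refuse the chain if any issuer signature is MD5-based, since it is the issuer's signature that a colliding rogue CA would forge.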

University of Michigan Introduces “Cloud Security”

 


A new twist on Open Communication - Cloud AntiVirus


Research recently done by the University of Michigan introduces a better solution to virus detection and computer protection: “the cloud”. This is a method where a series of servers are connected to act as one large anti-virus system.
The concept behind the “cloud” refers to the servers that work together by coordinating the different anti-virus software installed on each of the computers. Over the network, the combined anti-virus engines have been found to be capable of detecting over 35 percent more viruses than a single anti-virus product that clutters up the desktop and takes up memory.
This new technology is said to be a response to the many viruses that can reproduce through other media despite the best and most updated anti-virus software being installed. This kind of approach, however, is still being questioned as to its effectiveness on the Internet as well as on matters of security, since it relies heavily on computers being reachable over the network.
And the best is yet to come. Cloud security doesn’t exclude other antivirus programs, but incorporates many. At this writing, Cloud Security is compatible with 12 popular security applications.

A study has revealed that patients have better health outcomes when they are treated at hospitals that use Information Technology systems.
The study compared IT adoption with patient discharge data across 98 hospitals in Florida, and provides a very comprehensive analysis of the relationship between health outcomes and the use of information technology. Preventing medical errors, which directly improves patient safety, is considered one of the most important advantages of using information technology in health care. Computerized order entry and clinical decision support systems are further advantages. The study also analyzed three categories of information technology use that influence various aspects of hospital operations: administrative, clinical, and strategic. Administrative operations include information technology used for billing, payroll, and supply chain management. Clinical operations include laboratory and pharmacy, where physician order entry and health records are computerized. Strategic operations include nurse staffing, managed care, and executive information systems.

 
Cisco has announced a new technology, Trusted Security (TrustSec), which integrates role-based and identity-based security measures for all networks, and enterprise networks in particular. It is meant to address compliance requirements, which have grown in number for a mobile and global workforce, and to enable a more secure and more agile infrastructure. Customers expanding their businesses and their compliance policies are demanding a highly secure way to do so. The Cisco TrustSec architecture delivers a new paradigm for security, with role-based user access to applications and without compromising business velocity. TrustSec taps into many components of the Cisco lineup to create a fully trusted enterprise network; the solution depends entirely on Cisco switches and routers. Cisco wireless network controllers also play a key part in the solution, handling user authentication, enforcement of access policies, integrity, role assignment, and confidentiality of network traffic.