Network World

Security: Threat Alert

Jason Meserve provides up-to-the-minute news on vendor security alerts and fixes.

Macs: To Antivirus or Not To Antivirus
12/04/08
While Sun and VMware top our list of patches this week, it's Apple that seems to be making the most news. Reports earlier in the week said that Apple was urging users to add an antivirus application to their Mac OS X systems. But, later in the week, Apple took down the warning page saying it was outdated. So, do Macs need antivirus? They are less of a target than Windows obviously, but still a target. Does it hurt to run antivirus and add that extra layer of security?
Malware attacks on all fronts
12/01/08
Malware authors and distributors didn't take a break for the Thanksgiving holiday. Over the past few days a new worm targeting Mac OS X has hit the Interweb as well as a new Windows Trojan that targets the vulnerability Microsoft patched in October. Plus, there are quite convincing phishing attacks targeting both Capital One and Bank of America customers to be on the lookout for. We might have slowed down for the last four days, but the bad guys have not.
A new flaw in Vista
11/24/08
Researchers have stumbled on yet another vulnerability in a Windows operating system. Vista users could be at risk of having malicious code run on their system if hackers figure out how to exploit a pair of buffer overflow vulnerabilities in Vista's Device IO Control, according to researchers at Phion. Microsoft has yet to comment on the findings, but the next scheduled patch cycle is still two weeks away.
Linux vendors patch XML parser
11/20/08
Most of the major Linux vendors have released patches for a pair of bugs in libxml2, an XML C parser and toolkit developed for the Gnome project. Both bugs could be exploited in a denial of service attack against systems that rely on the libxml2 module. Ubuntu, Mandriva, rPath and Debian are all out with patches today to remedy the problem.
Browser patches galore
11/17/08
Browser patches are the big ticket items this week with updates out for Mozilla Firefox, Apple Safari and Google Chrome. Mozilla's Firefox update involves 11 flaws, 10 of which are moderate or greater in importance. That update should be auto-downloaded to your browser already or in the coming day or two. Apple's Safari update features a new anti-fraud update, which users can get via the Apple Update feature. Google's Chrome update is a little more difficult to pin down. The patch is supposed to prevent attackers from stealing files from a PC, but it is only available to developers and not through the update feature. There is a workaround for those that run Chrome and want the patch.
Microsoft better-late-than-never with 7-year-old patch
11/13/08
From the better-late-than-never department: One of the two patches Microsoft released this week is for a 7-year-old bug in Windows, one that a founding member of the Trustworthy Computing team had warned about from the beginning. You might think there wasn't an exploit until now, so no need to patch. But, Cult of the Dead Cow (what a great name) released an exploit back in March of 2001. Not sure what took so long for Microsoft to catch up, but they finally have. Also today, we've got some carping going on between rivals IBM and TrendMicro over flaws in the latter's products. Always good fodder when security companies snipe at each other.
Patch Tuesday Lite on tap from Microsoft
11/10/08
After a mammoth October Patch Tuesday that was followed up by an emergency patch a week later, Microsoft is going lite on the security updates this month with two new fixes slated for tomorrow. One fixes a bug in Windows and Office, the other fixes a less critical flaw in Windows. Be on the lookout Tuesday around 1 p.m. EST for the updates.
Obama mania spawns malware
11/06/08
Malware authors know a good thing when they see it and usually waste little time pouncing on the opportunity. Barack Obama's presidential election win spawned a wave of Obama-themed malware attacks that try to lure viewers to a fake video of his victory speech. Of course, the fake video really installs a backdoor Trojan and steals data from the victim's machine. Also this week, Adobe finally patched a bug in its PDF applications after the flaw was initially reported five months ago.
Google patches Android flaw
11/03/08
Google was quick to patch a software flaw in its new G1 Android phone operating system. Users began seeing an update last week after security researchers disclosed the flaw earlier the same week. Fortunately, no known exploit was available (most likely because of the small target audience). Still, good to see Google getting on top of a potentially embarrassing bug quickly.
Malware authors get busy in down economy
10/30/08
What do malware authors do when the stock market is down? Increase their rate of malware distribution in an effort to capitalize on economic fears. And to do so, they're having to revert to some older tactics as the number of financial institutions dwindles, taking with them the number of phishing opportunities. This week, I talked with Ryan Sherstobitoff, chief corporate evangelist for Panda Security, about his findings on how stock and malware market activities mimic each other and other eyebrow-raising malware trends.
That was fast: Microsoft bug already exploited
10/27/08
Hope you've got that out-of-cycle Windows patch installed, because there's already a worm running amok exploiting the flaw. Microsoft took the unusual step of rushing out a patch for Windows last Thursday and within hours attack code was published that could take advantage of the flaw. Not quite Zero Day, but pretty close. Of course, a lot of noise was made over Microsoft's non-Patch Tuesday release, but some in the security community are wondering what the big deal is? After all, there are automatic systems in place to install said patches, and other vendors release patches all the time without a parade. So why the hoopla over this Microsoft release?
Security requires a little common sense
10/23/08
Sometimes it's the simple things that can lead to a data leak. Like not shredding paper data. A dentist's office near my house is in hot water for letting paperwork containing sixty patients' information get loose. The Aspen Dental office in Nashua, NH says it didn't have to shred the data before throwing it away and that it's the garbage contractor's fault for losing it. Haven't they heard of dumpster diving? All the network security in the world wouldn't have prevented this leak, but a little common sense would have.
Bad times could be good for security
10/20/08
While virus/malware writers are using the down economy as a way to push their illicit wares, security professionals can benefit as well. Network World's Ellen Messmer has a piece on how you can push your vendors for those "special" projects since they're probably more eager for business with the down economy. During downtimes, the low hanging fruit can keep them satisfied enough that they can ignore the tougher customer requests. Now, they are more willing to respond "How high?" when you ask them to jump. Check out the story in our related links section.
To patch or not to patch
10/16/08
When Microsoft releases new patches, as it does this week with its 10 vulnerability haul, everyone seems to get them installed pretty quickly after they're released. Maybe it's the automatic update feature in Windows or the fact that people are always wary of Microsoft security. Whatever the case, it's a good thing patches are installed quickly. Contrast that to a report from Computerworld that says while Oracle releases patches on a quarterly basis - with 36 delivered this week - database admins are not always as quick to apply those patches. Why? Are the systems too complex, or can they not be taken offline to update quickly? Do they require more testing? All likely scenarios. Hopefully hackers are not exploiting the gap between patch release (and vulnerability disclosure) and the time it takes to patch.
Patch Tuesday and a full moon: A bad combo?
10/13/08
October's Patch Tuesday is upon us with 11 new updates for various Microsoft products including Active Directory, Internet Explorer and Excel. Tuesday is also a full moon, so should be an interesting day. Apple users too have some patching to do as the company released a new wide-ranging Mac OS X update last week. Finally, with the downturn in the economy comes opportunity for spammers, phishers and malcode authors. If the deal looks too good to be true, it probably is.
Cisco patches Unity flaw
10/09/08
Cisco has released a patch for its Unity unified messaging platform that fixes an authentication bug that could allow unauthorized users to make configuration changes. VMware is out with a number of fixes as well for its Hosted products, VirtualCenter Update 3, ESX and ESXi lines. And Adobe finally acknowledged the Clickjacking attack that plagues its Flash player. The company released a workaround for the issue and says a permanent fix should be out at the end of the month.
Major DoS vulnerabilities in TCP/IP
10/06/08
Yikes. Newly discovered (but yet to be disclosed) flaws in the TCP/IP protocol - the backbone of the Internet - could be exploited to launch denial-of-service attacks against virtually any device running any operating system, including firewalls and other security measures. According to reports, the researchers that discovered the flaws are working with vendors to repair the issue before releasing their findings to the general public. iPhone users weren't so lucky: A frustrated security researcher detailed two flaws he found in the popular Apple device after not hearing back from Cupertino on his July discovery.
Phishers and scammers use bleak economic news to lure victims
10/02/08
Lots of Phishing, Spam and Scam news today. Looks like the down economy is proving to be a lucrative lure for scammers, who are using the stock and credit market woes in phishing attacks featuring Bank of America and pump-and-dump scams for penny stocks. Also, 419 scammers are hacking e-mail accounts and sending out a plea for money to "friends" of the hacked account. Different, but still slimy.
Yet another Firefox update
09/29/08
Thought it was odd this morning that Firefox was asking me to install a new update when I had just done so late last week. Turns out Mozilla had to rush out another patch to fix a password vulnerability in the popular browser. Be on the lookout. Also, CA Service Desk users should download the latest update, which patches multiple flaws in the trouble ticket tracking system.
Inside the hacker underground
09/25/08
Tom Rusin, President of Affinion Security Center, has me scared that hackers are trading my personal and credit card information all over the Web. His company uses monitoring of underground chat rooms and other sources to help keep customers' credit safe and he recently gave me a live look at the hacker underground in action. Amazing how much of this information is being traded every minute.
Web-based mail service not so secure
09/22/08
Much attention is being brought to Web-based mail security (or lack of), after last week's hack into vice presidential candidate Sarah Palin's Yahoo e-mail account. It seems all the major services are vulnerable to the same sort of password recovery hack used in the Palin case, so vendors are coming out with ways you can protect yourself and tips for the providers to offer better security for end users. The good news is, authorities seem to be hot on the trail of the Palin hacker.
Apple has its own Patch Tuesday
09/18/08
Apple Patch Tuesday came out of the blue this week with a new Mac OS X 10.5.5 update that fixes flaws in numerous systems, including a well-known DNS vulnerability. The company also released an update for Remote Desktop to fix a privilege flaw. Plus, there's a new Trojan on the march trying to infiltrate SQL Server systems.
DEMOFall features cool security technology
09/15/08
Last week's DEMOFall 08 generated a lot of press around the theme of "distributed Web", but there were a number of security-related technologies worthy of mention. My favorite among the bunch was Usable Systems' UsableLogin product, which promises single sign-on for Web sites using strong passwords and centralized management. Very slick.
Microsoft, Apple and Google release major fixes
09/11/08
Big names rolled out patches this week: Microsoft, Apple and Google, along with updates for Mandriva, Gentoo and Ubuntu. Microsoft's Patch Tuesday is only (only!) four critical patches, but touches some 42 different products/versions, making life difficult for those ensuring all systems are up-to-date. Google's Chrome update is interesting too because users must manually get the update, unlike competitor Firefox that automatically rolls out fixes to users. Finally, I did promise some DEMO coverage today, but will push that off until Monday. The 72 companies are all melded in my mind and I need to sort them out.
Will security products debut at big tech shows this week?
09/08/08
With some 120 new products being unveiled this week at the DEMOfall 08 and TechCrunch 50 events (I am at DEMOfall), it'll be interesting to see how many are enterprise security related. Usually, not many. But every once in a while one slips through, such as Lucent's Lojack-like system for laptops a few years ago. Hopefully we'll get a couple of new security entries that will help lock down networks while continuing to allow workers to remain productive. If so, I'll bring it to you in our Thursday newsletter. In the meantime, Microsoft's got four new critical patches coming on Tuesday.

Jason Meserve is multimedia editor at Network World.
