February 09, 2007
Microsoft Expected to Release a Record Number of Patches Next Tuesday
Microsoft announced that it will release at least a dozen patch bundles this next patch Tuesday to plug various vulnerabilities in its Windows operating system and other software.
This batch of patches could end up breaking a record for the number of vulnerabilities fixed in one fell swoop, as each patch usually fixes a number of flaws. Microsoft said that most of the patches address 'critical' flaws, which usually means that they could be exploited by an attacker or worm to take complete control over a computer.
Three of the patches are expected to address problems with the MS Office productivity suites. Also, Microsoft noted that one of the critical patch bundles will patch security flaws in Windows Live OneCare, Microsoft Antigen, Microsoft Windows Defender, and Microsoft ForeFront -- Microsoft programs designed to defend Windows machines from spyware, viruses and worms.
As Microsoft has been known to make last minute decisions on updates and patches, I'll keep you notified once patch Tuesday rolls around next week.
Tags: Microsoft Patch Tuesday, Office Patches
Posted by pschooff in Patches
January 17, 2007
Update Update Update!!!
As proof that IT pros must update often and on-time, and many still don't, a certain patch that Symantec issued seven months ago for a vulnerability in their antivirus software is still being actively exploited throughout cyberspace. That means that a virus that should be dead and gone by now is still very much ALIVE!
As reported by The Register, this exploit turns user PCs into zombies that join other zombies to create a vast botnet used to spread spam and engage in denial-of-service attacks. And the only thing keeping this malware alive is other IT pros, pro as in procrastinators (although there are plenty of excuses, of course, as just about everything needs to be done yesterday).
The attack targets unpatched versions of Symantec Client Security and Symantec AntiVirus Corporate Edition. Symantec initially dismissed the flaw, saying it wasn't likely to be exploited, until the worm resurfaced in November. And unlike many Symantec updates, which are installed automatically, the fix for corporate antivirus software has to be downloaded from the company's website and manually installed. Symantec is wisely re-evaluating this policy.
Let's face it, most IT professionals pay for protection so they can be free to worry about all the other things there are to worry about in a corporate computer system.
Tags: Security Updates, PC Zombies, Symantec Patch
Posted by pschooff in Better Protection • Patches • Small Medium Enterprise
January 16, 2007
Good Security News At Last
Like anyone, I get tired of turning on the evening news and always hearing about this or that horror, and in terms of blogging about security, quite frankly I am tired of all the stories about how hackers have made mincemeat of our defenses (let’s face it, we work hard and pay good money to keep our computers secure).
So I am happy to report about this most excellent and totally free tool from Secunia, the Secunia Software Inspector, which, when downloaded, will scan your machine to tell you exactly what patches you are missing. And get this, this program not only tells you how you stand with Microsoft Windows updates, but will also give you the heads up on Skype, instant-message applications, Web browsers Firefox and Opera, as well as multimedia applications such as Adobe Reader, QuickTime, iTunes, Macromedia Flash Player, Sun's Java JRE, and Winamp.
I uncovered this information on Brian Krebs's Security Fix, and what is great about this handy tool is there is no need to download any software, you can simply run the scanner straight from the site (but you will need to temporarily enable JavaScript if you have it disabled). So check out your patches pronto and let's at least make hackers have to work for it.
Tags: Patch Checker, Security Inspector
Posted by pschooff in Better Protection • Patches
January 09, 2007
Critical Patches Issued for Excel, Outlook and Windows
In its first monthly scheduled Patch Tuesday of 2007, Microsoft issued patches for 10 security flaws which fixed vulnerabilities in Excel, Outlook and Windows. 3 of the patches were deemed critical, in that they would allow bot herders to take control of targeted computers in the growing botnet problem, while a fourth patch was rated as important.
Security professionals are saying the most important update is the MS07-004, which fixes a problem in the Vector Markup Language which could potentially allow remote code execution if the user visits a certain web page. This is considered crucial because it affects all versions of Internet Explorer, including the most recent release IE 7.
The other critical and important patches, according to Microsoft and as taken from Search Security, are as follows:
MS07-002, which fixes five separate security flaws in Microsoft Excel, most of which are exploitable when the spreadsheet program parses certain files and processes malformed IMDATA, column and palette records. One of the flaws wasn't specified.
MS07-003, which fixes three separate flaws in Microsoft Outlook. The first flaw is exploitable when Outlook parses a file and processes a malformed VEVENT record. The second flaw is exploitable when Outlook parses an .oss file.
The third flaw is a denial-of-service condition that involves the way Outlook processes email header information. "An attacker who successfully exploited the vulnerability could send a malformed email to a user of Outlook that would cause the Outlook client to fail under certain circumstances," Microsoft said. "The Outlook client would continue to fail so long as the malformed email message remained on the email server."
The fourth security update, MS07-001, was rated important. It fixes a remote code execution vulnerability in the Microsoft Office 2003 Brazilian Portuguese Grammar Checker. An attacker could exploit the flaw when Office opens a file and parses the text, Microsoft said.
Today’s security update was only half the number expected by many, as Microsoft said it would release 8 critical updates, but today only issued 4 of them. A Microsoft spokesman explained, "There are many factors that impact the release of a security update, and every vulnerability presents its own unique challenges," adding that Microsoft also tweaked its advance notification last month when it added MS06-078 to fix two zero-day flaws in the Windows Media Player.
Tags: Microsoft, Patch Tuesday
Posted by pschooff in Patches
December 07, 2006
Critical MS Word Flaw Found
Microsoft is looking into a vulnerability in MS Word that could allow a hacker to gain control of a PC or Mac just from opening a malicious Word file attached to an email.
According to this Microsoft advisory, so far this previously unknown flaw has only been used in limited attacks and affects Word 2000, Word 2002, Word 2003, Microsoft Word Viewer 2003, Word 2004 for Mac, Word 2004 version X for Mac, and Works 2004, 2005, and 2006.
"In order for this attack to be carried out, a user must first open a malicious Word file attached to an e-mail or otherwise provided to them by an attacker," the advisory stated.
Microsoft may release a patch for the issue on its regular monthly patch schedule, which would fall on December 12, or could issue an emergency update before or after that date.
Until then, and even after that, it's a good idea never to open an attachment from a sender you don't directly know. And even if you do get an attachment from someone you know, it's probably a good idea to approach attachments cautiously, and if anything about the email seems even a little bit off (I once got an email from a lawyer friend that started off with "Yo," and my friend would never say that), check with the sender directly.
Tags: Microsoft Word, Email Virus
Posted by pschooff in Hackers • Microsoft • Patches
November 29, 2006
Apple Issues Major OS X Patches
Apple released 31 patches yesterday for exploitable flaws in the Mac OS X operating system. The free updates can be downloaded using OS X’s software update feature, or directly from Apple.
Brian Krebs's Security Fix reported that the first patch corrects a flaw found in the wireless cards on certain Mac systems which HD Moore, a researcher, first uncovered earlier this month, and which attackers can use to install malware. Apple said the vulnerability is present in eMac, iBook, iMac, PowerBook G3, PowerBook G4, and Power Mac G4 systems equipped with an original AirPort card; systems with the AirPort Extreme card are not affected.
The remainder of the patches correct easily exploitable flaws, such as malware that can be installed when a computer simply visits a specific website. Other flaws corrected include a fix for ClamAV, which is an antivirus program used by OS X, as well as a whole hacker’s dozen of vulnerabilities with how OS X unzips compressed files.
Tags: Apple, OS X Patches
Posted by pschooff in Apple • Patches
November 15, 2006
MS Patch Tuesday Wrap-Up
Yesterday, Microsoft issued patches to correct nine vulnerabilities in the Windows operating systems and Internet Explorer as well as other software. 3 of the patches fixed security holes in Internet Explorer that could install malware onto a computer just by visiting a specially built website. Another exploit with IE can occur if someone merely views a tainted HTML message in an email preview pane.
Microsoft said the IE flaws are much less of a problem on Windows Server 2003 systems or with IE7, as their default settings won’t allow those flaws to activate.
Other security patches fixed a flaw in Windows “Microsoft Agent” that again could be exploited simply by visiting a site, while another corrected serious flaws in Adobe’s Macromedia Flash player that comes bundled with Windows XP.
Microsoft also patched a critical bug in the “workstation service” in Windows XP and Windows 2000. This is more of a problem for businesses, as it’s most likely to be exploited by someone with access to a company’s internal network.
Finally, two critical flaws in “XML Core Services” and “Client Service for Netware” were corrected, but neither is automatically installed by default on Windows machines. Users can download and install the patches via Microsoft or with the company’s Automatic Update service.
Tags: Microsoft, Patch Tuesday
Posted by pschooff in Microsoft • Patches
November 09, 2006
Mozilla Fixes Flaws
Mozilla has patched flaws in Firefox, Seamonkey and Thunderbird that hackers could use to bypass security restrictions, crash computers and run malware on machines. It is important to note, though, that these flaws do not affect the recently launched Firefox (which also features new security tweaks and an anti-phishing tool).
Below are the three advisories released by Mozilla and excerpted from SearchSecurity:
• Attackers could exploit several unspecified glitches to corrupt system memory, crash machines and possibly run malicious code. Mozilla noted that Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were enabled in mail.
• RSA digital signatures with a low exponent could be forged. The flaw was corrected in the Mozilla Network Security Services (NSS) library version 3.11.3 used by Firefox 2.0 and current development versions of Mozilla clients, but Firefox 1.5.0.7 was still vulnerable to attack.
• Attackers could modify a script object while it is executing and launch malicious JavaScript code as a result.
All of these patches are deemed critical, and are fixed by Firefox 1.5.0.8, Thunderbird 1.5.0.8 and SeaMonkey 1.0.6.
Tags: Mozilla Firefox, Patches
Posted by pschooff in Better Protection • Patches
October 25, 2006
DBAs Mixed on Oracle's Security Efforts
With a week for DBAs to get accustomed to Oracle’s October patch update and revamped bulletin, so far the reviews have been mixed. In its most recent quarterly update, Oracle fixed 101 security flaws and included an updated bulletin that provides more details on the flaws being fixed.
In an article at SearchSecurity.com, DBAs discussed their impressions of Oracle’s updated approach. Some said the more detailed bulletin made deploying patches easier, while others said it made little difference. Also, half of those interviewed said that Oracle still had a way to go to improve their security process.
Many complained about how long it took for Oracle to issue the patches. Arup Nanda, a database engineer for Starwood Hotels and Resorts, said, "Some of the vulnerabilities are so severe that one would expect a resolution in a matter of days, yet they took months, and only after exploits had been lingering around the Internet for a while. So yes, Oracle should beef up their process."
Nanda was also not impressed with the new bulletin format, while Chris Ruel, an Oracle DBA with Perpetual Technologies Inc., added that he couldn’t tell the difference between this bulletin and the last one.
"Typically I don't pay much attention to the bulletins," he said. "The patches come out and I'm simply required to apply them. I read the technical details on how to apply it, but to me, they are security flaws that simply must be patched, so I don't get as mired in all the flaw details. I couldn't have told you it was any different than last time."
Other DBAs said they did notice the more informative bulletins, and found them helpful. Brian Peasland, a DBA working as a contractor with the U.S. Geological Survey, said, "This part of the bulletin is much clearer and makes it easier for me to quickly locate the patch for my specific version and platform. Prior to this bulletin, one had to click on another Metalink note and then make one more click just to find the patch number to download. My opinion is that the October 2006 CPU bulletin is much cleaner than previous ones."
Jon Emmons, an Oracle database consultant and blogger of Life After Coffee, said in an email interview, "Perhaps the most valuable new feature in the CPU bulletin is the executive summaries. These bulleted lists give a great high-level summary. At one point or another we've all had to explain to our boss why we need to apply these patches and now Oracle has given us the words to do it with."
The DBA did say that it’s important that the CPU clearly identifies the nature of the flaws and the specific products affected. Also, the harder it is to understand the bulletin, the longer it takes to start the deployment. While the actual patching process isn’t all that time consuming (usually only about 30 minutes), it’s the testing, and scheduling the downtime, that’s much more time intensive. All the more reason Oracle needs to be clear, concise, and timely in order to properly serve a company’s most valuable informational asset, its data.
Tags: Oracle, DBAs, Security Patches
Posted by pschooff in Oracle • Patches
October 18, 2006
Patches to Fix Bluetooth Flaw
Patches are now available to plug the security flaws found in the Bluetooth communications software that can give hackers the ability to compromise certain machines. Bluetooth technology allows computers to exchange information wirelessly over short distances (typically between 10 and 100 meters).
The problem resides in Bluetooth device drivers made by Toshiba Corp., drivers that are also present in a number of computers made by Dell. According to Secure Works, while an attacker would not need a computer’s login credentials on the target computer, they would need the Bluetooth address of the victim’s device, but that wouldn’t be a problem for computers configured to allow other Bluetooth devices to find it out (there are several readily available Bluetooth scanning tools that could easily be used).
Secure Works reported that the Toshiba drivers are also present in some Sony Vaio and ASUS computers. It was SecureWorks researcher David Maynor and independent researcher Johnny “Cache” Ellch who revealed the flaw, and said it could cause the ominous “blue screen of death” to appear. Both acknowledged they were not able to use the bug to install programs on a vulnerable machine.
According to Elizabeth Clarke, a spokesperson for Secure Works, Maynor "was able to demonstrate a crash that could execute code on a Dell running a Toshiba Bluetooth stack." Apparently, Dell was the only hardware platform they tested the exploit on.
Dell said it has shipped updates to fix the problem on Latitude Models D820, D620, D420, and D520. Other Latitude models also are vulnerable, including the D810, D610, D410, D510 and X1 versions, but the company doesn't expect to ship updates for those models until Nov. 4.
While it is not likely that these vulnerabilities will be readily exploited anytime soon, it is always a good idea to make sure you have the most up-to-date Bluetooth drivers.
Dell patches can be found right here. Select “Latitude,” your model, the operating system you are using, then hit “find downloads.”
To see which version of Bluetooth you have installed, follow this from Brian Krebs's Security Fix, where this article came from: “right-click the blue "Bluetooth Manager" icon in the task bar near the system clock, then select "Device Properties" and then "General." If that doesn't work, right click on the Bluetooth Manager icon, select "Options," then "General," then "Details." Users running version 4.20.01 should download and install the "PC Bluetooth Stack," available at this link. Toshiba users with Bluetooth versions 3.x through 4.00.36 should install the "PC Bluetooth Stack Security Patch 2,” downloadable from this link.
Tags: Bluetooth, Dell, Toshiba, Secure Works, Sony Vaio, ASUS, Patches
Posted by pschooff in Better Protection • Dell • Patches • Small Medium Enterprise
October 13, 2006
Hackers Get Predictable
To most people, patch Tuesday means a chance to shore up their Microsoft programs and hopefully make their desktops more secure. For hackers, it means Microsoft is pretty much finished fixing their vulnerabilities for a month, so why not maximize the time they have for the next series of exploits. So, according to Brian Krebs Security Fix, as regular as patch Tuesday has become, the day after has become known as exploit Wednesday.
The day or two after, the hacker bulletin boards light up with the newest found flaws. Just yesterday hackers revealed a serious flaw in the PowerPoint files of Office 2003, which means someone up-to-no-good can install malicious software on your computer just by having you open a document. For its part, Microsoft has acknowledged reports of a possible vulnerability.
To me, it seems like it's time to stop this too predictable cycle. While I know it's not practical to have IT administrators updating their systems daily, and it is good to have a deadline for patches, it's not like we're ever likely to see the following announcement from our IT Admins: Employees, please turn off your computers between 3 and 4 PM today because cyber criminals have told us they're going to be launching an attack. Microsoft needs to adopt an approach that is as dynamic and unpredictable as those of the hackers.
Tags: Brian Krebs Security Fix, Microsoft
Posted by pschooff in Hackers • Microsoft • Patches
October 10, 2006
Patch Tuesday
As Microsoft continues to adhere to their plan of one set of patches per month, their list of security updates scheduled for today has grown to 11 (not exactly a record, which I believe is 22).
Of the eleven, six will be for Windows, four for Office (with both sets having patches deemed 'critical'), and the final one is for the company's .NET Framework. This is according to Microsoft's Advance Notification bulletin on its Technet website. These updates can be found at Automatic Updates and will require a restart.
There has been some conjecture that one of the patches will actually be Internet Explorer 7, a long overdue corrective to IE6, and will give Explorer security features and web enhancements that are common with other browsers. While Microsoft refuses to confirm whether IE7 will be released today, they do say it is due out this month, and will feature tabbed browsing, RSS feeds, as well as tools to stop phishing. The new version also promises to shore up ActiveX, which helps with web interactivity, and which has been so abused by hackers they have come to call it HacktiveX.
And in Microsoft's well publicized move to a more secure (along with additional cost) platform with the upcoming Windows Vista, one of IE7's most useful security features, which they have deemed a containment wall, will only be available for those who upgrade to Vista.
Microsoft will also be releasing an updated version of its Malicious Software Removal Tool and will host a webcast Wednesday to answer any questions. Also, as these notices alert hackers as well as administrators, I’d recommend you implement the patches ASAP.
Tags: Microsoft, patches
Posted by pschooff in Patches • Small Medium Enterprise
October 05, 2006
Patches and Patch Adams
Microsoft, which has been downplaying a recently discovered VML (vector markup language) vulnerability, has "rush released" a patch to resolve the problem, making one believe that it was more critical than they let on. The vulnerability primarily targets those who are logged on with full administrative rights, and an attacker could gain complete control over an affected system where they could install programs, view, change, or delete data, and even create new accounts with full rights. Users without full rights are less vulnerable, and now that zero-day attacks have become a real possibility, Microsoft recommends that the update be applied immediately. You can download the update here.
Also, the Patch Adams in the title refers to the reported JavaScript flaw in Mozilla, which was announced by two presenters at the ToorCon hacking convention in San Diego and was, like the doctor who healed through humor, actually intended as a joke. Said the 19-year-old Mischa Spiegelmock, "The main purpose of our talk was to be humorous...the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has."
Tags: Microsoft, Patches
Posted by pschooff in Microsoft • Patches