Security Watch

Hybrid Fix Among 9 Patches for August

Plus: Adobe Reader exploits growing; Twitter tweets on attacks; ACLU dismayed at White House cookie plans.

• By Jabulani Leffall
• 08/11/2009

For some security pros are still recovering from July's out-of-cycle patches, released late last month -- that's if they've even gotten to them yet as the release was on July 28 -- on Tuesday Microsoft is saying to these enterprise staffers, 'well here's nine more.'

There will be five critical patches and four important ones with one doozie of a hybrid patch in the form of a cluster fix Microsoft Office, Visual Studio, ISA Server and BizTalk Server. That's right -- one patch across four different programs. This particular security bulletin will raise eyebrows among security pros, since Visual Studio and ISA Server were both patched in July's cycle.

Out of band patches and heavy-volume regular cycle roll outs are becoming more frequent as the Internet grows in usage and popularity and hackers start to blur the line between client- and server side incursions.

With the rise of virtualization, the Web will play an even more important role and it will be easier for hackers to hide as well as be more nimble, cunning and selective in who they hit.

Adobe Exploits Growing
Speaking of who or what hackers are choosing to hit, Adobe Systems Inc., which recently announced that it would periodically have Patch Tuesday releases to coincide with Microsoft's monthly rollout, is the new popular target.

Independent security research shop F-Secure says its research of exploits affecting Windows OSes shows that more than 48 percent affect Adobe's Acrobat Reader. In fact, Acrobat has now surpassed by leaps and bounds that of Microsoft Office documents, which have been on a ride of their own in the last couple of years. The three Office apps together only represent 7.4 percent (Excel), 39 percent (Word) and 4.5 percent (PowerPoint) of the exploits that F-Secure tracked.

This is probably why Adobe has chosen to coincide its fix release with Redmond's release -- giving administrators an opportunity to test and install everything at once. It will be interesting to see how Adobe's patch management process evolves or if the rise in exploits leads to a strategic shift on the enterprise with the use of other types of files. Time will tell.

Twitter Still Sorting Out Attack
The people at Twitter teetered on disaster last week when hackers, through a Denial of Service attack, shut down the microblogging and social networking portal. This blog has extensively covered the evolution of exploits on Twitter and also colossally flubbed the Queen's English in pathetic attempts to see how clever one can be with the word Twitter.

Neither of these occurrences, it turns out, are funny at all. For its part, Twitter said in a blog post that it is preventing some third-party Twitter applications from communicating with the company's application programming interface, which has frustrated some Twitter app users who are trying to get push products, services, killer apps and interactive links by getting their tweet on.

The company described its investigation and post-attack maintenance as "ongoing" in the blog post.

"Due to defensive measures we've taken against the ongoing denial-of-service attack, some Twitter clients are unable to communicate with our API, and many users are unable to tweet via SMS," Twitter's team wrote.

Hands In The Cookie Jar
The American Civil Liberties Union has been known to fight for rights and adjudicate, as well as be an advocate for obscure causes. Now it's all about cookies for the ACLU -- that is, Web Cookies, aptly named because of the digital signatures and information "crumbs" left in the wake of a user's browsing session. By definition, cookies contain valuable info such as form information, saved passwords, user preferences and even shopping cart contents resulting from e-commerce purchases.

The ACLU this week maligned a proposal by the White House Office of Management and Budget that would allow the greater use of cookies on government Web Sites. Cookies, the ACLU argues, "can be used to track an Internet user's every click and are often linked across multiple websites; they frequently identify particular people."

It takes sophisticated hackers to glean info from cookies and such digging has to be targeted with the intruder knowing what they're doing. But from the ACLU's perspective, this is the way the cookies -- ahem -- crumble.