Security Watch

Microsoft Breaks Patch Records (Again)

Plus: researcher blames Hotmail password thefts on botnets, not phishing; Adobe joins Tuesday patch brigade.

• By Jabulani Leffall
• 10/13/2009

In the past year-and-a-half, Redmond has topped itself with at least three "historic" patch releases in which the number of vulnerabilities, as well as security bulletins, went into the double digits.

Here we go again.

The record wrecking continues with the hotfixes released this week. Patches for all versions of Microsoft's operating systems and for applications such as SQL Server, Office and Silverlight are all in play, along with the much-anticipated hotfix of a Server Message Block (SMB) vulnerability.

Security pros are predicting a long week for administrators who will have to decide what to patch, what not to patch and whether to wait to patch (whew) due to the sheer size of October's slate.

"Overall, the advanced bulletin from Microsoft further illustrates the importance of the need for a strong patching solution as IT administrators will spend a lot of extra time patching this month if they don't have a proper process in place," said Paul Zimski, VP of market strategy for security firm Lumension.

The frequency of record-setting patch releases over the last two years shows beyond a shadow of a doubt that hacker sophistication and brazenness have grown, and that as the Web and network-bound processing environments expand, so too will attacks.

Researcher: Hotmail Password Theft the Work of Botnets
Mary Landesman, a senior security researcher at San Francisco-based ScanSafe, contends that the recent incursion into thousands of Hotmail accounts wasn't the result of phishing attacks, but of botnets.

As I mentioned in last week's blog post, Microsoft stated that the incursions were definitely phishing-related and "not a breach of internal Microsoft data."

If the incursions were, in fact, automated (and not the result of phishing), the implication is that botnets likely got into Hotmail's server and recovered the compromised passwords. Landesman thinks that there were variations in password complexity among the exposed accounts that are inconsistent with a phishing attack,

"The victims appeared to be taking reasonable precautions (in most cases) with the uniqueness, length and complexity of their password," Landesman wrote in her blog. "There were certainly exceptions, but by and large the passwords could be considered respectable."

In other words, the victims whose accounts were hijacked were probably a bit more experienced and cautious than most Web users, and "thus potentially less likely to fall for a phishing scam."

For its part, Microsoft said it's continuing to investigate the issue.

Adobe: We Have Patches, Too
Adobe continues to have issues with .PDF files that are vulnerable to malicious embedded code. This week, to add insult to installation for security pros, Adobe said it's joining Microsoft in issuing patches on Tuesday, in its case for Adobe Reader and Acrobat versions 9.1.3 and earlier on Windows, Mac OS and Linux.

For the fourth time this year, Adobe says it has seen reports of hackers using corrupted .PDF documents to break into Windows PCs when unsuspecting, curious or careless users open them. The bug is being exploited in "limited, targeted attacks," Adobe said in a security advisory.

Meanwhile, Microsoft said current users of Vista and Windows 7 can protect themselves by enabling Data Execution Prevention, a security feature designed to stop various document-borne exploits.