Security Watch

Windows IIS in Hot Seat Again

Plus, Adobe may surpass Office for most security vulnerabilities; Chrome a growing target for hackers.

• By Jabulani Leffall
• 01/05/2010

It looks like Redmond's security staff will begin the new year by dealing with old security issues.

A flaw has been reported in Windows Internet Information Services (IIS), which is no stranger to security problems.

IIS is a vital program to Redmond; at any given time, it's either the No. 1 or No. 2 Web server in the world in terms of conducting Web traffic.

In a blog post late December, Microsoft spokesperson Christopher Budd downplayed assertions about IIS from security researcher Soroush Dalili and third-party security company Secunia, both of whom said there were corrupt code problems in the program.

Secunia theorized that the IIS glitch is caused when the Web server wrongly executes ASP code in files with extensions separated by semicolons.

Budd said that a Microsoft investigation over the holidays revealed that there are some inconsistencies with IIS but no new exploits on the program. He suggested that the results of Dalili's and Secunia's IIS vulnerability trials were more about poorly configured servers in an enterprise environment and less about a bug in IIS.

There's no word on whether Microsoft plans to cumulatively patch IIS, just to cover all the bases.

Adobe To Surpass Office in Security Vulnerabilities?
Those following IT security have known for quite a while that hackers are increasingly looking to exploit software applications that sit on or are installed via operating systems, rather than exploiting the operating systems themselves.

Those in the know are also hip to the fact that Adobe was one of the most targeted and porous applications last year -- and apparently remains so.

In its "2010 Threat Predictions" report (PDF), anti-virus software giant McAfee says Adobe's Acrobat Reader and Flash applications will likely surpass Microsoft Office as favorite targets of cybercriminals in 2010.

"Using reliable 'heap spray-like' and other exploitation techniques, malware writers have turned Adobe apps into a hot target," McAfee's report notes in a section titled "Malware Writers Love Adobe, Microsoft Products."

As two of the leaders in document presentation, graphics and imaging, Adobe Flash and Reader are the closest rivals to Office in their ubiquity. McAfee predicts that their status as two of the most distributed applications in the world will lead hackers to target Adobe.

The implications for Windows enterprise administrators are varied and vast, considering that Internet Explorer is the browser in which Adobe documents are currently opened, and that hackers will be able to study Adobe's vulnerabilities regularly now that Adobe's patch schedule is synchronized with Microsoft's monthly Patch Tuesdays.

Chrome a Target for Hackers in 2010
Late in 2009, Google's new Chrome operating system, which doubles as a browser since the open source program is Web-based, surpassed Apple's Safari as the world's No. 3 browser behind Firefox and Internet Explorer.

In December, nearly a year after its beta release for Windows PCs, Google released Chrome for Mac and Linux, which helped Google scoot past Safari in total market share.

Ironically, though, Chrome's roots in the WebKit technology used by Safari, along with its reliance on a new generation of HTML called HTML 5, will make it one of the more targeted browsers this year for hackers.

If Google has its way, HTML 5 would supplant rich-media plug-ins such as Adobe Flash and Microsoft Silverlight, both of which come with development features that Web designers and system engineers can build directly into the code that runs Web sites.

But increasing ubiquity will come with increased threats as hackers move to the Web to stage attacks. For instance, if a Chrome user on a Windows PC wants to tack on Google Wave (the cool new collaboration and communication software), they may be vulnerable to botnets, worms or automated malware.