Security Watch

Patches Galore In Store for 2010

With April's planned patch releases, Microsoft sets pace to exceed 2009's fixes. Plus: Conficker, a year later; how you set admin rights may be key to overall security, says one vendor.

• By Jabulani Leffall
• 04/05/2010

As the Windows enterprise IT community prepares for the April patch rollout, one thing is clear: Internet Explorer is under siege.

Late last week Microsoft released an out-of-band patch, which shows not only the increasing frequency of IE-related vulnerabilities but also the increased need on the part of Microsoft to issue patches outside the rollout cycle.

Microsoft is setting the stage for a record year for off-cycle patches in 2010; as of March 30, IE has already been exposed to several high-profile bugs both staged and real that use the popular browser as a vector. Additionally, beyond the vulnerability identified in a security advisory early this year, Microsoft reports nine other vulnerabilities that are addressed in its latest cumulative IE cumulative update, meaning that just this one patch addresses 10 holes in the browser.

"The unscheduled release is in response to a reported upswing in attacks against Microsoft customers," said Don Leatham, senior director of solutions and strategy for Lumension. 

Leatham and scores of others I talk to about security-related issues say that given the rash of new attacks on IE and the appearance of zero-day threats on the browser, now is the time to upgrade to IE8, which is the strongest iteration of the browser yet. Even so, just two weeks ago a hacker "pwnd," or hacked, into that version of IE in two minutes.

Responding to Conficker, One Year Later
Right around this time last year, Conficker, a malicious self-replicating botnet that originated on Windows programs had the IT pundit contingent and security administrators scrambling for an antidote. In the end, the Conficker hype died down as Redmond issued various patches and called the IT ecosystem together for a response. To that end, the U.S. Department of Homeland Security plans this month to publish a report detailing how security researchers and Internet infrastructure providers working in the Conficker Working Group handled the most serious and pervasive automated cybertheat in years.

The working group consists of a who's who of tech giants, as well as well-known name brands like Microsoft, Symantec, Trend Micro and Facebook. Of course the catch-22 of publishing its findings at the time is that cybercriminals -- among them, Conficker's authors -- probably took notes along with everyone else.

The government's report will discuss how it all came together and how the public and private sector can collaborate in another event of this magnitude.

Securing Admin Rights Will Deter Attacks
Security firm BeyondTrust recently released a report (registration required to read it) saying what many in the enterprise IT arena already know or should know: Controlling access privileges to mission-critical systems in the enterprise environment is one of the biggest security measures an administrator can take.

In that vein, key findings from the report show that removing administrator rights will better protect companies against the exploitation of, among other things, 90 percent of critical Windows 7 vulnerabilities reported to date; 100 percent of Microsoft Office vulnerabilities reported in 2009; 94 percent of Internet Explorer bugs and 100 percent of IE 8 vulnerabilities reported in 2009, and lastly, about 64 percent of all Microsoft vulnerabilities reported in 2009.

It's important to note that BeyondTrust specializes in access control technology so there's a bit of a spin here that doesn't take some of the more sophisticated remote code execution hacks into account. But the report does get the major theme right: Internal IT policies and procedures that are clear and concise always get the job done. Clear rules on separation of duties between developers and administrators and among users with strict access parameters can markedly decrease incursions into a processing environment.