Security Advisor

Will the Real Patch Tuesday, Please Stand Up?

Windows and IT security pros already are on edge each Patch Tuesday. Now there's a fake Patch Tuesday that could push them over. Plus: Tweaks to the Exploitability Index; DLL weakness report; improving Microsoft Security Essentials; more.

• By Jabulani Leffall
• 05/10/2011

As if Windows IT security pros didn't have enough to worry about with the real Patch Tuesday, now they have to watch out for the fake Patch Tuesday.

Hackers have been circulating a scam e-mail claiming to have details for a "critical security update" from Microsoft. According to the Websense community blog, the e-mail says Microsoft has issued a "high-priority" security fix for Windows, which can be downloaded via a link in the fraudulent message. Of course Microsoft does have a Windows fix but it's not that one.

Tweaking the Exploitability Index
Speaking of Patch Tuesday, Redmond is also tweaking how it measures security risks and looking to give Windows admins some patch management insight in the process.

The software giant is making changes to its Exploitability Index, which Microsoft contends aids IT pros in deciding what's urgent and what can wait.

The new iteration of the index will come with two index ratings per patched vulnerability. This way, there's one for newer OS and application versions and another for earlier releases.

According to this post by Maarten Van Horenbeeck, Redmond's senior security program manager, Microsoft has been"collecting ratings internally in this way for the last eight months." He says that out of a total of 256 ratings, at least 97 issues were less serious, or not applicable on the latest version of the product.

The overall goal is to make vulnerability assessments more clear and also give insight into less common vulnerabilities, like denial of service bugs, since the greatest number of exploits happen to be remote code execution considerations.

"We understand that some customers may not be able to install all updates at the same time," he wrote, adding that by exploring "exploitability and impact," IT administrators could make more "rational decisions."

Researcher: DLL Weaknesses Still An Issue
Microsoft is investigating Acros Security's claims that Dynamic Link Library vulnerabilities, thought to be patched, are still a threat.

The issues with DLL were first uncovered last August around the same time as this security advisory. It was then that HD Moore, the creator of the Metasploit penetration database and hacking toolkit (he sold his technology to Rapid7, where he is now chief security officer), made the issue public with his research.

And now using a technique called "DLL load hijacking" or "binary planting," Acros researchers claim they can prove that Internet Explorer 8 and 9 can be used on various OS platforms including Windows 7, Vista and XP for attacking a system regardless of whether or not the much-touted 'Protected mode' in those browsers is enabled.

Acros has promised to put their proofs of concept to work at the upcoming Hack in the Box security conference in Amsterdam.

Microsoft spokesman Pete Voss said in a statement, "Research into DLL-preloading issues continues."

Mozilla Snubs Government Request
Mozilla, the open source collective that maintains Firefox, is refusing a Department of Homeland Security Request to get rid of its function called MAFIAAFire, an add-on that helps users gain access to Web sites whose domain names have been frozen by the government for copyright infringement.

The key here is that while the government can seize a domain name, it can't seize the servers upon which the alleged infringing addresses are hosted. So, it has asked Mozilla to discontinue the add-on that allows such sites to be hosted off U.S. soil and for hosts to conduct business under URL pseudonyms.

In his blog titled "including but not limited to...," Mozilla's General Counsel Harvey Anderson asks, "Have any courts determined that the Mafiaafire add-on is unlawful or illegal in any way? If so, on what basis?"

The issue is twofold. On the one hand, the government is looking to track down counterfeiters or other people perpetrating nefarious schemes that take advantage of a mistyped web address or lure users to spoofed pages.

On the other, Anderson and others, such as Mafiaafire's anonymous creator, argue that the move is tantamount to censorship and threatens an open Internet.

It's a delicate issue -- liberty vs. safety, security or freedom -- that will continue to be debated on many fronts, and increasingly so in the IT space.

AV Firm Says MSE Needs Improvement
Redmond's free antivirus software, Microsoft Security Essentials, falls a bit short in tracking sophisticated malware. That's the bold claim of AV-Test. The German security testing and consultancy said that while MSE performs at about 100 percent in scanning during the least demanding test, the program's ability to find and clean malicious programs began to deteriorate under tougher testing, some of which involved 107 more recent zero-day e-mail malware attacks and Web-borne bugs.

Many of those programs, AV-Test said, evaded MSE scanning and thus couldn't be cleaned from an infected system.

In the end Security Essentials was awarded a "pass" because it made the grade in 11 of the 18 areas tested. Noteworthy is that BitDefender Internet Security Suite 2011 took top honors.