Security Watch

Redmond Tweaks Autorun

Microsoft moves to make worms less effective. Plus: RSA kicks off security conference season; Google to school IT pros on the perils of cross-site scripting; and the FBI weighs in on Conficker.

• By Jabulani Leffall
• 04/28/2009

"The reason we're making this change is that we've seen an increase, since the start of 2009, in malicious software abusing the current default AutoRun settings to propagate through removable media like USB devices. The best known malicious software abusing AutoRun is Conficker, but it's not alone in that regard," security spokesman Christopher Budd wrote in the post.

Budd added that there are other malicious programs that abuse this feature and pointed users to get more details at Redmond's Malware Protection Center's blog.

Google, Microsoft Concerned About X-Site Scripting
Google released a new version of its Chrome browser to fix what it called a high-severity security problem. If a user has Chrome installed, visiting an attacker-controlled Web page in Internet Explorer could have caused Chrome to launch, open multiple tabs, and load scripts that run after navigating to a URL of the attacker's choice. Such an attack only works if Chrome is not already running. The problem affects Google's mainstream, stable version of Chrome and is fixed in the new version 1.0.154.59 (download). Google has built Chrome so it updates itself automatically with no user intervention, but the updated version is only triggered through a restart.

The security issue comes as Chris Evans, security lead at Google, said in an e-mail that he's slated to present a paper on cross-domain vulnerabilities with Billy Rios, a security engineer at Microsoft, on Thursday at the HITBSEC confab in Dubai. Other presentations scheduled for the conference include the release of Vbootkit 2.0, a tool capable of bypassing Windows 7 security, and a discussion of how the Conficker worm affected computers in Windows enterprise environments.

Apathy Is Now The Law
It's no secret that many enterprise professionals, for reasons that vary, tend to be lax on patching vulnerabilities on not just Windows systems but in general. There's more evidence of this apathy illustrated in "Laws of Vulnerabilities 2.0," a report from Qualys. Qualys found that 1 percent of all corporate networks are never patched and that 80 percent of vulnerability exploits are now available within single-digit days after the vulnerability's public release by software and hardware companies. This is an alarming uptick from five years ago, according to the report, because in 2004 it took an average of 60 days for an exploit to appear.

According to Qualys, nowadays it only takes on average 29.5 days to eliminate 50 percent of known vulnerabilities in a network.

The Qualys study didn't single out any vendor but IT pros' perception of the importance of Redmond's patches appears to be abysmal. Qualys indentified four updates in particular from last year that were all labeled "critical" by Microsoft when they were released, Among them was a pre-patch Tuesday fix MS08-001, a two-patch update in January 2008 that plugged holes in as many as three Windows TCP/IP protocol programs. The second was MS08-007, a single February 2008 patch for Windows' WebDAV Mini-Redirector, which initiates basic file functions such as Copy, Move, Delete and Create via a Web browser using mark up language with the HTTP prefix on Web URLs. Then there was MS08-015, a one-fix update in March 2008 for a bug in Outlook, Microsoft's mail client, that could be exploited by tricking a user into visiting a malicious Web site. Finally there was MS08-021, a two-patch update released in April 2008 for Windows' graphics device interface function, which is a core component of the OS and has been the target of hotfixes fairly often.

But these are more technical patches that have mitigating controls to stave off intrusions. So how did other applications from other companies fare? Strangely enough, the report found that almost none of the respondents patched their Adobe Systems-related apps, which is funny because on Tuesday morning, Adobe Systems Inc. confirmed that it's looking into chatter that its popular PDF viewing software, Adobe Reader, contains a critical vulnerability. A researcher from Securityfocus said that the bug is another in a long line of flaws in Adobe's implementation of the popular programming language JavaScript.

FBI: Conficker Hype Hampered IT Security
As Conficker continues a sparse and slow trickle of mischief in isolated cases throughout cyberspace, law enforcement officials are saying the ongoing hype isn't helpful in solving the problem.

"For the general public to focus [only] on Conficker, I think that is actually a bit of a problem for us as a society," Shawn Henry, assistant director of the FBI's Cyber Division, said in a speech this week. "There are dozens of Conficker-like threats and vulnerabilities out there. I think that focusing people on that particular aspect perhaps took away their attention from the overall threat, which is just as great or greater than Conficker itself."

For its part, Symantec Security Response said that IT pros should expect the logical botnet worm to slowly change.

The AV firm pointed out that there is a possibility of Conficker installing a subset virus, known as Waledac, that sends out e-mail spam without knowledge a PC's owner, along with a fake anti-spyware program both as a diversion while the larger Conficker parent does its dirty work and at the very least, a nuisance to enterprise administrators. The Waledac virus can also draw users into unknowingly downloading other botnet programs as well.

Hype or not, it's a official that Conficker is one of the most complex botnets ever designed and that it's going to take more than research studies, fear mongering and even the threat of capturing its authors to combat the issue. Such is the charge of security pros in this day and age.