Security Watch

Mozilla Matches Microsoft in Browser Flaw Fixes

Plus: Windows 7 security baseline guide; Adobe installer flaw; U.S. still ranks in spam origination.

• By Jabulani Leffall
• 07/21/2009

Microsoft is continuing to investigate the causes and effects of an ActiveX control for Office Web Components that puts users with most versions of Internet Explorer at risk of an attack. Mozilla has beat Microsoft to the patch, so to speak, in fixing a bug that exploits weaknesses residing in its open source Firefox browser. The flaw affects Firefox pretty much in the same way that Microsoft's Active X control holes are responsible for most of Redmond's latest zero-day IE vulnerabilities.

Normally this wouldn't be a big deal as the respective flaws in Firefox and IE are inherently different. But observers took notice when Mozilla's advisory came out the same day as Microsoft's: July 13.

Mozilla made it known at the end of last week that it had fixed a critical flaw in the new TraceMonkey JavaScript engine's just-in-time compiler for Firefox 3.5.1. The patch, Mozilla said, staves off a scenario where an attacker could run arbitrary code and install malware.

For its part, Microsoft has released a tool for download and described workarounds where users can disable ActiveX controls. There was even a cumulative kill bit patch for ActiveX, but nothing specific to Office Web Components was included in the monthly patch rollout last week.

Thus it's easy to see why security experts would scratch their heads, given the fact that as recent as last Thursday Symantec, Sunbelt Software and SANS' Internet Storm Center (ISC) bumped up their warnings after Microsoft released its latest security advisory related to the bug.

Security Best Practices in Windows 7, IE 8
Microsoft released a beta version of a download that will give Windows 7 and IE8 users an inside track on best practices and security settings for two new systems.

According to Redmond the baselines are designed to help security admins and, in particular for IE 8, web developers and network administrators plan for the installation, configuration and deployment of the new systems.

The download is said to provide "prescribed settings documentation and Group Policy objects for Windows 7, BitLocker Drive Encryption, and Windows Internet Explorer 8."

Microsoft goes on to say that "the preconfigured settings" described in the download and inherent in it are designed for both "Enterprise Client and Specialized Security -- Limited Functionality environments."

The software giant emphasizes that the ultimate goal of this baseline solution is to cut down on time that may elapse in trying to strengthen Windows 7 and IE 8 at both the individual workstation and the network level in a given enterprise.

Researcher: Adobe Files Still Corrupt
Danish security researcher Secunia is saying Adobe Systems may be unknowingly letting users download an obsolete version of its popular Adobe Reader 9.1 application for .PDF files. The problem, Secunia asserts, is that the outdated Reader files don't have the security patches that the more current Reader versions offer. Adobe recently hotfixed about 14 security vulnerabilities over the last 60 days and said it would piggyback Microsoft's monthly patch release.

Predictably Secunia arrived at this conclusion when it found that users of its own Personal Software Inspector (PSI) utility -- one design to check Windows machines for upatched apps -- said that despite the fact that Adobe patched its programs they still had faulty editions after download.

Here's what Adobe had to say in an e-mailed comment:

Adobe Reader 9.1 for Windows is the most recent full installer of the product. Adobe Reader 9.1.1 and 9.1.2 for Windows are patches that require Adobe Reader 9.1 to be present. This is the reason users are offered Adobe Reader 9.1 via the 'Get Adobe Reader' page on Adobe.com.

Adobe said further that "once Adobe Reader 9.1 is installed, the Adobe Updater will subsequently offer the Adobe Reader 9.1.1 and 9.1.2 patches. Or, alternately, the end user can manually apply the patches via the Product updates section of our Web site."

Microsoft: America, Top Spammer
Terry Zink, Microsoft's in-house anti-spam blogger for the Forefront Server security team, found out that the United States is at the top of the list for something dubious in technology: spam.

Zink recently released his study that said nearly 31 percent of all spam release anywhere is either born or launched on U.S. servers or using U.S.-based Internet protocol (IP) source code. The next country on the list is a country that many had thought, according to Zink, would be the first and that's China. But China is only responsible for originating a little more than 10 percent. South Korea, Brazil and Argentina round out the top five. Russia, a place where a lot of the more high-profile online fraud happens, was noticeably absent.

Zink arrived at his findings from calculating how much spam comes in from each country based on where the IP source code originates. It should come as no surprised that there is a lot more IP source code infrastructure in America than any place else but China is a close second.

So if you're visiting a foreign country, now perhaps brag to the locals that not only do we have a monopoly on both kinds of Spam -- Hormel's mystery meat and the e-mail inbox filler.