Security Watch

Microsoft Patch Causes BSOD?

Plus: browsers are a prime target in the "hacker Olympics"; the government simulates a cyberattack via "Shockwave."

• By Jabulani Leffall
• 02/16/2010

Bad news. For the second time in three months, there's a possibility that a security patch is causing operating systems to freeze, shut down or die temporarily via a blank screen.

In early December, there were premature complaints about a so-called "black screen of death" being caused by a Microsoft security patch issued in November. U.K.-based security firm Prevx, which made the supposition, later apologized for jumping the gun on the issue.

Now we go from a black screen to a blue screen in an issue that came up last week.

This time, the patch in question (MS10-015) was for a long-unaddressed Windows kernel bug that could enable elevation-of-privilege control by an attacker. The patch, which was contained in February's mammoth security update, was based on a security advisory that Microsoft released in late January.

Given the sheer girth of vulnerabilities in recent patch rollouts and the increasing frequency of glitches related to patch installation, questions inevitably arise as to whether Microsoft's security updates aren't only efficient but sufficient.

One observer is satisfied with Microsoft's methods and looks at the latest "screen of death" issue with cautious optimism.

"Microsoft is one of the very few vendors in the market who has been diligent about consistently releasing security updates on a regular basis, and at times out-of-band, to ensure...users are protected," said Chris Merritt, director of solution marketing for patch management company Lumension.

"We can't really say whether Microsoft rushed this patch out due to their lag from Windows NT or if this was a departure from their normal process," he continued. "The verdict is still out, but we believe you have to give credit to Microsoft for quickly recognizing the issue and rushing to fix the issue versus waiting for their monthly cycle."

Browsers a Prime Target in 'Hacker Olympics'
In Web parlance, the word "pwn" is pronounced "own," as in: "That IT security blogger got pwned by someone who totally busted him for not knowing what he's talking about."

That's just an example, but such is the culture of the fourth-annual Pwn2Own contest -- also known as the hackers' Olympics -- which kicks off next month at the CanSecWest security conference in Vancouver.

Perhaps the area most IT security observers will be looking at is how the top three browsers stack up against mercenary hackers competing for prize money. Targeted this year will be Internet Explorer, Firefox, Chrome and Safari. The browser track, as it's called, will pit hackers against IE, Chrome and Firefox installed on Windows 7, which is Redmond's newest -- and reportedly most secure -- OS.

Also, hackers will try to break into the mobile operating systems on the iPhone and BlackBerry. This year, the Droid smartphone will be added to the field, as well. 

'Shockwave' Hits Nation
The U.S. government is so serious about the threat of a massive cyberattack that on Tuesday afternoon it staged a simulation called Cyber Shockwave to test the readiness of government IT systems in the event of a big denial-of-service attack or logic-bombing of government servers.

This exercise is the first of its kind. Homeland Security Secretary Michael Chertoff, former Director of National Intelligence John Negroponte, former White House Security Advisor Fran Townsend, and former Press Secretary Joe Lockhart were all drafted as cast members for the simulation.

The end result of the exercise will be a briefing of President Barack Obama about what might happen in such an attack.

The simulation, sponsored by The Bipartisan Policy Center and various private sector IT groups, comes after attacks launched via Internet Explorer against Google and other corporate entities were suspected of being state-sponsored, with China as the main suspect.

However, no one really knows how severe such an attack will be or where it would originate from. The thinking with Cyber Shockwave seems to be that practice makes perfect.