Security Watch

Microsoft Plays Catch-Up to Hackers

• By Jabulani Leffall
• 10/05/2010

Microsoft issued an "important" out-of-band patch in of September but only made it available for manual download from its security site. The patch resolves a publicly disclosed vulnerability in ASP.NET that could allow for information disclosure, but in a rare occurrence Microsoft released the patch without undergoing its standard testing program for new patches.

Microsoft eventually released the automatic update last Thursday and revealed that it held back its automatic rollout because it had evidence the flaw was being actively exploited by hackers.

This move signals more than anything else Microsoft's concession that it won't be able to move at the speed of hacking but that it believes some patch is better than no patch.

Symantec Transfixed on Stuxnet
Symantec has released a comprehensive study on the W32.Stuxnet worm that has plagued some Windows systems recently. The "W32.Stuxnet Dossier" white paper was presented at the Virus Bulletin 2010 Conference and its findings in PDF format can be downloaded here.

The company's investigation into Stuxnet started June 17 when the Symantec team began a journey of what it calls "surprises, wrong turns, frustrating moments, and moments of validation.

The Stuxnet worm is more than a year old but first appeared in earnest in early April, playing mischief on an enterprise system in The Netherlands. It was mainly transmitted through a USB flash drive.

Symantec staffers and other security experts and gadflies who attended Virus Bulletin 2010 hope this white paper will circulate and serve as a cautionary tale.

Microsoft Investigates Twitter Bug
Redmond said it has "completed its investigation" into the Cross-Site Scripting related security issue publicly disclosed earlier this month.

An information disclosure threat in Microsoft's Internet Explorer has its roots in a "Twitter-rolling" attack, which is the result of the way the browser parses cascading style sheets. Microsoft so far has not specified which browsers might be affected by the bug.

Nevertheless, Microsoft said in a statement that it will take "appropriate action to resolve the vulnerability and will communicate to customers as necessary."