Security Watch

Hackers Know It's All In the Timing

Patch Tuesday reminds us once again that hackers will always be a step ahead. Plus: Outlook issue to be fixed out of band; Intel's intentions with McAfee buy seem questionable.

• By Jabulani Leffall
• 02/09/2011

Two months into 2011, Microsoft has gone from two patches to 12. Even though many of the ones fixed in yesterday's Patch Tuesday release were zero-day bugs that Redmond didn't have time to fix last time, many security pros believe this is entirely the point.

On top of that, Redmond came up just short on patching the MHTML issue. Even though Microsoft released a workaround for that issue, the question once again arises as to whether patches can ever beat back hackers.

The software giant has pointed out that the threat level for the MHTML issue is low. Still, ESET researcher Aryeh Goretsky points out in this blog post, "We have also seen countless examples in the past where vulnerabilities in a popular operating system or application have been exploited on a massive scale."

And so it goes. Redmond remains the best in the business when it comes to timely and comprehensive patches, but hackers know that security lead times and the administrative girth of security updates will continue to be the bane of Windows IT and security generalists.

Outlook Fix To Be Reworked
Speaking of lag time, it appears the third time will be the charm for an especially troublesome Outlook issue. First released Dec. 14, 2010, the Outlook 2007 patch was pulled days later, then reissued Jan. 11, 2011. And now this: "We've found an issue...which may result in users being unable to access their archive mailbox," wrote Bharat Suneja, a senior technical writer with the Exchange team, in this post.

It's not really a security issue, but a functionality problem with Exchange 2010 Service Pack 1, which first rolled out last August.

The Outlook fix isn't part of this month's fixes, but Suneja indicated that a hotfix, tweak or full re-release of the update would be part of another cumulative patch for Outlook 2007 later this month.

Intel Intent with McAfee Still Unclear
As Intel awaits a U.S. Department of Justice nod on its mammoth acquisition of AV software company McAfee, some in the security community question the assertion that Intel is developing functionality that will prevent zero-day threats at the chip level and whether such functionality will ultimately prove anticompetitive and freeze out security vendors.

"To date, Intel's intent and vision behind the deal has been muddy at best," said Lumension CEO Pat Clawson. "This deal certainly ruffled a few feathers when it was being passed through."

Clawson says that Intel's pledge to the EU Competition Commissioner that it will provide rival security firms with access to the necessary information to allow their products to use Intel's chips is "reflective of one market reservation over this acquisition."

The real pressing concern, Clawson adds, is whether it's acceptable among third-party security firms and PC vendors using Intel chips -- to say nothing of users -- for Intel to impose security on the devices that they ship. Justin Rattner's indication that Intel is developing functionality that will prevent zero-day threats on the device is interesting. But, the feasibility needs to be explored.

"The lack of an official announcement on (Intel's) intention for the deal has left the market pondering what exactly it will do next, " Clawson said. He concedes that security innovation on the mobile devices would certainly "be an interesting and most likely welcome addition to the consumer handset market."