Security Watch

Microsoft Ends 08 with Two Security Battles

Plus: Should security experts follow open source's open development model? And the damage that can happen in 4.5 seconds.

• By Jabulani Leffall
• 12/16/2008

Microsoft Battles Threats on Several Fronts
Just when the software giant thought it had sated the public's desire for answers regarding a zero-day vulnerability that was thought to only affect IE7, yet another new bug had been identified over the weekend with SQL Server database. The kicker here is that a seasoned hacker could in theory use the IE bug to then deploy the SQL Server bug. A report from Austria-based SEC Consult Advisory said it's possible for outsiders to target the vulnerability remotely on Web sites that link search boxes, customer databases or other Web apps to SQL Server. Redmond was still investigating both flaws as this post went up and, as per procedure, said it will issue workarounds and possible patches in the future as part of its normal monthly security bulletin release.
 
Is Open Source the Answer?
With all the hubub over response time to security threats that seem to come about at the processing speed of a T-1 line on a sunny day, there has been talk in security circles that perhaps a more public beta program for Microsoft patches or a "no-support, use-at-your-own-risk sign-up" is needed, so IT pros and individual users can download patches prior to or during the quality assurance and testing phases. Such an undertaking could prove tenuous for Microsoft, but the open source community does this already.

Yet, according to a study released Monday by open source application security company Palamida, 54.8 percent of 3,500 top-level IT managers still won't switch to open source. The reason for this, Palamida said, is that while collaborative and cost effective, open Source software is still unproven in the security space. But for those who are curious, Palamida is working on a database that keeps updates of scores of open source security enhancements and releases for enterprise customers and also has pricing models for deployment of the software. Additionally, the company has released a top 25 list of open source security projects that users and security staffers should look at to save money and possibly have a better handle on software updates. Of particular interest to Windows enterprise pros are interoperable programs such as SQLite, PostgreSQL and MySQL, which were nine, 11 and 12 on the list respectively and complement Microsoft's SQL Server (which, as I've mentioned already, has seen an increase in attacks).
 
"There's a lot of dark matter out here as far as business risk and security that people still need to get a handle on, but alternatives are there," said Palamida CEO Mark Tolliver in a interview last week with MCPmag.com.

Every 4.5 Seconds; Another Infected Web Page
True enough the year was filled with security breaches, new threats, a rise in spam and the most vulnerabilities ever patched by Microsoft. Yet and still,

Third-party security firms looking to sell software or services are prone to hyperbole, but according to U.K. ITsec outfit Sophos' Security Threat Report 2009, by the time any given computer user counts to five, a Web page is infected with code that can give hackers entry into a system if a malicious Web page is opened up on an individual workstation. The study also found that 97 percent of business-to-consumer e-mail can be indentified as spam and that there was a growth in SQL injection attacks.

The information superhighway, as it was once called, is now purportedly propagated with automated stagecoach robbers as it were. The report goes on to say what many in the IT community already know that the "Web is now the primary route by which cybercriminals infect computers." This is mainly because firewall technology has become a more exact science and encryption on data, even of the most rudimentary variety, can stave off most server-side advances. Add to that the fact that enterprises are securing email and deploying spam filters, even blocking navigation to non-pertinent, non-work-related Web sites. The unintended consequence of that is a new lay-in-wait mentality among hackers that counts on human curiosity -- and, often times, stupidity -- to trip the switch. More and more, cybercriminals simply plant malicious code on regular everyday Web sites, which can be triggered with a click.

If you're an ITsec pro in this environment, tidy up and lock it down -- it looks like 2009 is going to be an interesting year.