Security Watch

Rethinking IE 7's Patching Schedule

Plus, Cooking up a new browser from scratch; baking in security; Adobe Reader flaw discovered.

• By Jabulani Leffall
• 02/23/2009

Browser security problems continue for Microsoft, as hackers last week found a hole in Internet Explorer 7 that had not yet updated with a cumulative patch released in this month's rollout cycle. Wolfgang Kandek, chief technology officer of Qualys, told me that, in a nutshell, because of the pervasiveness of the browser, IE patches should get special priority for installation but don't. "The little time that went by one week between release of (MS09-002) and the emergence of the vulnerability and exploit in the wild is a good indication of how quickly IT managers have to react," he said.

Despite frequent and numerous patches for IE, exploits persist and this latest instance, security researchers say, is all the more reason for IT pros to close the time-lapse gap between patch release and enterprise-level installation. Because while it only take a little while to patch a system, it takes even less time for systems to be taken over.

Does this mean Redmond may look to fortify its browser or perhaps even go back to the drawing board where security is concerned? Let's see.

Gazelle Might Be Faster, More Secure
Meanwhile, Microsoft researchers said early this week that they are developing a new Web browser, said to be faster and more secure than not only the competition but even IE.

So far, the project, which has been dubbed "Gazelle," is just a prototype. The researchers say that Gazelle is different from other browsers in that it separates different elements of of a Web site -- such as iframes, subframes and plugins etc. – and sifts through code more thoroughly than say, Google's Chrome browser, which runs a Web page and its elements in a single process.

Parts of Gazelle are based on IE architecture with the main difference being that this application will be part of what the researchers call a multi-principled OS structure.

"As Web sites evolved into dynamic Web applications composing content from various Web sites, browsers have become multi-principal operating environments with resources shared among mutually distrusting Web sites," the researchers wrote.

Gazelle isn't darting through the tech ecosystem anytime soon, as Microsoft will soon be releasing IE8 and still dealing with residual effects of complications with IE7 and earlier versions. What's important to Redmond at this point is that the idea for a faster and safer browser, with a cooler name to boot, is on paper.

Security Is Baked Into It
If you're interested in the "Amazing Adventures of Kevlarr,", a.k.a Kevin the hypothetical application developer, and would maybe also like to know how to secure your Windows-based enterprise processing environment, then Microsoft has a new Web Site called "bakingsecurityin.com" for you to visit.

Taking a cue from Google in trying to give its marketing and application initiatives a "cool" factor, the people behind Microsoft's Security Development Lifecycle (SDL) program launched a Web portal that includes comic strips (PDF and XPS) as well as videos that detail how an enterprise can build secure code into applications as they are developing them for a Windows stack.

Taking down the "league of malware," may be a concept that Redmond makes light of to make the content punchier and less technical, but the people behind the site -- Steve Lipner, senior director of security engineering strategy, and Michael Howard, principal security program manager -- assert that cleaning up an infected system is considerably less fun. The SDL, Howard and Lipner say, is all about preemptive and parallel building of security into the development framework so IT pros don't have to react to a threat but instead protect against one.

New Adobe Flaw Found, Could affect Windows
A critical bug in Adobe Reader has been the latest vector for hackers for as many as 12 days, according to anti-virus software giant. Symantec, which claims to have discovered a zero-day security vulnerability within Reader and immediately contacted Adobe on February 12. Symantec said in a statement that it has "observed a few exploits of this vulnerability in the U.S., China, Japan, Taiwan and the U.K. and continue to monitor for any signs of a widespread attack."

Meanwhile, volunteer-led Internet security research group Shadowserver published findings about the Adobe bug that could affect Windows users. According to Shadowserver, the flaw could be exploited on systems running Windows XP SP3. For its part, Adobe acknowledged that the flaw was "critical," but will not be releasing a patch for Adobe Reader 9 and Acrobat 9 until March 11. After that, Adobe said, additional hotfixes for Reader 8 and Acrobat will be rolled out as well, followed by an update for the older Reader and Acrobat 7.