Security Watch

Hackers Take Shots at IE

Microsoft's browser takes center stage at Pwn2Own contest. Plus: yet another vendor takes on patch management, and fixing Windows 64-bit.

• By Jabulani Leffall
• 03/23/2010

Yep, it's already that time of year to get pwned by mercenary hackers as well as security researchers with proofs of concept looking to prove the strengths of their security offerings. That's right -- the Pwn2Own contest is slated to kick off on March 24 at the CanSecWest IT security conference.

The program is sponsored by Tipping Point's Zero Day Initiative and takes aim most prominently at the most popular browsers. It's basically a forum for hackers to embarrass the world's best known application makers while showcasing their own hacking skills.

Over three days Microsoft's Internet Explorer 8 on Windows 7 and IE 7 on Vista and XP will be hacker target practice.

This year's contest comes as both of the leading browsers in terms of user market share, IE and Mozilla's Firefox, have been under heavy attack. In the middle of last month, Microsoft pointed to an IE security flaw, and late last week Firefox admitted to a new zero-day exploit, for which it will release a security update with its newest browser iteration on March 30.

Hackers won't be allowed to test the latest remote code execution vulnerability on Firefox, according to contest organizers.

"The vulnerability has been patched by developers and we are currently undergoing quality assurance testing for the fix," said Mozilla in a statement.

The odds-on favorite in terms of strongest security is supposed to be IE 8 on Windows 7. So as always, it will be interesting to see which browser gets pwned first and quickest.

AV Firm Center of Windows PC glitch
Antivirus software maker BitDefender began the week attempting to fix problems on some Windows 64-bit PCs over the weekend, which allegedly crashed using its products.

Beginning on Saturday users wrote in to BitDefender discussion forums complaining of a faulty antivirus update that caused 64-bit Windows machines to stop working. Among the affected systems that users complained about are those that play prominently in a Windows enterprise environment: Visual Studio and SQL Server.

BitDefender would not comment directly on the subject other than to point to statement in its blog post where it acknowledged that it software had "falsely detecting several Windows and BitDefender files as infected with the Trojan.FakeAlert.5 virus."

This says the company is what spawned all the complaints on the message boards where "BitDefender and/or Windows and/or certain programs becoming inoperable, as well as PCs failing to boot."

This event is significant because of the use of a fake alert to trick an anti-virus system and cases of malware infiltration with elements of configurable logic components are becoming more common.

BitDefender suggest that users use its "rescue CD" but has not yet issued any downloadable updates or workarounds.

YAV Joins Patch Monitoring Fray
As Microsoft and Adobe begin to collaborate on various ways to manage the distribution of their patches, many third-party vendors are looking for ways to get in on the act.

Shavlik Technologies is one of said companies, recently introducing its SCUPdate catalog that delivers update information from multiple vendors -- like Adobe or Apple -- to Microsoft's System Center Configuration Manager. The company claims its SCUPdate can help Windows enterprise client administratrors make sense of the nightmare of managing patches for third-party apps on a Microsoft OS.

According to Shavlik's brass, Windows System Center Configuration Manager users should have a single workflow for deploying updates for both Microsoft and non-Microsoft applications. Such products are relevant because Microsoft is no longer the lone target of cybercriminals and hackers. Quite frankly, with its plethora of security flaws Adobe bugs are nearly as ubiquitous as Windows.

Nancee Melby, director of product marketing for Shavlik points out that "the capabilities of Reader and Flash rival that of browsers like IE and Firefox."

With ISVs making further forays into patch management services, look for more collaborations between the bigger vendors on collaborative patching programs.

It's a brave new world.