Security Flaws: Old News in a New Year
It's like 2010 all over again with security. Plus: Microsoft admonishes Google for its security policies; fake updates in your inbox.
Happy New Year! And it promises to be an interesting one from a security standpoint for Windows enterprise pros.
Microsoft started out the year pretty much like it ended it: fixing problems in Internet Explorer. Redmond announced that it is investigating two proof-of-concept flaws in the browser and other Web-related software that were revealed at the end of last month.
And already this week, the first Security Advisory of the year, released Tuesday, addresses a publicly disclosed vulnerability in the Windows Graphics Rendering Engine on XP, Vista, and Windows Server 2003. The advisory warns that an attacker who successfully exploits this vulnerability "could run arbitrary code in the security context of the logged-on user." With that level of access, the hacker has carte blanche and can install programs; view, change, or delete data; or create new accounts with full user rights. Getting hacked is no way to start 2011.
MS vs. Google on IE Security
Much like they did last year, Microsoft's and Google's security staffs continue to voice differences of opinion on the safety and integrity of Internet Explorer. The latest issue has Google security engineer Michal Zalewski claiming to have found holes in IE using a browser fuzzing tool called "Cross Fuzz." Although Zalewski cited bugs in several browsers -- IE was just one of them -- Microsoft took issue with the way Zalewski disclosed the findings.
"Security is an industrywide issue and Microsoft is committed to working with researchers and/or the companies who employ them, when they discover potential vulnerabilities, and this case is no exception," said Jerry Bryant, a spokesperson for Microsoft's Trustworthy Computing group, in a statement.
The drama started when Zalewski said he had reason to believe that Chinese hackers knew of an unpatched vulnerability in Internet Explorer. In his research note, Zalewski added that the pattern of leaks "is very strongly indicative of an independent discovery of the same vulnerability in Microsoft Internet Explorer."
Meanwhile, Microsoft's Bryant responded by saying that Redmond is working with software vendors to address potential vulnerabilities in their products before details are made public. Without mentioning Google specifically, he said such cooperation "reduces the overall risk to customers. In this case, risk has now been amplified."
Security Notice a Fake
If you open your e-mail and see a message with a prompt that says "Update your Windows," do yourself a favor: Don't click on it. Security gadfly Graham Cluley of security shop Sophos said cybercriminals are "up to their old tricks, spreading malware under the disguise of a critical security patch from Microsoft." Cluley says the scammers even try to further the hoax by using the real name of a senior member of Microsoft's security team, Steve Lipner, to fool you into believing the alert is genuine.
A proper suggestion here would be to phone, message or e-mail Mr. Lipner if you know him. Otherwise, avoid clicking on the fake update.
Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.