Security Watch

A 'Hurry Up and Wait' Security Strategy

Security experts have yet to get the edge on hackers. Plus: Unpatched IE bugs likely to be fixed post-Patch Tuesday; smartphones all the rage -- with hackers.

• By Jabulani Leffall
• 01/11/2011

Should Microsoft and other vendors step up their patching to try and keep pace with hackers and replicating exploits? More important: Is such an aim even possible or feasible?

"We get the sense that what we do now is hurry up and wait for these two zero days that currently exist in the wild, both of which could allow remote code execution, to unfold," said Paul Henry, Forensic & Security Analyst at Lumension in an e-mail note to me that came ahead of Tuesday's patch release.

Henry's "hurry up and wait" assertion is becoming a regular thing, with patches that require planning and testing juxtaposed with fast-moving, quick-piling, in-the-wild-quick exploits.

Hurry up and wait, indeed.

Unpatched IE Bugs
Meanwhile, look for a light batch of patches this month. Not included? Fixes for some unpatched IE bugs. According to Qualys Chief Technology Officer Wolfgang Kandek, the Windows IT security community continues to discuss "two additional vulnerabilities in Internet Explorer and proof of concept code exists."

"We expect Microsoft to acknowledge and respond to (the vulnerabilities) soon." Kandek said.

The SANS Institute's Internet Storm Center has an overview that lists the open issues with IE at the moment.

While Microsoft has not patched these items yet -- and it's not likely it will happen in Tuesday's update -- the software giant has released this table identifying the issues and their possible mitigations.

If last week's advanced bulletin is any indication, new security issues with Internet Explorer won't be addressed in the regular patch cycle. That doesn't rule out the possibility, though, that the security team at Microsoft may produce an out-of-band update if the bugs get too hairy.

Apple, Adobe, Smartphones Targeted
To be sure, Windows and Internet Explorer remain the most targeted proprietary programs for hackers, given Redmond's persistent dominance in the computing world. But hackers have been turning their attention to Adobe and Apple with more frequency.

"McAfee Labs saw malware of increasing sophistication that targets Mac this year; we expect this trend to increase in 2011," was the money quote from the company's "2011 Threat Predictions" report (.PDF here).

The report also indicates that further along the emerging threat landscape we'll begin to see Google smartphone users running into big trouble. Looks like hackers are going mobile.