|
| Top
Security News |
QuickTime Issues Still Plague Websites
Similar to the issue that allowed the MySpace worm to parade through the popular social networking site, another flaw in Apple's QuickTime can be exploited. Windows and Mac users are vulnerable to a pair of security issues with QuickTime. Any website that permits the embedding of QuickTime content could provide an unimpeded avenue for malicious code.
Data Thieves Drop In On Your Phone
Spyware geared toward stealing data from a mobile device has been spotted accompanying phone-infecting viruses; this early effort probably signals more sophisticated attacks are in the offing. Cellular service providers and major Internet players like Google, Yahoo, and AOL all want to get more people using their services. There are tremendous profit opportunities they see in mobile services.
Keeping An 'eEye' On Zero-Day Exploits
Marc Maiffret's eEye security firm has launched the Zero-Day Tracker, a website where the company will post and archive information on vulnerabilities hit by zero-day exploits. When a patch emerges from a prominent software company like Microsoft or Oracle, the details of a new vulnerability can spur malicious people to try and exploit those issues before...
BuddyProfile Sending AIM Users To Malware
A site that allows visitors to embed content in their AIM buddy profiles is being exploited by malware and adware distributors who create profiles laden with links to unwanted content. Adult and other undesired Adult and other undesired content have been the choice of malicious parties who are trying to capitalize on a younger audience and gain access to their systems. Getting in front of a tech-savvy but less...
Holidays
Are Good For Phishing
All the online holiday shopping is fertile ground for online scammers looking to fence a few ill-gotten dollars from unsuspecting consumers Sophos says a Web poll (already skewed toward Web users) of 280 computer users showed that 71 percent will be shopping online during the holidays. While they're doing that phishers will shadow them, looking...
CAN-SPAM
Has Minimal Spam Impact
About three years after the debut of the CAN-SPAM act, very little impact has been made on the volume of spam deluging inboxes, a problem that has worsened each year Since CAN-SPAM was enacted on January 1st, 2004, firms in the US have been required to obey its provisions. Since most spammers are...
|
|
|
 |
|
From May through December 2006, Microsoft endured the emergence of ten zero-day exploits affecting their products.
When it came to the potential for a large number of people to experience problems stemming from attacks against software, Microsoft products proved a desirable target. As 2006 proceeded, attackers seemed to shift their zero-day exploits to vulnerabilities disclosed just as Microsoft released their monthly updates.
Microsoft is the proverbial big ship in terms of steering its products away from the threats. It takes time to research flaws, exploits, and ways to fix the problem without shattering the entire software stack into a bunch of pretty pieces of glass.
The problem comes from criminals understanding this. Security advisory tracker Secunia illustrated Microsoft's zero-day exploits and their dates of publication; note how the dates tend to be close to the Patch Tuesday for each month:
|
| Advisory name | Date published | | Microsoft Word Unspecified Code Execution Vulnerability | 20061211 | | Microsoft Word Memory Corruption Vulnerabilities | 20061206 | | Microsoft XMLHTTP ActiveX Control Code Execution Vulnerability | 20061104 | | Microsoft Visual Studio WMI Object Broker ActiveX Control Code Execution | 20061101 | | Microsoft Vector Graphics Rendering Library Buffer Overflow | 20060919 | | Microsoft Word Code Execution Vulnerabilities | 20060905 | | Microsoft Visual Basic for Applications Buffer Overflow | 20060808 | | Microsoft PowerPoint Code Execution Vulnerabilities | 20060714 | | Microsoft Excel Multiple Code Execution Vulnerabilities | 20060616 | | Microsoft Word Malformed Object Pointer Vulnerability | 20060519 |
Most of the dates occur in the early part of the month, close to the second Tuesday that has been Microsoft's designated patch release date for a couple of years.
Rather than the scattershot approach of yore, where malicious coders would try to infect as many systems as possible, the targeting of applications like Excel and Word reflect a more specific approach to attacking systems, according to Secunia.
Excel and Word can be found on millions of computers, many in enterprise settings. A successful exploit that can drop a keylogger or other type of snooping program onto a machine could yield login details or sensitive files, and send them back to the attacker.
It's difficult to make non-technical employees understand that blithely opening documents from unknown senders can be dangerous. Salespeople and graphic designers are not system administrators, but we ask them to think that way.
As of this writing, Microsoft's Word zero-day problems (actually a trio now) are still unpatched. The next Patch Tuesday arrives January 9th. Will Microsoft have the Word issues fixed? Which products will be targeted next for exploitation? We'll likely know that in three weeks.
About
the Author:
David Utter is a technology writer for SecurityProNews, WebProNews, and InternetFinancialNews.
|
|
,
Inc. 2549 Richmond Rd. Lexington KY, 40509
