Last month I kicked off a post focusing on the top endpoint security stories of the past month. This month brought a number of endpoint security events, ranging from the latest Microsoft zero-day vulnerabilities without a fix to botnet and phishing news. The theme of the month is that both individuals and corporations are simply losing the battle against online criminals when it comes to desktop security.
- Sept 1, 2009 – IIS FTP flaw announced with exploit code
Microsoft kicked off the month by confirming the publication of exploit code for the IIS FTP vulnerability, which could allow remote code execution on affected systems. The vulnerability affected systems running the IIS web server and was particularly dangerous to FTP servers that had anonymous accounts with upload permissions.

- Sept 3, 2009 – Apple shows it continues to have more security problems than its ads would lead you to believe
Apple released security patches for Java that fixed 15 documented security vulnerabilities. The most serious vulnerability allowed unauthorized Java applets to gain escalated privileges.

- Sept 5, 2009 – Microsoft announces patches will fail to include fix for IIS flaw
The patch that was released following the announcement of the IIS exploit code did not contain a fix for that problem. Despite the severity of the problem, the complexity involved in producing, testing and distributing a patch for a serious security vulnerability prevented Microsoft from quickly fixing the hole in their operating system. At the same time, limited attacks were beginning to show up against those servers.

- Sept 9, 2009 – Microsoft announces SMB2 vulnerability affecting Windows Vista and Windows Server 2008
Yet another zero-day vulnerability was announced without an immediate fix. Some security experts debated the impact of this vulnerability, with many thinking it could set the stage for a Vista worm.

- Sept 11, 2009 – Clampi botnet continues to be a problem
Online banking credentials continue to be targeted and stolen by this dangerous botnet.

- Sept 17, 2009 – Security researchers demonstrate a remote exploit of the SMB2 vulnerability capable of spawning a worm
The vulnerability was originally announced as a denial-of-service vulnerability and was now shown to have the potential to propagate a worm.

- Sept 17, 2009 – Botnets being used for click fraud
Computerworld reported that the “bahama botnet” was being used to generate fraudulent clicks for affiliate marketing fraud.

- Sept 18, 2009 – Microsoft releases fix/workaround for SMB2 vulnerability
The day after researchers announced remote exploitation code for the SMB2 vulnerability that could lead to a worm, Microsoft issued a fix that essentially turned off the service until a patch could be issued. They also indicated that this could have a performance impact until they produced the patch.

- Oct 1, 2009 – Anti-Phishing Working Group announces that phishing websites and rogue anti-virus software sites are dramatically on the rise
Coordinated attacks to trick users into infecting their PCs with malware are booming. Phishing websites and fake anti-virus software both work to direct users to bogus sites where they become infected with malware.
All in all, this past month was more evidence that our reactive patching and signature-based endpoint security strategy is reaching the end of its useful lifespan. The discussion has already begun at conferences and among the analysts as to what will become the new de facto endpoint security standard. Signs point strongly to a whitelisting solution playing a prominent role in this transition.