Top Endpoint Security Stories for November 2009 — CoreTrace WhiteSpace

The Application Whitelisting and Security Weblog

November was a busy month for security stories. The month kicked off with more stories of massive security patches from both Microsoft and Apple, leaving me to wonder when the patching madness will ever end. Windows 7 was found to have a flaw that allows denial-of-service attacks. Internet Explorer v7 (IE7) even made it into the news with the latest vulnerability, but I question efforts to patch an aging application: why not just upgrade or use Firefox? If they aren’t willing to upgrade, do people really think they will patch IE7?

Without further delay, here are the stories that caught my eye in November:

  • Apple issues a massive security patch of its own – In November, Apple issued a patch that fixed 58 holes, as reported by Threatpost. The days of Apple being immune to security compromise are over. The combination of phishing and browser-based attacks should make Mac users concerned and will soon drive adoption of security solutions on those systems.
  • Microsoft is back with its own large security patch – Microsoft fixed 15 separate vulnerabilities with 6 security updates in November. This is the same old story as previous months, but at least it wasn’t the record 13 updates hit in October.
  • Microsoft reported an increase in worm infections, but a decrease in scareware antivirus – Worm infections were up over 98% since the last Microsoft Security Intelligence report, and it appears that Conficker bears a good part of the blame. Researchers believe that it is still being spread by USB keys with autoexecute capabilities. Numbers are down for scareware, in which a user is tricked into visiting a site that says they are infected and is then prompted to download “protection” from the malware.
  • More news of botnet operators utilizing social networks to avoid detection – Searchsecurity.com reported that botnet writers are turning to Google and social networks. Popular social networking sites like Facebook and Twitter are increasingly prominent in security news for both spreading infection and providing a means of command and control for organized malicious software writers.
  • Four people were sentenced in the UK for attacks on online banks – This is something I would like to see more of. It is a rare occurrence when cyber criminals are actually tracked down and brought to justice. Last month four individuals who were syphoning money from online accounts were caught and sentenced.
  • CSO online had a nice detailed story about the fight against botnets – CSO published a nice seven-page story about the individuals and organizations who research and combat botnets. It’s an interesting and informative read.
  • Windows 7 is revealed to have a flaw that allows DoS attacks – A flaw in the OS’s Server Message Block (SMB) could be used to crash the system and could be activated when a user visits a malicious website.

There were several other interesting stories, but the fact remains that endpoints are under attack and we are in a continual catch-up game with our current endpoint security.
