Patch time for Apple users too

Mac OS X users sometimes smugly point out that their operating system is more secure than Windows, an assertion that is far from proven.

This issue's topics:

Virus News:

* Numbers game

Security News:

* Patch time for Apple users too

* Why they do it

* It’s a $sys$Sony update

Virus News:

* Numbers game

Microsoft security people often refer to Secunia’s advisory tracking as evidence that its software is now secure and safe to use, and on the surface of it, things look good. For instance, there are only two advisories for Internet Information Server (IIS) 6 over the past two years. Compare this to the 28 for the main competitor, open source Apache 2.0.x and 16 for the 1.3.x range.

Unfortunately for Microsoft, selectively referring to advisories doesn’t tell the whole security story. Customers still have to run IIS 6 on an operating system which of course in Microsoft’s case means a Windows flavour. The number of advisories for Windows Server 2003 Standard and Web editions, 75, doesn’t look half as impressive as the track record for IIS 6.

What’s more, 37 of the 75 advisories were rated as “Extremely” or “Highly” critical, and 60% were remotely exploitable. Worse yet, eight of the 75 holes recorded in the Secunia advisories remain unpatched by Microsoft, so you’re left with a niggling sense of uncertainty, or should I say insecurity, as a Windows Server admin.

Another pinch of security salt: Internet Explorer is still inextricably wedded to every variant of Windows, including the server editions. Sure, it’s been neutered a bit in Windows Server, but with six-month-old unpatched holes that have proof-of-concept exploits published on the internet, you have to wonder about Microsoft’s uneven approach to security.

It doesn’t look like things will get better on the Internet Explorer front either. Trend Micro’s David Sancho thinks a hot new feature in the upcoming IE7, Really Simple Syndication or RSS, will be exploited by worm and malware writers. Sancho, however, missed that Microsoft is working on extending RSS so that it will be a two-way protocol. The RSS extension is called Simple Sharing Extensions and would be used to synchronise information across a mesh of users, for instance. A hijacked RSS feed would certainly make for some very interesting synchronisation.

- Internet Information Server (IIS) 6 Security Advisories 2003-05

- Apache 2.0.x

- Internet Explorer 6 Security Advisories 2003-05

- Mozilla Firefox Security Advisories 2003-05

- Windows Server 2003 Standard Edition Security Advisories 2003-05

- Hackers publish code for critical IE bug

- Microsoft Security Advisory (911302)

Vulnerability in the way Internet Explorer Handles Mismatched Document Object Model Objects Could Allow Remote Code Execution.

- RSS could aid worm attacks

- Microsoft chief technical officer Ray Ozzie’s blog entry on SSE

Security News:

* Patch time for Apple users too

Mac OS X users sometimes smugly point out that their operating system is more secure than Windows, an assertion that is far from proven. Apple has released another big set of patches, 13 in all, to fix a bunch of flaws in core components of Mac OS X. Some of these can be exploited remotely, so make sure to run Software Update as soon as possible.

- Apple releases patch for 13 security flaws

* Why they do it

It’s official: computer crime is a big and very, very lucrative market. In fact, it’s almost one-and-a-half times bigger than the entire NZ economy, measured by the US Treasury at US$150 billion in 2004 and more profitable than the drugs trade; it’s arguably safer too as apart from perhaps China, no country executes criminal hackers.

The seamy side of IT has been developing at break-neck pace since the late 1990s, and we’re seeing an increasing amount of cross-over between the various illicit e-disciplines. Nigerian 419ers scan for vulnerable proxies and webmail installations and sell them to spammers; the latter team up with virus writers or try their hands at malware-crafting themselves, in order to build “bot nets” for spamming or on-selling, and it’s all done outside “meatspace”.

It amounts to something of a peer-to-peer network of criminals sharing information, trading resources – and doing deals as well. Dealing with this kind of networked crime is nigh impossible for the authorities who have only just begun legislating against cyber tort and malfeasance.

- Cybercrime more profitable than drugs

- Security concerns cloud holiday shopping

- Meet Average-Joe Spammer

* It’s a $sys$Sony update

The Sony rootkit DRM issue clearly struck a deep chord everywhere, and refuses to go away. Now the EFF has taken up the cudgel and is going after Sony in the courts, after the state of Texas decided to do the same. In both cases, the legal action could cost Sony masses of money.

The bad news continues for Sony, however, as fearsome New York state attorney Eliot “The Blitzer” Spitzer is now getting interested in the issue as well. He already took Sony to task over a radio disc jockey payola scheme, to the tune of US$10 million.

It could get even worse for Sony because the EFF went further than looking at the XCP rootkit DRM and checked out the MediaMax software as well. This comes on four times more CDs than XCP, and installs itself even if users decline the licence. Like XCP, MediaMax “phones home” over the internet in order to rat on what customers are listening to.

Who will dare to put a Sony BMG music disc into their computers from now on?

- Electronic Frontier Foundation: SonyBMG litigation and rootkit info

- Reuters: Texas sues Sony for spyware violations

- Spitzer Gets on Sony BMG's Case
