CyberSecurity Institute

Security News Curated from across the world

Category: News

Security holes add up in second quarter

Posted on July 25, 2005 / December 30, 2021 by admini

This represents an increase of 10.8 percent compared with the number found in the first quarter, and a jump of 20 percent compared with the second quarter of last year, the institute said in its quarterly report.

If companies and individuals don’t take corrective action, the agency warned, their systems could be used by remote hackers for identity theft, industrial espionage, and distribution of spam and pornography.

In order to be included on the quarterly list, the vulnerabilities must affect a large number of users, the SANS Institute said. Additionally, they must allow an attacker to take control of a PC remotely, and they must remain unpatched on a substantial number of systems. Information sufficient to let people exploit the flaws must be available on the Net.

Among the flaws are serious vulnerabilities in popular data backup products used by enterprises, while home users face increased risk from holes in iTunes and RealPlayer, as well as Internet Explorer. “These include backup software, management software, licensing software, etc. Flaws in these programs put critical resources at risk, as well as having a potential to compromise the entire enterprise.”

http://news.zdnet.com/Security+holes+add+up+in+second+quarter/2100-1009_22-5803078.html?part=rss&tag=feed&subj=zdnn

Survey: Hackers Target Flawed Backup Software

Posted on July 25, 2005 / December 30, 2021 by admini

More than 422 significant new Internet security vulnerabilities emerged in the second quarter of 2005, the cybersecurity research organization found, an increase of 11 percent from the first three months of the year.

Particularly troubling are holes in backup software made by Computer Associates International Inc. and Veritas Software Corp., which together account for nearly one-third of the backup-software market, said Ed Skoudis, founder of the security company Intelguardians. Fixes are available for all the problems outlined in the SANS report, but many of the new flaws aren’t fixed as quickly as older ones.

Administrators take an average of 62 days to fix backup software and other software inside their firewall, compared to an average of 21 days for e-mail servers and other products that deal directly with the Internet, said Gerhard Eschelbeck, chief technical officer of business-software maker Qualys.

Home users typically take even longer to fix problems, said SANS chief executive Alan Paller. Many of the new flaws were found on products popular with home users. Flaws in media players like Apple Computer Inc.’s iTunes and RealNetworks Inc.’s RealPlayer could enable a hacker to get into a user’s computer through a poisoned MP3 file. Users of Microsoft’s Internet Explorer Web browser could be compromised simply by visiting a malicious Web site, SANS said. Even the open-source Mozilla and Firefox Web browsers, which have gained in popularity thanks to security concerns, had flaws as well, Paller said.

http://www.eweek.com/article2/0,1895,1840577,00.asp

USB Devices Can Crack Windows

Posted on July 22, 2005 / December 30, 2021 by admini

The buffer-overflow flaw is in device drivers that Windows loads whenever USB devices are inserted into computers running Windows 32-bit operating systems, including Windows XP and Windows 2000, said Caleb Sima, chief technology officer and founder of SPI Dynamics. The company will be demonstrating the vulnerability at this week’s Black Hat Briefings hacker conference in Las Vegas, but will not release details of the security hole, Sima said.

A spokesperson for Microsoft’s Security Response Center confirmed that the company has not received a vulnerability report from SPI.

For example, an attacker who knows of a vulnerability in a USB device driver can program one USB device—say a portable memory stick—to pose as the kind of device that uses the vulnerable driver, then plug the device into the host system and trigger the exploit when the host system loads the flawed driver, said Darrin Barrall, another SPI researcher.

Companies like Microsoft are just beginning to consider the security threat from peripheral devices, even as developments like the USBIF’s Wireless USB standard will make it possible to remotely connect to PCs using high-speed, USB-based technology, Sever said.

At Baptist Memorial Healthcare Corp., in Memphis, Tenn., IT administrators turned to Safend after some departments in the hospital network, such as Human Resources and Risk Management, started using portable USB “jump” drives to make backup copies of sensitive data after the hospital introduced new desktop systems that did not have floppy drives, said Lenny Goodman, director of the desktop management group at Baptist.

http://www.eweek.com/article2/0,1895,1840141,00.asp

Microsoft Plans Security Alliance

Posted on July 17, 2005 / December 30, 2021 by admini

Microsoft is keeping details under wraps until the program is finalized, yet executives say it is planning to require partners to gain industry-standard certifications such as one from the International Information Systems Security Certification Consortium.

“Becoming a Gold partner and qualifying for the security competency have done a lot, but Microsoft certifications are not enough and we will be adding industry-respected certification,” said Mike Nash, corporate vice president of the Security Business and Technology Unit at Microsoft, Redmond, Wash.

http://www.crn.com/showArticle.jhtml;jsessionid=Q20WOK44VGIHOQSNDBNSKH0CJUMEKJVN?articleID=165702774

Linux and Windows security neck and neck

Posted on July 13, 2005 / December 30, 2021 by admini

“A couple of years ago Linux was without doubt more secure than Windows, but things have changed a lot,” said Titterington. “My hunch would be that Linux still has the edge but it’s difficult to tell with all this misleading information being pumped out. Just doing a head count of vulnerabilities is useless, for example, if you’re not grading the seriousness of the vulnerabilities.”

He added that Microsoft had made real progress on security in the past two years, but that the increasing number of Linux enthusiasts coming into the market would help the open source alternative in the long run.

John Engates, chief technology officer at managed hosting company Rackspace, which offers both Linux and Windows hosted servers, said: “If you think about where you get Linux talent it’s in the younger generation. Linux has a slight advantage in that computer science students are learning it, but Microsoft has made life easier for non-techies, particularly with its improved patches.” Engates added that his company manages 13,000 servers, roughly half of which are open source and half Microsoft. He claims to see little difference between the security on either platform.

http://www.vnunet.com/vnunet/news/2139790/surveys-useless-security

What is Endpoint Security?

Posted on July 13, 2005 / December 30, 2021 by admini

Almost 65 percent of respondents to the survey indicated they have an endpoint security solution in place.

Allan Carey, program manager of security and business continuity services at IDC, said survey participants’ definitions of endpoint security ranged from secure devices to firewalls and security policies. “One of the most surprising findings was the amount of confusion over what endpoint security means,” Carey told internetnews.com. “Depending on their perspective, IT or business, endpoint security took on different flavors of how to control the issue.”

IDC defines endpoint security as centrally managed client security and likened it to a 21st century digitized watchdog protecting users from “a cesspool squirming with destructive technological deviants.”

But security vendor Check Point, which owns personal firewall application vendor Zone Labs, has a related but somewhat different definition. Rich Weiss, Check Point director of endpoint product marketing, explained that the term “endpoint security” means centrally managed personal firewall-based security and that it was popularized by Zone Labs in 2001.

“More recently, the term has become so popular that others are putting their own spin on it, and some organizations such as IDC include anti-virus in the definition,” Weiss told internetnews.com. “However, we believe that personal firewall-based security and anti-virus are still distinct markets. The original definition of endpoint security created by Zone Labs is still valid.”

Network risks have changed since 2001, though, and Check Point has expanded its definition.

“To meet the definition of a complete endpoint security solution today, a product must have a mature, proven network access control capability,” Weiss said. “Considering that the penetration of antivirus in enterprises is virtually 100 percent, IDC’s numbers make sense if you mix them with pure endpoint security adoption rates,” Weiss explained.

“We agree that anti-virus is effective at addressing threats that have been in the wild for a while. Organizations voiced their concern for point products trying to solve the problem, when a more comprehensive solution is required consisting of processes, policies and end-user awareness, in addition to technology,” IDC’s Carey said.

http://www.wi-fiplanet.com/news/article.php/3519791
