09.08.09
Eye on Microsoft: The Security Comedy Resumes
Summary: A roundup of Microsoft’s latest examples of poor performance at securing its software
Microsoft’s incapability with security has already cost the economy trillions of dollars. Some days ago we wrote about the impact on parts of national operations that are funded by taxpayers; they too pay the toll.
Conficker borks London council
[...]
The May incident took several days to clean-up and landed the west London council with a bill of £500,000 in lost revenue and repairs, The Guardian reports. Because IT systems were borked, the council was unable to process more than 1,800 parking tickets, at an estimated cost of £90,000, libraries lost out on £25,000 in fines and booking fees, council property rent went uncollected, and £14,000 was spent in overime sorting out delayed housing benefit claims.
Some time ago we also wrote about IIS coming under siege. It is getting worse:
New IIS attacks (greatly) expand number of vulnerable servers
[...]
Attackers have begun actively targeting an unpatched hole in Microsoft’s Internet Information Services webserver using new exploit code that greatly expands the number of systems that are vulnerable to the bug.
3rd parties jump to Microsoft’s (or their customers’/users’) rescue. This is also covered in:
- Microsoft IIS Servers Vulnerable to FTP Attack
- Unpatched Flaw Could Take Down Microsoft’s IIS Server
- Microsoft IIS Zero-Day Vulnerability Reported
Exploit code affecting the FTP module for certain versions of Microsoft IIS has been posted online. US-CERT recommends taking countermeasures.
Another press release heralds another security problem in Microsoft’s stack. Microsoft is investigating and denying it.
For more than a year, Microsoft has been sitting on a purported SQL Server vulnerability that could enable a malicious insider to obtain users’ passwords, claims database security vendor Sentrigo.
There is also coverage in Dark Reading and net-security.org, which states:
Sentrigo has discovered a vulnerability in Microsoft SQL Server that allows any user with administrative privileges to openly see the unencrypted passwords of other users, or the credentials presented by applications accessing the server using SQL Server authentication.
More reasons are given to believe that Vista 7 will persist with the same security problems of Vista. A company warns about UAC.
While changes to Windows 7’s UAC benefit the home user market, enterprises must be aware that the new “slider” feature is only for administrators and may increase security risks.
Applications with an anti-viral goal still show that they may cause more trouble than it’s all worth.
McAfee false alert snares innocent JavaScript files
[...]
Faulty virus definition updates from McAfee that flagged legitimate JavaScript files as potentially malign caused a headache for some sysadmins earlier this week.
In other news:
Compromised Computers Host an Average of 3 Malware Families
[...]
Unfortunately, we are talking about infected files and not doughnuts. According to security company ESET, the average compromised machine is home to 13 infected files as well as malicious programs from three different malware families.
An Illinois district court has allowed a couple to sue their bank on the novel grounds that it may have failed to sufficiently secure their account, after an unidentified hacker obtained a $26,500 loan on the account using the customers’ user name and password.
Given the scale of botnets, nobody should be left surprised. Systems which were not built to be secure in the first place can never be properly secured. █
“Our products just aren’t engineered for security.”
–Brian Valentine, Microsoft executive
