Security problems on the upswing?

Security is very much in the headlines this week. Nothing new really, but in the recent past it seemed the IT industry was moving security down its priority list, and whenever that happens security seems to become news pretty quickly.

For example has 3 articles today:


Microsoft Issues Critical Out-of-Cycle Patch for Word, Excel Flaws – Late Wednesday, Microsoft released an out-of-cycle critical patch revision in the form of Security Bulletin MSO7-025 in an effort to stave off a barrage of remote code execution (RCE) exploits that popped up less than two weeks after Redmond’s March patch rollout.

InformationWeek’s home page:

  • CA Patch – “This vulnerability is a big deal by itself, first because of the huge install-base of the affected products, and second because of the nature of these applications. Being able to compromise one of these systems in a corporation could make a quick stepping-stone to more crucial servers – especially considering how mushy-gushy most corporate network security is deep behind the DMZ.”
  • MacBook Hacked in Two Minutes “Security researchers from Independent Security Evaluators managed to hack a MacBook Air using a zero-day vulnerability in Apple’s Safari 3.1 Web browser.”

RSA Show

Just back from vacation in NYC, and it’s nice to not have to pay someone every time I step out of a car…

Please stop by and visit us at the RSA show this year. We will have presenters from VMware, Juniper and, best of all, Mike Rothman from Security Incite and our own Eric Schultze. We will cover the latest in security from all of us and our customers, including our new work in the Federal space with SCAP and FDCC, cool new VM security management, and Juniper’s integration with our product line.

On another note, it seems Apple is pushing a copy of its Safari browser out to Windows users of iTunes, and with missing patches no less. We are working on removing and patching this software shortly via Protect.

New Patches


Here is a good overview of patch day from Bill Sisk at SearchSecurity. One very big key, and I noted this below in regards to MBSA already: “Most of the affected products in this particular bulletin are not detected by Microsoft Baseline Security Analyzer (MBSA) 2.0.1. However, Microsoft has worked with Shavlik Technologies to provide support for legacy security update detection. Please refer to the main MBSA website for additional information.” Or you can just go and get a trial of our software to scan for these patches (and buy our product, of course).

Microsoft has released four critical security bulletins this month, all in Office. Office is sometimes hard to patch with Altiris and SMS, so be sure to use patching products (!) and be aware that tools like MBSA do not even do remote scans for Office patches (MBSA is not really a scanner any more anyway, but that is a different topic).

  • MS08-014: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (949029) – Severity: Critical
  • MS08-015: Vulnerability in Microsoft Outlook Could Allow Remote Code Execution (949031) – Severity: Critical
  • MS08-016: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (949030) – Severity: Critical
  • MS08-017: Vulnerabilities in Microsoft Office Web Components Could Allow Remote Code Execution (933103) – Severity: Critical

Cancel Patch Tuesday?

Modern patch management products can patch about 1,000 computers per hour with one person and no extra setup such as an agent (if you are already using an agent, that works too). Products like SMS, Altiris and others are likely to take longer when unsupported products need to be patched, because packages must be hand built and detection does not work. Focused patching products take care of all this, so it is not really a problem, at least for those using them.

So, with the right products now available, could Microsoft release patches as they exit test to shrink the vulnerability window? Is it worth it? What about known vulnerabilities that Microsoft does not patch for months? That problem would not go away. It’s an interesting thought.

Dennis Fisher mentions a new way to look at Patch Tuesday (actually the old way as he notes)

Instead of leaving flaws unpatched for weeks between cycles, Microsoft should use its resources to produce high-quality patches shortly after vulnerabilities are discovered.

Patch Tuesday is perhaps the most anticipated and feared day of the month for network administrators and security managers. They wait eagerly for the next batch of patches from Redmond, glad to have some protection against attacks on the vulnerabilities that have popped up since the previous month’s release. But they dread it too, and with good reason, given the massive amount of work involved in rolling out a dozen or more patches to thousands of systems.

Brett Favre

Since I am from Green Bay, WI, it was nice to see the post from Mike about Brett Favre. I was at Favre’s first game in ’91 (Bengals with Boomer at QB), which was shortly after my brother and I watched Favre in practice in summer camp. All we knew was Favre liked to drink, was like 3-5 passing in his first season in the NFL, plus we gave a first-round pick to Atlanta (rolled our eyes) for the guy; then we saw his great arm and it made us think, or better said hope.

Of course I still do not believe the NYG championship game is over, and it took me this long to even write a note on Favre’s leaving the game. It’s all a healing process.

Security Research for VMs just getting started

With all the changes VM management is going to bring to data centers and IT ops in general, we can surely expect a rapid increase in research being done around VM security.

This article about Core Security’s latest work in researching VM security gives a great example, and the research will of course lead to the need for security configuration and patching for all the VMs on networks.

Core Security co-founder and CTO Iván Arce: “it’s wrong to think that just by spreading virtualization all over your organization you will be more secure.”

VM's brave new world

The world of VM security is just getting started; some say it’s the next big wave of security, and I tend to agree. In the pre-VM days you had to get a fairly big budget to buy a new server, which created a fair amount of resistance to adding servers, which in turn made it easier to manage the servers you had since their number was limited. You also only brought a server online after taking the time to stage it. And for the most part it was running 24×7, so you could check on it whenever you wanted. At the time it seemed hard, and it was, but compared to the VM-based world it was easy.

Fast forward to today. It’s now very easy to add a server. You do not need to buy nearly as much hardware, VMs are easy to set up, and guess what? Vendors will deliver software as a VM; all you need to do is install and start it and you have a new product running on your network. No need for a vendor to ship you a blade, they just need to send you a VM to load.

One day you have 1,000 servers and a few weeks later you have 5,000. While that’s good for storage vendors, it’s not good for you as you try to keep them secured and stable. Of these 5,000 VMs several hundred are probably offline: ticking security time bombs, since a powered-off guest misses every patch cycle while it sleeps and comes back on the network exactly as vulnerable as the day it was shut down, a problem you never had to worry about before.
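To make the offline-VM problem concrete, here is an added example (not Shavlik’s code or any product’s logic) that reconciles a constructed VM inventory against the four critical Office bulletins listed above and ranks the gaps. Guests that are powered off and have not been reachable for a while sort to the top, because they will return to the network unpatched with no warning. The inventory records, the `stale_days` threshold and the `has_office` flag are assumptions for illustration.

```python
"""Patch-gap report for a mixed online/offline VM inventory.

Added example, not code from the original page. The inventory below is
constructed; the bulletin-to-KB mapping is the March 2008 Office set
named on this page.
"""
from dataclasses import dataclass, field
from datetime import date

# The four critical bulletins listed above, bulletin ID -> KB article.
MARCH_2008_CRITICAL = {
    "MS08-014": "949029",
    "MS08-015": "949031",
    "MS08-016": "949030",
    "MS08-017": "933103",
}


@dataclass
class VMRecord:
    name: str
    powered_on: bool
    last_seen: date                            # last time a scanner reached the guest
    applied: set = field(default_factory=set)  # bulletin IDs known to be installed
    has_office: bool = True                    # assumption: only Office hosts need this set


def patch_gap(vm, required, as_of):
    """Return (missing_bulletin_ids, days_unreachable) for one VM."""
    missing = sorted(b for b in required if b not in vm.applied)
    days_unreachable = 0 if vm.powered_on else (as_of - vm.last_seen).days
    return missing, days_unreachable


def gap_report(inventory, required, as_of, stale_days=30):
    """List every VM missing a required bulletin, riskiest first.

    Ordering: stale offline guests (unreachable >= stale_days) first,
    then by days unreachable descending, then by name.
    """
    findings = []
    for vm in inventory:
        if not vm.has_office:
            continue
        missing, days = patch_gap(vm, required, as_of)
        if not missing:
            continue
        findings.append({
            "vm": vm.name,
            "missing": missing,
            "kbs": [required[b] for b in missing],
            "offline_days": days,
            "stale": days >= stale_days,
        })
    findings.sort(key=lambda f: (not f["stale"], -f["offline_days"], f["vm"]))
    return findings


# Constructed sample inventory, as of a hypothetical scan date.
AS_OF = date(2008, 3, 25)
SAMPLE_INVENTORY = [
    VMRecord("web-01", True, date(2008, 3, 24), set(MARCH_2008_CRITICAL)),
    VMRecord("fin-07", False, date(2008, 1, 20)),                # off since January
    VMRecord("hr-03", False, date(2008, 3, 15), {"MS08-014", "MS08-015"}),
    VMRecord("build-02", True, date(2008, 3, 25), {"MS08-014"}),
    VMRecord("dns-01", True, date(2008, 3, 25), has_office=False),
]


def main():
    for f in gap_report(SAMPLE_INVENTORY, MARCH_2008_CRITICAL, AS_OF):
        flag = "STALE-OFFLINE" if f["stale"] else ("offline" if f["offline_days"] else "online")
        print(f"{f['vm']:<10} {flag:<14} offline {f['offline_days']:>3}d  missing {', '.join(f['missing'])}")


if __name__ == "__main__":
    main()
```

The point of the ordering is operational: an online host missing three bulletins is a routine push, while a guest that has been powered off for two months needs to be patched (or kept isolated) before anyone powers it back on.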

Never mind all the desktops and mobile devices out there in your wild, wild west. Never mind the crazy end-users downloading and installing software from the Internet. You have bigger problems now. Your data center is exploding with new servers, and people are running servers all over the place, offline, online, everywhere. And each of those virtual servers needs to be secured.

This brave new world is an area where we are working hard to help customers, from being integrated into VMware to adding the full stack of security management solutions to our products so you can manage all your new servers. Offline, online, VMs from Microsoft, from VMware, it doesn’t matter. You push the big green button and you secure your virtual world the same way you secure your physical servers today.