Thursday, December 11, 2008

Another big update from Microsoft

Microsoft issues mammoth security update, biggest in five years
Fixes 28 flaws in Windows, Office, IE, ActiveX development tools and more

By Gregg Keizer
December 9, 2008 (Article from: Computerworld)

Microsoft Corp. today patched 28 vulnerabilities, nearly all of them marked "critical," in the biggest batch of fixes it has issued since it switched to a regular monthly update schedule more than five years ago.

Of the 28 bugs quashed today, Microsoft ranked 23 of them critical, the top rating in its four-step scoring system. Of the five others, three were judged to be "important," the next step down, and two were pegged as "moderate." The patches were issued in eight updates for Windows, Internet Explorer, Office, SharePoint, Windows Media, and the company's most popular development tools, Visual Basic and Visual Studio.

Researchers agreed that one of the Windows updates should be tops on everyone's to-do list. "There are a few that will stick out for a lot of people," said Andrew Storms, director of security operations at nCircle Network Security Inc. "The GDI is one."

MS08-071, which contains two separate vulnerabilities, both critical, updates the Graphics Device Interface (GDI), the core graphics rendering component of Windows. GDI has been repeatedly patched by Microsoft, most recently in September.

"This looks very similar to MS08-021," said Storms, referring to an April update that patched two other GDI bugs. Like that earlier fix, as well as the one in September, hackers could exploit the vulnerabilities by duping users into opening or viewing malicious Windows Metafile (WMF) images.

"[MS08-071] is something similar to what we saw with WMF files once before this year, and once last year, too," said Amol Sarwate, manager of Qualys Inc.'s vulnerability lab. "It's in the core kernel, it's always there, it's in all versions of Windows and the attack vector is pretty high." Like Storms, Sarwate put the update at the top of his list.
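The bulletins above concern GDI's handling of attacker-supplied WMF images, so the thing a practitioner wants to see is where a metafile parser has to distrust the file. What follows is an added example written for this page, not code from the article, Microsoft or the quoted researchers: a defensive walker over the WMF header and record stream that checks every size field against the bytes actually present before using it. The header layout, the "words not bytes" sizes and the META_* function numbers are from the WMF file format; the two sample files are constructed inline for illustration, and nothing here reproduces the specific patched bugs, whose details the article does not give.

```python
import struct

# WMF record function numbers (META_* constants) and header facts used below
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional 22-byte Aldus placeable header
HEADER_LEN = 18              # standard METAHEADER: 9 words


class WmfError(ValueError):
    """Raised when a size field does not agree with the bytes actually present."""


def parse_wmf(data: bytes):
    """Walk a WMF file and return [(function, params_bytes), ...].

    All sizes are in 16-bit words and all come from the file, so each one is
    bounded against the remaining data before it becomes an offset. Python
    integers do not wrap; a native renderer computing rd_words * 2 in a 32-bit
    unsigned value would wrap for rd_words >= 0x80000000, which is why the
    bound is compared in words rather than after the multiplication.
    """
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        if len(data) < 22:
            raise WmfError("truncated placeable header")
        off = 22
    if len(data) - off < HEADER_LEN:
        raise WmfError("truncated metafile header")
    mt_type, hdr_words, _version, size_words, _nobj, max_words, _ = struct.unpack_from(
        "<HHHIHIH", data, off)
    if mt_type not in (1, 2) or hdr_words != 9:
        raise WmfError("not a WMF header")
    if size_words * 2 > len(data) - off:
        raise WmfError("mtSize exceeds file length")
    off += HEADER_LEN

    records = []
    while True:
        if len(data) - off < 6:
            raise WmfError("file ends before META_EOF")
        rd_words, func = struct.unpack_from("<IH", data, off)
        avail_words = (len(data) - off) // 2
        # a record is at least its own 6-byte header, fits in the file, and
        # is no larger than the header's advertised largest record
        if rd_words < 3 or rd_words > avail_words or rd_words > max_words:
            raise WmfError("record 0x%04x at offset %d claims %d words, %d available"
                           % (func, off, rd_words, avail_words))
        params = data[off + 6: off + rd_words * 2]
        records.append((func, params))
        off += rd_words * 2
        if func == META_EOF:
            return records


def build_wmf(records):
    """Assemble a minimal disk metafile from (function, params) pairs (test data only)."""
    body = b"".join(struct.pack("<IH", 3 + len(p) // 2, f) + p for f, p in records)
    max_words = max(3 + len(p) // 2 for _, p in records)
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300,
                         (HEADER_LEN + len(body)) // 2, 0, max_words, 0)
    return header + body


def is_well_formed(data: bytes) -> bool:
    try:
        parse_wmf(data)
        return True
    except WmfError:
        return False


# Constructed samples: a consistent two-record file, and the same bytes with the
# first record's size field inflated so it claims far more data than exists.
GOOD_WMF = build_wmf([(META_SETMAPMODE, struct.pack("<H", 8)), (META_EOF, b"")])
_tampered = bytearray(GOOD_WMF)
struct.pack_into("<I", _tampered, HEADER_LEN, 0xFFFFFFFF)
OVERSIZED_WMF = bytes(_tampered)

if __name__ == "__main__":
    for name, blob in (("good", GOOD_WMF), ("oversized", OVERSIZED_WMF)):
        try:
            print(name, [("0x%04x" % f, len(p)) for f, p in parse_wmf(blob)])
        except WmfError as err:
            print(name, "rejected:", err)
```

The point of the walker is that the only trustworthy number is `len(data)`; mtSize, mtMaxRecord and every rdSize are attacker-controlled and are validated against it, and a truncated file is rejected at the header rather than when a record read runs off the end.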

The long-running patch job on GDI will, said Storms, inevitably prompt some to ask whether Microsoft's vaunted Security Development Lifecycle (SDL) process, under which it scrutinizes code for bugs as it is written, really works. "Is SDL functioning? I don't know," Storms admitted. "Without seeing the code analysis, it's difficult to presume it's not."

"Yes, I think that's a fair question," said Wolfgang Kandek, chief technology officer at Qualys. "But is it realistic to expect Microsoft to find everything? No, it's not."

Storms said the IE update, MS08-073, would be his next highest update priority, simply because of the number of vulnerabilities it fixes -- four, all critical -- and because of the dominance of Microsoft's browser. After that, it gets murkier. "GDI and IE are certainly top of the list, but beyond that it's a toss-up," he said. "It's going to be difficult for people in the trenches to understand what to go after the first and second."

Qualys' Sarwate and Kandek, meanwhile, staked out MS08-070 as the second-most-interesting update among today's eight. "This is a far-reaching vulnerability," said Kandek, who noted that while end users won't be installing this update for Visual Basic, it can potentially affect anyone who browses the Internet with IE.

"Microsoft's telling developers that they need to update their development system and the Visual Basic runtimes, then notify users of the ActiveX controls that they've created," said Kandek, talking about the technology that provides IE with add-on functionality. "And again, all [hackers] have to do is just come up with a malicious Web site with vulnerable ActiveX controls."

The Visual Basic update patches a total of six bugs, all ranked critical.

Other bulletins include updates that patch Microsoft Word's file format (MS08-072, with a total of eight vulnerabilities), Microsoft Excel's file format (MS08-074, three vulnerabilities), Windows Media (MS08-076, two vulnerabilities), SharePoint (MS08-077, one bug) and Windows Search (MS08-075, which deals with two vulnerabilities).

Some caught the eye of researchers. "The reason why I'm expecting questions about whether SDL is working is because of MS08-076," said Storms, referring to the two-patch update for Windows Media. "Both those bugs are very similar to what we've seen before in other Microsoft products."

Eric Schultze, the chief technology officer at Shavlik Technologies LLC, agreed. "This is closely related to a security patch from last month -- MS08-068," said Schultze in an e-mail today. That bug, which Microsoft fixed in November, was in how the Server Message Block (SMB) protocol handled credentials when a user connected to an attacker's SMB server. At the time, Schultze and others claimed that the bug went back at least seven years.

"It's similar to the MS08-068 attack, but uses different communication mechanisms to log on to the computers," Schultze added. "Microsoft says that Windows Media Player doesn't play by the same rules as the operating system, and that's why this issue wasn't fixed in November. I'd get this one patched right away."

Storms, however, pointed to MS08-075, which patches Windows Search, the integrated desktop search function, in Windows Vista and Windows Server 2008. He found the update interesting, not so much because it only affects Microsoft's newest operating system, but because one of its two patches fixed a flaw in yet another protocol, this time "search-ms."

"There have been issues prior with protocol handlers in Windows," said Storms. "Why would Microsoft make it possible for a protocol handler to call my local file system? What's the validity of that?"

As Storms said, Microsoft has had to patch several protocol handler vulnerabilities in the last 13 months, starting with one in November 2007 in Windows XP and Server 2003 that the company argued for months was not its responsibility to fix.

This month's eight security updates can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.
This must be one of the busiest months before the X-mas break.
I noticed my Vista computer wanting me to install around 8 updates last night.

Wednesday, December 10, 2008

More scary news before X-mas from antivirus vendors

Computer threats becoming more sophisticated

By Computing staff
11 December 2008

The scale and sophistication of IT security threats increased at an unprecedented rate during 2008, according to a series of end-of-year research studies published last week.

Anti-virus vendor Kaspersky Lab said that 15 million new forms of malware will have been detected by the end of this year, up from just two million in 2007.

IBM said data from its 3,700 managed security services customers worldwide showed that the number of security events rose from 1.8 billion to 2.5 billion per day over the past four months alone.

And security firm F-Secure said the level of malware detections trebled over the year to equal the total amount accumulated over the previous 21 years.

“It would be no surprise if the cyber-crime business [in 2008] was worth not less than US$100bn,” said Kaspersky Lab chief executive Eugene Kaspersky. “Unfortunately, the anti-malware industry is in a panic. It has finally recognised that it needs to invest more in technology.”

Kaspersky estimated that there are “tens of thousands of people in the cyber-crime business”, and that security vendors are engaging in technical espionage and battling with each other to recruit the best engineers to keep up.

Mikko Hyppönen, chief research officer at F-Secure, said online crime is now more prevalent and more professional than ever before, and put the blame on the inability of national and international authorities to catch, prosecute and sentence computer criminals.

“The bottom line is that too few of the perpetrators of internet crime are either caught or punished,” he said. “If no action is taken it sends the message to these criminals that internet crime is an easy way to make a lot of money and they will never be caught or punished.”

Copyright © 2008 Computing

As expected from the AV vendors' end-of-year reports every year; in other words, these are expected numbers, as the number of computers is increasing, market competition is becoming harder, and these AV vendors are scared that the financial meltdown may lead to slow sales.
So this may help them to stay.

Tuesday, December 2, 2008

VMware: New VMware View 3

VMware View 3 enhances virtual desktops
By Daniel Robinson 3 December 2008

VMware has updated its virtual desktop product with enhancements that make it easier to provision and manage virtual clients, and new capabilities that support mobile workers on laptops. Released today, VMware View 3 is a rebranding of the firm's Virtual Desktop Infrastructure (VDI) but with several new features.

Key among these is View Composer, which can provision virtual machines by combining a fixed master image with changeable user data stored separately, dramatically cutting the storage required for virtual clients.

The second key feature is Offline Desktop, which lets a worker download their corporate virtual client onto a laptop and take it out of the office.

Tommy Armstrong, VMware's senior marketing manager for enterprise desktops, explained that the development is about broadening out virtual desktops for customers looking at more strategic deployments.

"The number one thing customers told us they need for virtual desktops is to bring down the initial capital investment, for example in storage requirements," he said.

View Composer addresses this by splitting each virtual client into the operating system, applications and user data such as files and settings.

"Firms can manage lots of clones linked back to a single master image. Any commonality - Windows XP, service packs - is in that 'golden master'. The deltas [differences], which contain anything unique, can be much smaller," Armstrong said.

This can reduce storage requirements by up to 90 per cent compared with traditional virtual desktop deployments, VMware claimed, as well as enabling centralised patching and backup of the virtual clients.

Meanwhile, Offline Desktop enables firms to implement a virtual desktop strategy even if they have roaming users or some workers connected via a high latency connection. It combines VDI with another VMware product, ACE, that lets firms distribute virtual machines with corporate policy mechanisms applied to them.

"We're bringing these together so users can connect to their virtual desktop over the network as usual, but if a user wants to run their virtual machine locally they can 'check out' their desktop and run it on the local machine," said Armstrong.

Users can check their desktop back in when they reconnect to the network, or check in a backup, a delta file that just updates the datacentre image with any changes.

This will also allow users to make use of local resources for demanding applications, such as those that are graphics-intensive, according to Armstrong.

"It's about being able to run apps where it makes most sense, being able to move the virtual machine between datacentre and the client itself, the access device, if necessary," he said.

View Manager 3, VMware's connection broker (previously called Virtual Desktop Manager) can now connect users to a Terminal Services session or to physical PCs, such as blade workstations, as well as virtual clients.

Other enhancements address the end-user experience with virtual printing support, better USB redirection and improved multimedia handling.

Virtual printing lets the user print to whichever printer is currently attached to their access device, whatever or wherever that may be, according to VMware. USB redirection now allows for a broader range of peripherals to be connected to the access device and used with the virtual desktop.

With View 3, VMware has licensed Wyse's TCX technology for better media handling. This recognises media files, such as music and video, and sends them to the endpoint access device to be played locally.

VMware View 3 currently supports only Windows, but Armstrong strongly hinted at future Mac support, enabling users to check out their Windows-based corporate virtual client to an Intel-based Mac laptop, for example.
Copyright © 2008 vnunet.com


Great news for these virtual machine users.
Link: http://www.vmware.com/products/view/whatsincluded.html

Report: Symantec Report on the Underground Economy: November, 2008

Secrets of the underground economy

By Kathryn Small 1 December 2008 01:11PM

In IRC channels and web-based forums, the underground economy is thriving, according to the latest year-long report by Symantec. Find out how much a botnet or a set of credit card details would cost you.

The ‘underground economy’ refers to commercial cybercrime activity – specifically, the purchase and sale of fraudulent goods and services. Items for sale might include stolen credit card data, bank account credentials, email accounts, and other data.
Services might include cashiers who can transfer funds from stolen accounts into true currency, phishing and scam page hosting, and job advertisements for roles such as scam developers or phishing partners.

The value of the total advertised goods on underground economy servers during the twelve-month period was more than US$276 million.
Information is bought and sold on IRC channels and web forums. Sometimes sellers set up shop on legitimate servers, which makes it harder for police to shut them down.

The underground economy is highly diverse. “The top ten servers control the top 11 per cent of the revenue,” said Craig Scroggie, VP and MD of Symantec Asia Pacific.
Sixty-three (63) per cent of sellers were offering online credit as payment, using wire transfers, or funnelling money through online currencies such as Linden dollars or World of Warcraft gold.

Credit card information was the most highly prized data, accounting for 31 per cent of everything that was sold during the survey period. That included credit card numbers, credit cards with CVV2 numbers, and credit card dumps. It was also the most requested category, making up 24 per cent of all goods requested.

Credit card details might be as cheap as US$0.10 per card, ranging up to US$25, while credit cards with CVV2 numbers ranged from US$0.50 to US$12.
“The thing about credit cards is that it could cost you as little as 10 cents, but the average advertised stolen credit card limit observed by Symantec is more than US$4,000. So it’s an incredible return on investment,” said Scroggie.

“We calculated that the potential worth of all credit cards advertised during the reporting period was US$5.3 billion.”

Credit card information is popular because it’s easy to obtain and easy to use for fraud, explained Scroggie.

“Credit cards are easy to use for online shopping, and it’s often difficult for merchants or credit card providers to identify and address fraudulent transactions before fraudsters complete these transactions and receive their goods.”

Australia has a disproportionately high number of credit card transactions every year. Scroggie explained that in Australia there are 14 million credit cards in circulation, performing 1.4 billion transactions in the last year. By contrast, the UK is three times as large, but had less than 1.8 billion transactions.

“Australia’s always been an early and strong adopter of technology, and we’re an early adopter from a market stand-point. We have high credit card usage relative to other strong economies.”

Next, fraudsters traded in financial accounts, at 20 per cent of the total. Stolen bank account information sells for between $10 and $1,000, but the average advertised stolen bank account balance is nearly $40,000. Symantec calculated the total value of bank accounts advertised at US$1.7 billion.

The average price of a botnet was $25, while the price of phishing scam hosting, keystroke loggers or screen scrapers was $10.

Desktop computer games made up 49 per cent of pirated software, which Scroggie said directly correlated to retail sales in the legitimate market. Following that was commercial software suites such as Adobe’s Creative Suite. “There was a large number of pirated games but the average retail price of games is low – around $50. So there’s a large amount of piracy, but not a large amount of money.”
The underground economy is spread out across the world, ranging from loose collections of individuals to organised and sophisticated groups. North America hosted the largest number of servers, with 45 per cent of the total; Europe/Middle East/Africa hosted 38 per cent; Asia/Pacific with 12 per cent; and Latin America with 5 per cent.

The report noted that the geographical locations of underground economy servers are constantly changing to evade detection.
Scroggie said businesses and individuals could take simple steps to protect themselves from online fraud.

“They can protect themselves by ensuring they have messaging filtering, a defensive depth strategy, multiple mutual overlapping or complementary software, such as anti-viral, anti-spyware, anti-malware and anti-phishing.
“You can buy a combination of these technologies from reputable security vendors.”

Symantec report page: Link
Actual download link for report: Here (PDF file)
