Today we published a notification to our security customers advising them that the latest Microsoft vulnerability, discovered only after in-the-wild criminal attacks, should be treated as “Hot.” Hot is our term for something which needs to be addressed within seven days.

In June we published a similar advisory regarding the DirectShow vulnerability, also discovered only after in-the-wild criminal attacks, wherein we advised the issue as “Important.” Important means to take action within thirty days.

Both issues were discovered only after in-the-wild criminal attacks, so why would we rate them different?

(more…)

Microsoft has announced that they have discovered a vulnerability in DirectShow. Exploitation of the vulnerability could allow a criminal to run code of their choice in the victim’s security context simply by the victim browsing to a website while allowing scripts to run. The browser being used doesn’t matter providing it allows scripting. Microsoft is aware of limited attacks in-the-wild. Patches are being developed.

All versions of Windows are vulnerable, except Vista and Server 2008. It is worth noting that DirectShow was patched for similar vulnerabilities in April 2009, and previously in December of 2007. Neither of those vulnerabilities was ever significantly exploited.

(more…)

Verizon Business customers, and security professionals generally, should resist succumbing to a herd mentality and fear of the unknown surrounding the Conficker worm. In most respects, Conficker (a.k.a. Downadup or Kido) is just another piece of crimeware threatening Windows computers. The known risks it represents are minimal; so far, versions A and B simply spread and version C is presently dormant. They impact the integrity of infected systems but the costs are limited to disinfection. Our defenses are set and we are alert for significant changes in the risk environment if they come, but risk has changed little at this time regardless of the apparent desire of the technical press and the blogosphere to indicate otherwise.

Conficker is not generating spam revenue for the outlaws, nor is it exporting data from infected systems or any of the other myriad of hostile activities current crimeware usually exhibits. Infected systems are under the control of a criminal and could begin executing more criminal instructions. On April 1st, 2009, version C is expected to begin listening for instructions from its master(s) using a new Command and Control (C&C) method.

(more…)

So rumors abound that a paper and exploit code will be published today that use a vulnerability in a processor’s caching mechanism to install code that is being called “undetectable.”

If it appears that we’re obviously not stating names and vendors, you’re right, we aren’t. At the time of writing all we’ve seen is speculation.

But let’s just take one aspect of the current hoopla: “Can something be installed on your computer and become undetectable?”

(more…)

I was reading Graham Cluely’s blog post about Jack Straw’s email account being hacked. At the end of the entry Graham has included a video describing how he comes up with a very strong password which, he says, is easy to remember. See:
http://www.sophos.com/blogs/gc/g/2009/02/24/nigerian-scammers-hack-jack-straws-email-account/

Well, after watching it I realized that we computer security folks are definitely a bunch of nerds, particularly if you think what Graham suggests is “easy” for the average person.

(more…)

In a recent blog post at ZDNet, Jason O’Grady mentioned the benefits of running an application that monitors outgoing (egress) traffic on your Mac. OS X malcode has been in the news lately, with Trojaned versions of iWork and Photoshop CS4 appearing on the BitTorrent network, and Jason offers Little Snitch (an egress firewall application) as “one way to keep tabs on software that likes to call home” (such as a Trojan).

As our recent series on Mac AV suggests, I don’t run antivirus software on my OS X client systems. However, I do run Little Snitch. We neglected to mention egress firewalls as a worthwhile addition to good OS X configurations in that series, and would like to take the opportunity to do so here.

(more…)

A number of organizations take the end of the year as an opportunity to publish predictions about what will happen in the security space during the subsequent year. The RISK Team engages in that exercise every Thursday as part of our weekly Risk call, during which we analyze emerging threats and vulnerabilities. So instead of generating a new list, we’ll share one that was refined over the course of 50 weekly meetings. In addition, we’ll share our predictions from the prior five years.

(more…)

by Peter Tippett and Kevin Long

This is Part III of a three-part series on OS X security. Please read Part I and Part II if you haven’t already.

If you ran Amtrak, would you install a missile defense system on your trains? Trains are certainly vulnerable to missile attack, and the cost of such an attack would be devastating. Luckily, trains are not commonly subjected to missile attack, so the cost of implementing such a defense is not justified.

Is the protection afforded by antivirus software (AV) worth the cost? First we’ll estimate the cost, then we’ll discuss the protection AV affords.

(more…)

by Peter Tippett and Kevin Long

This is Part II of a three-part series on OS X security. Please read Part I if you haven’t already.

Before we go further, a review of the Verizon Business RISK Team’s risk equation is in order. Risk is traditionally thought of as the product of Likelihood * Impact (Cost). In the world of computers, the Likelihood is itself the product of Threat, which is the frequency of attempts of an attack, and Vulnerability, which is the likelihood of success of an attempted attack considering all countermeasures that are already in place. Thus, Risk = Threat * Vulnerability * Impact.

For the purposes of this discussion, Impact is consistent across platforms, so Threat and Vulnerability are the factors that will be addressed.

The threat of attacks against OS X systems has traditionally been significantly lower than that against Windows systems. When OS X was introduced in 2001, reasons cited for that could have included the following: (more…)

by Peter Tippett and Kevin Long

What’s a Mac user to do? Depending on where (and when) you looked, during December you’ve been offered the following advice when it comes to having security software on your system:

• If you listened to Apple on December 1, you should be running multiple antivirus applications.
• If you listened to a maker of antivirus software, you should be running their respective antivirus application.
• If you listened to various bloggers and columnists, you’ve certainly not heard a consistent message.
• If you listen to Apple today, they’re suggesting that Leopard is protected against malicious code “right out of the box.”

Despite the existence of several notable posts already written about this topic, this month’s chatter provides an opportunity to share the reasons we recommend against running antivirus software on Macs (in most situations).

(more…)