Oracle has released the first Critical Patch Update for 2009, providing fixes for at least 43 vulnerabilities across several database server products.
Microsoft on Wednesday plans to launch a new research effort to determine the total cost of the patch-management cycle, from testing and distributing a fix to user deployment of the patch. The end result of the project, which will be completely open and transparent to outsiders, will be a full metrics model that the company plans to make freely available.
Microsoft today released its April batch of security patches: 8 bulletins with patches for at least 20 documented holes in popular software products. The most serious of the flaws could lead to remote code execution attacks that give a malicious hacker complete ownership of a vulnerable machine.
From Computerworld (Gregg Keizer)
Although the media blitz about the Conficker worm prompted a significant number of enterprise users to finally fix a six-month-old Windows bug, about one in five business computers still lack the patch [computerworld.com], a security company said today.
Scans of more than 300,000 Windows PCs owned by customers of Qualys Inc. show that patching of the MS08-067 vulnerability — a bug that Microsoft fixed with an emergency update issued in October 2008 — picked up dramatically two weeks ago. Read the full story. Also see our previous coverage of the Conficker threat.
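The Qualys figures above come from scanning customer machines for the MS08-067 fix. An administrator who wants the same answer for their own fleet can ask each Windows host whether the corresponding update, KB958644, is present. The script below is an added example and is not code from Computerworld, Qualys or Microsoft; the host names are constructed placeholders, and it assumes PowerShell remoting or WMI access to the targets.

```powershell
# Added example (not from the article): report which hosts lack the MS08-067 fix.
# Host names below are constructed placeholders; replace them with your inventory.
$hosts = @('WKS-001', 'WKS-002', 'SRV-FILE01')
$kb    = 'KB958644'   # Microsoft's KB number for the MS08-067 security update

$results = foreach ($h in $hosts) {
    try {
        # Get-HotFix reads Win32_QuickFixEngineering on the remote machine
        $installed = (Get-HotFix -ComputerName $h -ErrorAction Stop).HotFixID
        [pscustomobject]@{
            Host    = $h
            Patched = ($installed -contains $kb)
            Status  = 'ok'
        }
    } catch {
        # Unreachable or access denied: do not count it as patched
        [pscustomobject]@{
            Host    = $h
            Patched = $false
            Status  = "error: $($_.Exception.Message)"
        }
    }
}

$results | Format-Table -AutoSize
$missing = @($results | Where-Object { -not $_.Patched }).Count
'{0} of {1} hosts do not report {2}' -f $missing, $hosts.Count, $kb
```

Two caveats a practitioner should keep in mind: a host that is unreachable is reported as unpatched rather than silently skipped, because an unknown state should not inflate the patched count, and absence from the QuickFixEngineering list is a reason to check the update server's deployment status, not proof by itself that the binary is still vulnerable.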
Internet fraudsters are increasingly taking advantage of the deepening recession to dupe unsuspecting email recipients. The e-mail often includes a request for personal details on the pretense of receiving some financial reward, which later leads to fraud.
Common themes include prize wins, inheritance claims, money mule schemes and, increasingly, recession-beating scams. Read the full story [websense.com]
From CIO (Robert McMillan)
Corporate IT staffers will get a double whammy next week, as both Microsoft and Oracle are set to release critical security updates [cio.com] on the same day, including a likely fix for an Excel bug that has been used by cybercriminals.
This month, Oracle’s quarterly software fixes and Microsoft’s monthly patches happen to fall on the same day, next Tuesday. For Windows users, there will be a lot to patch. Microsoft plans to release eight updates in total [microsoft.com]: Five of them are for Windows, with a single update each for Internet Explorer, Excel and Microsoft’s Internet Security and Acceleration (ISA) server. Read the full story. More from ZDNet Zero Day [zdnet.com]
From Network World (Jeremy Kirk)
Millions of PCs infected with the Conficker worm have received a series of updated files over peer-to-peer connections that improve the worm's defenses against security products and also include a sniffer and some fake anti-virus software.
Malware that attacks mobile phones and other handheld devices has been the Next Big Threat for most of the last decade. And much like the Year of PKI, it’s never really materialized. Security experts have postulated that this is mainly because there’s not enough valuable data on these devices to attract the money-motivated attackers. But a new paper, “Understanding the Spreading Patterns of Mobile Phone Viruses,” from a group of scientists shows that the barriers are more likely market saturation and geography.
From InformIT (Gary McGraw)
This article originally appeared on InformIT.com as part of Gary McGraw’s Software [In]Security series.
Using the Software Security Framework (SSF) introduced in October, we interviewed nine executives running top software security programs in order to gather real data from real programs. Our goal is to create the Building Security In Maturity Model (BSIMM) based on these data, and we're busy going over what we've built with the executives who run the nine initiatives (stay tuned here for more).
From Purdue University’s CERIAS
The economic crisis has affected virtually every facet of society, and information security is no exception. In a new report titled Unsecured Economies: Protecting Vital Information, researchers from Purdue University’s CERIAS security center lay out the fairly bleak view of what the tough times have done to corporate IT security.