Experts call for better measurement of security

If there’s one key message coming through all of the noise at the RSA Conference this week it’s the fact that there’s a pressing need for more data. Data on attacks, data on vulnerabilities, data on data breaches, data on software security, data on everything having to do with security. The mini-movement that has sprung up around metrics and measurement in security has taken over a lot of the conversation at the conference, with some interesting results.

Microsoft to unveil patch management metrics project

Microsoft on Wednesday plans to launch a new research effort to determine the total cost of the patch-management cycle, from testing and distributing a fix to user deployment of the patch. The end result of the project, which will be completely open and transparent to outsiders, will be a full metrics model that the company plans to make freely available.

Microsoft today released its April batch of security patches: 8 bulletins with patches for at least 20 documented holes in popular software products. The most serious of the flaws could lead to remote code execution attacks that give a malicious hacker complete ownership of a vulnerable machine.

From CIO (Robert McMillan)
Corporate IT staffers will get a double whammy next week, as both Microsoft and Oracle are set to release critical security updates on the same day, including a likely fix for an Excel bug that has been used by cybercriminals.
This month, Oracle’s quarterly software fixes and Microsoft’s monthly patches happen to fall on the same day, next Tuesday. For Windows users, there will be a lot to patch. Microsoft plans to release eight updates in total: Five of them are for Windows, with a single update each for Internet Explorer, Excel and Microsoft’s Internet Security and Acceleration (ISA) server.

Trojan downloaders and malware that masquerades as security software are the two fastest growing threats on the Web right now, according to an analysis by Microsoft’s Malware Protection Center. In its latest Software Intelligence Report, released on Wednesday, the MMPC found that a Trojan downloader named Renos that installs rogue security software was the most prevalent threat in the second half of 2008, increasing by 66 percent.

Microsoft has issued an advisory to warn about an under-attack zero-day vulnerability affecting its PowerPoint software.
According to the pre-patch advisory, the flaw allows remote code execution if a user opens a booby-trapped PowerPoint file. The company described the attacks as “limited and targeted.”

From The New York Times, by Saul Hansell
Microsoft is at work on a couple of new technologies that may finally help enterprises unravel the giant ball of yarn that is user identity management. The head of the company’s server and tools business, Bob Muglia, said Microsoft’s Azure technology, as well as a tool called Direct Access in Windows 7, will give enterprises the help they need to make sense of identity management.

From Facebook, by Jeff Williams, Microsoft
When the Koobface worm hit Facebook users last year, the company’s security team scrambled to help affected users reset their accounts and avoid new infections. But the worm has continued to crop up periodically since then, and so the anti-malware team at Microsoft has been helping the Facebook technicians get a handle on the attack.
