Who Needs Enemies?
Sometimes patch releases don't always go as planned. Following a release by Microsoft last week of patches for Internet Explorer 6, and DirectX 8, it was discovered that the patches were identical to those released in May 2004 (Internet Explorer), and August 2003 (DirectX 8). The 'Release Date' and 'Date Published' for both updates showed a date from last week, as well as Microsoft's Download Notification email which was sent out. At least the patches were for issues that had already been resolved (in the earlier patch releases).
Sometimes it isn't the patches, but the actual software itself which doesn't necessarily work as planned. The launch of a search engine with built in anti-phishing (trust) features encountered a hiccup when it was discovered that an obvious phishing site had been listed as a trustworthy site. The search engine, TrustWatch, is derived from the technology which drives the 'Ask Jeeves' search engines, and provides its evaluation of the trustworthiness of a site, alongside the normal search results. Netcraft, which operates a similar service, also stumbles when it provides the phishing site in question with a risk rating of 'one', which is one step removed from a trusted listing.
Incidents such as this highlight the trouble faced by automated tools which attempt to classify trusted and untrusted sites, and the false sense of security that they can provide to the end users. The major risk is that they will classify a site as legitimate which isn't, and this will lead to users entering sensitive data onto a phisher's site, having trusted the results from the tools. Where the liability lies will surely be resolved by the courts following the first set of major breaches. Unfortunately it also gets the phishers working harder to ensure that their sites match the legitimate sites more closely, which has the result of making it more difficult for the non-technical user to differentiate between the legitimate and illegitimate sites.
Staying with odd behaviour from software, and there are times when the users would almost give anything for a suitable patch to be released. Reports have been circulating that malicious software has begun to surface which attacks the Microsoft Jet Database Engine vulnerability which was initially reported on in the column of 8 August.
The Jet Database Engine is used as a component of Microsoft Access, and the flaw has been known since April this year, with public exploit code circulating since early August. Microsoft have yet to issue official acknowledgment of the issue, and the malware currently circulating apparently opens a backdoor on infected systems, allowing their complete compromise (or rapid assembly into a zombie spam network). It has also been claimed that this vulnerability affects all Windows systems from Windows 95, onwards (previous reporting only identified Windows 2000 and later).
Aside from the issues which appear to have plagued Microsoft in the last week, one of Microsoft's main competitors, Apple, has been in the news over public disagreement about iTunes Music Store pricing.
The week before the rumoured opening of the Australian iTunes Music Store, Apple's iTunes Music Store is beginning to publicly upset some Record companies, with Apple's CEO Steve Jobs recently digging in against efforts to increase the base cost of songs on the US version of the store. Already, the CEO of Warner Music has publicly complained about the price point that Apple has set with the iTMS.
Online forums have lit up with the virtual wailing and gnashing of teeth (appropriate royalties paid, of course), at the perceived greed of the Record companies. Standard complaints and gripes claim that the industry needs to accept new distribution methods as part of their existence, that music sharing existed long before the Internet, and that the music industry should not complain about the services that at least appear to be providing a reasonable (for the consumer) price point for purchasing music in an electronic format. Mixed in with those responses are ongoing claims that the Record companies are behaving like a cartel through their Industry Association, and that they are monopolistic.
Not afraid to weigh in to the argument, the Canadian Recording Industry (through Environics) has released an amazing report (that they sponsored), which claims that Canadians between the ages of 18 and 29 are more likely to shoplift, cheat at school / university and illegally copy music and software. It is suspected that the report was issued in an attempt to link the use of Peer to Peer (P2P) software, and criminal and unethical activities. Although correlation does not imply causation, now that the report is on public record, it suggests that the general populace will only recall the sound bite snippets from the reporting, and not the underlying agenda.
Unfortunately, this is not the only widely reported case involving the horrendous use of statistics to push an agenda in the last couple of weeks.
Further doubts have been cast on the accuracy of the recent Internet Security Threat report from Symantec, when it was discovered that an English town with a population of less than 40,000 people had the second highest number of infected personal computers globally, behind London, and ahead of likely suspects such as Seoul. The report claims that 5% of the total infected systems were located within the town, out of approximately 2 million infected globally.
That means that every person in the town has at least two computers (some even more), and every system is infected.
It is highly possible that the report is an aberration, that it indicates a localised spike in the sample data set, which has then been extrapolated to fit the population size. This is a risk which is faced when conducting experimental work, that applying set rules to a set of data points which are outside normal boundaries will return results which will fail basic logic tests (such as more computers than people and a 100% infection rate in an area that isn't a global high technology centre).
The outcomes from the Symantec report aren't all bad, however. Parallel reporting from the ACE European Group (an Insurance Group which has partnered with Cisco, Deutsche Bank, KPMG and IBM to sponsor a series of reports) suggests that more than 50% of European companies have suffered significant financial losses from Information Technology system failures in the past twelve months. While system downtime due to hardware failure may be the first thought when it comes to a system failure, the research suggested that weak security, electronic crime and malware were significant contributing factors to the financial losses, with a quarter of respondents indicating that electronic crime was responsible for their losses. The survey claimed that even with 'continual investment' in areas such as security and protection, that 'significant financial losses' were still taking place.
In passing news, companies behind the competing formats for the next generation of home media content have been at each other's throats in the last week. The successor to the DVD is going to be one of two proposed formats, the Blu-Ray, and the HD-DVD. With various high-powered companies in the respective camps, such as Sony and Matsushita for Blu-Ray, and Microsoft for HD-DVD, the misinformation has been flying thick and fast from each side about the opposing technology. Some of the key elements in the recent spat included the available space for content, and also the availability of the actual disks for consumer use.
3 October 2005
Social bookmark this page at eKstreme.
Alternatively, Bookmark or Share via AddThis
Do you like how we cover Information Security news? How about checking out our company services, delivered the same way our news is.
Let our Free OS X Screen Saver deliver the latest security alerts and commentary to your desktop when you're not at your system.
Comments will soon be available for registered users.