Posts Tagged ‘vulnerabilities’
Microsoft releases stealth patches for Exchange
Written by John P Mello Jr on May 14, 2010 – 4:03 pm
Microsoft released some security patches last month without revealing them to the public. Some of the fixes affected software in mission critical Exchange mail servers.
The patches were hidden in one of Microsoft’s periodic updates issued April 13, namely “Microsoft Security Bulletin MS10-024 – Important: Vulnerabilities in Microsoft Exchange and Windows SMTP Service Could Allow Denial of Service (981832).”
“This security update resolves one publicly disclosed vulnerability and one privately reported vulnerability in Microsoft Exchange and Windows SMTP Service,” Microsoft said in the security bulletin’s executive summary.
“The more severe of these vulnerabilities could allow denial of service if an attacker sent a specially crafted DNS response to a computer running the SMTP service,” it continued. “By default, the SMTP component is not installed on Windows Server 2003, Windows Server 2003 x64 Edition, or Windows XP Professional x64 Edition.”
It added: “This security update is rated Important for all supported editions of Microsoft Windows 2000, Windows XP, and Windows Server 2003; 32-bit and x64-based editions of Windows Server 2008; Windows Server 2008 R2 for x64-based Systems; and Microsoft Exchange Server 2003. This security update is rated Moderate for Microsoft Exchange Server 2000.”
58% of critical apps insecure
Written by John P Mello Jr on March 5, 2010 – 4:05 pm
The most prevalent vulnerability by overall frequency identified by the report is cross-site scripting (XSS).
Most software used by large companies in critical business applications is insecure, according to a report released by a company that tests programs for security vulnerabilities.
In a report titled “State of Software Security,” the company, Veracode, of Burlington, Mass., disclosed that when it first tested some 1,600 business-critical applications, 58 percent of them failed to achieve an acceptable security score.
The worst culprits were programs developed by companies for internal use. Failure rates for those applications were as high as 88 percent, the report said.
“Extrapolating from the application sample set, more than half of the software deployed in enterprises today is potentially susceptible to an application layer attack similar to that used in the recent Heartland or Google security breaches,” it noted.
The most secure software submitted to Veracode for testing originated with the financial industry or government sector. More than half the applications from those industries passed muster on their first go-round with testers, which placed them at the top of the list of 15 industries represented in the study’s data set.
The report also plugged open source software as a viable solution for businesses. The failure rate for open source programs was on par with their commercial counterparts: 39 percent for open source versus 38 percent for commercial wares.
What’s more, security vulnerabilities were addressed far faster in open source programs than in their competitors: 36 days for open source, 48 days for internally developed software and 82 days for commercial apps.
In addition, open source programs contained the fewest vulnerabilities that could potentially be turned into backdoors for crackers to exploit. “The relative absence of potential backdoors is apparent testimony to the positive effect of transparency in the Open Source community,” the report reasoned.
SANS says crackers targeting desktop and Web apps
Written by John P Mello Jr on September 18, 2009 – 12:00 pm
(Chart: Number of Vulnerabilities in Network, OS and Applications)
After years of concentrating their nefarious efforts at computer operating systems, it seems that the cracking community is redirecting more of its muscle at desktop and Web applications. That red flag was waved this week by security researchers at the SANS Institute in a report on top security risks.
The report, which studied black hat activity from March to August of this year, maintained that malevolently motivated spammers are mounting massive campaigns to compromise computers through client-side applications.
“Waves of targeted email attacks, often called spear phishing, are exploiting client-side vulnerabilities in commonly used programs such as Adobe PDF Reader, QuickTime, Adobe Flash and Microsoft Office,” the researchers noted.
“This is currently the primary initial infection vector used to compromise computers that have Internet access,” they declared.
“In many cases,” they added, “the ultimate goal of the attacker is to steal data from the target organizations and also to install back doors through which the attackers can return for further exploitation.”
One reason crackers are being attracted to local applications and away from OS exploitation is that the odds against discovery are better. “On average, major organizations take at least twice as long to patch client-side vulnerabilities as they take to patch operating system vulnerabilities,” the researchers estimated. “In other words the highest priority risk is getting less attention than the lower priority risk.”