Microsoft and Oracle play a mean game of trick-or-treat by
releasing October updates that cause their own issues, BlackBerry dangers give
RIM a black eye, and Cisco warns users that delaying Cisco patches increases their
own risk.


Surprise! Perhaps enacting its own version of trick-or-treat, Microsoft served up some tricks in this month’s security updates. If you’ve dutifully applied the patch provided in Microsoft Security Bulletin MS05-051 and at some point changed the default access control list settings, your users have likely experienced serious problems with their PCs, including loss of network connections (as well as dialup configurations) and a failure to initiate the Windows Firewall. Microsoft has posted updates to the security bulletin and has published Knowledge Base article 909444, which addresses the problem.

In addition, a problem has cropped up in the DirectShow patch distributed with Microsoft Security Bulletin MS05-050. The threat stems from possible confusion over which patch to apply.

If you have DirectX version 8.0 or 9.0 and apply the DirectX 7.0 patch by mistake, you won’t actually fix the problem or protect your system. The patch doesn’t cause any harm to your system; it just doesn’t provide the protection you think you’ve added.

Redmond’s not the only one dealing with tricky updates—Oracle users are struggling with problems with the most recent quarterly update from the software vendor. Apparently, the latest update didn’t patch a number of serious vulnerabilities.

This is especially a concern considering that the vendor
only releases four sets of patches each year, which means the company likely
won’t fix these known flaws until next year. In addition, complaints about the
quality and effectiveness of Oracle patches have also surfaced.

And if that’s not bad enough, an exploit is reportedly now circulating on the Internet for one of the recently patched Oracle vulnerabilities. Oracle patched nearly 90 vulnerabilities in its recent round of fixes, and this is only the first of what’s likely to be many exploits reverse-engineered from the patches.

Meanwhile, the popular BlackBerry device recently experienced a serious problem when the BlackBerry Enterprise Server’s software version 4.02 allowed devices linked through the server to broadcast chunks of text to unintended recipients. The BBC’s temporary ban of the use of BlackBerry devices last week helped highlight the problem.

While reporters always get very nervous about competitors
learning their secrets, this threat should concern every user. Consider the
implications if you were making nasty comments about your boss or exchanging
contract negotiating strategies!

Finally, Cisco considers the use of older versions of its ubiquitous Internetwork Operating System (IOS) to be so serious a security threat that the vendor’s chief security officer, John Stewart, has issued a warning to users. Of course, the problem with Cisco is that—unlike many vendor patches—you can’t just perform a quick upgrade to hardware. Instead, you must shut down the network and reinstall IOS to apply the fixes.

Final word

The Cisco IOS update problem neatly illustrates one of the ongoing
problems with security. As a vendor, Cisco puts a lot of work into making a
really solid operating system not overlaid with dozens of Band-Aid patches.
However, that makes updates a complex and expensive process, so users tend to
ignore even critical vulnerabilities.

Is it better to release patches quarterly as Oracle does—leaving
systems vulnerable for longer periods of time—or monthly as Microsoft does? Is
it preferable to issue small patches that often don’t even require a reboot? Or
is it better to sport a more secure platform even if it’s much harder to patch
when inevitable flaws do appear?

Different security patch protocols adopted by vendors are
simply that—different, but not necessarily superior. In fact, each has its own
set of problems.

Speaking of protocol, a reader recently requested a simple
definition of phishing, which isn’t
as strange as you might think. While many technical computer terms have strict
definitions, a lot of the terms we use in computer security have only vague
definitions because they’re relatively new.

With many new terms, often all we have to go by is the old “I
know it when I see it” explanation. But you can’t pass laws on that basis—OK,
so actually you can, and legislators do it all the time—but you can’t enforce such laws.

A case in point is the term spyware. The Anti-Spyware Coalition (a group of prominent security industry vendors) has been struggling to define the term for a considerable time. According to one report, the ASC has defined spyware as “a term for tracking software deployed without adequate notice, consent, or control for the user. In its broader sense, spyware is used as a synonym for what the ASC calls ‘Spyware and Other Potentially Unwanted Technologies.’” For definitions of related terms, see the ASC’s Anti-Spyware Coalition Definitions and Supporting Documents.

In somewhat related news, the former CEO of Intermix Media has recently agreed to pay $750,000 in penalties for spreading spyware. This came in the wake of New York’s Attorney General Eliot Spitzer’s negotiations with the company, which earlier agreed to pay $7.5 million for the same privacy violations. Now, if only some other states woke up and started pursuing these and other spyware distributors!

Also watch for …

  • The U.S. financial industry is finally taking security seriously by building a database of former employees who have caused security breaches. While I feel for those who may land on this list, I feel a lot more compassion for the bank customers with stolen identities.
  • The popular Skype VoIP service has reported a buffer overflow vulnerability in its software. The flaw could allow attackers to take over client systems. The company strongly recommends that users upgrade to the latest version.


John McCormick is a
security consultant and well-known author in the field of IT, with more than
17,000 published articles. He has written the IT Locksmith column for
TechRepublic for more than four years.